Information Technology

Image: Getty Images
Australian Home Affairs Minister Karen Andrews has launched a centre to bolster the country’s cybercrime fighting efforts. The AU$89 million cybercrime centre forms part of Home Affairs’ national plan to combat cybercrime, which was announced alongside the centre’s launch on Monday morning. The AU$89 million was provided through the AU$1.67 billion in funding for Australia’s cybersecurity strategy by the federal government. Andrews said the national plan and the Australian Federal Police’s (AFP) new cybercrime centre, called Joint Policing Cybercrime Coordination Centre (JPC3), would bring together the experience, powers, capabilities, and intelligence needed to build a strong, multi-faceted response. “Using far-reaching Commonwealth legislation and high-end technical capabilities, the AFP’s new cybercrime centre will aggressively target cyber threats, shut them down, and bring offenders to justice,” Andrews said.”During the pandemic, cybercrime became one of the fastest-growing and most prolific forms of crime committed against Australians. The tools and the techniques used to rob or extort Australians became more effective and more freely available than ever before.”Home Affairs first announced the centre was being developed back in November, at the time explaining the AFP would use the centre to specifically focus on preventing cybercriminals from scamming, stealing, and defrauding Australians. Based in the AFP’s New South Wales headquarters, JPC3’s operations will be led by Australian Federal Police (AFP) assistant commissioner Justine Gough, who is the AFP’s first full-time executive dedicated to countering cybercrime. Looking at the national cybercrime plan, Home Affairs envisions governments at all levels will operate under a cybercrime-fighting framework prioritising three pillars: Preventing and protecting cybercrime; investigation, disrupting, and prosecuting cybercrime incidents; and helping victims recover from cybercrime incidents. Alongside launching the cybercrime centre, the plan also outlines a goal of establishing a national cybercrime forum that brings representatives from Commonwealth, state and territory justice departments, law enforcement agencies and regulators — such as the Office of the eSafety Commissioner — to develop a national cybercrime action plan. Last month, Home Affairs introduced three new Bills into Parliament, covering the federal government’s ransomware action plan, critical aviation and marine cybersecurity, and mobile phone access in prisons. The department is also pushing for a second tranche of cyber laws targeted at critical infrastructure sectors, which is currently being reviewed by a parliamentary committee, to become law. Labelled by Home Affairs Secretary Mike Pezzullo last month as the government’s defence against cyber threats, the federal government is hoping the second tranche of cyber laws will create a standardised critical infrastructure framework for Australia’s intelligence agencies. Related Coverage More

Image: Getty Images
When policy makers are dreaming about how cybersecurity will be handled in the future, it consists of governments issuing warnings to organisations, the community sharing intel with each other in real time, and the ecosystem being able to respond with a degree of unanimity.

For Cisco advisory CISO Helen Patton, that dream leaves out lots of organisations that are struggling underneath the security poverty line.”We’ve got a lot of organisations that don’t have the resources to be able to participate in that kind of environment. They’ve got old pieces of equipment, they don’t do automation, they don’t have the resources to make it happen, they’re never going to engage in that kind of environment,” Patton told ZDNet.”Maybe the financial sector, maybe the big companies that have got a lot of money that they can throw at this problem, might engage. But now you’re into these two tiers of security, we’ve got the upper tier that can take advantage of machine learning and artificial intelligence, and real-time info share.”And we’ve got everybody else who is hoping that some kid on a keyboard can do something about it, and obviously they won’t be able to. We will have a bifurcated security community is what we will end up with.”One way to lift those at the bottom is something akin to a co-operative, with Patton describing a community that shares resources and uses purchasing consortiums along with governments using the tools at their disposal to help under-resourced organisations help themselves.Previously, Patton spent a decade at JPMorganChase, and said even in banking it sometimes felt as though more security resources were needed.”I don’t know of anyone in any size organisation that feels like they’ve got everything they need, but I do think we need leadership to understand when they make a risk-based decision to put money in one area and not in security that they are taking a gamble, that they are making a choice that could lead to a real problem for them operationally,” she said. In order to help boards get to proper grips with risks and cybersecurity, Patton believes governments need to consider legislating a requirement for boards to have someone that understands technology and risk, and governments should be trying to inform the C-suite, not security professionals.”When AWS burps and half of social media goes out … do our CEOs and boards really understand that? No, they don’t,” Patton said.”We’ve got to get them educated on that. And the guy who’s trying to run a security program with one other guy and a dog doesn’t have time to sit and educate the board. The government does.”Stop training security people about how to do security better with no resources, and start training CEOs on how to think and manage the systemic risk, that’s what they should be doing.”Following legal requirements imposed by government on breach reporting, it should comes as no surprise that lawyers are getting involved with such a process, and Patton says CISOs are having to determine how to manage risk yet work with requirements that say all breaches are equally bad.”We’re seeing CISOs separate themselves operationally from the reporting requirements,” Patton said.”So now we’ve got lawyers who are making a decision about whether something is material enough to require a report, which is not really the spirit of the regulation. But I’ve seen it in Australia, and I’m seeing it overseas as well. “This is a coping mechanism because the reporting requirements are sort of vague.” The advisory CISO said reporting demands mean if an incident is in a low-risk area, no security lead is going to tell lawyers or regulators they were going to sit on it because it was assessed as low risk, as compared to critical infrastructure elsewhere.”These reporting requirements that say you’ve got 72 hours or 48 hours will generate a lot of inaccurate noise, that both the governments and the organisations will then have to unpick after the fact, once they have more information. There’s going to be a lot of misinformation, that goes out into the environment because of the short windows that we’re [dealing] with, it’s a challenge,” Patton said.”It’s not until you’ve had a certain amount of time to explore the incident, respond to the incident, learn from the incident that you really have good quality information. But our regulators want us to tell them immediately when something looks funny. And there’s lots of things that look funny in our environments, because our environments they’re inherently odd. “They’re going to get a lot of really bad signals early on, and we’re going to have to work out how do you talk about that publicly when the information is really asymmetrical in terms of what you know, and what’s actually happening. It’s a problem.”ZDNET’S MONDAY MORNING OPENER  ZDNet’s Monday Morning Opener is our opening take on the week in tech, written by members of our editorial team. We’re a global team so this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US, and 10:00PM GMT in London.PREVIOUSLY ON MONDAY MORNING OPENER :  More

Over the past year, many ‘franchise’ deals and new partnerships have emerged in the Ransomware-as-a-Service (RaaS) industry. 

Special feature

Cyberwar and the Future of Cybersecurity

Today’s security threats have expanded in scope and seriousness. There can now be millions — or even billions — of dollars at risk when information security isn’t handled properly.

Read More

RaaS has arguably become one of the most prolific and dangerous threats to enterprise security today. Cybercriminals have worked out that they can make serious profits from leasing out their ransomware creations, and especially if it is used against large companies able to pay high ‘ransom’ payments to have their data decrypted after a successful infection. Furthermore, the industry has evolved over recent years to also include other roles — malware developers, native speakers of a language able to manage negotiations, and Initial Access Brokers (IABs) who offer network access to a target system, thereby speeding up RaaS operations.  Leak sites, too, are now common. When a ransomware group attacks a victim, they may steal sensitive corporate information before encrypting systems. The cybercriminals will then threaten to publish this data unless a payment is made.  On Friday, KELA published a report on ransomware operators’ overall trends and movements over 2021. The cybersecurity firm says that the number of major organizations tracked as ransomware victims increased from 1460 to 2860, with many appearing on ransomware leak sites and negotiation platforms.
KELA
In total, 65% of the leak sites monitored last year were managed by new players on the scene. The majority of targets are based in developed nations, including the US, Canada, Germany, Australia, Japan, and France.  Manufacturing, industrial companies, professional services, technology, engineering, and retail are among the sectors that are at the most risk of being targeted by ransomware operators.  However, once a company has been breached, this does not mean that the security headache is restricted to only one incident.  As an example, Party Rental appeared on Avaddon’s leak site in February 2021, and Conti allegedly claimed the same victim in September. Both groups shared data belonging to the company. Amey, too, appeared on Mount Locker’s domain and then Clop’s.  According to KELA, roughly 40 organizations compromised in 2020 were then hit by a separate ransomware group last year, and “it is possible the groups used the same initial access vector.”  “Operators of data leak sites, namely Marketo and Snatch, frequently claimed the same victims as many ransomware groups (Conti, Ragnar Locker, and more), hinting about possible collaboration,” the report says.Over 1300 access listings were posted in the underground by at least 300 IABs over 2021. LockBit, Avaddon, DarkSide, Conti, and BlackByte are among the Russian-speaking ransomware operators who frequently purchase access.  While some intrusions may be coincidental, it does appear that “franchise” businesses are emerging. Trend Micro previously connected the dots between Astro Team and Xing Team, both of which were allowed to use the Mount Locker ransomware under their own brand names. The same malware was in use, while each cybercriminal group maintained their own name-and-shame blogs. Some of the victims were duplicated in Astro/Xing Team and Mount Locker disclosures. In addition, 14 victim organizations were published under Quantum, Marketo, and Snatch blogs in 2021.  “Collaboration can mean that ransomware operators share stolen data with actors behind data leak sites on specific conditions,” the researchers say. “For operators, it can mean additional profits if the data is sold on a data leak site or simply more intimidating to the victim (or future victims). Aside from collaboration, as between ransomware groups, actors behind these data leak sites can use the same entry vector or attack the same company via different initial access.”Some of the major ransomware players vanished in 2021 — although they may emerge again under different brands — including BlackMatter and REvil. New groups including Alphv, Hive, and AvosLocker have emerged to fill the gap. See alsoHave a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) has warned satellite communications network providers to beef up security. The CISA and FBI on Thursday said in a joint advisory that they are “aware of possible threats” to U.S. and international satellite communication (SATCOM) networks.   

“Successful intrusions into SATCOM networks could create additional risk for SATCOM network customer environments,” the agencies note.SEE: This sneaky type of phishing is growing fast because hackers are seeing big paydaysThe advisory contains mitigation actions for both SATCOM operators and their customers to take amid US and European investigations into a major outage affecting Viasat’s internet service for fixed broadband customers in Ukraine and elsewhere on its European KA-SAT satellite network. The outage started on February 28, coinciding with Russia’s invasion of Ukraine. The same day German energy firm Enercon reported remote communications to 5,800 wind turbines was down due to a satellite outage.    Reuters on March 11 reported that the National Security Agency, France’s cybersecurity agency ANSSI, and Ukrainian intelligence were investigating an attack that disrupted Ukraine broadband satellite access that coincided with Russia’s invasion on February 28. As part of CISA’s Shields Up initiative, the agencies are calling on SATCOM operators and their customers to “significantly lower their threshold for reporting and sharing indications of malicious cyber activity.”CISA launched Shields Up in February and cited US fears that sanctions against Russia heightened the risk of cyberattacks on US critical infrastructure and organizations. The agencies are recommending SATCOM operators review the security of communications to and from end-user terminals, and to review the Office of the Director of National Intelligence’s February report, which details Russia’s anti-satellite technologies, including directed energy weapons, for jamming civilian and military satellite GPS and communication services. Notably, CISA also warns customers to review IT supply relationships and the NSA’s January 2022 recommendations for protecting very small-aperture terminal (VSAT) networks.  The NSA told CNN this week that it’s “aware of reports of a potential cyber-attack that disconnected thousands of very small-aperture terminals that receive data to and from a satellite network.” Viasat told CNN the “partial outage” was caused by a “deliberate, isolated and external cyber event” and added that the network was now “stabilized”. However, Netblocks on Wednesday reported that Viasat’s KA-SAT network remained “heavily impacted” 18 days after the outages began.

ℹ️ Update: Satellite operator Viasat’s KA-SAT network in Europe remains heavily impacted 18 days after it was targeted by an apparent cyberattack, one of several incidents observed as Russia launched its invasion of Ukraine on the morning of 24 Feb 🛰📰 https://t.co/S0qJQ7CbNv pic.twitter.com/nLNlquYQF9— NetBlocks (@netblocks) March 15, 2022

Among many other recommendations CISA suggests SATCOM providers consider:Using secure methods for authentication, including multi-factor authentication where possible for all accounts used to access, manage, and/or administer networks. Using and enforcing strong, complex passwords. Review password policies to ensure they align with the latest NIST guidelines. Do not use default credentials or weak passwords. Audit accounts and credentials: remove terminated or unnecessary accounts; change expired credentials.Enforcing principle of least privilege through authorization policies. More

Over 10 million suspicious emails have been reported to National Cyber Security Centre’s (NCSC) Suspicious Email Reporting Service, resulting in 76,000 online scams being taken down. Launched almost two years ago, the reporting service enables members of the public to alert the authorities about potential cyberattacks and scams. 

ZDNet Recommends

Scams relating to the NHS, fake notifications from delivery companies, phony cryptocurrency investments and more have all been taken down after being reported by the public to the NCSC, the cybersecurity arm of intelligence agency GCHQ. SEE: Cybersecurity: Let’s get tactical (ZDNet special report)  The reporting service – where users can forward suspected malicious emails to report@phishing.gov.uk – was launched at the start of the pandemic as the UK went into lockdown, forcing people to rely on digital services more than ever before.Cyber criminals attempted to take advantage of this situation by sending out scams and phishing emails to unsuspecting users – and continue to do so. The aims of these attacks can include stealing usernames and passwords, as well money and bank details. While the takedown of 76,000 online scams marks a success for NCSC, phishing and other cyberattacks continue to be an issue – according to the latest Crime Survey for England and Wales, there was a 161% increase in unauthorised access to personal information offences, including hacking, during the past year. In order to help protect people against this threat, the cybersecurity agency is launching a new campaign encouraging individuals to be cyber aware and to properly secure their email and other online accounts.  People are encouraged to create strong passwords made up of three random words and to apply multi-factor authentication on their accounts. Both of these simple steps can help protect online accounts from being hacked. “The British public’s response to our Suspicious Email Reporting Service has been incredible and led to the removal of thousands of online scams. But there is even more we can do and by following our Cyber Aware steps to secure online accounts – starting with email – people will dramatically reduce risks including financial losses and personal data breaches,” said Lindy Cameron, chief executive of NCSC. “We all have a role to play in our collective cybersecurity and I urge everyone to follow our Cyber Aware advice to make life even harder for the scammers,” she added. The NCSC has dedicated advice pages on creating strong passwords and setting up multi-factor authentication.  MORE ON CYBERSECURITY More

Image: Getty Images
The three local elections impacted by New South Wales’ iVote system failure last year have all been voided, the New South Wales Electoral Commission (NSWEC) said yesterday evening. “The Electoral Commissioner regrets the inconvenience caused to these councils and their councillors, but he welcomes the resolution of the matter and will now commence preparations for fresh elections,” the NSWEC said in a statement. The integrity of local elections in Kempsey, Singleton, and Shellharbour was put into doubt at the end of last year as some people in those councils were unable to cast their vote as the iVote system suffered a failure for a portion of the voting period. This led to the NSWEC submitting an application to the state’s Supreme Court for the election bungle to be reviewed. After reviewing the elections, the NSW Supreme Court decided to void the three election outcomes, which now means people in those councils will have to recast their vote. The re-election will use a separate system, as the NSWEC confirmed earlier this week that the iVote system will be parked until after next year’s state election as there is a lack of confidence it will be ready in time. “The current version of the iVote software used by the Electoral Commission will be phased out and the short runway for configuring and testing a new version before March 2023 means the Electoral Commissioner cannot be confident an updated system adapted for elections in NSW will be ready in time,” the NSWEC said on Wednesday. Prior to NSWEC’s confirmation that the iVote system would not be used in next year’s state elections, the commissioner had already shelved the iVote system for “extensive reconfiguration and testing” to resolve the issues encountered during local elections. During the system failure’s aftermath, Dr Vanessa Teague, a cryptographer with a particular interest in privacy and election security, criticised the flaws within the iVote system. “Every serious investigation of iVote found serious problems,” Teague tweeted in December in light of the iVote failure. Teague’s comments at the end of last year were not her first in warning about the iVote system’s flaws. Starting in 2015, she and her colleagues found numerous flaws in iVote, problems that NSWEC had previously downplayed.  Related Coverage More

Image: Getty Images
Proposed UK laws could see top managers at tech companies be jailed if they fail to meet the demands of regulators. The laws, coming in the form of an Online Safety Bill, were introduced to Parliament on Thursday after almost a year of consultation. The UK government commenced work on the proposed laws in May last year to push a duty of care onto social media platforms so that tech companies are forced to protect users from dangerous content, such as disinformation and online abuse. “We don’t give it a second’s thought when we buckle our seat belts to protect ourselves when driving. Given all the risks online, it’s only sensible we ensure similar basic protections for the digital age,” Digital Secretary Nadine Dorries said. Under the proposed legislation, executives of tech companies could face prosecution or jail time if they fail to cooperate with information notices issued by Ofcom, UK’s communications regulator. Through the Bill, Ofcom would gain the power to issue information notices for the purpose of determining whether tech companies are performing their online safety functions.    A raft of new offences have also been added to the Bill, including making in-scope companies’ senior managers criminally liable if they destroy evidence, fail to attend or provide false information in interviews with Ofcom, or obstruct the regulator when it enters company offices. The Bill also looks to require social media platforms, search engines, and other apps and websites that allow people to post their own content to implement various measures to protect children, tackle illegal activity and uphold their stated terms and conditions. Among these measures are mandatory age checks for sites that host pornography, criminalising cyberflashing, and a requirement for large social media platforms to give adults the ability to automatically block people who have not verified their identity on the platforms. The proposed laws, if passed, would also force social media platforms to up their moderation efforts, with the Bill calling for platforms to remove paid-for scam ads swiftly once they are alerted of their existence. A requirement for social media platforms to moderate “legal but harmful” content is also contained in the Bill, which will make large social media platforms have a duty to carry risk assessments on these types of content. Platforms will also have to set out clearly in terms of service how they will deal with such content and enforce these terms consistently. “If companies intend to remove, limit or allow particular types of content they will have to say so,” Dorries said. The agreed categories of “legal but harmful” content will be set out in secondary legislation that will be released later this year, the digital secretary added. While the UK government has framed the Online Safety Bill as “world-leading online safety laws”, law experts have criticised the Bill for its use of vague language through the “legal but harmful” classification, which they say could create unintended consequences. “The Online Safety Bill is a disastrous piece of legislation, doomed not just to fail in its supposed purpose but make it much harder for tech companies and make the internet less safe, particularly for kids,” said Paul Bernal, University of East Anglia IT law professor. The UK government hasn’t been alone in wanting to create laws regulating how social media platforms moderate content. Australia’s federal government is currently mulling over two pieces of legislation, one focusing on stopping online defamation and the other being about online privacy. The defamation laws, framed by the federal government as anti-trolling laws, seek to force social media companies into revealing the identity of anonymous accounts if they post potentially defamatory material on platforms. Australia’s proposed online defamation laws have faced similar criticism of potentially creating unintended, adverse impacts, leading to criticism from online abuse victims and privacy advocates. Related Coverage More

Image: Google
Google’s Threat Analysis Group has detailed a group it has labelled as Exotic Lily that breached a target and sold off the gained access.The preferred method for gaining targets is spear phishing, with the group sending around 5,000 emails a day, and setting up similar domains with different TLDs — such as using example.co for example.com users — in an effort to fool those on the receiving end. It also began with fake personas, but recently started ripping publicly available data from sites like RocketReach and CrunchBase to impersonate users. The group also used public file-sharing sites including TransferNow, TransferXL, WeTransfer, or OneDrive to pass payloads onto users and make it harder for defenders to detect, since the sites are legitimate. “Investigating this group’s activity, we determined they are an initial access broker who appear to be working with the Russian cyber crime gang known as Fin12 (Mandiant, FireEye) / Wizard Spider (CrowdStrike),” Google said. “Exotic Lily is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol.” The group also appears to maintain a high degree of work-life balance, as Google said the activity it has seen is typical of a 9 to 5 job in eastern or central Europe, with little activity on weekend. Although the group has relationships with ransomware gangs, Google said Exotic Lily is a separate entity that is only interested in access, with other groups doing the ransomware operations. Off the back of its discovery, Google said it would have additional Gmail warning for emails originating from website contact forms, improve its spoofing identification, and adjust the reputation of email file sharing notifications. Related Coverage More