Information Technology

The vast majority of cybersecurity professionals think that the business they work for is a target for nation-state hackers, but only a small fraction think that their organisation can confidently identify if attacks are actually being carried out by hostile states.According to analysis by cybersecurity company Trellix, half of all organisations think they’ve been the target of a nation-state cyberattack within the past 18 months, while a further 42% think they’ll be subject to one in the future. Fewer than one in 10 businesses believe that they’re not a target for nation-state hackers at all. 

For organisations that have been targeted by nation-state-backed hackers, the most likely suspects identified by cybersecurity staff are Russia and China, along with cyber -criminal mercenaries suspected of working on behalf of governments.  SEE: A winning strategy for cybersecurity (ZDNet special report) North Korea, Iran and western governments are among those that are also suspected of being behind attacks, while some cybersecurity staff concede that it’s just too difficult to tell who is behind campaigns. When asked how confident they were that, without help, their organisation could tell the difference between cyberattacks carried out by a nation states and cyberattacks carried out by cyber criminals, just a quarter said that they have complete confidence that this would be the case. This lack of awareness could lead to issues down the line, as nation-state-backed hacking operations are often designed to create long-term persistence on networks, meaning that if an intrusion isn’t correctly identified as being the work of hostile government-backed cyber attackers, even if an attempt is made to clean it up, not knowing that it’s a well-resourced nation-state-backed attack could lead to backdoors and other remnants of the attack being missed – and exploited later on. “Nation-state cyber incidents are more sophisticated and persistent than an average cyber crime incident. Successfully detecting and responding to these types of attacks requires a deeper understanding of the adversaries’ methods and their intended goal,” John Fokker, principal engineer and head of cyber investigations at Trellix, told ZDNet. “Many organisations struggle with successfully detecting backdoors left behind after a state-backed cyber incident,” he added. Even organisations that aren’t confident in their ability to identify nation-state-backed cyberattacks say it’s important to be able to do so, although many are limited by cybersecurity strategy or a lack of resources. The vast majority – 90% – of those surveyed said that their own government needs to do more to help to help them protect themselves against hostile, foreign observatories. “Governments can provide organisations who have been targeted with vital intelligence to better assess the origin and objective behind a state-backed cyber incident,” said Fokker. Defending against cyberattacks, particularly those by enemies with significant resources behind them, is a challenge, but there are steps that can be taken to improve the odds. This includes cyber-hygiene measures, like applying critical security patches, and requiring the use of multi-factor authentication to help keep attackers out of the network. It’s also vital for cybersecurity staff to fully understand the network they’re defending, so they can identify all the assets that need protection and to take action against any potentially suspicious activity. MORE ON CYBERSECURITY More

A new strain of Python ransomware is targeting environments using Jupyter Notebook. 

Jupyter Notebook is an open source web environment for data visualization. The modular software is used to model data in data science, computing, and machine learning. The project supports over 40 programming languages and is used by companies including Microsoft, IBM, and Google, alongside numerous universities. Aqua Security’s Team Nautilus recently discovered malware that has honed in on this popular data tool.  While Jupyter Notebook allows users to share their content with trusted contacts, access to the app is secured through account credentials or tokens. However, in the same way, that businesses sometimes do not secure their AWS buckets, leaving them open for anyone to view, Notebook misconfigurations have also been found.  The Python ransomware targets those that have accidentally left their environments vulnerable. The researchers set up a honeypot containing an exposed Jupyter notebook application to observe the malware’s behavior. The ransomware operator accessed the server, opened a terminal, downloaded a set of malicious tools — including encryptors — and then manually generated a Python script that executed ransomware.  While the assault stopped without finishing the job, Team Nautilus was able to grab enough data to simulate the rest of the attack in a lab environment. The encryptor would copy and then encrypt files, delete any unencrypted content, and delete itself. 
Aqua Security
It should be noted that no ransom note was included as part of the package, which the team suspects indicate one of two things: either the attacker was experimenting with their creation on the honeypot, or the honeypot timed out before the ransomware attack was completed. While attribution isn’t concrete, the cybersecurity researchers say they might be “familiar” with the miscreant due to their trademark checks before an attack begins. Clues indicate the individual could be from Russia, and if it is the same attacker, they have been linked to cryptojacking attacks on Jupyter environments in the past.  A Shodan search reveals several hundred internet-facing Jupyter Notebook environments are open and accessible (although some may also be honeypots.) “The attackers gained initial access via misconfigured environments, then ran a ransomware script that encrypts every file on a given path on the server and deletes itself after execution to conceal the attack,” the researchers said. “Since Jupyter notebooks are used to analyze data and build data models, this attack can lead to significant damage to organizations if these environments aren’t properly backed up.” See alsoHave a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Change the default user name and password settings on your internet-connected uninterruptible power supply (UPS) units, the US government has warned.  UPS units are meant to provide power backup to keep devices, appliances and applications connected to the internet by supplying off-grid power to places like a data center during a power outage. But hackers have been targeting internet-connected UPS units to disrupt the backup power supply. 

The Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Energy (DOE) said they “are aware of threat actors gaining access to a variety of internet-connected uninterruptable power supply (UPS) devices.” SEE: This sneaky type of phishing is growing fast because hackers are seeing big paydaysHow? Just like many Internet of Things (IoT) devices, such as routers and smart-lighting systems, they are gaining access “often through unchanged default usernames and passwords.” The risk of not changing the default credentials in IoT devices and appliances isn’t new. It’s also a problem that reminds admins of the importance of network-hardening guidance.    UPS devices are a critical backup power supply because of the costs of downtime when core business applications and staff devices can’t connect to the internet. In healthcare, lives might depend on a UPS in an outage because of powered medical devices.As CISA notes, UPSs can protect small loads, such as a few servers, large loads, like an entire building, or massive loads, including a data center. One complication in an organization is the question of exactly who should manage UPS devices, which only becomes necessary during a power outage. “Various different groups within an organization could have responsibility for UPSs, including but not limited to IT, building operations, industrial maintenance, or even third-party contract monitoring service vendors,” CISA notes in an insights alert. CISA doesn’t cite examples of recent attacks or attribute these threats to specific actors. However, in this case, it seems more important to emphasize remediation steps. As CISA notes, it’s rare that a UPS’s management interface needs to be accessible from the internet. So, its bolded advice is: “Immediately enumerate all UPSs and similar systems and ensure they are not accessible from the internet.” It also recommends viewing its, and the NSA’s, warning that state-sponsored attackers have targeted internet-accessible operation technology (OT) to breach critical infrastructure, such as water utilities. Again, the agencies warn of the risks of remote access to OT networks and the use of default passwords. If the UPS device’s management interface must be accessible from the internet, CISA advises putting these controls in place: Ensure the device or system is behind a virtual private networkEnforce multi-factor authenticationUse strong, long passwords or passphrases in accordance with National Institute of Standards and Technology guidelines (for a humorous explanation of password strength, see XKCD 936, CISA notes)Check if your UPS’s username/password is still set to the factory default. If it is, update your UPS username/password so that it no longer matches the defaultEnsure that credentials for all UPSs and similar systems adhere to strong password-length requirements and adopt login timeout/lockout features More

Image: Ronin
In a shock to absolutely no one paying attention to the so-called Web3 space, the touted security of blockchain-driven solutions might not be all it is cracked up to be. The latest victim comes by way of Ronin, which detailed that 173,600 in Ethereum (ETH) and 25.5 million in USD coin had departed its clutches across a pair of transactions that occurred a week ago. The Ronin Network said it only found out when a user on Tuesday wanted to withdraw 5,000 ETH but was unable to. “ETH and USDC deposits on Ronin have been drained from the bridge contract. We are working with law enforcement officials, forensic cryptographers, and our investors to make sure there is no loss of user funds. This is our top priority right now,” the network said. Ronin was announced in mid-2020 by play-to-earn game Axie Infinity created by Vietnamese blockchain game maker Sky Mavis. At the time, the studio touted Ronin as being able to overcome Ethereum network congestion. “To help secure Ronin, we have recruited an all-star cast of partners from the traditional gaming, crypto, and nonfungible token space to serve as validators of our network,” it said at the time. For the attack to occur, the attacker gained control of the four validators operated by Sky Mavis, and one operated by Axie DAO. “The attacker found a backdoor through our gas-free RPC node, which they abused to get the signature for the Axie DAO validator,” the Ronin Network explained. “This traces back to November 2021 when Sky Mavis requested help from the Axie DAO to distribute free transactions due to an immense user load. The Axie DAO allowlisted Sky Mavis to sign various transactions on its behalf. This was discontinued in December 2021, but the allowlist access was not revoked.” In response, the Ronin bridge and Katana Dex exchange were halted, the number of validators increased to eight, and security teams at major crypto exchanges were contacted.Luckily for those seeking to trace the funds, the use of blockchain means the transactions can be traced, in the case of the attackers, appears to be forgoing the step of washing the funds through a coin tumbler, and transferring it directly to FTX exchange. Flora Li of the Huobi exchange research institute said the hack was a result of trying to balance user experience and security.”Axie Infinity exploded in popularity and saw a rapid influx in users on the Ronin blockchain. They took shortcuts to relieve network bottlenecks, cutting down the number of nodes that needed to be validated for transactions to just five of nine nodes, making it easier for hackers to exploit,” Li said.”While Sky Mavis has pledged to raise the number of required nodes to eight, it still doesn’t solve the fundamental problem of how proof-of-stake blockchains can keep transactions fast, user-friendly, and energy-efficient without compromising security.”Earlier this year, Crypto.com said 483 of its users were hit in an attack that saw over $31 million in coins withdrawn. “In the majority of cases we prevented the unauthorized withdrawal, and in all other cases customers were fully reimbursed,” the company said at the time. “Unauthorised withdrawals totalled 4,836.26 ETH, 443.93 BTC, and approximately US$66,200 in other cryptocurrencies.” Last year, the Poly Network had $600 million in cryptocurrency taken before the attacker began returning the stolen assets. Updated at 3:50pm AEDT, 30 March 2022: Additional comments from Huobi.Related Coverage More

Image: Sam Mooy/Getty Images
South Australian independent Senator Rex Patrick has called on his former boss, and previous occupant of his Senate seat, Nick Xenophon to reveal the details of his contract with Huawei. After leaving the Senate in 2017, Xenophon set up a law firm with former investigative journalist Mark Davis that was appointed as strategic counsel in 2019. The firm also represented Jordan Shanks in a recent high-profile defamation case. Xenophon last week said he was running for the Senate again in the upcoming federal election. On the basis of his return to public life, Patrick said in the Senate on Tuesday night that Xenophon should disclose the terms of his Huawei agreement. “He was entitled, as a private individual, to work for whoever he wished. But the choice he made was akin to someone choosing to do PR work for the German companies Krupp or Messerschmitt in 1938,” Patrick said. “Mr Xenophon now says that he has not worked for Huawei for some time, though we don’t know when he ceased. He now claims to support the Australian government’s 5G ban on Huawei. “As a declared Senate candidate, he should now, in the interests of transparency and accountability, disclose the full details of his contractual relationship with Huawei. He should disclose the terms, conditions and duration of his contract; what instructions he accepted from Huawei; and precisely what services he and Mr Davis were paid for.” Patrick pointed out that Xenophon had previously called for the same from another former Senator, and did not register with the Australian Foreign Influence Transparency Scheme. “In this, he appears to have relied on the exemption for persons providing legal advice to foreign organisations and a claim that he was not directly lobbying government ministers. However, the work that Xenophon Davis did for Huawei appears to have been largely in the public relations field and directed towards influencing the federal government to reopen the door for Huawei to infiltrate Australia’s 5G telecommunications network,” Patrick said. “That is of course one of 14 demands the Chinese government has made before they will reconsider their current hostile stance towards Australia.” The current Senator also raised allegations that Huawei has been involved in helping Chinese authorities oppress Uyghurs, using backdoors in its carrier equipment to assist in state esponiage, and having close ties to the Chinese Communist Party. “In December last year it was revealed, further, that as early as 2012 Australian intelligence detected a sophisticated penetration into our telecommunications system, an intrusion that began with a software update from Huawei that delivered malicious code,” Patrick said. “Mr Xenophon declared that Huawei was an ‘underdog’. I’m not sure how a vast Chinese conglomerate with global networks backed by the Chinese state could ever be described as an underdog, but that was his description. This was all a misjudgement on Mr Xenophon’s part.” Patrick said that critical infrastructure like telecommunication must be completely secure from foreign interference and possible sabotage. “There can’t be any compromise when it comes to Australian national security, nor can there be compromises on human rights,” Patrick said. “Mr Xenophon has declared his political candidacy. In the interests of accountability and transparency, he should make an immediate disclosure of all the details of his work for Huawei. I urge him to do so. Voters can then make their own judgement.” In its yearly results announced earlier this week, Huawei reported a 29% drop in revenue to $100 billion, as profitability lifted 76% to $17.9 billion.Related Coverage More

Image: Getty Images
The federal government’s big-ticket tech item in last night’s annual Budget was its proposed AU$9.9 billion injection into Australia’s cybersecurity and intelligence capabilities. Chief among the objectives of that injection would be the creation of 1,900 jobs at the Australian Signals Directorate (ASD) over the next decade.While Australia’s tech industry has welcomed the increased cybersecurity spending, it’s unclear whether those jobs can be filled due to Australia’s digital skills shortage, RMIT University cybersecurity professor Matt Warren told ZDNet. Due to the ASD being a government agency, only Australian citizens can be hired for these new jobs, which means the federal government and Australian organisations need to develop talent with sovereignty in mind to fill these roles.”A key issue is that only Australian citizens can work for the Commonwealth and with the current cyber security skills shortage, it may be difficult to fill the 1,900 new security roles,” Warren explained.”In terms of how the cyber industry works, they poach off each other — so industry poaches off government. So I think part of the discussion is how to develop cybersecurity skills into the future from a sovereignty perspective.”Read more: Australian Budget 2022 delivers AU$9.9 billion for spicy cyberLast week, Australian Prime Minister Scott Morrison made similar remarks, warning organisations about the need to prioritise trust over costs and efficiency when it comes to cybersecurity.”We see that in the most terrible events, whether it’s in Ukraine or the stresses that are being placed on our own country here in the Indo-Pacific, when it comes to your data security you’ve got to be dealing with someone you trust and so words like sovereign really mean something,” Morrison said last Friday at the opening of Macquarie Telecom’s new Sydney-based data centre.According to recruitment firm Hays, survey results of nearly 3,500 organisations from last year indicated that 68% of the local technology industry is suffering from skills shortages. The findings by Hays around skills shortages in the tech sector mirrored those uncovered by Seek in 2020.With the skills shortage being a key chokepoint for filling any large influx of cyber jobs, Warren said the federal government’s next steps need to be focused on establishing a national coordinated plan for making sure Australia can develop its future cyber workforce.”What Australia needs is not just one or two initiatives,” the RMIT professor said.Cybersecurity software firm BlackBerry said Australia’s cybersecurity private sector also has a role to play in addressing the skills shortage, explaining that the growing number of cyberthreats cannot be solely alleviated by government.”As the breadth of malicious cyber activity increases, public and private sectors must work together to rapidly up-skill the Australian and invest in complementary automation, including AI/ML-driven security technologies to help security professionals protect the government and other enterprises,” said Graeme Pyper, BlackBerry APAC channels director.Depending on the upcoming federal election’s outcome, which is expected for May, the jobs announced last night may not come to fruition if the Coalition loses the federal election. Regardless of the outcome, Warren said both the Coalition and Labor parties have committed to backing increased cybersecurity spending due to the growing cyberthreat landscape around the world.”Whether there is a change in government, I don’t see the cybersecurity strategies changing in the future. Both parties are committed to protecting Australia against future security risks, whether they’re physical, cyber, or space-based,” Warren said.RELATED COVERAGE More

Singapore has introduced certification programmes to tag small and large enterprises that have adopted good cybersecurity practices. The move is touted as essential for companies to ascertain their security posture amidst increasing supply chain attacks. The certification scheme encompassed two cybersecurity marks, one of which would enable small and midsize businesses (SMBs) to prioritise basic security measures they should implement to protect their systems and operations against common cyber attacks. These baseline measures included preventive measures to control access to systems and data, and cyber incident response. The Cyber Essentials mark not only recognised SMBs with good cyber hygiene, but also would help these companies understand fundamentals they should have in place even with their limited IT or cybersecurity resources, said Singapore’s Cyber Security Agency (CSA). 

An SMB food and beverage company, for instance, with the Cyber Essentials mark would have adopted baseline cybersecurity measures to safeguard personal data of its customers, such as name and date of birth, needed to facilitate its loyalty programme. These included controlling access to and backing up customer data and investing in software to secure its internal IT systems. The second certification programme was targeted at larger and more digitalised businesses, including multinational corporations, CSA said. Called Cyber Trust, it outlined a risk-based approach to help organisations understand their risk profiles and determine security elements they needed to prepare to mitigate such risks. Specifically, the Cyber Trust mark encompassed five cybersecurity preparedness tiers that matched the company’s risk profile. Each tier outlined 10 to 22 domains such as cyber governance, education, information asset protection, and secure access against which the organisation would be assessed to determine their cybersecurity posture.For example, a financial services institution would have to ensure both its internal and external systems had a robust level of cybersecurity to safeguard its customers’ personal and financial data, CSA said. The industry regulator added that the Cyber Trust mark would certify the financial organisation’s investments and efforts in cybersecurity. The certification would provide a competitive advantage for companies who earned it as well as offer assurance for their customers,. CSA’s chief executive David Koh: “CSA’s cybersecurity certification scheme for enterprises is a timely introduction to the market. Supply chain cyber attacks will continue to proliferate in the digital space and, in time to come, companies could be required to demonstrate their cybersecurity posture when they conduct business as a way of providing greater assurance to their customers. “Having the certification reflects the company’s commitment to ensure that they remain cyber-secure, giving them an edge over their competitors,” Koh added. CSA said it would work alongside industry partners such as SGTech to drive the adoption of both security marks, which would not be made mandatory. The certification process would be run by an initial group of eight certification bodies, including Bureau Veritas Quality Assurance, EPI Certification, and iSOCert. According to CSA, the marks were developed in consultation with industry partners such as certification practitioners and trade associations. The industry regulator also worked with several companies in Singapore to trial the frameworks for both Cyber Trust and Cyber Essentials. These included F&B companies as well as e-commerce operators and technology vendors such as Andersen’s of Denmark Ice Cream, IBM, Kestrel Aero, and Lazada Singapore. CSA also developed a toolkit to help companies adopt cybersecurity and attain the certification marks. Designed for IT administrators, the toolkit curated an initial list of partners offering products and services that could help businesses meet the requirements of the two marks. RELATED COVERAGE More

Hackers were much faster to exploit software bugs in 2021, with the average time to exploitation down from 42 days in 2020 to just 12 days. That marks a 71% decrease in ‘time to known exploitation’ or TTKE, according to security firm Rapid7’s new 2021 Vulnerability Intelligence Report. The main reason for the reduction in TTKE was a surge in widespread zero-day attacks, many of which were used by ransomware gangs, according to the company. As Rapid7 notes, 2021 was a grim year for defenders, which kicked off with the SolarWinds Orion supply chain attack which was  pinned on Russian state-sponsored hackers. The year ended with the very different Apache Log4j flaw, which had no obvious main attacker but was spread across millions of IT systems.   Google’s Threat Analysis Group (TAG) and Project Zero researchers also have also observed an uptick in zero-day attacks, where attackers are exploiting a flaw before a vendor has released a patch for it.Rapid7 tracked 33 vulnerabilities disclosed in 2021 it considered to be “widespread”, an additional 10 that were “exploited in the wild”, and seven more where a threat was “impending” because an exploit is available. The company recommends patching impending threats today.   Rapid7’s list excludes browser flaws because they’re already well-covered by Google Project Zero’s zero-day tracker. Instead, Rapid7 focusses on server-side software, meaning its dataset under-represents zero-day exploitation detected in 2021, it said. Rapid7 highlights several startling trends. For example, in 2021, 52% of widespread threats began with a zero-day exploit. What’s “unusual and wildly alarming” about this trend, it said, is that these attacks aren’t just highly targeted ones, as was the case in 2020. Instead, last year 85% of these exploits threatened many organizations rather than just a few. Rapid7 blames much of this trend on the proliferation of affiliates supporting the ransomware industry, which is now dominated by the ransomware-as-a-service model. Last year, 64% of the 33 widely exploited vulnerabilities are known to have been used by ransomware groups, it noted. Its 2021 “widespread” list includes enterprise software from SAP, Zyxel, SonicWall, Accession, VMware, Microsoft Exchange (the ProxyLogon bugs), F5, GitLan, Pulse Connect, QNAP, Forgerock, Microsoft Windows, Kaseya, SolarWinds, Atlassian, Zoho, Apache HTTP Server  and, of course, Apache Log4j. These flaws affected firewalls, virtual private networks (VPNs), Microsoft’s email server, desktop operating system and cloud, a code sharing platform, remote IT management products, and more. Many of the bugs were exploited at a time when most people were still remote working and relying on remote access and VPNs to connect to work. It does however note a few bright spots in 2021, including the US Cybersecurity and Infrastructure Security Agency’s (CISA) frequently updated Known Exploited Vulnerabilities Catalog and its binding directive for federal agencies to patch flaws within a certain timeframe. Also the main reason the security industry can measure such a spike in zero-day attacks is because zero-day exploits are being detected and analyzed quicker. More