More stories

  • 'Several combinations of social engineering' used during cyberattack on camera maker Axis

    Camera maker Axis released more details about a cyberattack that started on the night of Saturday, February 19.

    In its initial messages on its website, the Swedish camera giant said it got alerts from its cybersecurity and intrusion detection system on Sunday, February 20, before it shut down all public-facing services globally in the hopes of limiting the impact of the attack. But in a lengthy report about the attack, Axis says someone used “several combinations of social engineering” to sign in as a user on Saturday night “despite protective mechanisms such as multifactor authentication.”

    According to the report, there was no ransomware, but investigators did find malware and discovered that the company’s internal directory services were compromised. Axis claimed no customer information was involved.

    “Inside, the attackers used advanced methods to elevate their access and eventually gain access to directory services. Axis threat detection systems alerted incident staff of unusual, suspicious behavior, and investigations began early Sunday morning. At approximately 9 am CET Sunday morning, IT management decided to bring in external security experts, and at approximately 12:00pm (noon), it was confirmed that hackers were active inside Axis networks. The decision was taken to disconnect all external connectivity immediately as a way of cutting the intruders off,” Axis explained.

    “At 6pm, all network access had been shut off globally. The measure had the intended effect of shutting the intruders off from their access. It also resulted in a loss of external services for Axis staff, such as in- and outbound email. Partner services were also affected, with axis.com and extranets being unavailable. Investigations rapidly showed that parts of the server infrastructure had been compromised while other parts remained intact.”

    The company noted that their global production and supply chain remained “largely unaffected” during the attack. Their first customer-facing service returned on Sunday evening. Most external services were restored by February 27, while others are still waiting on security clearances. Axis said it is still operating in “a restricted mode” with internet-facing services. As of Wednesday, March 2, device upgrades for AXIS OS/Apps are still facing a major outage, and the company’s licensing system is dealing with a partial outage.

    “This will continue as long as the forensic investigation is ongoing and until the cleaning and restoration are completed. This mainly affects our internal work streams and has a very limited effect on customers and partners. We expect the final parts of our customer-facing services to be completely available within a few days,” Axis said. “Needless to say, we are humble in the face of and due to the gravity of the situation. We are also grateful that we were able to catch and stop an ongoing attack before it had much more lasting effects.”

    The company initially announced the outages on Twitter but did not respond to requests for comment. On its status site Friday afternoon, Axis said its Case Insight tool in the US and the Camera Station License System were dealing with partial outages.

  • Senate passes cybersecurity act forcing orgs to report cyberattacks, ransom payments

    The US Senate approved new cybersecurity legislation that will force critical infrastructure organizations to report cyberattacks to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and ransomware payments within 24 hours. 

    The Strengthening American Cybersecurity Act passed by unanimous consent on Tuesday after being introduced on February 8 by Senators Rob Portman and Gary Peters, ranking member and chairman of the Senate Homeland Security and Governmental Affairs Committee. The act combines pieces of the Cyber Incident Reporting Act, the Federal Information Security Modernization Act of 2021, and the Federal Secure Cloud Improvement and Jobs Act — all of which were authored by Peters and Portman and advanced out of committee before floundering. The 200-page act includes several measures designed to modernize the federal government’s cybersecurity posture, and both Peters and Portman said the legislation was “urgently needed” in light of US support for Ukraine, which was invaded by Russia last week. 

    “I’m concerned that, as our nation rightly continues to support #Ukraine during Russia’s illegal, unjustifiable assault, the US will face increased cyber & ransomware attacks from Russia. The federal govt must quickly coordinate its response to any potential attacks.” (Rob Portman, @senrobportman, March 2, 2022)

    “As our nation continues to support Ukraine, we must ready ourselves for retaliatory cyber-attacks from the Russian government… This landmark legislation, which has now passed the Senate, is a significant step forward to ensuring the United States can fight back against cybercriminals and foreign adversaries who launch these persistent attacks,” Peters said. “Our landmark, bipartisan bill will ensure CISA is the lead government agency responsible for helping critical infrastructure operators and civilian federal agencies respond to and recover from major network breaches and mitigate operational impacts from hacks. I will continue urging my colleagues in the House to pass this urgently needed legislation to improve public and private cybersecurity as new vulnerabilities are discovered, and ensure that the federal government can safely and securely utilize cloud-based technology to save taxpayer dollars.”

    The act also authorizes the Federal Risk and Authorization Management Program (FedRAMP) for five years to ensure federal agencies can “quickly and securely adopt cloud-based technologies that improve government operations and efficiency.” The act attempts to streamline federal government cybersecurity laws to improve coordination between federal agencies and requires all civilian agencies to report all cyberattacks to CISA.

    The legislation updates the threshold for agencies to report cyber incidents to Congress and gives CISA more authority to ensure it is the lead federal agency in charge of responding to cybersecurity incidents on federal civilian networks. It now heads to the House for a vote before it makes its way to President Joe Biden’s desk. Peters and Portman said they have been working with chair of the House Oversight Committee Carolyn Maloney as well as Republican and Democratic lawmakers in the House to get the bill approved. Maloney told ZDNet that the act contains the Federal Information Security Modernization Act, a provision she called one of her “top legislative priorities.”

    “The Committee on Oversight and Reform kicked off 2022 with a bipartisan hearing and markup to examine how best to approach FISMA modernization, and we look forward to incorporating those crucial lessons learned as this effort moves through the legislative process,” Maloney said. “FISMA reform will determine our federal cybersecurity posture for years to come, and it is essential that the final bill seizes every opportunity to defend our federal networks from the onslaught of attacks they face daily.”

    In his own statement, Portman also touted the ways the act will update FISMA and provide “the accountability necessary to resolve longstanding weaknesses in federal cybersecurity by clarifying roles and responsibilities and requiring the government to quickly inform the American people if their information is compromised.”

    Both Senators noted that the bill would have applied to the 2021 ransomware attacks on Colonial Pipeline and global meat processor JBS. But the two said the legislation would “help ensure critical infrastructure entities such as banks, electric grids, water networks, and transportation systems are able to quickly recover and provide essential services to the American people in the event of network breaches.”

    CyberSaint co-founder Padriac O’Reilly works directly with critical infrastructure across financial services, utilities, and the government to measure cyber risk. O’Reilly explained that the current cybersecurity landscape has worn down the long-standing recalcitrance of certain critical infrastructure sectors with respect to the 72-hour reporting window for incidents.

    “There are two sections very deep in the legislation that stand out to me. They talk about a budget-based risk analysis for improving cybersecurity and metrics-based approach to cyber in general. This is precisely what is needed and it has been known for some time in the industry,” O’Reilly said. “Section 115 covers automation reporting. This is very timely as automation has been advancing in the private sector and it is key with respect to risk management going forward. I was really impressed to see this in the bill. The government has been trying for years to advance this cause across all agencies and departments. Section 119 really gets at the holy grail in risk management, which is the ability to view cybersecurity risks in a prioritized way with respect to budget.”

  • New Windows 11 test build adds Smart App control, better Microsoft 365 account management

    Microsoft’s newest Windows 11 test build adds a new Smart App Control security feature; improved Microsoft 365 account management; and a handful of other new features. Microsoft made this new build, No. 22567, available to Dev Channel testers on March 2.

    Smart App Control is a security feature that Microsoft is enabling on Windows 11 to block untrusted or potentially dangerous applications. Testers can manually turn on SAC in the Windows Security app under the App & Browser Control section. This feature will only work on devices that apply Build 22567 and higher via a clean install. Officials said they will provide more details about this feature “in the future.”

    Microsoft also has made the Microsoft 365 subscription management capability more visible under Settings > Accounts as of today’s build. In addition, in the subscription card area, Microsoft is enabling users to see their subscription payment information and be notified when their methods need updating through payment details. For those who aren’t Microsoft 365 subscribers, Microsoft plans to provide information on free capabilities and services they still can access via their Microsoft Account on the “Your Microsoft Account” page. These kinds of free services include access to Office Web apps and the ability to view OneDrive storage. It sounds like an ad for moving to a Microsoft 365 subscription to get more functionality will be on this page, as well. Microsoft plans to use its Online Service Experience Packs to bring additional functionality under Settings > Accounts going forward, according to today’s blog post.

    Microsoft will be highlighting the ability to link Android phones to PCs using the Your Phone app by making a QR code available as part of the device setup (OOBE) for Windows 11 as of this build. It also is changing Windows Update to try to schedule updates at a specific time of day to save on carbon emissions — but only when PCs are plugged in and “regional carbon intensity data” is available from its partners electricityMap or WattTime.

    There are a large number of other fixes and updates in Build 22567, which are itemized in Microsoft’s blog post. As Microsoft notes, those running Windows 10 who try to upgrade directly to 22563 or higher in the Dev Channel may get an install failure error code but can bypass this using the instructions in the blog post. Microsoft officials also note they plan to release new ISOs in the next few weeks.

  • Boise State University offering cybersecurity help to Idaho communities through Cyberdome program

    Boise State University and Stellar Cyber announced a new partnership on Wednesday that will see the company’s Open XDR Platform adopted by the university’s Institute for Pervasive Cybersecurity.

    Boise State created its Cyberdome initiative as a way to promote cybersecurity skill development and create a collaborative hub for competency-based training that aims to reduce cyber risk in rural communities and help expand Idaho’s cyber workforce.

    Stellar Cyber’s Open XDR Platform will be used as a teaching tool and as the center of the Cyberdome program. It will be available to any rural or remote community interested in using it. The university said Stellar Cyber’s “intuitive dashboard” and built-in multi-tenant facilities will make it easier for Boise State’s students and mentors to support dozens of different organizations through a single interface.

    By partnering with Stellar Cyber, the university is hoping to increase the number of graduates while providing enterprise-level Security-as-a-Service to rural and remote communities across the state.

    “The cybersecurity market has evolved rapidly since the beginning of the pandemic, especially when it comes to identifying and developing talented cybersecurity personnel, and providing them an environment where they can make an impact, be challenged and feel successful,” said Edward Vasko, CISSP and director at the Boise State Institute for Pervasive Cybersecurity. “Today, Boise State and Stellar Cyber have teamed up to help our partners and our customers resolve these critical challenges.”

    Vasko started the Cyberdome initiative and has 30 years of cybersecurity industry expertise. Jim O’Hara, chief revenue officer at Stellar Cyber, explained that their platform is suited for this kind of usage because it has built-in tools like Network Detection and Response (NDR), Security Information Event Management (SIEM), and Threat Intelligence Platform (TIP). It also can be integrated with third-party security tools like End-point Detection and Response (EDRs), which the university said its students already have been trained to use.

    Boise State added that it wants to provide free Security-as-a-Service services to Idaho’s more than 750 state-funded agencies. The university noted that it already has a Security-as-a-Service relationship with the city of Sun Valley.

    “Cities and public agencies across the country are increasingly falling victim to sophisticated ransomware attacks, and we want to be fully prepared to address them,” said Walt Femling, city administrator for Sun Valley. “Boise State’s new Cyberdome program enables us to outsource our cybersecurity preparedness and enhance our protection against such attacks.”

    Vasko told ZDNet the effort is important for two significant reasons. Protecting rural communities is important due to cyber-adversarial approaches that identify the “weakest link” to attack, Vasko explained.

    He added that far too often, in the interconnection of local, county and state government entities, it is the rural local/county communities that are unable to afford advanced technologies and, more importantly, people who are forced to configure, run and operate them. As a result, cyber-adversaries establish beachheads through these rural communities and then leverage existing chains of trust that exist to find access to other interconnected state, county and community services, Vasko explained.

    “The second reason this is important right now is because we are listening to the needs of employers hiring our cyber students by ‘shifting left’ the competency development of security analysts and engineers. According to cyberseek.org, the nation has over 400,000 openings in cybersecurity. The Cyberdome enables employers to know that Boise State and our Idaho education partners are readying cyber professionals with the right level of skills and knowledge to be effective in a much shorter timeframe than other universities,” Vasko said.

    “We have students from around Idaho participating in the program. While Boise State provides the centralized operating environment, our education partners are providing students to collaborate, learn, and obtain real-world experience before graduating.”

    Vasko added that the Cyberdome and the university’s work with rural communities is something completely new, providing monitoring and detection services to regions in desperate need of cybersecurity help. He noted that Stellar was chosen because the company has strong support for the Managed Security Service Provider (MSSP) market.

    “This means their platform provides certain kinds of functionality ‘out of the box’ as a result. For example, by partnering with Stellar, the Cyberdome supports multi-tenancy out of the box, is enabled with OpenXDR approach, and strong AI/ML decisioning. The Stellar platform also is head and shoulders above open-source projects. The analysis we did showed that going to an open source model would have required more time, energy, and upkeep to enable, and run and operate. This time saved will enable us to engage our students with advanced real-world skill development in threat hunting, forensics, etc.,” Vasko said. “Boise State and our education partners in Idaho are committed to solving the workforce gap in cybersecurity. We believe there is a need to help foster long lasting connections between industry and our community to make it even easier for our trained students to find not just a job, but the right opportunity as they groom their cybersecurity career.”

  • Ukraine calls for corporate support as Oracle suspends Russian operations

    Ukraine’s government has called on Oracle and SAP to end business relationships with entities tied to Russia immediately. 

    On March 2, Ukraine’s Vice Prime Minister and Minister of Digital Transformation, Mykhailo Fedorov, tweeted a copy of letters addressed to Oracle co-founder and CTO Larry Ellison, Oracle CEO Safra Catz, and SAP’s chief executive officer Christian Klein. The letters are similar in their appeals, and both request an end to business relationships in Russia in response to the current invasion of Ukraine by the country.

    In the letter sent to Oracle’s leadership, Fedorov said, “Ukraine is now on the frontline of the defense of the principles of democracy and freedom in the face of the war waged by [the] Russian Federation.” “The IT industry always supports values of responsibility and democracy. I believe your country shares them.” The Ukrainian leader went on to say that Ukraine “calls on your company to end any relationships and stop doing business in/with [the] Russian Federation, in particular, to stop providing support, maintenance, and software updates for Oracle products until the conflict is resolved and fair order is restored.”

    In communication with SAP, Fedorov said that “modern technology in 2022 is also the way we can defend our country and citizens, and that’s why we need your support.” “We hope that you will not only hear, but also do everything possible to protect Ukraine, Europe, and finally, the whole world from bloody Russian aggression. […] Thus, I appeal to you to stop providing SAP services and products until Putin’s attack on our country [is] over.”

    Update 17.15 GMT: Oracle has tweeted: “On behalf of Oracle’s 150,000 employees around the world and in support of both the elected government of Ukraine and for the people of Ukraine, Oracle Corporation has already suspended all operations in the Russian Federation.”

    Fedorov responded, “With gratitude from all the free people of Ukraine!”

    The official also published an open letter to game developers on March 2, requesting a temporary block on all Russian and Belarusian account holders, including a temporary ban on their participation in international e-sports events.

    In related news, on Tuesday, Apple said product sales have been paused in Russia, exports to sales channels have been stopped, and the Russian state-controlled RT News and Sputnik News outlet apps have been revoked from the App Store outside of the country. In addition, the iPad and iPhone maker said it “has disabled both traffic and live incidents in Apple Maps in Ukraine as a safety and precautionary measure for Ukrainian citizens.”

    Ukraine has also asked for Russia’s top-level domains (TLD) to be revoked, alongside their SSL certificates. ZDNet has reached out to Oracle and SAP, and we will update when we hear back.

  • NATO cybersecurity center finishes tests of quantum-proof network

    The NATO Cyber Security Centre (NCSC) has completed its test run of secure communication flows that could withstand attackers using quantum computing.

    Konrad Wrona, principal scientist at the NCSC, told ZDNet that it is becoming increasingly important to create protection schemes against current and future threats.

    “Securing NATO’s communications for the quantum era is paramount to our ability to operate effectively without fear of interception,” Wrona said. “The trial started in March 2021. The trial was completed in early 2022. Quantum computing is becoming more and more affordable, scalable and practical. The threat of ‘harvest now, decrypt later’ is one all organizations, including NATO, are preparing to respond to.”

    The NCSC, which is run by the NATO Communications and Information Agency (NCI Agency), protects NATO networks around the clock and worked with UK company Post-Quantum to conduct the test. Allied Command Transformation’s VISTA framework financed the project.

    Post-Quantum provides organizations with different algorithms to ensure security even if attackers are using quantum computing. A VPN can use algorithms to secure communications, ensuring that only the correct recipient can read the data, the company claimed.

    Wrona said the NCSC does not have a follow-on contract with Post-Quantum but sees the potential of technologies like what Post-Quantum offers and will continue to look into the technology.

    Andersen Cheng, CEO of Post-Quantum, called Post-Quantum a ‘Hybrid Post-Quantum VPN’ because it combines both new post-quantum and traditional encryption algorithms. Cheng said that because it will take many years for the world to completely migrate to a “quantum-safe” future, it is more realistic to combine these new algorithms with better understood traditional encryption in order to ensure interoperability. They noted that this kind of software is increasingly relied upon to protect remote connections when working from outside of traditional office environments and can be used to ensure secure communications between organizations in an operational environment.

    Cheng founded Post-Quantum 12 years ago and said his team had spent a decade developing encryption capable of withstanding a quantum attack. His team has focused on building useable commercial grade ‘quantum-safe’ products like the Hybrid VPN system NATO tested.

    “Our encryption algorithm NTS-KEM (now known as Classic McEliece, after merging with the submission from renowned cryptographer Professor Daniel Bernstein and his team), is now the only ‘code-based’ finalist in the National Institute of Standards and Technology (NIST) process to identify a cryptographic standard to replace RSA and Elliptic Curve, for public-key cryptography (PKC). We’ve also designed a new specification for a quantum-safe VPN as part of the Internet Engineering Taskforce (IETF),” Cheng said.

    “We have undertaken work for a number of high-security stakeholders, such as NATO, but the challenges posed by quantum computers are universal. Everything that we do over the internet today — from buying things online to online banking to nation-state communications — is encrypted. Once a functioning quantum computer arrives, that encryption can be broken. This means that, almost instantly, bank accounts will be emptied, Bitcoin wallets will be drained, and entire power grids will be shut off.”

  • First Windows 11 on Arm laptops arrive with Microsoft's Pluton chip. Here's why it matters

    The first Arm-based laptops with Microsoft’s Pluton security co-processor have arrived in the form of Lenovo’s new ThinkPad X13s, which features Qualcomm’s latest Snapdragon 8cx Gen 3 chipset.

    Microsoft started talking about its Pluton dedicated security chip in November 2020 and predicted it would take a few years to arrive in PCs. In January 2022, the company announced Pluton would come with Lenovo’s AMD Ryzen-6000 ThinkPad Z series laptops; now Pluton is coming to Lenovo’s newest laptop with an Arm-based mobile chipset from Qualcomm.

    Lenovo’s AMD laptops with Pluton will ship in May, while the ThinkPad X13s with the Pluton processor was just announced at Mobile World Congress (MWC) and will be available in April from $1,099 in the US through AT&T and Verizon, according to ZDNet’s sister site CNET. Both laptops are aimed at the business market.

    Pluton is a big deal for Microsoft because it is at the centre of the security capabilities for Windows 11, providing protection in the boot, identity, credential protection and encryption processes.

    Pluton is a security processor architecture designed to store sensitive data like encryption keys securely with hardware that’s integrated into the die of a device’s processor. This makes access more difficult for attackers, even if they have physical possession of a device. With Pluton being on the die of the device’s System on a Chip (SoC), potential attack surfaces, like bus interfaces that pass data between the SoC and other components on a motherboard, are not exposed.

    Microsoft named Intel as its first partner for the Pluton security processor, but it was also working with AMD and Qualcomm. The Pluton design was first integrated as a DRM feature in its Xbox One game console, which has been based on AMD chips since 2013.

    Microsoft’s director of enterprise and OS security, Dave Weston, details some of the work on hardware and security that’s gone into the collaboration in a blogpost.

    “Pluton will leverage advanced hardware capabilities while built-in security countermeasures from PAC [Pointer Authentication Codes] protect against common exploit patterns to help customers strengthen their device security posture,” Weston said.

    The other advantage of Pluton-powered PCs is that users will get firmware updates that Microsoft has verified on a predictable timeline, just like its Patch Tuesday updates on the second Tuesday of each month.

    “You’re getting better protection against physical attacks, you’re getting Microsoft verification of firmware to stop some of the new firmware attacks, and we’re going to update this thing every month just like it’s Patch Tuesday,” Weston previously told ZDNet.

    The Arm pointer protection (PAC) will protect boot processes, bus interfaces that pass data between the Qualcomm chip and other components on a motherboard, and will keep the Pluton processor’s firmware up to date through Windows Update.

    So, Pluton-capable laptops won’t necessarily spell the end of firmware updates from multiple hardware manufacturers, but at least this particular piece of hardware won’t depend for delivery on anyone but Microsoft.

    Weston argues it could also mitigate so-called return-oriented programming (ROP) attacks, which are dangerous and common enough that Intel has developed hardware-based security answers to thwart them. Pluton brings similar protections against ROP attacks to Arm systems.

    “With Windows 11 on the Snapdragon 8cx Gen 3, the ARM pointer authentication hardware capability provides similar robust mitigation against exploits that leverage return-oriented programming (ROP) or stack modification techniques on ARM-based Windows systems,” Weston said in the blog post.

    “Windows binaries are compiled with Pointer Authentication Code instructions, injecting a hash (the PAC) for return addresses at function prologue and verifying the hash immediately before function return to verify that the return address has not been tampered. Windows 11 utilizes the Snapdragon 8cx Gen 3 hardware schemes to generate and verify the PAC to provide resilience against attacks that overwrite the intended return address. This helps to break a common technique attackers use to try to execute malicious code,” he said.

  • DDoS attackers have found this new trick to knock over websites

    Distributed denial of service (DDoS) attackers are using a new technique to knock websites offline by targeting vulnerable ‘middleboxes’, such as firewalls, to amplify junk traffic attacks. Amplification attacks are nothing new and have helped attackers knock over servers with short bursts of traffic as high as 3.47 Tbps. Microsoft last year mitigated attacks on this scale that were the result of competition between online-gaming players.

    But there’s a new attack on the horizon. Akamai, a content distribution network firm, says it has seen a recent wave of attacks using “TCP Middlebox Reflection”, referring to transmission control protocol (TCP) – a founding protocol for secured communications on the internet between networked machines. The attacks reached 11 Gbps at 1.5 million packets per second (Mpps), according to Akamai.

    The amplification technique was revealed in a research paper last August, which showed that attackers could abuse middleboxes such as firewalls via TCP to magnify denial of service attacks. The paper was from researchers at the University of Maryland and the University of Colorado Boulder.

    Most DDoS attacks abuse the User Datagram Protocol (UDP) to amplify packet delivery, generally by sending packets to a server that replies with a larger packet size, which is then forwarded to the attacker’s intended target. The TCP attack takes advantage of network middleboxes that don’t comply with the TCP standard. The researchers found hundreds of thousands of IP addresses that could amplify attacks by over 100 times utilizing firewalls and content filtering devices.

    So, what was a theoretical attack just eight months ago is now a real and active threat. “Middlebox DDoS amplification is an entirely new type of TCP reflection/amplification attack that is a risk to the internet. This is the first time we’ve observed this technique in the wild,” Akamai says in a blogpost.

    Firewalls and similar middlebox devices from the likes of Cisco, Fortinet, SonicWall and Palo Alto Networks are key pieces of corporate network infrastructure. Some middleboxes, however, don’t properly validate TCP stream states when enforcing content filtering policies.

    “These boxes can be made to respond to out-of-state TCP packets. These responses often include content in their responses meant to “hijack” client browsers in an attempt to prevent users from getting to the blocked content. This broken TCP implementation can in turn be abused to reflect TCP traffic, including data streams, to DDoS victims by attackers,” Akamai notes.

    Attackers can abuse these boxes by spoofing the source IP address of the intended victim to direct response traffic from the middleboxes. In TCP, connections use the synchronize (SYN) control flag to exchange key messages for a three-way handshake. The attackers abuse the TCP implementation in some middleboxes that causes them to unexpectedly respond to SYN packet messages. In some cases, Akamai observed that a single SYN packet with a 33-byte payload produced a 2,156-byte response, amplifying its size by 6,533%.
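A detection-side sketch of the out-of-state SYN behaviour described above, as an added example that is not from the article, Akamai or the researchers: it parses raw IPv4/TCP headers and flags SYN packets that carry a payload, which a middlebox operator could log or drop at the edge. The sample packets, documentation-range addresses and filler payload are constructed, and the exemption for TCP Fast Open (option kind 34, RFC 7413), the one standard case of data on a SYN, is an assumption about what a site treats as legitimate.

```python
import struct
from collections import Counter

SYN, ACK = 0x02, 0x10
TFO_KIND = 34  # TCP Fast Open cookie option: legitimate data-on-SYN (assumed exemption)


def option_kinds(opts: bytes) -> set:
    """Walk the TCP options area and return the set of option kinds present."""
    kinds, i = set(), 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of option list
            break
        if kind == 1:            # NOP is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2:
            break                # malformed length: stop rather than loop forever
        kinds.add(kind)
        i += opts[i + 1]
    return kinds


def parse_ipv4_tcp(pkt: bytes):
    """Return the fields the heuristic needs, or None if not a sane IPv4/TCP packet."""
    if len(pkt) < 40 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len > len(pkt) or total_len < ihl + 20:
        return None
    tcp = pkt[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4
    if data_off < 20 or data_off > len(tcp):
        return None
    sport, dport = struct.unpack("!HH", tcp[:4])
    return {
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "sport": sport,
        "dport": dport,
        "flags": tcp[13],
        "payload_len": len(tcp) - data_off,
        "options": option_kinds(tcp[20:data_off]),
    }


def is_out_of_state_syn(info: dict) -> bool:
    """A bare SYN (no ACK) carrying data without a Fast Open cookie."""
    flags = info["flags"]
    return (bool(flags & SYN) and not flags & ACK
            and info["payload_len"] > 0 and TFO_KIND not in info["options"])


def flag_packets(packets):
    """Return flagged packets plus a count per claimed source (the likely victim)."""
    parsed = (parse_ipv4_tcp(p) for p in packets)
    flagged = [p for p in parsed if p and is_out_of_state_syn(p)]
    return flagged, Counter(p["src"] for p in flagged)


def amplification_percent(request_payload: int, response_bytes: int) -> int:
    """Response size as a percentage of the request payload, as the article reports it."""
    return round(response_bytes / request_payload * 100)


def build_packet(src, dst, sport, dport, flags, payload=b"", options=b""):
    """Build a constructed sample packet (checksums left at zero, never sent)."""
    options += b"\x01" * (-len(options) % 4)  # pad options with NOPs to 32-bit words
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                      ((20 + len(options)) // 4) << 4, flags, 65535, 0, 0)
    tcp += options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp


# Constructed samples: a normal SYN, a SYN with a 33-byte filler payload,
# a Fast Open SYN with data, and ordinary PSH|ACK data in an open connection.
SAMPLES = [
    build_packet("198.51.100.7", "192.0.2.10", 40001, 443, SYN),
    build_packet("203.0.113.5", "192.0.2.10", 40002, 80, SYN, payload=b"X" * 33),
    build_packet("198.51.100.9", "192.0.2.10", 40003, 443, SYN, payload=b"hello",
                 options=bytes([TFO_KIND, 6]) + b"\x00" * 4),
    build_packet("198.51.100.7", "192.0.2.10", 40001, 443, 0x18, payload=b"data"),
]

if __name__ == "__main__":
    flagged, by_source = flag_packets(SAMPLES)
    for p in flagged:
        print(f"SYN with {p['payload_len']}-byte payload: {p['src']} -> {p['dst']}:{p['dport']}")
    print("claimed sources:", dict(by_source))
    print("amplification for 33 -> 2156 bytes:", amplification_percent(33, 2156), "%")
```

Because the source address on such packets is spoofed, the per-source count identifies the addresses being targeted, not the sender.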