More stories

  • Conti ransomware attack on Irish healthcare system may cost over $100 million

    An Irish news outlet is reporting that the country’s healthcare system will have to spend more than $48 million recovering from a widespread ransomware attack by the Conti group that took place last year. In a letter obtained by RTÉ, Health Service Executive interim chief information officer Fran Thompson said the costs associated with the ransomware attack include $14.2 million for ICT infrastructure, $6.1 million to pay for outside cybersecurity assistance, $17.1 million for vendor support and $9.4 million for Office 365.


    The letter was sent to Aontú party leader Peadar Tóibín, and Thompson noted that they are projecting the end cost to be more than $100 million. That $100 million does not include the costs associated with implementing the recommendations passed down in the detailed PWC report on the attack. Conti attacked Ireland’s Health Service Executive in May 2021, causing weeks of disruption at the country’s hospitals. The country refused to pay the $20 million ransom. According to RTÉ and the BBC, dozens of outpatient services were canceled, a vaccine portal for COVID-19 was shut down, and the country spent weeks trying to bring its healthcare IT system back online. The Journal reported that 85,000 computers were turned off once the attack was noticed and that cybersecurity teams went through all 2,000 different IT systems one by one. Irish Foreign Minister Simon Coveney called it a “very serious attack” while Irish Minister of State Ossian Smyth said it was “possibly the most significant cybercrime attack on the Irish State.” Emergency services still operated, but many radiology appointments were canceled, according to a government statement. There were delays in COVID-19 test result reporting as well as delays with issuing birth, death, or marriage certificates. Pediatric services, maternity services, and outpatient appointments in certain hospitals were all affected by the attack, according to The Journal.

    Dublin’s Rotunda Hospital, The National Maternity Hospital, St Columcille’s Hospital, Children’s Health Ireland (CHI) at Crumlin Hospital and The UL Hospitals Group all reported varying levels of IT outages. Health Minister Stephen Donnelly added that the HSE payment system was downed by the attack. The 146,000 people working in the healthcare industry faced issues with full payment. Ransomware experts said that while the numbers seem large, ransomware recovery is an incredibly complex process. Emsisoft threat analyst Brett Callow said recovery costs can be extraordinarily high, as evidenced by the situation facing Scripps Health. After a ransomware attack in May 2021, Scripps Health estimated its losses for Q3 of that year to be $112.7 million. “It should be noted that some of the costs associated with incidents are effectively catch-up spending as organizations address whatever weaknesses enabled the attack to succeed,” Callow said. “In other words, they pay off their security debt. Additionally, the costs do not necessarily include the remediation of the incident. Lost trust, lost opportunities, and class actions can all have an ongoing impact.” Recorded Future ransomware expert Allan Liska noted that major municipalities in the US have similarly had to spend millions recovering from ransomware attacks. Baltimore, Atlanta, and other cities have had to spend millions on ransomware recovery.

    While the numbers seen in Ireland are high, Liska said it accurately reflects how devastating and thorough the attack on HSE was. It also showed that HSE is serious about not only recovering, but improving its security going forward. “That 100 million number likely reflects not just the recovery but implementing new security protocols, adding new capabilities and erasing what is likely years of technical debt that had been accumulating. Most organizations don’t do that during a recovery, they do some of it. You almost have to, but they can’t afford to implement everything they need to fully protect their organizations,” Liska said. “I think people are amazed at how much recovering from a ransomware attack can really cost. When Baltimore was hit with a ransomware attack recovery costs were estimated at $18 million. Atlanta spent $17 million to recover. Ransomware recovery is expensive, we (the public) just don’t see the true costs most of the time.”

  • Ping Identity reports nearly $300 million revenue for 2021

    Ping Identity delivered better-than-expected fourth quarter earnings results on Thursday, reporting Q4 revenue of $75.4 million and total revenue for the full year of $299.4 million. The company, which “delivers intelligent identity solutions for the enterprise,” reported a non-GAAP net loss per share of $0.13 for the quarter and non-GAAP net earnings per share of $0.10 for the full year.


    Wall Street was expecting a non-GAAP loss of $0.10 a share and revenue of $71.4 million for the quarter. “We and our customers are building a new security perimeter focused on identity and Zero Trust, one that aims to do away with the data-center perimeter that permeated the past,” said Andre Durand, Ping Identity’s CEO. “In 2022, we are centered on four strategic growth pillars: further driving our cloud transformation, extending our leadership in the customer use case, deepening our channel relationships, and ensuring our solutions drive accelerating demand among our enterprise customers in existing and new markets.” For the fourth quarter, the company reported an ARR of $312.7 million, a 21% increase compared to last year. Subscription revenue was $70.4 million, or 93% of total revenue. SaaS revenue grew 56% to $16.9 million in the fourth quarter, driven by the adoption of Ping Identity’s PingOne solutions. For the full year, SaaS revenue was $57.6 million. The company ended 2021 with 1,468 customers, 71 of which had more than $1.0 million in ARR. Ping Identity is modeling first quarter revenue between $78 million and $82 million, with a total ARR between $320 million and $324 million. For the full year, Ping Identity predicted a total ARR between $378 million and $385 million as well as revenue between $330 million and $340 million. “We delivered yet another strong quarter including a significant milestone as we surpassed 25% of our ARR coming from SaaS,” said Raj Dani, Ping Identity’s Chief Financial Officer. “With year-over-year ARR growth of 21%, we’ve now seen four quarters of sequential accelerating ARR growth and expect this trend to continue on the glidepath towards our long-term goal of $1 billion in ARR.”


  • White House denies report about cyberattack plans against Russian infrastructure

    The White House has denied reports that it is considering a range of cyberattacks on Russian infrastructure in response to the invasion of Ukraine. 


    The denials came after NBC News reported US President Joe Biden was offered options that included the use of American cyberweapons “on a scale never before contemplated.” Reporters for NBC News claimed they were told by two US intelligence officials, one Western intelligence official, and another person briefed on the matter that Biden was given options such as shutting off electric power in Russia, disrupting the country’s internet connectivity, and damaging railroad switches. One official claimed the US could “do everything from slow the trains down to have them fall off the tracks.” Within an hour of the story being published, multiple White House officials came out against it, denying its accuracy. White House spokesperson Emily Horne called the story “wildly off base.” “This report on cyber options being presented to [the President] is off base and does not reflect what is actually being discussed in any shape or form,” said White House Press Secretary Jen Psaki.

    Jen Psaki (@PressSec), February 24, 2022: “This report on cyber options being presented to @POTUS is off base and does not reflect what is actually being discussed in any shape or form.”

    The NBC report noted that some US officials believe that if the cyberattacks simply disrupt systems and refrain from destroying them, they will fall short of being considered “acts of war.” According to the sources that spoke to NBC, the US government would not publicly take credit for the attacks and would most likely carry them out covertly. The denials came before Biden spoke to the press and discussed how the US may respond if cyberattacks expand beyond Ukraine and affect US organizations. “If Russia pursues cyberattacks against our companies, our critical infrastructure, we’re prepared to respond. For months, we’ve been working closely with the private sector to harden our cyber defenses [and] sharpen our response to Russian cyberattacks,” Biden told reporters on Thursday. Ukraine faced a barrage of DDoS incidents and a new form of disk-wiping malware before Russian-backed forces invaded the country on Wednesday. Ukraine has continued to face intermittent DDoS incidents, according to Doug Madory, director of internet analysis at Kentik. He noted that the Ukraine State Cyber Protection Center, the Secretariat of the Cabinet of Ministers of Ukraine, and another platform that hosts some Ukrainian government sites are facing the most DDoS attacks.

    (Image: Internet access in Ukraine on Thursday. Source: Netblocks)

    “The internet of Ukraine is under severe stress presently. Following the initiation of hostilities last night, we began seeing sporadic outages across the country. At the same time, the DDoS attacks directed against Ukrainian institutions that began last week are continuing,” Madory said. Netblocks has also confirmed a number of outages throughout Ukraine since the invasion began, including ones in major cities like Kharkiv and Mariupol. Madory added that he is also seeing DDoS attacks against Russian government websites. Some online, including Netblocks, confirmed that some Russian government sites were inaccessible, but opinions were split on whether access was being intentionally blocked by Russian officials or whether DDoS incidents were causing the issues.

    Russia released its own alert about potential cyberattacks, warning that “in the current tense geopolitical situation, we expect an increase in the intensity of computer attacks on Russian information resources, including critical information infrastructure facilities.” Many experts urged restraint on both sides, warning that cyberattacks on infrastructure have been a red line that few countries have crossed. Coalfire Field CISO John Hellickson said launching a cyberattack would set a dangerous precedent going forward. “Would this cyberattack be considered a direct act of war?” Hellickson asked. “Given the challenges in executing strong cybersecurity across critical infrastructure here at home, a retaliation by Russia and/or their sympathetic allies could have devastating impacts on these services that Americans rely upon. I believe we need to avoid crossing the line of such considerations as it’s difficult to predict the impacts of a likely retaliation.”

  • How to avoid being unwillingly drafted as a cyber combatant in the Russia-Ukraine war

    Got a security roll-out plan for the next few years? Escalate it. Thinking about recruiting more security engineers? Start hiring. Looking for the right time to patch vulnerabilities and refresh passwords? Now’s the time. The Ukraine conflict may feel far away to some of you, but the risk of your network being caught in the crossfire is increasing.

    Ukraine’s relationship with NATO

    News reports say that a shooting war is beginning on the Russia/Ukraine border. To understand how this conflict may escalate outside the Baltic region, it’s important to understand Ukraine’s relationship with NATO. NATO member states have a series of obligations they have agreed upon, most notably a mutual protection pact. Ukraine, while not a NATO member, is considered a NATO partner. The NATO document, “Relations with Ukraine,” provides important insights into how NATO will interpret hostilities towards Ukraine: “NATO has adopted a firm position in full support of Ukraine’s sovereignty and territorial integrity within its internationally recognised borders.”


    Right now, that full support doesn’t include sending troops up against Russian forces. In fact, NATO’s position is more denunciation than outright hostility. The members state, “The Allies strongly condemn and will not recognise Russia’s illegal and illegitimate annexation of Crimea, and denounce its temporary occupation.” Fundamentally, the NATO allies can’t ignore Russia’s actions. And while nobody wants World War III, NATO likely isn’t going to sit this thing out. Enter cyberwar.

    Russia and cyberwar

    Russia’s hacking activities have been making news for years:

    While not all these activities can be traced directly back to government operatives, there’s almost always a government link somewhere in the chain. Next, let’s look at how much the global IT industry has accepted Russian companies as full partners. At the top of the list is Kaspersky. Statista lists Kaspersky as the fourth largest (in terms of market share) anti-malware vendor for Windows machines. Kaspersky has long been fighting allegations of being cozy with the Russian government, but there is a case for why the connection is under scrutiny. If Russia wanted to attack the west, it’s got a ready-made channel to do so: the anti-malware software designed to defend against just that risk. Keep in mind that Russian developers have built a lot of the code we incorporate into our projects. Normally, that wouldn’t cause any more worry than working with any other developer. But if Russia suddenly takes an adversarial position with NATO allies, the Russian coders we’ve been working with may suddenly turn into enemy combatants. In 2020, Russia’s IT outsourcing market hit $6.75 billion, according to a report from IDC in ComputerWeekly. Outsourcing is the process of assigning IT operations to other organizations, so the client company doesn’t have to do the work. Unfortunately, outsourcing also assigns control of IT operations to the vendor organization.
    If Russia turns into an adversarial actor, the control ceded by western companies to Russian outsourcing operations may well be the equivalent of giving all their passwords and authentication codes to the Russian government. So let’s sum up the risk: In general, working with our fellow IT professionals in Russia can be a productive and positive experience. But if they suddenly turn to the dark side of the force due to this war, western IT security could be badly exposed.

    Prepare your networks

    Russia already has a history of attacking and breaching western companies and networks, and even tampering with elections. How bad will it get if there’s a shooting war between Russia and Ukraine and a rhetoric war between NATO and Russia? Most likely, both sides — who don’t want to chance a nuclear conflagration — will lob soft attacks at each other. We can expect propaganda attacks through social media, designed to give western populations a false view of the issues of the day. According to the FBI, Russian misinformation has been an ongoing problem. And then there’s cyberwar. Expect both sides to launch attacks against each other. Cyberattacks have some degree of plausible deniability: they’re sometimes hard to trace, and it’s difficult to point to rubble and bodies on the news, but the damage they do is still considerable. If the situation on the Russia/Ukraine border escalates, expect Russia to launch cyberattacks. They won’t necessarily be visible attacks, either. Distributed denial of service attacks are messy, but they’re like active sonar — you can tell when you’ve been pinged. Advanced persistent threats, on the other hand, are stealthy. They dig into your networks and camp out. Sometimes they exfiltrate information. Sometimes they modify information. Sometimes, they break things. APTs have been known to enter a network and live there for months and even years. These attacks aren’t just going to be limited to government networks.
    They’ll target networks all across NATO economies, possibly even yours. When that attack hits, you’re suddenly in the line of fire. If you’re one of the many IT pros who read ZDNet, mitigating that attack is your responsibility. And that’s why, due to a war halfway around the globe, there’s a chance your network will be a target.

    Stay vigilant

    If you outsource to a Russian IT vendor or use Russian-based security software, it might be time to evaluate your potential risk level. We can’t automatically assume that Russian vendors will give up their market advantage to support a war, but you’ll need to watch those relationships with great care. If your vendors suddenly seem to change attitude or personality, pay attention. And make sure you have a failover plan in place with alternative vendors. I know you have other priorities. We always do. But here’s the thing. Any network manager stands a good chance of being in the line of fire for a cyberwar with Russia. If this thing goes long or escalates, it will no longer be a matter of if, but when. You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.

  • Want to boost your cybersecurity? Here are ten steps you can take to improve your defenses now

    Ukraine was being hit by cyber-attacks well before Russia launched its invasion. DDoS attacks and wiper malware were among the cyber threats which targeted Ukrainian government ministries, banks, media and other services, but there are also other examples from recent history.


    Russia has been accused of being behind attacks that took down Ukrainian power grids in December 2015, and it’s thought that the Russian military was also behind the widespread and disruptive NotPetya malware attack of June 2017. NotPetya was designed to target organisations in the Ukrainian financial, energy and government sectors, but the impact quickly spread to organisations around the world. And as the conflict continues, firms far from that geography have been urged to check their security posture. As NCSC CEO Lindy Cameron commented just a few days ago, “Cyber attacks do not respect geographic boundaries”, warning that cyber attacks can have international consequences, intentional or not. The NCSC has urged organisations to take action to secure their networks. And there are steps which can be taken – some of which are relatively simple – which can increase resilience against most cyber attacks.

    1. Apply patches and security updates

    Applying patches and security updates to operating systems and software is the best way to close vulnerabilities in networks. Many cyber attacks actively look to exploit unpatched software as an easy backdoor into networks. Devices and software with known security vulnerabilities should be patched immediately.

    2. Use strong passwords

    A common way for cyber attackers to breach networks is to simply guess usernames and passwords – particularly if the organisation uses cloud services like Microsoft Office 365 or Google Workspace. Users should be urged not to use common, easy-to-guess passwords and instead to manage passwords with a password manager. Any devices on the network with default passwords should have them changed.

    3. Use multi-factor authentication

    Multi-factor authentication (MFA) provides an additional barrier to cyber attacks and should be applied to all users. The benefit of multi-factor authentication is that even if a username and password have been stolen or correctly guessed, it’s still very difficult for attackers to access the account. If MFA is correctly configured, the user will be alerted to any attempt to log in to their account; if they are alerted to an attempt to access an account and it wasn’t them, they should be encouraged to report it to the information security team.

    4. Teach phishing awareness

    Many cyber attacks start with phishing emails, and staff should be trained in how to identify some of the most common techniques cyber attackers use, as well as how to report phishing emails for further investigation. Some phishing attacks are more sophisticated and harder to identify, but even in those cases, if a user thinks they’ve fallen victim to a phishing attack, they should be encouraged to come forward – without repercussions – in order to help identify and detect the attack so that the intruders can be removed and accounts secured.

    5. Use antivirus software and ensure that it works

    Antivirus software and firewalls can help to detect suspicious links, malware and other threats distributed by cyber attacks, and they should be installed on every device. Like other software, it’s important to confirm that antivirus software is up to date with the latest updates and that it’s active and working correctly.

    6. Know your network

    You can’t defend your network if you don’t know what’s on it, so information security teams should actively be able to identify all devices and users on the network – as well as being able to detect potentially suspicious activity. If a device or user account is acting unusually, by accessing files they don’t need for their job, or moving to parts of the network that are irrelevant to them, it could be an indication that the account has been compromised by cyber criminals attempting to plant malware. Keep logging activity for at least a month, so older activity can be traced to identify how a breach happened.

    7. Back up your network – and regularly test backups

    Backups are a vital component of cyber resilience and they can play a big role in minimising disruption in the event of a cyber attack, particularly ransomware or wiper malware. Backups should be made at regular intervals, a copy of the backups should be stored offline, and they should be regularly tested to make sure they work.

    8. Be mindful of third-party access to your network and supply chains

    Managing IT networks can be complex and that sometimes requires organisations to bring in outside help, providing non-regular users with high-level access. Organisations should have a comprehensive grasp of what access outside users have and be wary of removing security controls. Any access that’s no longer required should be removed. Organisations should also attempt to understand the security practices of businesses in their supply chain – it’s possible that if one of those is breached, their network could be used as a gateway to the larger target.

    9. Have an incident response plan

    Even if organisations have followed all of the relevant advice, they should still draw up a plan of how to react in the event of a cyber attack. For example, if the network is down, how will they communicate a response? Thinking about different scenarios, planning ahead and running training exercises can reduce the impact of a successful cyber attack. “Organisations should recognise the risk that cyber presents to their operations and ensure that they have strong cyber resilience and an ability to detect, respond and remediate threats, and make sure plans are in place to counter any disruptive attacks,” says Stuart McKenzie, SVP of consulting at Mandiant.

    10. Brief the wider organisation about cyber threats

    It’s the job of information security to know about cyber attacks and how to deal with them, but outside the cybersecurity team, it’s unlikely to be common knowledge. Staff ranging from the boardroom to juniors should be aware of the importance of cybersecurity and be made aware of how to report suspected security events. In order for a business to be secure, it’s crucial for everyone to play a part.
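    Step 6 above (know your network, spot accounts touching files or hosts they have no business with, and keep at least a month of logs) is easy to state and harder to operationalise. The following is an added example, not code from the article, the NCSC or any vendor named above: it learns a per-user baseline of which host and share each account normally uses, flags later events outside that baseline, and checks that the retained log history covers at least 30 days. The five-field log layout and every log line are constructed for the example and are not a real product format.

```python
"""
Added example: per-user baseline deviation detection over constructed
file-access log lines, plus a log-retention check (step 6: know your network).
The log format "<ISO timestamp> <user> <host> <share> <action>" is an
assumption made for this example, not a real product's format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. The last few lines show "alice" (an HR account)
# suddenly reading an engineering share and a domain controller at 02:00.
SAMPLE_LOG = """\
2022-02-01T09:02:11 alice fs-hr01 hr-payroll read
2022-02-01T09:15:40 alice fs-hr01 hr-payroll write
2022-02-02T10:01:03 bob fs-eng01 eng-src read
2022-02-03T11:22:09 alice fs-hr01 hr-benefits read
2022-02-04T14:05:55 bob fs-eng01 eng-build read
2022-02-20T08:30:00 alice fs-hr01 hr-payroll read
2022-02-21T02:14:12 alice fs-eng01 eng-src read
2022-02-21T02:16:45 alice dc01 sysvol read
2022-02-21T02:20:03 bob fs-eng01 eng-src read
"""


def parse_log(text):
    """Parse log lines into dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, host, share, action = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "host": host, "share": share, "action": action})
    return events


def build_baseline(events, learn_until):
    """Map each user to the (host, share) pairs seen before the cut-off."""
    baseline = defaultdict(set)
    for e in events:
        if e["ts"] < learn_until:
            baseline[e["user"]].add((e["host"], e["share"]))
    return baseline


def find_deviations(events, baseline, learn_until):
    """Events on or after the cut-off whose (host, share) the user never
    touched during the learning window."""
    return [e for e in events
            if e["ts"] >= learn_until
            and (e["host"], e["share"]) not in baseline.get(e["user"], set())]


def retention_ok(events, now, min_days=30):
    """True when the oldest retained event is at least min_days before now."""
    if not events:
        return False
    return now - min(e["ts"] for e in events) >= timedelta(days=min_days)


def analyse(text, learn_until_iso, now_iso):
    """Run the whole pipeline; timestamps are passed as ISO 8601 strings."""
    learn_until = datetime.fromisoformat(learn_until_iso)
    now = datetime.fromisoformat(now_iso)
    events = parse_log(text)
    baseline = build_baseline(events, learn_until)
    alerts = find_deviations(events, baseline, learn_until)
    return {
        "alerts": [(e["ts"].isoformat(), e["user"], e["host"], e["share"])
                   for e in alerts],
        "retention_ok": retention_ok(events, now),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG, "2022-02-15T00:00:00", "2022-03-05T00:00:00")
    for alert in result["alerts"]:
        print("ALERT: access outside user's baseline:", alert)
    print("30-day log retention satisfied:", result["retention_ok"])
```

    On the constructed log this raises two alerts, both for alice reaching fs-eng01/eng-src and dc01/sysvol, which her two weeks of history never included, while bob's repeat access to his usual share stays quiet. A real deployment would learn the baseline from a longer window and from an authoritative source (file server audit logs, an identity provider), but the shape of the check is the same.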

  • SockDetour backdoor used in attacks on defense contractors, says Unit 42

    Researchers at Palo Alto Networks’ Unit 42 said they discovered a tool — named SockDetour — that serves as a backup backdoor in case the primary one is removed. They believe it’s possible that it has “been in the wild since at least July 2019.” The researchers said the backdoor, which is compiled in 64-bit PE file format, stood out and is hard to detect because it operates filelessly and socketlessly on compromised Windows servers.


    “One of the command and control (C2) infrastructures that the threat actor used for malware distribution for the TiltedTemple campaign hosted SockDetour along with other miscellaneous tools such as a memory dumping tool and several webshells. We are tracking SockDetour as one campaign within TiltedTemple, but cannot yet say definitively whether the activities stem from a single or multiple threat actors,” the researchers explained. “Based on Unit 42’s telemetry data and the analysis of the collected samples, we believe the threat actor behind SockDetour has been focused on targeting US-based defense contractors using the tools. Unit 42 has evidence of at least four defense contractors being targeted by this campaign, with a compromise of at least one contractor.” SockDetour allows attackers to persist stealthily on compromised Windows servers by loading filelessly in legitimate service processes and using legitimate processes’ network sockets to establish its own encrypted C2 channel. The researchers did not find any additional SockDetour samples on public repositories, and the plugin DLL remains unknown. They added that it is being delivered through SockDetour’s encrypted channel and communicating via hijacked sockets. Unit 42 noted that the type of NAS server found hosting SockDetour is typically used by small businesses. The company tied the backdoor to a larger APT campaign they named TiltedTemple. They first identified TiltedTemple while investigating its use of the Zoho ManageEngine ADSelfService Plus vulnerability CVE-2021-40539 and the ServiceDesk Plus vulnerability CVE-2021-44077. “Our initial publications on TiltedTemple focused on attacks that occurred through compromised ManageEngine ADSelfService Plus servers and through ManageEngine ServiceDesk Plus,” the researchers said.
    “The TiltedTemple campaign has compromised organizations across the technology, energy, healthcare, education, finance, and defense industries and conducted reconnaissance activities against these industries and others, including infrastructure associated with five US states. We found SockDetour hosted on infrastructure associated with TiltedTemple, though we have not yet determined whether this is the work of a single threat actor or several.” Unit 42 began its investigation of the TiltedTemple campaign in August 2021 and found evidence that SockDetour “was delivered from an external FTP server to a U.S.-based defense contractor’s internet-facing Windows server on July 27, 2021.” The FTP server also hosted other tools used by the threat actor, such as a memory dumping tool and ASP webshells, according to Unit 42. After analyzing the attack, the company found that at least three other U.S.-based defense contractors were targeted by the same actor. “The FTP server that hosted SockDetour was a compromised Quality Network Appliance Provider (QNAP) small office and home office (SOHO) network-attached storage (NAS) server. The NAS server is known to have multiple vulnerabilities, including a remote code execution vulnerability, CVE-2021-28799,” the researchers said. “This vulnerability was leveraged by various ransomware families in massive infection campaigns in April 2021. We believe the threat actor behind SockDetour likely also leveraged these vulnerabilities to compromise the NAS server. In fact, the NAS server was already infected with QLocker from the previous ransomware campaigns.” Unit 42 noted that the threat actor managed to convert SockDetour into shellcode using the Donut framework open source shellcode generator. When injected into manually chosen target processes, the backdoor “leverages the Microsoft Detours library package, which is designed for the monitoring and instrumentation of API calls on Windows to hijack a network socket.”

  • This new ransomware has been spotted in two very different attacks, say researchers

    A new form of ransomware has been spotted by security company researchers after they saw it being used against two different organisations. Dubbed Entropy, the new ransomware has been detailed by cybersecurity researchers at Sophos, who uncovered it on the networks of two organisations – a media company and a regional government – after being called in to investigate the two separate incidents within the space of a week.


    The attackers compromised the media company by exploiting ProxyShell vulnerabilities to install remote shells on unpatched Microsoft Exchange servers, before using Cobalt Strike, a legitimate penetration testing tool often exploited by cyber criminals, to investigate the network over a four-month period. Analysis of infected machines also revealed that Dridex trojan malware had been installed. Dridex was also detected on the network of the regional government organisation. In this case, Dridex was delivered directly via a phishing email. The malware was then itself used to deliver additional malware and remote access. In this attack, only 75 hours passed between the initial compromise and the cyber criminals stealing data. “They were both using Dridex, and that obviously set off a few alarm bells,” Peter Mackenzie, director of incident response at Sophos, told ZDNet. Dridex has been active since at least 2011 and became a popular tool for cyber criminals to distribute malware, ransomware and other malicious payloads. In 2019, the US Department of Justice announced charges against two Russian nationals suspected of being behind Dridex. In fact, when analysing Entropy, detection tools initially identified the new ransomware variant as Dridex itself because of similarities in the code. Not only that, but analysis of the malware showed that additional work had been done to optimise it. The updated code also contains text that mentions the targeted organisation’s name, followed by “…falls apart. Entropy Increases”, which is a line from John Green’s 2005 novel, Looking For Alaska. Dridex is linked to Evil Corp, a cyber-criminal gang behind a string of ransomware attacks, deploying variants including BitPaymer, DoppelPaymer, WastedLocker, Hades and Macaw ransomware. However, it’s also possible that the code has been borrowed or stolen, and this could be a misdirection attempt by other cyber criminals.
    The nature of the malware ecosystem means it’s extremely difficult to be 100% confident of attribution. As the researchers note, both targets had vulnerable Windows systems that lacked current patches and updates, which allowed them to be compromised. As is the case with many common cyberattacks, including ransomware, patching networks with the appropriate security updates can go a long way to preventing intruders from getting onto the network in the first place – as can applying multi-factor authentication. “In both cases, the attackers relied upon a lack of diligence – both targets had vulnerable Windows systems that lacked current patches and updates,” Sophos said. It noted that properly patched machines, like the Exchange server, would have forced the attackers to work harder to gain initial access to the organisations they penetrated. “A requirement to use multi-factor authentication, had it been in place, would have created further challenges for unauthorized users to log in to those or other machines,” it noted. Organisations can also help prevent attacks by actively monitoring their networks for suspicious activity by potential intruders, which might indicate that something should be investigated and removed. “They will keep trying unless someone kicks them off the network. They’re just going to keep trying, so you have to have a security team either internally or externally that is monitoring your environment and is looking out for these signs that someone is in,” said Mackenzie. “If you don’t support those warning signs, it is just a matter of time before they will eventually win,” he said.

  • Salesforce paid more than $2.8 million in 2021 bug bounties, $12.2 million since 2015

    Salesforce announced this week that it rewarded ethical hackers with more than $2.8 million in bounties for finding vulnerabilities throughout 2021. More than 4,700 reports on suspected vulnerabilities were submitted to Salesforce last year, and the highest bounty paid was $30,000. Since launching its bug bounty program in 2015, Salesforce has paid out about $12.2 million in total and accepted about 22,200 reports. More than $9.5 million of that has come since 2019, according to Salesforce data. Salesforce software engineer Anup Ghatage said engineering teams use data from the bug bounty program “to better understand the tendencies and methodologies of malicious hackers.” “Being able to understand the methods the hackers use to find vulnerabilities allows me to employ the same methods to better secure our software,” Ghatage said. Salesforce explained that once products and features are tested internally, ethical hackers are asked to take a crack at testing security features in sandboxes. As an example, they said the Trailhead Slack App was used as a bounty promotion in August before it was released in September. One hacker who participated in the program, Inhibitor181, said he started out in ethical hacking after becoming a developer. “Not only is it more stimulating and less monotonous to use my programming skills to legally hack into global companies’ products, but it also allows me to do my part in preventing cybercrime. Not all hackers are bad,” they said. In October, Google and Salesforce announced the creation of a vendor-neutral cybersecurity baseline called the Minimum Viable Security Product (MVSP), which they said was an effort to “raise the bar for security while simplifying the vetting process” for third-party vendors.