More stories

  • This sneaky ransomware is now targeting Linux servers, too

    One of the most prolific families of ransomware now has additional Linux and VMware ESXi variants that have been spotted actively targeting organisations in recent months. Analysis by cybersecurity researchers at Trend Micro identified LockBit Linux-ESXi Locker version 1.0 being advertised on an underground forum. Previously, LockBit ransomware – which was by far the most active ransomware family at one point last year – was focused on Windows.


    LockBit has a reputation as one of the sneakiest forms of ransomware, and the Linux and VMware ESXi variant means it could potentially spread even further, encrypting a wider variety of servers and files – and driving up the pressure on a victim to give in and pay a ransom for the decryption key.

    “The release of this variant is in line with how modern ransomware groups have been shifting their efforts to target and encrypt Linux hosts such as ESXi servers,” said Junestherry Dela Cruz, threats analyst at Trend Micro. “An ESXi server typically hosts multiple VMs, which in turn hold important data or services for an organization. The successful encryption by ransomware of ESXi servers could therefore have a large impact on targeted companies.”

    By targeting Linux, LockBit is following in the footsteps of other ransomware groups, including REvil and DarkSide, but the popularity of LockBit ransomware-as-a-service means that attacks could have a much wider impact, and organisations should be aware of the potential threat.

    Like many other ransomware attacks, LockBit steals information from compromised networks and threatens to publish it if the ransom isn’t received – and that ransom demand can amount to millions of dollars. As with previous versions of LockBit, the Linux variant features a note from the attackers that attempts to lure people into handing over corporate account details to further spread ransomware, in exchange for a cut of the profits – although it’s unclear whether attempting to attract insiders to give up secrets in this way actually works.

    Researchers suggest that ransomware is harder to detect on Linux, but that implementing best security practices still provides the best chance of preventing the network from falling victim to an attack. This includes keeping systems up to date with the latest security patches to prevent intrusions, especially as LockBit is known to exploit vulnerable servers to help it spread. Those behind LockBit attacks have also been known to exploit stolen usernames and passwords, so if it’s known that a password has been part of a data breach, it should be changed. It’s also recommended that multi-factor authentication is applied across the entire ecosystem to provide an additional layer of defence against attacks.

  • 'We're losing control of our data' as breaches reach an all-time high

    The number of data breaches hit a record high last year, and experts are concerned explicitly with the increasing number of cyberattacks.


    According to the 2021 Annual Data Breach Report published by the Identity Theft Resource Center (ITRC) on Monday, the overall number of data compromises (1,862) is up more than 68% compared to 2020 (1,108). Out of the 1,862 compromises, 1,600 were cyberattacks.

    “The thing that probably concerns me the most is that not only was last year a record high for data compromises but that so many of them were cyberattacks. And particularly, they were the kind of cyberattacks that it’s very difficult for individuals to react to,” James E. Lee, the COO of ITRC, told ZDNet.

    Lee said the previous all-time high for data breaches from all causes was 1,500 back in 2017, so the fact that cyberattacks alone accounted for 1,600 compromises last year is a considerable concern for individuals and businesses alike.

    “We’re talking about losing control over our data by another party, and there’s not very much a consumer can do to prevent that from happening,” he said. “To me, that is very concerning that we’ve now gotten to the point where we’ve got so many cyberattacks going on, it’s hard for an individual consumer to keep up.”

    Another concern outlined in the report is the increasing number of ransomware attacks. Over the past two years, ransomware-related data breaches have doubled — from 83 in 2019 to 321 in 2021. “If we continue on pace where we are right now, ransomware will become the number one root cause of data breaches by the end of 2022, surpassing phishing,” Lee said.

    Even with the number of overall data compromises reaching an all-time high, the report revealed that the number of victims continues to decrease (down 5% in 2021 compared to 2020) as identity criminals focus more on specific data types than on mass data acquisition. Lee said the reason is a shift from identity theft, or stealing someone’s data, to identity fraud, or committing some other crime or making money off that stolen data.

    “People who are seeking data are being more sophisticated about it, their attacks are more complex, and then how they turn around and use that, how they monetize that, is equally as sophisticated, equally as complex,” he said.

    Lee said that the ITRC also found that fewer details are being published in breach notices, making it more difficult for businesses and consumers to figure out how to protect themselves, or even to find out that a breach occurred.

    To help with this problem, the ITRC is introducing a free alert service for consumers within the next two months. The service will allow individuals to create a list of companies they interact with — whether that be their bank, mobile phone carrier, or credit card company — and receive email alerts from the ITRC when one of those organizations is breached, with a link to full details. In addition, Lee said the ITRC would introduce a more robust, paid version of the same service for businesses.

    Lee added that if people find out they have been affected by a data breach this year, it doesn’t always mean the worst.

    “The first thing to remember is a data breach does not mean your information is being misused; it just means it’s been exposed,” he said. “There’s no reason to panic just because you got a data breach notice. However, you do need to act on it.”

    Consumers who receive a breach notification, or who want to prepare for one proactively, can change their passwords frequently and make sure they are long and unique. Lee said it’s also important to freeze your credit if you get a data breach notification and to get in the habit of using a multi-factor authentication app.

    On the business side, Lee said training should be a huge priority for everyone in an organization. “More than anything else, security has to be part of an organization’s culture,” he said. “You have to make it something that everybody understands that they have both a personal and a professional responsibility to help.”

  • This cruel Android malware wipes phones after stealing money

    The BRATA Android remote access trojan began life as spyware but was upgraded to a banking trojan and now can perform a device factory reset, according to new research. Victims of Android malware are often advised to perform a factory reset after cleaning up an infection, but BRATA now does the reset for another reason: in order to wipe any evidence after conducting an illicit wire transfer from the victim’s online bank account.


    BRATA, or “Brazilian RAT Android”, was named by Kaspersky researchers in 2019 because it exclusively targeted Android users in Brazil. Since then, it has broadened its reach to US and Spanish bank brands, according to McAfee.

    Security firm Cleafy analyzed three new BRATA variants, and its researchers reckon BRATA’s authors are using the factory reset to impede victims from discovering an unauthorized wire transfer attempt, which blocks victims from reporting and stopping a fraudulent transaction. The factory reset acts as a kill switch that is executed after a successful illicit wire transfer or when the malware detects analysis by installed security software. “It appears that [threat actors] are leveraging this feature to erase any trace, right after an unauthorized wire transfer attempt,” Cleafy notes.

    “In this way, the victim is going to lose even more time before understanding that a malicious action happened.”

    The factory reset is achieved by BRATA posing as a legitimate security app that asks the victim to grant it the powerful Android “device admin” permission, which allows the app to erase all data, change the screen lock and set password rules.

    Beyond the factory reset functionality, BRATA can now monitor the victim’s bank app through VNC and with mobile keylogging techniques. BRATA has also expanded its targets to include bank brands from the UK and Poland, in addition to existing financial brands in Italy and Latin America.

    BRATA is spread using SMS messages that impersonate a bank and contain a link to a website where the victim is duped into downloading an anti-spam app, according to Cleafy. The fraudsters then call the victim and trick them into installing the banking trojan app, which allows the attacker to capture second-factor authentication codes sent by the bank and use them to conduct fraud.

    To monitor accounts, the malicious BRATA Android apps obtain Android Accessibility Services permissions to view how victims use their banking apps. The VNC module helps the attackers see what’s on the bank app’s screen, such as the account balance and transaction history. BRATA also takes screenshots of the victim’s screen and sends them to an attacker-controlled server.

  • Staff negligence is now a major reason for insider security incidents

    Insider threats cost organizations approximately $15.4 million every year, with negligence a common reason for security incidents, new research suggests. 

    Enterprise players today are facing cybersecurity challenges from every angle. Weak endpoint security, unsecured cloud systems, vulnerabilities — whether unpatched or zero-days — the introduction of unregulated internet of things (IoT) devices to corporate networks, and remote work systems can all become conduits for a cyberattack. When it comes to the human element of security, a lack of training or cybersecurity awareness, mistakes, and deliberate, malicious actions also need to be accounted for in threat detection and response.

    According to Proofpoint’s 2022 Cost of Insider Threats Global Report, published on Tuesday, insider threats now cost organizations $15.4 million annually, an increase of 34% compared to 2020 estimates.

    The report, conducted by the Ponemon Institute, includes survey responses from over 1,000 IT professionals worldwide, all of whom have experienced a recent cybersecurity incident due to an insider threat. Over the past two years, insider threats have increased “dramatically,” the report says, with 56% of insider-related incidents caused by a negligent employee. In total, 26% of incidents were linked to criminal insider activity, whereas 18% were caused by the theft of employee credentials, potentially made possible through failures to manage personal device security or weak password use.

    Staff or contractor negligence has cost the organizations included in the research roughly $6.6 million; criminal activity — which could include insider damage, data theft, or the deliberate deployment of malware — accounted for $4.1 million, and attacks made possible by credential theft cost $4.6 million.

    When a cybersecurity incident was detected, it took impacted organizations an average of 85 days to resolve the situation — an increase from 77 days in Proofpoint’s previous report. Only 12% of reported incidents were contained within 30 days.

    The average cost to contain an insider-related cybersecurity incident was reported as $184,548, but this amount can be far higher depending on the size of the firm impacted. Annually, US companies spent $17.53 million to resolve insider incidents, whereas European organizations spent roughly $15.44 million.

    “Months of sustained remote and hybrid working leading up to ‘The Great Resignation’ has resulted in an increased risk around insider threat incidents, as people leave organizations and take data with them,” commented Ryan Kalember, executive VP of cybersecurity strategy at Proofpoint. “In addition, organizational insiders, including employees, contractors, and third-party vendors, are an attractive attack vector for cybercriminals due to their far-reaching access to critical systems, data, and infrastructure.”

  • Microsoft warns about this phishing attack that wants to read your emails

    Microsoft is warning that Office 365 customers are receiving phishing emails that aim to trick them into giving OAuth permissions to a bogus app that then lets attackers read and write emails. Microsoft’s Security Intelligence team warned this week that attackers are sending the OAuth phishing emails to “hundreds” of Office 365 customers.


    The potentially malicious app, dubbed ‘Upgrade’, asks users to grant it OAuth permissions that would allow attackers to create inbox rules, read and write emails and calendar items, and read contacts, according to Microsoft Security Intelligence. Targets would see a notification asking them to grant the app various permissions, such as to read and write their files, read calendars and so forth.

    The OAuth standard is supported by cloud and identity providers, including Google, Twitter, Facebook and Microsoft, as a way for users to grant third-party apps access to account information and data within apps from these companies. OAuth has been abused by attackers in the past, and this trend forced Google to introduce stricter verification requirements for developers who use it to connect to Google apps.

    “The phishing messages mislead users into granting the app permissions that could allow attackers to create inbox rules, read and write emails and calendar items, and read contacts. Microsoft has deactivated the app in Azure AD and has notified affected customers,” Microsoft said in a tweet.

    Twitter user and threat hunter @ffforward reported the OAuth phishing campaign to Microsoft. The Upgrade app was listed as coming from the verified publisher Counseling Services Yuma PC, according to @ffforward. The same Upgrade app had previously been offered to Office 365 users via an unverified account.

    Microsoft recently said consent-phishing emails, or “illicit consent grants” that abuse OAuth requests, have steadily increased over the past few years.

    Consent phishing is an alternative to credential phishing. Instead of capturing passwords with phishing login pages, attackers use OAuth permission request screens to lure victims into granting access tokens that give the attacker account data from connected apps. In this scenario, sign-in is handled by an identity provider, such as Microsoft or Google, rather than by the end user. Despite lacking a password, the attacker can still do things like set a rule to forward emails from a target to an attacker-controlled email account, laying the groundwork for future attacks.

    “In most cases, consent phishing attacks do not involve password theft, as access tokens don’t require knowledge of the user’s password, yet attackers are still able to steal confidential data and other sensitive information. Attackers can then maintain persistence in the target organization and perform reconnaissance to further compromise the network,” Microsoft noted.
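    To make the consent request described above concrete, here is an added Python example for triaging a reported link; it is not Microsoft's code and not part of the article. It parses an OAuth 2.0 authorization URL of the kind a user is sent to, and maps the requested scopes to the capabilities the story lists (inbox rules, read/write mail and calendar, read contacts). The scope names are Microsoft Graph delegated permission names; the client_id, redirect_uri and both sample URLs are constructed values, and a benign profile-read request is included for contrast.

```python
"""Triage of an OAuth 2.0 consent (authorization) request URL.

Added illustration, not Microsoft's code.  Scope names below are Microsoft
Graph delegated permissions; every other value is constructed for the demo.
"""
from urllib.parse import urlparse, parse_qs

# Delegated permissions that give a consenting app the access the article
# describes.  MailboxSettings.ReadWrite is what lets an app create inbox
# rules (e.g. auto-forwarding); offline_access yields a refresh token, so the
# access outlives the browser session and needs no password.
HIGH_RISK_SCOPES = {
    "Mail.ReadWrite": "read and write the user's mailbox",
    "Mail.Send": "send mail as the user",
    "MailboxSettings.ReadWrite": "create inbox rules, e.g. auto-forwarding",
    "Calendars.ReadWrite": "read and write calendar items",
    "Contacts.Read": "read the user's contacts",
    "Files.ReadWrite.All": "read and write all files the user can access",
    "offline_access": "obtain a refresh token for persistent access",
}

AUTHORIZE_ENDPOINT = "/oauth2/v2.0/authorize"   # Microsoft identity platform v2.0


def parse_consent_request(url: str) -> dict:
    """Pull client_id, redirect_uri and the requested scopes out of the URL."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)        # decodes %20 / '+' in the scope list
    return {
        "is_authorize_endpoint": parsed.path.endswith(AUTHORIZE_ENDPOINT),
        "client_id": query.get("client_id", [""])[0],
        "redirect_uri": query.get("redirect_uri", [""])[0],
        "scopes": query.get("scope", [""])[0].split(),  # scopes are space-delimited
    }


def assess_consent_request(url: str) -> dict:
    """Flag the request if any scope grants mailbox-level or persistent access."""
    req = parse_consent_request(url)
    risky = {s: HIGH_RISK_SCOPES[s] for s in req["scopes"] if s in HIGH_RISK_SCOPES}
    req["risky_scopes"] = risky
    req["verdict"] = "block_and_review" if risky else "low_risk"
    return req


# Constructed sample: the kind of link a consent-phishing mail would carry.
PHISH_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000"   # placeholder app id
    "&response_type=code"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback"
    "&scope=offline_access%20User.Read%20Mail.ReadWrite"
    "%20MailboxSettings.ReadWrite%20Calendars.ReadWrite%20Contacts.Read"
)

# Constructed benign request: profile read only.
BENIGN_URL = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111&response_type=code"
    "&redirect_uri=https%3A%2F%2Fexample.invalid%2Fcallback&scope=User.Read"
)

if __name__ == "__main__":
    for url in (PHISH_URL, BENIGN_URL):
        result = assess_consent_request(url)
        print(result["verdict"], result["client_id"])
        for scope, meaning in result["risky_scopes"].items():
            print(f"  {scope}: {meaning}")
```

    The URL check is a triage aid for the SOC; the durable control is tenant-side, by restricting which permissions users may consent to on their own and reviewing existing consent grants, since the access token, once issued, works without the user's password.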

  • Software is crammed full of bugs. This 'exciting' project could banish most of them

    Chip designer Arm has released a prototype of its Morello development board for researchers at Google, Microsoft and industry to test its goal for a CPU design that wipes out a chunk of memory-related security flaws in code. The Morello board is the product of a collaboration between Arm, Cambridge University, Microsoft and others based on the Capability Hardware Enhanced RISC Instructions (CHERI) architecture. Microsoft says the board and system on chip (SoC) is the first high-performance implementation of CHERI, which provides “fine-grained spatial memory safety at a hardware level”. If it proves successful after testing with legacy software, it could pave the way for future CPU designs.

    CHERI architectural extensions are designed to mitigate memory safety vulnerabilities. CHERI augments pointers – the variables in computer code that reference where data is stored in memory – with limits on how those references can be used: the address ranges they can access and the operations they can perform. “Once baked into silicon, they cannot be forged in software,” Arm explained. CHERI was developed by the University of Cambridge and SRI International after it received funding from DARPA’s Clean-slate design of Resilient, Adaptive, Secure Hosts (CRASH) program.

    The Morello architecture is based on CHERI. Arm kicked off work on hardware for the Morello program in 2019 with backing from the UK government’s Digital Security by Design (DSbD) program and UK Research and Innovation (UKRI).

    The Morello demonstrator board is a tweaked Arm Neoverse N1, a 2.5GHz quad-core server CPU supporting the Armv8.2a 64-bit architecture, with extra features to enable CHERI-based “compartmentalization” to counter exploits against memory-related security flaws. “For any research project, this phase is both exciting and critical. There has never been a silicon implementation of this hardware capability technology in a high-performance CPU,” said Arm.

    The Morello board is a significant advancement for CHERI, which has been in development for over a decade. Saar Amar, of Microsoft’s Security Research and Defense team, notes that the top existing implementation of CHERI was Toooba, which – while a “significant achievement” – could only run in an FPGA at 50MHz in a dual-core configuration. It was “roughly equivalent in microarchitecture to a mid-’90s CPU”, which wasn’t good enough for testing complex software stacks at scale.

    The CHERI and Morello architectures may be one way of tackling memory-related security flaws that stem from code written in programming languages like C and C++. Microsoft and Google say the majority of security bugs are memory safety issues, and they’re often due to code written in these languages. The volume of these bugs and the patches they require has prompted major software firms like Microsoft, Google and Amazon to explore ‘type safe’ languages like Rust for systems programming. However, Rust is generally used to write new components, while vast existing code bases written in C or C++ are left in place, as Google is doing for Android’s code base.

    The Morello boards are being shared with researchers to test the hypothesis behind CHERI’s compartmentalization approach and whether it is a viable security architecture for businesses and consumers in the future. As detailed in a paper about CHERI by Google researcher Ben Laurie and peers, various CHERI modes can be more effective and efficient than mitigations in conventional memory management unit (MMU) hardware, which is used to translate virtual memory addresses to physical addresses. CHERI allows for software compartmentalization in a similar way to process isolation in today’s operating systems, notes Laurie. It also includes an in-process memory safety mechanism that avoids the need to make major changes to source code – a potentially major benefit for existing code bases.

    “Contemporary type-safe languages prevent bug classes by construction, whereas CHERI memory protection prevents the exploitation of some of these bug classes,” writes Microsoft’s Amar. “There are billions of lines of C and C++ code in widespread use, and CHERI’s strong source-level compatibility provides a path to achieving the goals of high-performance memory safety without requiring a ground-up rewrite.”
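    As an added illustration of the bounded pointers the story describes (a software sketch written for this page, not CHERI or Morello code and not from Arm, Cambridge or Microsoft), the Python model below lets a bytearray stand in for memory and wraps a pointer in a Capability object that carries base, length and permissions. Every load, store and pointer-arithmetic step is checked, and a derived capability can only shrink, which is the property that stops a program from widening its own access. The constructed layout places a 16-byte secret right after a 16-byte buffer so the over-read is deterministic; the names Capability, restrict, add and CapabilityFault are this example's own, and real CHERI enforces the same rules in hardware with tagged capabilities.

```python
"""Software sketch of CHERI-style capabilities (added illustration, not CHERI).

A bytearray stands in for memory.  A Capability carries the address it points
at together with the bounds and permissions it was derived with; every load,
store and pointer-arithmetic step is checked against them.  Real CHERI keeps
these fields in tagged hardware capabilities, so they cannot be forged in
software; here the class boundary plays that role.
"""


class CapabilityFault(Exception):
    """Raised where CHERI hardware would trap: bounds or permission violated."""


class Capability:
    """A pointer that carries its bounds [base, base+length) and permissions."""

    def __init__(self, mem, base, length, perms, cursor=None):
        self.mem = mem
        self.base = base
        self.length = length
        self.perms = frozenset(perms)        # subset of {"load", "store"}
        self.cursor = base if cursor is None else cursor

    def _checked_addr(self, offset, size, perm):
        if perm not in self.perms:
            raise CapabilityFault(f"missing {perm} permission")
        addr = self.cursor + offset
        if addr < self.base or addr + size > self.base + self.length:
            raise CapabilityFault(
                f"[{addr}, {addr + size}) outside [{self.base}, {self.base + self.length})")
        return addr

    def load(self, size=1, offset=0):
        addr = self._checked_addr(offset, size, "load")
        return bytes(self.mem[addr:addr + size])

    def store(self, data, offset=0):
        addr = self._checked_addr(offset, len(data), "store")
        self.mem[addr:addr + len(data)] = data

    def restrict(self, base=None, length=None, perms=None):
        """Derive a narrower capability; bounds and permissions can only shrink."""
        new_base = self.base if base is None else base
        new_length = self.length if length is None else length
        new_perms = self.perms if perms is None else frozenset(perms)
        widened = (new_base < self.base
                   or new_base + new_length > self.base + self.length
                   or not new_perms <= self.perms)
        if widened:
            raise CapabilityFault("cannot widen a capability")
        return Capability(self.mem, new_base, new_length, new_perms)

    def add(self, delta):
        """Pointer arithmetic moves the cursor but keeps the original bounds."""
        return Capability(self.mem, self.base, self.length, self.perms, self.cursor + delta)


def raw_read(mem, addr, size):
    """What an unchecked C pointer does: returns whatever bytes are adjacent."""
    return bytes(mem[addr:addr + size])


def demo():
    """Over-read a 16-byte buffer with a raw pointer, then with a capability."""
    mem = bytearray(64)
    BUF, BUF_LEN, SECRET = 0, 16, 16      # constructed layout: buffer, then secret
    mem[SECRET:SECRET + 16] = b"S3CR3T-KEY-BYTES"

    leaked = raw_read(mem, BUF, 32)[BUF_LEN:]          # spills into the secret

    heap = Capability(mem, 0, len(mem), {"load", "store"})   # the allocator's view
    buf = heap.restrict(base=BUF, length=BUF_LEN)            # what the caller receives
    try:
        buf.load(32)                                         # the same over-read
        trapped = False
    except CapabilityFault:
        trapped = True
    in_bounds = buf.add(8).load(8)                           # [8, 16): still allowed
    return {"leaked_by_raw_pointer": leaked,
            "trapped_by_capability": trapped,
            "in_bounds_read_ok": in_bounds == bytes(8)}


def widening_is_rejected():
    """Neither bounds nor permissions of a derived capability may grow."""
    parent = Capability(bytearray(32), 8, 8, {"load"})
    for kwargs in ({"base": 0, "length": 16}, {"perms": {"load", "store"}}):
        try:
            parent.restrict(**kwargs)
            return False
        except CapabilityFault:
            continue
    return True


if __name__ == "__main__":
    print(demo())
    print("widening rejected:", widening_is_rejected())
```

    The point of the model is the split between the allocator's wide capability and the narrowed one handed to the caller: the caller's code is unchanged, only its pointer now refuses to reach the neighbouring secret, which is the "strong source-level compatibility" Amar refers to.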

  • Mirai splinter botnets dominate IoT attack scene

    Botnets built from the Mirai codebase continue to wreak havoc in the technology arena, with cyberattackers taking advantage of lax Internet of Things (IoT) security in widespread attacks. 

    Computers and other connected devices, including IoT and NAS storage, are compromised through weak credentials, vulnerabilities, exploit kits, and other security weaknesses. These systems join a network of slave devices that can be commanded to perform malicious activities. Attack types commonly associated with botnets are the launch of Distributed Denial-of-Service (DDoS) attacks, brute-force attacks leading to information theft and ransomware deployment, and the covert installation of cryptocurrency mining software on vulnerable, Internet-facing servers.

    The most well-known, perhaps, is Mirai, which made its debut with catastrophic DDoS attacks in 2016 against DNS provider Dyn and the website of cybersecurity expert and reporter Brian Krebs. Mirai’s source code was then released online, opening up an avenue for variants to be created, including Okiru, Satori, and Masuta. Despite the age of the original botnet, the use of its code in mutated versions means that Mirai is still a risk to organizations today.

    On Tuesday, Intel 471 published a new report on Mirai’s fracturing into new forms and a reported surge in attacks during 2020 and 2021 against IoT devices using these botnet variations. “Threat actors seized the opportunity to not only create large botnets, but also steal confidential data from IoT devices linked to compromised organizations, and potentially sell it on underground marketplaces,” the researchers say. As IoT device numbers are expected to reach approximately 30.9 billion by 2025, the team expects the threat – and overall power – of botnets to only continue to expand.

    At present, Gafgyt and Mirai, alongside multiple botnets based on Mirai code such as BotenaGo, Echobot, Loli, Moonet, and Mozi, are being used to target devices primarily based in Europe and North America. Threat actors are commonly using the following vulnerabilities in exploit kits to compromise IoT devices and increase the power of their networks:

      • CVE-2018-4068, CVE-2018-4070 and CVE-2018-4071: Information leaks in Sierra Wireless AirLink (ES450 FW version 4.9.3)
      • CVE-2019-12258, CVE-2019-12259, CVE-2019-12262 and CVE-2019-12264: DoS vulnerabilities in the Wind River Systems VxWorks RTOS
      • CVE-2019-12255, CVE-2019-12260, CVE-2019-12261 and CVE-2019-12263: Memory corruption flaws in the VxWorks RTOS
      • CVE-2021-28372: An authentication bypass bug in the ThroughTek Kalay P2P SDK (versions 3.1.5 and earlier)
      • CVE-2021-31251: An improper authentication issue in Chiyu Technology firmware

    “The cybercriminal underground will continue to build off of Mirai, targeting every piece of equipment it can as the IoT market continues to boom,” the cybersecurity firm says. Intel 471 recommends that organizations implement IoT device monitoring processes, perform regular security audits, routinely rotate credentials and keys, and maintain regular patch application cycles.

  • Belarusian activists launch ransomware attack against railway in protest of dictatorship, Russian troop surge

    An activist group in Belarus launched a ransomware attack against the country’s railway system in protest of Belarus President Alexander Lukashenko and Russian troop movements through the country. On Monday, The Belarusian Cyber-Partisans took to Twitter to say they encrypted the networks of Belarusian Railways, crippling the system and disrupting ticket sales. The group criticized Lukashenko and provided a list of demands in exchange for the encryption keys needed to unlock the system. “At the command of the terrorist Lukashenko, #Belarusian Railway allows the occupying troops to enter our land. We encrypted some of BR’s servers, databases and workstations to disrupt its operations. Automation and security systems were NOT affected to avoid emergency situations,” the group said. “We have encryption keys, and we are ready to return Belarusian Railroad’s systems to normal mode. Our conditions: Release of the 50 political prisoners who are most in need of medical assistance. Preventing the presence of Russian troops on the territory of #Belarus.”

    The group’s tweet (Belarusian Cyber-Partisans, @cpartisans, January 24, 2022): “We have encryption keys, and we are ready to return Belarusian Railroad’s systems to normal mode. Our conditions: Release of the 50 political prisoners who are most in need of medical assistance. Preventing the presence of Russian troops on the territory of #Belarus.” https://t.co/QBf0vtcNbK

    Yuliana Shemetovets, a Belarusian activist and spokesperson for the group, told ZDNet that their goal was to disrupt the railway system “so it can indirectly affect the Russian troops using it for their purposes (potential attack on Ukraine).” According to The Washington Post, the Belarusian Defense Ministry said on Monday that Russian troops were coming to the country for military exercises. Russia is also sending 12 Su-35 fighters, two S-400 battalions and a Pantsir-S air defense system to Belarus as part of the troop movement, but US officials said it was all part of a Russian plan to invade Ukraine from the north. “[Belarusian Cyber-Partisans] don’t want Russian soldiers in Belarus since it compromises the sovereignty of the country and puts it in danger of occupation. It also pulls Belarus into a war with Ukraine. And probably Belarusian soldiers would have to participate in it and die for this meaningless war,” Shemetovets said. 

    Shemetovets explained that the group encrypted the bulk of the railway’s servers, databases and workstations. They first gained access to the railway’s systems in December. “The backups have been destroyed. Dozens of databases have been attacked, including AS-Sledd, AS-USOGDP, SAP, AC-Pred, http://pass.rw.by, uprava, IRC, etc. Automation and security systems were deliberately not affected by a cyber attack in order to avoid emergency situations,” Shemetovets added.

    Shemetovets noted that the attack did affect some Belarusians trying to use the train system’s ticket platform and said the group would work to restore the system so that average citizens were not affected. The Belarusian Railways website was back online by Monday night. “We received so far only positive feedback (people that were writing to us are ready to put up with it a little so the major goal is achieved). The major target was freight trains but it looks like the passenger schedules were also affected,” Shemetovets said. “The government refused to make any comments. We need to wait a little longer to see how it actually affected them. As long as Lukashenko’s dictatorship regime stays CPs will continue their work.”

    The government did not respond to requests for comment and has not released a statement about the situation. But Belarusian Railways did issue a statement acknowledging the issue and said any web resources or services “issuing electronic travel documents” are temporarily unavailable. They added that they are working to restore the system and urged customers to contact their offices for travel documents. Since protests against Lukashenko began in 2020, the Belarusian Cyber-Partisans have worked to undermine the dictatorship by leaking hacked documents showing widespread corruption and police abuse. The group is made up of former IT workers from Belarus, according to profiles by Bloomberg, The MIT Technology Review and The Washington Post.

    Ransomware experts told ZDNet that they had never seen ransomware used in this way before. Emsisoft threat analyst Brett Callow said he was not aware of any situation where ransomware had been deployed like this. “In terms of helping hacktivists achieve their objectives, ransomware is as effective, perhaps more effective, than any other tool in their arsenal. And, of course, the entry barriers are lower than ever thanks to both user credentials and off-the-shelf ransomware being readily available,” Callow said.

    Recorded Future’s Allan Liska echoed those remarks, telling ZDNet he had never seen anything like this before. “This reminds me a bit of the escalation we saw with the Red Brigades kidnappings in the 70s and 80s. What started as simple kidnappings escalated to more radical behavior and assassination. Ransomware has evolved from encrypting single machines to whole networks and the types of extortion demanded has continued to evolve,” Liska said. “This could be the next jump in the evolution of ransomware, or it could be an outlier.”