Information Technology

Image: Google
France’s privacy regulator has found instances where using Google Analytics is not compliant with the European Union’s General Data Protection Regulation (GDPR). Through an investigation into unnamed local website’s data practices, the Commission nationale de l’informatique et des libertés (CNIL) found that the website’s use of Google Analytics was in violation of the GDPR. The French regulator said using the tool breached Article 44, which bans personal data transfers from within the bloc to “third-party countries” that do not have equivalent privacy protections in place. Among the countries that fail to meet this threshold is the US as it does not provide non-US citizens with the means to know how their data is acquired or used. US laws also do not provide non-US citizens with the ability for recourse when their data is misused.   The regulator’s investigation into the unnamed local website was done in conjunction with looking into 100 other complaints that were filed to privacy advocacy group Noyb shortly after the European Court of Justice struck down the EU-US Privacy Shield agreement in 2020. The complaints were filed to Noyb, whose founder, Max Schrems, was the one who initiated proceedings to invalidate the Privacy Shield agreement. With this finding, the CNIL has ordered the unnamed local website to comply with the GDPR. In doling out this order, the regulator said, if necessary, the website would have to stop using Google Analytics under the current conditions. The website will have one month to comply with the order.

“Although Google has adopted additional measures to regulate data transfers in the context of the Google Analytics functionality, these are not sufficient to exclude the accessibility of this data for US intelligence services,” CNIL said in a statement. “There is therefore a risk for French website users who use this service and whose data is exported.” The CNIL clarified, however, that there may be some instances where use of Google Analytics does meet GDPR requirements such as ensuring the tool is only used to produce anonymous statistical data. CNIL explained that using Google Analytics in this way would create a consent exemption so long as the data is not transferred illegally. In addition to issuing the order, CNIL said it would launch an evaluation to determine which audience measurement and ad tools are exempt from consent. The French GDPR interpretation follows Google urging lawmakers in the US and Europe to establish new rules for a secure data transfer framework last month. In expressing its concern, Google called for more transparency on how to interpret the GDPR, with its global affairs president Kent Walker claiming the lack of a data transfer framework would lead to a lack of legal stability. Other US tech giants, like Meta, have similarly not taken favourably to the lack of an EU-US data transfer framework. In light of the current lack of one, Meta “threatened” to pull its services out of Europe in its annual filing to the US Securities Exchange Commission. The tech giant subsequently walked back on its comments, however, after the “threat” made headlines on various outlets and received criticism from European politicians. “Meta is not wanting or ‘threatening’ to leave Europe and any reporting that implies we do is simply not true. Much like 70 other EU and US companies, we are identifying a business risk resulting from uncertainty around international data transfers,” said Markus Reinisch, Meta Europe public policy VP. Related Coverage More

Moxa users are being urged to upgrade MXview to version 3.2.4 or higher to remediate five vulnerabilities discovered by Claroty’s Team82.The issues affect the Taiwanese company’s MXview web-based network management system versions 3.x to 3.2.2 and collectively, ICS-CERT scored the vulnerabilities a 10.0, its highest criticality score.According to Team82, an unauthenticated attacker successfully chaining two or more of these vulnerabilities could achieve remote code execution on any unpatched MXview server. The US Cybersecurity and Infrastructure Security Agency (CISA) released an ICS advisory for the vulnerabilities in October, noting that successful exploitation of these vulnerabilities “may allow an attacker to create or overwrite critical files to execute code, gain access to the program, obtain credentials, disable the software, read and modify otherwise inaccessible data, allow remote connections to internal communication channels, or interact and use MQTT remotely.”The web-based network management system was designed for monitoring and managing Moxa-based devices. Team 82 disclosed five vulnerabilities (CVE-2021-38452, CVE-2021-38456, CVE-2021-38460, CVE-2021-38458 and CVE-2021-38454) in the MXView platform. The company also provided a proof of concept showing how an attack would work. Bugcrowd CTO Casey Ellis said it is “an impactful set of vulnerabilities.” “Command injection via MQTT is an interesting and seldom discussed technique, and only goes to demonstrate the increasing complexity of the input vectors any given application may have,” Ellis said. “Proper sanitization is important everywhere, not just on real-time inputs which are exposed directly to users.”

Moxa’s MXview is a significant player in the ICS and overall IoT market with their focus on converged networks — few network management vendors focus on this space — and therefore the significance of these vulnerabilities is high, according to Viakoo CEO Bud Broomhead.Broomhead added that with manufacturing and line-of-business organizations using them, not all their end users will have the IT resources or knowledge to quickly remediate these vulnerabilities — making the high severity vulnerabilities that much more dangerous. “These vulnerabilities, without question, will have a major impact. All 5 vulnerabilities have a 10/10 severity score, and because they are focused on converged networks it increases the likelihood of threat actors exploiting them in order to move laterally into corporate networks,” Broomhead told ZDNet.  “In addition, these vulnerabilities enable privilege management exploits; vulnerabilities in privilege management almost always will be viewed as a high level risk, especially given the damage that cyber criminals with root-level privileges can do such as placing malware, controlling critical infrastructure, or covering the tracks of a threat actor.”  More

Victims of ransomware spent nearly $700 million paying off their attackers in 2020, according to a new report from blockchain analysis firm Chainalysis. 

In the company’s last report, they pegged the figure at around $350 million, but increased the figure “due to both underreporting by ransomware victims and our continuing identification of ransomware addresses that have received previous victim payments.”Right now, the latest figures show more than $692 million was spent on ransomware payments in 2020. For 2021, they have already tracked over $602 million worth of ransomware payments but noted that like 2020, it is an underestimate.”In fact, despite these numbers, anecdotal evidence, plus the fact that ransomware revenue in the first half of 2021 exceeded that of the first half of 2020, suggests to us that 2021 will eventually be revealed to have been an even bigger year for ransomware,” Chainalysis said. The report also listed the most prolific ransomware groups by total payments received, finding that Conti led the way with at least $180 million made from ransoms. 
Chainalysis
The report notes that conversely, law enforcement agencies have made some headway in getting ransoms back, giving organizations even more incentive to report attacks. Unfortunately, 2021 also saw more active individual ransomware strains than any other year on record, according to the blockchain research organization. Their data shows that at least 140 ransomware strains received payments from victims at some point in 2021. The number was 119 in 2020 and 79 in 2019. 

The researchers added that more than ever, groups were also shutting down and restarting under new names, providing one explanation for the increase in ransomware strains. The average number of days a ransomware strain stayed active in 2021 was 60, far lower than the 168 days in 2020 and 378 in 2019. Chainalysis claimed one criminal group — Evil Corp — had some amount of ties to the Doppelpaymer, Bitpaymer, WastedLocker, Hades, Phoenix Cryptolocker, Grief, Macaw, and PayloadBIN ransomware strains. The researchers were able to tie some of the ransomware groups based on their cryptocurrency transaction histories.The company estimates that Evil Corp made at least $85 million from its various ransomware strains. 

ZDNet Recommends

Now that more ransomware groups are targeting larger, more profitable organizations, the average ransomware payment size increased to over $118,000 in 2021, up from $88,000 in 2020 and $25,000 in 2019, according to the company’s data. Most ransomware groups appear to send their ransoms to centralized exchanges or mixers as a way to launder their stolen funds. Chainalysis said more than half of the funds sent from ransomware addresses since 2020 have wound up at one of six cryptocurrency businesses: three large international exchanges, one high-risk exchange based in Russia, and two mixing services.Chainalysis also included a rundown of their involvement in the investigation of the ransomware attack on Colonial Pipeline last May. The company helped the FBI track the 75 bitcoin Colonial Pipeline paid to DarkSide, and eventually the Justice Department was able to claw back about $2.3 million of the ransom. The address that initially received the ransom transferred it to accounts controlled by DarkSide’s administrators, who then sent 63.7 bitcoin to the affiliate who led the attack. The affiliate had previously received payments from addresses associated with NetWalker, another ransomware strain disrupted by law enforcement in January 2021.That affiliate received 595.3 bitcoin in four different chunks from the NetWalker administrator in late May and early June of 2020.”After tracking the funds to the affiliate’s address, FBI investigators were able to seize the funds on May 28, 2021,” the researchers said. “The seizure represents a huge step forward in the fight against ransomware, and especially ransomware strains that attack our critical infrastructure.” More

Network security and content delivery network provider Cloudflare this afternoon reported Q4 revenue that topped expectations and profit that narrowly beat Wall Street’s forecast. Revenue in Q4 rose 54%, year over year, to $193.6 million, yielding an EPS of $0.00. Analysts had been modeling $184.7 million and and a loss per share of -$0.01.

The report sent Cloudflare shares up nearly 7% in late trading. For the full year, the company saw a revenue of $656.4 million, a 52% year-over-year increase, and a non-GAAP net loss of $15.1 million.”The full year represented a 52% year-over-year increase in revenue growth and a 71% year-over-year increase in large customer growth. It was also the fifth straight year we achieved 50%, or greater, compounded growth,” said Matthew Prince, co-founder and CEO of Cloudflare. “Our continued success is fueled by a culture of relentless innovation on top of a highly scalable platform. That’s why we’re uniquely positioned to extend our network, introduce new Zero Trust capabilities, and grow our total addressable market. We’ve never been more motivated to take on this huge opportunity as corporate networks transition to the cloud, and developers line-up to build on our edge.”

In Q1, Cloudflare expects a revenue between $205 million and $206 million as well as a non-GAAP net income per share of $0.00 to $0.01. In fiscal 2022, the company is aiming for a revenue between $927 million and $931 million. They predicted a non-GAAP net income per share between $0.03 and $0.04. The company also announced on Thursday that it is acquiring security company Vectrix for an undisclosed sum. 

Tech Earnings More

Credit: Microsoft
As of today, Windows Insider testers in the Beta and Release Preview channels now can kick the tires of some of the new features that Microsoft officials have promised to roll out to mainstream users in February.Windows 11 build 22000.526 (KB5010414) includes a bunch of fixes. It also includes previews of the weather widget, which will be on the left side of the task bar; the ability to share open application windows directly from taskbars to a Teams call; and the ability to instantly mute and unmute Teams calls from the taskbar. Today’s test build also includes a feature that Microsoft ended up cutting from Windows 10 21H2 just before it rolled out: Windows Hello for Business Cloud Trust. Microsoft’s blog post explains Hello for Business Cloud Trust this way: “This is a new deployment model for hybrid deployments of Windows Hello for Business. It uses the same technology and deployment steps that support on-premises single sign-on (SSO) for Fast IDentity Online (FIDO) security keys. Cloud Trust removes the public-key infrastructure (PKI) requirements for deploying Windows and simplifies the Windows Hello for Business deployment experience.” Build 22000.526 also adds the requested ability to see the clock and date on the taskbars of connected monitors. It includes a substantial number of additional fixes that are detailed in the blog post.Microsoft officials said a couple of weeks ago that they planned to release several new features in February to Windows 11 users — well ahead of the Windows 11 22H2 feature update expected around October this year. Officials said mainstream Windows 11 users (not Insider testers) will get a public preview of Android apps on Windows 11, taskbar improvements with call mute and unmute, easier window sharing, and the weather icon on the taskbar. (Plus, users will get the redesigned Notepad and Media Player apps in February.) Microsoft plans to deliver these various features to users’ PCs using its Feature Experience Pack, Online Service Experience Pack, and Web Experience Pack mechanisms, officials said.

Windows 11 More

Apple
Apple on Thursday laid out a series of steps it’s taking to address privacy and safety issues related to

AirTags

, following reports that the devices have been used for malicious and criminal activity. Some of the more significant changes will come later this year. Apple plans to alert users more quickly when an unwanted device may be traveling with them and also plans to make it easier to find those devices with louder tones and precision finding. 

With precision finding, iPhone 11, iPhone 12, and iPhone 13 users will be able to see the distance and direction to an unknown AirTag when it is in range. The feature relies on input from the phone’s camera, ARKit, accelerometer, and gyroscope. In the meantime, Apple is taking more incremental steps to address the problem. First, in an upcoming software update, users setting up their AirTags for the first time will see a new privacy warning. The new message states that using AirTags to track people without consent can be a crime, that the AirTag is designed to be detected by victims, and that law enforcement can request identifying information about the owner of the AirTag.Apple said it’s been “actively working with law enforcement on all AirTag-related requests [it has] received,” providing user information in response to subpoenas or valid requests. The company is also updating the alert users receive when possibly unwanted

AirPods

have been traveling with them. Instead of receiving an “unknown accessory” alert, users will receive a message that AirPods are traveling with them. Also: How tech is a weapon in modern domestic abuse — and how to protect yourself

Lastly, Apple is updating its unwanted tracking support article to communicate the safety features built into AirTags, AirPods, and Find My network accessories. This isn’t the first time Apple has acknowledged problems associated with AirTags. Just last month, the company updated its Personal Safety User Guide in an attempt to better help customers and potential victims understand what to do if they find an unwanted AirTag.The update followed a spate of local and national news reports about stalking incidents and auto theft attempts involving AirTags. The reports typically involve someone finding an unknown AirTag secreted away in a handbag, tucked behind their vehicle’s license plate, or stashed somewhere else that will help a criminal track their location.While Apple is starting to address the issue, there are more significant steps they could take to protect consumers, as Adrian Kingsley-Hughes recently noted on ZDNet. As he suggested, Apple could work with Google to bring comprehensive tag tracking to both iOS and Android. Additionally, he said, Apple could make it harder to modify AirTags. Meanwhile, as ZDNet’s Michael Gariffo noted, this problem isn’t strictly about Apple devices. Products from

Tile,

Samsung,

and other brands with similar tracking capabilities, including

devices to track lost pets,

could be used for malicious purposes. More

Adobe urged customers using the Magento 1 e-commerce platform to upgrade to the latest version of Adobe Commerce after security company Sansec detected a mass breach of over 500 stores running the platform.

ZDNet Recommends

In a statement to ZDNet, Adobe said it ended support for Magento 1 on June 30, 2020. “We continue to encourage merchants to upgrade to the latest version of Adobe Commerce for the most up-to-date security, flexibility, extensibility, and scalability,” an Adobe spokesperson said. “At a minimum, we recommend Magento Open Source merchants on Magento 1 to upgrade to the latest version of Magento Open Source (built on Magento 2), to which Adobe contributes key security updates.”On Tuesday, Sansec released a report revealing that hundreds of stores were the victims of a payment skimmer loaded from the naturalfreshmall.com domain. 

More than 350 ecommerce stores infected with malware in a single day.Today our global crawler discovered 374 ecommerce stores infected with the same strain of malware. 370 of these stores load the malware via https://naturalfreshmall[.]com/image/pixel[.]js.— Sansec (@sansecio) January 25, 2022

“We invited victims to reach out to us, so we could find a common point of entry and protect other merchants against a potential new attack. The first investigation is now completed: attackers used a clever combination of an SQL injection (SQLi) and PHP Object Injection (POI) attack to gain control of the Magento store,” the researchers explained. “Attackers abused a (known) leak in the Quickview plugin. While this is typically abused to inject rogue Magento admin users, in this case the attacker used the flaw to run code directly on the server.”

In their examination of one attack, researchers found the threat actor left 19 backdoors on the system. They recommended victims use a malware scanner to identify all of the instances of malicious files or Magento code that had malicious code added to them.

Sansec noted that even though Adobe has ended support for Magento, thousands of businesses still use it. Magento has long been a source of issues for Adobe and the online merchants who use it. In November, the National Cyber Security Centre (NCSC) identified a total of 4,151 retailers that had been compromised by hackers attempting to exploit vulnerabilities on checkout pages to divert payments and steal details. The majority of the online shops that cybercriminals exploited for payment-skimming attacks were compromised by known vulnerabilities in the e-commerce platform Magento. In February 2021, Magento received a slew of security fixes from Adobe. Specifically, Magento Commerce and Magento Open Source on all platforms were subject to a total of 18 bugs, varying in severity from critical to moderate. More than 2,000 Magento online stores were hacked in September 2020, attacks that were also spotted by Sansec at the time. Attacks against sites running the now-deprecated Magento 1.x software were anticipated by Adobe, which issued the first alert in November 2019 about store owners needing to update to the 2.x branch.Adobe’s initial warning about impending attacks on Magento 1.x stores was later echoed in similar security advisories issued by Mastercard and Visa.Even the FBI warned in 2020 that hackers were exploiting a three-year-old vulnerability in a Magento plugin to take over online stores and plant a malicious script that records and steals buyers’ payment card data. More

Two powerful forms of Android malware are being spread in attacks which share the same infection tactics and delivery infrastructure.Detailed by cybersecurity researchers at ThreatFabric, the campaigns involves FluBot malware – also known as Cabassous – and another Android banking trojan, Medusa.FluBot is one of the most notorious forms of Android malware, which steals passwords, bank details and other sensitive information from infected smartphones. It also gains access to contact books in order to spread itself to other victims via malicious SMS messages, which are often designed to look like an alert about a missed package delivery. FluBot is so prolific that national cybersecurity agencies have issued warnings about it. The success of FluBot has also been noticed by other cyber criminals, to the extent that those behind Medusa – which is designed to steal sensitive information via keylogging, taking screenshots and collecting data about how the phone is used – have copied its techniques for spreading their malware.Medusa campaigns have been seen using the same app names, package names and similar icons used in successful FluBot campaigns, including one which delivers links to malware in messages which claim to come from DHL. But Medusa campaigns don’t just look the same as FluBot attacks, they’re being delivered via the same SMSishing service. The malware isn’t new, it first emerged in 2020, but the adoption of new tactics could see Medusa become a common threat for Android users.

“Despite the fact that Medusa is not extremely widespread at the moment, we do see an increase in volume of campaigns and a sufficiently greater number of different campaigns,” warn ThreatFabric researchers. SEE: A winning strategy for cybersecurity (ZDNet special report)While FluBot malware campaigns tend to be restricted to victims in Europe, Medusa has a more widespread focus. The malware initially started out by focusing on Turkey, but now it’s also targeting users in North America and Europe.”Powered with multiple remote access features, Medusa poses a critical threat to financial organisations in targeted regions,” said researchers.However, the additional spread of Medusa doesn’t mean that FluBot is about to become any less of an issue. Researchers note that the creators of FluBot continue to add additional functionality, including the ability to replace or interact with app notifications. This enables the attackers to manipulate applications, allowing them both to direct users towards apps they want to steal information from, and also take control of messaging apps.Both Medusa and FluBot remain a threat to Android users but there are steps which can be taken in an effort to avoid becoming a victim. One of those is that it’s unlikely that any company will ask you to download an application from a direct link, so any unexpected text message asking you to download a link should be regarded with caution. As long as users don’t click on the links, they’ll avoid infection.MORE ON CYBERSECURITY More