More stories

  •

    Biden threatens 'cyber' response after Ukraine says computers wiped during attack

    US President Joe Biden responded forcefully to reports of a wide-ranging cyberattack on Ukrainian government systems Wednesday afternoon, telling reporters that the US would respond with its own cyberattacks if Russia continues to target Ukraine’s digital infrastructure.  “The question is if it’s something significantly short of an…invasion or major military forces coming across,” Biden said in response to a question about how the US would respond to a Russian invasion of Ukraine. “For example, it’s one thing to determine that if they continue to use cyber efforts, well, we can respond the same way, with cyber.”

    The Daily Beast later asked White House Press Secretary Jen Psaki, and she confirmed that if Russia continued to launch cyberattacks, they would be answered with a “decisive, reciprocal, and united response.”

    Biden’s comments come after Ukrainian officials told journalist Kim Zetter that dozens of systems within at least two government agencies were wiped during a cyberattack last week. Microsoft released a detailed blog post about the wiper malware, named “WhisperGate,” and said it was first discovered on January 13. In a follow-up examination of WhisperGate, security company CrowdStrike said the malware aims “to irrevocably corrupt the infected hosts’ data and attempt to masquerade as genuine modern ransomware operations.” “However, the WhisperGate bootloader has no decryption or data-recovery mechanism, and has inconsistencies with malware commonly deployed in ransomware operations,” CrowdStrike explained.

    “The activity is reminiscent of VOODOO BEAR’s destructive NotPetya malware, which included a component impersonating the legitimate chkdsk utility after a reboot and corrupted the infected host’s Master File Table (MFT) — a critical component of Microsoft’s NTFS file system. However, the WhisperGate bootloader is less sophisticated, and no technical overlap could currently be identified with VOODOO BEAR operations.”

    Yurii Shchyhol, head of the State Service of Special Communications and Information Protection of Ukraine, told The Washington Post that one of the agencies affected by the wiper was the Motor Vehicle Insurance Bureau. The wipers were launched days after more than 70 Ukrainian government websites were defaced by groups allegedly associated with Russian secret services. While it was initially unclear whether the website defacements and the wiper attacks were coordinated, Ukrainian officials confirmed this week that they occurred at the same time. Kitsoft, the company that built about 50 of the government websites, told Zetter that it too discovered WhisperGate malware on its systems. Ukraine’s State Service for Special Communications and Protection confirmed Zetter’s reporting in a statement.

    Ukrainian officials floated several theories for how hackers got into their systems, theorizing that a CMS vulnerability may have been the cause. The Cyberpolice Department of the National Police of Ukraine also said hackers may have gotten in using the Log4J vulnerability or through compromised employee accounts. According to The Washington Post, Russia has brought more than 100,000 troops to its border with Ukraine. The Associated Press reported this week that Poland was also raising its nationwide cybersecurity terror threat level in response to the attacks on Ukraine.

  •

    ProtonMail to block tracking pixels, hide IP addresses

    ProtonMail announced on Wednesday that it will be blocking tracking pixels and hiding IP addresses as part of a new “enhanced tracking protection” feature.

    ProtonMail’s Lydia Pang explained in a blog post that the company believes “reading emails should be as private as our end-to-end encryption makes sending them.”

    “Today, we’re happy to introduce enhanced tracking protection, a feature that will provide an additional layer of privacy to your inbox. Now you can read your emails without letting advertisers watch you, build a profile on you, or serve you ads based on your mail activity,” Pang said.

    “By default, ProtonMail on the web now protects your privacy by: Blocking tracking pixels commonly found in newsletters and promotional emails, preventing senders from spying on your mail. Hiding your IP address from third parties so your location remains private. With enhanced tracking protection, you can continue to use your ProtonMail address to subscribe to newsletters and register for online accounts everywhere while enjoying a better, more private email-reading experience.”
    The company said about 40% of emails sent and received daily are tracked and that email tracking has increased in recent years. Companies track emails by embedding pixels in the messages sent to you. ProtonMail said that every time you open an email containing a spy pixel, it logs information such as when you opened it, how many times you opened it, and your location and IP address. “The gathered data is sent to the email sender, all without your consent. Email trackers can sometimes even expose your information to third parties, allowing them to track you across the web and connect your online activity to your email address, further shaping your invisible online profile,” Pang explained.

    “The feature is enabled by default on our web app, so you can enjoy peace of mind knowing that your emails are always protected.”

    ProtonMail has become well-known as one of the most privacy-focused email services available but faced backlash in September after it revealed it can be “forced to collect information on accounts belonging to users under Swiss criminal investigation.”
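To make the two mechanisms concrete, here is an added example (my own code, not ProtonMail's implementation) of how a mail client can neutralize tracking pixels before rendering a message: it parses the HTML, drops remote images that are 1x1 or hidden (the usual tracking-pixel shape, so the sender's server never sees an open event), and rewrites the remaining remote image URLs through an image proxy so the sender sees the proxy's address rather than the reader's. The newsletter HTML and the `https://img-proxy.example/fetch` proxy URL are constructed placeholders.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlencode, urlparse

# Hypothetical image proxy: remote images are fetched through it so the
# sender's server sees the proxy's address, not the reader's (this mirrors the
# "hide your IP address" part of the feature; the URL is an assumption).
IMAGE_PROXY = "https://img-proxy.example/fetch"

# Constructed newsletter used as sample input: one real banner, two tracking
# pixels (a 1x1 image and a hidden one) and an inline attachment image.
SAMPLE_NEWSLETTER = """<html><body>
<p>Hello subscriber,</p>
<img src="https://cdn.example.net/banner.png" width="600" height="200" alt="Banner">
<p>Our latest offers are below.</p>
<img src="https://track.example.net/open.gif?u=abc123" width="1" height="1" alt="">
<img src="https://metrics.example.net/p.png" style="display:none" alt="">
<img src="cid:company-logo" width="120" height="40" alt="Logo">
</body></html>"""


class PixelStripper(HTMLParser):
    """Re-emits the HTML, dropping likely tracking pixels and routing other
    remote images through the proxy. Inline (cid:) and data: images are left
    untouched because loading them contacts no server."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out, self.blocked, self.proxied = [], [], []

    @staticmethod
    def _is_remote(src):
        return urlparse(src).scheme in ("http", "https")

    @staticmethod
    def _looks_like_tracker(attrs):
        # A remote image that is 0/1 pixel wide or tall, or hidden by CSS,
        # carries no content for the reader; its only purpose is the fetch.
        d = {k: (v or "") for k, v in attrs}
        dims = [d.get("width", "").strip().rstrip("px"),
                d.get("height", "").strip().rstrip("px")]
        style = d.get("style", "").replace(" ", "").lower()
        tiny = any(x in ("0", "1") for x in dims)
        hidden = "display:none" in style or "visibility:hidden" in style
        return tiny or hidden

    @staticmethod
    def _render(tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            parts.append(name if value is None
                         else '%s="%s"' % (name, html.escape(value, quote=True)))
        return "<" + " ".join(parts) + (" />" if self_closing else ">")

    def _emit_tag(self, tag, attrs, self_closing):
        if tag == "img":
            src = dict(attrs).get("src") or ""
            if self._is_remote(src):
                if self._looks_like_tracker(attrs):
                    self.blocked.append(src)  # drop the element entirely
                    return
                proxied = IMAGE_PROXY + "?" + urlencode({"url": src})
                attrs = [(k, proxied if k == "src" else v) for k, v in attrs]
                self.proxied.append(src)
        self.out.append(self._render(tag, attrs, self_closing))

    def handle_starttag(self, tag, attrs):
        self._emit_tag(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit_tag(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append("</%s>" % tag)

    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append("&%s;" % name)

    def handle_charref(self, name):
        self.out.append("&#%s;" % name)

    def handle_comment(self, data):
        self.out.append("<!--%s-->" % data)

    def handle_decl(self, decl):
        self.out.append("<!%s>" % decl)


def protect_email(raw_html):
    """Returns (rewritten_html, blocked_tracker_urls, proxied_image_urls)."""
    parser = PixelStripper()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out), parser.blocked, parser.proxied


if __name__ == "__main__":
    rewritten, blocked, proxied = protect_email(SAMPLE_NEWSLETTER)
    print("blocked trackers:", blocked)
    print("proxied images:", proxied)
    print(rewritten)
```

Run against the sample, the two pixel images are removed, the banner is rewritten to load through the proxy, and the `cid:` logo is untouched. The size-and-style heuristic is deliberately conservative; a production client would also proxy or block every remote image by default, since a full-size image fetched from the sender's server leaks the same open time and IP address as a 1x1 pixel does.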

  •

    Google announces Scorecards V4 in partnership with GitHub and OpenSSF

    The Open Source Security Foundation (OpenSSF), GitHub, and Google announced on Wednesday the launch of Scorecards V4, which includes larger scaling, a new security check, and a new Scorecards GitHub Action for easier security automation.

    OpenSSF launched Scorecards in November 2020, creating an automated security tool that produces a “risk score” for open source projects and helps reduce the toil and manual effort required to continually evaluate changing packages when maintaining a project’s supply chain. Since Google and OpenSSF’s July 2021 announcement of Scorecards V2, the Scorecards project has grown steadily to over 40 unique contributors and 18 implemented security checks.


    The Scorecards Action, released in partnership with GitHub, automates judging whether a change to a project affected its security. Previously, tasks like this had to be done manually. The Action is available from GitHub’s Marketplace and is free to use. It can be installed on any public repository by following these directions.

    “Since our July announcement of Scorecards V2, the Scorecards project—an automated security tool to flag risky supply chain practices in open source projects—has grown steadily to over 40 unique contributors and 18 implemented security checks. Today we are proud to announce the V4 release of Scorecards, with larger scaling, a new security check, and a new Scorecards GitHub Action for easier security automation,” said Google Open Source Security Team members Laurent Simon and Azeem Shaikh.

    “The Scorecards Action is released in partnership with GitHub and is available from GitHub’s Marketplace. The Action makes using Scorecards easier than ever: it runs automatically on repository changes to alert developers about risky supply-chain practices. Maintainers can view the alerts on GitHub’s code scanning dashboard, which is available for free to public repositories on GitHub.com and via GitHub Advanced Security for private repositories.”

    The two added that they have scaled their weekly Scorecards scans to over one million GitHub repositories and partnered with the Open Source Insights website for easy user access to the data.
    The Open Source Security Foundation explained in a blog post that although the world runs on open-source software, many open source projects engage in at least one risky behavior — like not enabling branch protection, not pinning dependencies, or not enabling automatic dependency updates. “Scorecards makes it simple to evaluate a package before consuming it: a scan run with a single line of code returns individual scores from 0 to 10 rating each individual security practice (“checks”) for the project and an aggregate score for the project’s overall security. Today’s release of a Scorecards GitHub Action makes it easier than ever for developers to stay on top of their security posture,” the organization said. “The new Scorecards GitHub Action automates this process: once installed, the Action runs a Scorecards scan after any repository change. Maintainers can view security alerts in GitHub’s scanning dashboard and remediate any risky supply-chain practices introduced by the change.”

    All of the alerts will now include the severity of the risk, the file and line where the problem occurs, and the remediation steps to fix the issue. The latest release also adds the License check, which detects the presence of a project license, and the Dangerous-Workflow check, which detects dangerous usage of the pull_request_target trigger and risks of script injections in GitHub workflows.

    A number of open-source projects have already adopted the Scorecards Action, including Envoy, distroless, cosign, rekor, and kaniko. “Scorecards provides us the ability to rapidly litmus test new dependencies in the Envoy project,” said Envoy’s Harvey Tuch. “We have found this a valuable step in vetting new dependencies for well-known attributes and we have integrated Scorecards into our dependency acceptance criteria. Machine checkable properties are an essential part of a sound security process.”
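As an added illustration of what the Dangerous-Workflow check is described as looking for, the following Python script (my own code, not Scorecards' implementation, which is written in Go) scans a workflow file for the two patterns named above: a `pull_request_target` workflow that checks out the pull request's head, and an expression an outside contributor controls interpolated directly into a `run:` step. Both workflow files are constructed samples; the list of untrusted expression contexts is my own reading of which GitHub contexts a pull-request author can set, and the text-based YAML splitting is a simplification that suits typical workflow layouts rather than a full YAML parser.

```python
import re

# Triggers that run in the base repository's context, with repository secrets
# and a write-capable GITHUB_TOKEN, even for pull requests from forks.
PRIVILEGED_TRIGGERS = ("pull_request_target", "workflow_run")

# Expression contexts an outside contributor controls (PR/issue title and
# body, branch names, commit messages). Interpolating one of them into a shell
# `run:` or a github-script `script:` is the script-injection pattern.
UNTRUSTED_CONTEXT = re.compile(
    r"github\.(?:head_ref"
    r"|event\.(?:issue|pull_request|discussion|comment|review|review_comment)\.(?:title|body)"
    r"|event\.pull_request\.head\.(?:ref|label)"
    r"|event\.(?:head_commit|commits\[\d+\])\.message)"
)
EXPRESSION = re.compile(r"\$\{\{(.*?)\}\}", re.S)
PR_HEAD_REF = re.compile(r"github\.(?:event\.pull_request\.head\.(?:ref|sha)|head_ref)")

# Constructed sample: both dangerous patterns in one workflow.
VULNERABLE_WORKFLOW = """\
name: PR preview
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Announce
        run: echo "Building ${{ github.event.pull_request.title }}"
      - name: Install
        run: |
          npm ci
          npm run build
"""

# Constructed sample of the usual remediation: the unprivileged pull_request
# trigger, and the untrusted value passed through an environment variable so
# the shell never parses it as code.
FIXED_WORKFLOW = """\
name: PR preview
on:
  pull_request:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Announce
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Building $PR_TITLE"
      - name: Install
        run: |
          npm ci
          npm run build
"""


def top_level_blocks(text):
    """Split the file at its zero-indent YAML keys (name, on, jobs, ...).
    Returns {key: [(line_no, line), ...]}."""
    blocks, current = {}, None
    for no, line in enumerate(text.splitlines(), 1):
        m = re.match(r"^([A-Za-z_][\w-]*):", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        if current is not None:
            blocks[current].append((no, line))
    return blocks


def step_items(lines):
    """Group the lines of the jobs block into `- key:` list items (steps)."""
    items, cur = [], None
    for no, line in lines:
        if re.match(r"^\s*-\s+\w+:", line):
            cur = []
            items.append(cur)
        if cur is not None:
            cur.append((no, line))
    return items


def scalar_text(item, idx):
    """Value of the `run:`/`script:` key at item[idx], including the
    continuation lines of a `|` or `>` block scalar."""
    _, line = item[idx]
    key_indent = len(line) - len(line.lstrip(" -"))
    head = line.split(":", 1)[1].strip()
    parts = [] if head in ("", "|", ">", "|-", ">-", "|+", ">+") else [head]
    for _, nxt in item[idx + 1:]:
        if nxt.strip() and len(nxt) - len(nxt.lstrip(" ")) <= key_indent:
            break
        parts.append(nxt)
    return "\n".join(parts)


def audit_workflow(text):
    """Return findings as a list of {"kind", "line", "detail"} dicts."""
    findings = []
    blocks = top_level_blocks(text)
    on_text = "\n".join(l for _, l in blocks.get("on", []))
    privileged = [t for t in PRIVILEGED_TRIGGERS if re.search(r"\b%s\b" % t, on_text)]
    for item in step_items(blocks.get("jobs", [])):
        is_checkout = any(re.search(r"uses:\s*actions/checkout", l) for _, l in item)
        for idx, (no, line) in enumerate(item):
            ref = re.match(r"^\s*ref:\s*(.*)$", line)
            if is_checkout and privileged and ref and PR_HEAD_REF.search(ref.group(1)):
                findings.append({"kind": "untrusted-checkout", "line": no,
                                 "detail": "%s workflow checks out the PR head: %s"
                                           % (privileged[0], ref.group(1).strip())})
            if re.match(r"^\s*(?:-\s+)?(?:run|script):", line):
                for expr in EXPRESSION.finditer(scalar_text(item, idx)):
                    ctx = UNTRUSTED_CONTEXT.search(expr.group(1))
                    if ctx:
                        findings.append({"kind": "script-injection", "line": no,
                                         "detail": "%s interpolated into a script" % ctx.group(0)})
    return findings


if __name__ == "__main__":
    for f in audit_workflow(VULNERABLE_WORKFLOW):
        print("line %d: %s (%s)" % (f["line"], f["kind"], f["detail"]))
    print("fixed workflow findings:", audit_workflow(FIXED_WORKFLOW))
```

On the vulnerable sample the script reports an untrusted checkout at the `ref:` line and a script injection at the `run:` line; the fixed sample produces no findings because the `env:` indirection keeps the title out of the shell command and the `pull_request` trigger gives forked PRs no secrets. Reporting the exact line is what lets an alert like Scorecards' point a maintainer at the remediation.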

  •

    1Password raises $620 million in latest funding round

    Password manager 1Password said it closed its latest funding round on Wednesday, raising $620 million and boosting its valuation to $6.8 billion.

    The Series C funding round included the participation of ICONIQ Growth, Tiger Global, Lightspeed Venture Partners, Backbone Angels, and Accel, which led the Canadian company’s series A and B rounds. Celebrities like Ryan Reynolds, Scarlett Johansson, Robert Downey Jr., Matthew McConaughey, Chris Evans, Rita Wilson, Ashton Kutcher, Trevor Noah, Justin Timberlake, and Pharrell Williams also participated in the series C round. Executives like Robert Iger and LinkedIn’s Jeff Weiner invested in the company as well.

    “Our mission has always been to ease the tension between security and convenience, and the opportunity to deliver on this has never been bigger for 1Password. We create products and solutions that improve upon and easily layer into a company’s existing security infrastructure, nurturing better habits for employees while strengthening a company’s security posture from within,” said Jeff Shiner, CEO of 1Password. “That way, we can tackle the biggest security threats facing the modern workforce and deliver on the promise of providing a safer life online for families and businesses around the world,” Shiner continued.

    1Password told ZDNet it would use the money to scale the platform and expand its offerings. Over the last year, the company increased its B2B business footprint, adding more than 100,000 companies as customers over the last 24 months. The company has also grown to 570 employees and launched several new products, including a password sharing tool and more.

    Will Griffith, a founding partner at ICONIQ Growth, said more than one hundred CISOs, CIOs, CTOs, developers, and IT leaders were impressed by “1Password’s ability to balance strict security standards with a profound understanding of how humans behave.” “By making safe online behavior second nature, 1Password is not only protecting individuals but also the enterprises where they work.” Griffith said. 


  •

    Bugcrowd reports increase in critical vulnerabilities found in 2021

    A new Bugcrowd report has revealed significant increases in the number of critical vulnerabilities reported in 2021. The company’s 2022 Priority One report covers a variety of security trends over the last year. The report said their platform experienced a 185% increase in the last 12 months for Priority One (P1) submissions with financial services companies. Bugcrowd said P1 submissions involve vulnerabilities that cause a privilege escalation from unprivileged to admin or allow for remote code execution, financial theft, and more. Overall, P1 vulnerabilities increased 186% in 2021. Bugcrowd founder Casey Ellis added that the global shift to remote work prompted organizations to put more assets online. That led to more investment in ethical hackers, and Bugcrowd saw that 24% of all valid submissions for the year involved P1 and P2 threats. P2 threats are vulnerabilities that affect the security of software and impact the processes it supports.

    Ellis noted that nation-state hackers have also become far more brazen and less concerned about stealth, using attacks on known vulnerabilities far more frequently in 2021. “Significantly, we’ve seen a democratization of such threats due to an emerging ransomware economy and a continued blurring of lines between state actors and e-Crime organizations,” Ellis said. “All of which, combined with growing and more lucrative attack surfaces, have made for a highly combustible environment. In 2022, we expect more of the same.”

    Even P3 submissions, which involve vulnerabilities that affect multiple users and require little or no user interaction to trigger, saw year-over-year increases in 2021. Submissions were up 82% overall while payouts for those submissions were up 106%. The software sector saw total payouts increase by 73% as well. Submissions for the government sector were up 1000% in 2021 through Q3 compared to 2020.

    Bugcrowd also found that cross-site scripting was the most commonly identified vulnerability type and that sensitive data exposure moved up to #3 from #9 on the Top 10 list. “There was some change at the top in 2021, where Cross-Site Scripting overtook Broken Access Control as the most commonly identified vulnerability type, reverting to the 2019 top two and reflecting the rapid deployment of home-grown web applications throughout 2020 and 2021,” Bugcrowd explained. “In third place, Sensitive Data Exposure involving Internal Assets leapt six places from ninth last year, brought on by an increased emphasis on scanning as a means of uncovering vulnerabilities. This was a direct consequence of the expansion and increased complexity of attack surfaces during pandemic-induced digital transformation, as well as the speed at which this transformation took place. The changes in the top 10 most commonly identified vulnerability types demonstrates the natural life cycle of vulnerability categories and the “cat and mouse” nature of the interaction between builders and breakers: the Crowd is incentivized to find new, prevalent vulnerability types, those vulnerabilities are eventually addressed by automated tools (causing incentives to fall), and then new vulnerability types emerge that the Crowd is highly incentivized to find.”

  •

    Biden signs cybersecurity memorandum for Defense Department, intelligence agencies

    US President Joe Biden signed a memorandum on Tuesday concerning the cybersecurity of the Defense Department and the country’s intelligence agencies, sketching out exactly how an executive order he signed in May 2021 will be implemented. 


    “This NSM requires that, at minimum, National Security Systems employ the same network cybersecurity measures as those required of federal civilian networks in Executive Order 14028. The NSM builds on the Biden Administration’s work to protect our Nation from sophisticated malicious cyber activity, from both nation-state actors and cybercriminals,” the White House said.

    The memorandum goes into detail about how the executive order applies to national security systems (NSS) and provides timelines for implementing measures such as multifactor authentication, encryption, cloud technologies, and endpoint detection services. Within two months of the memorandum, the head of each executive department or agency that owns or operates an NSS is required to update agency plans concerning cloud technology, and within 180 days, agencies need to implement multifactor authentication and encryption for NSS data-at-rest and data-in-transit. It also forces agencies to “identify their national security systems and report cyber-incidents that occur on them to the National Security Agency.”

    The memorandum gives the National Security Agency broad powers to issue binding directives that force agencies to “take specific actions against known or suspected cybersecurity threats and vulnerabilities.” The White House noted that this directive was modeled after the Department of Homeland Security’s Binding Operational Directive authority for civilian government networks. The NSA and DHS will work together on certain directives and share information about requirements and threats.

    Additionally, the memorandum forces agencies to be aware of and secure cross-domain tools that allow agencies to transfer data between classified and unclassified systems. “Adversaries can seek to leverage these tools to get access to our classified networks, and the NSM directs decisive action to mitigate this threat. The NSM requires agencies to inventory their cross-domain solutions and directs NSA to establish security standards and testing requirements to better protect these critical systems,” the White House said. The memorandum includes a range of other deadlines and orders for agencies working with sensitive information.

    It comes on the heels of multiple warnings released by the Cybersecurity and Infrastructure Security Agency (CISA) about potential threats coming from Russia. CISA sent out a warning about potential Russian attacks on critical infrastructure and, this week, warned businesses working with Ukrainian organizations about potential cybersecurity issues. The country is still recovering from the SolarWinds scandal, which saw Russian hackers invade multiple US agencies and spend months inside the country’s most sensitive information systems. Nine government agencies were hacked, including the Department of State, the Department of Homeland Security, the National Institutes of Health, the Pentagon, the Department of the Treasury, the Department of Commerce, and the Department of Energy.

  •

    Deloitte launches new SaaS cyber threat detection and response platform

    Deloitte has launched a new threat detection and response platform for enterprise clients. 

    On Wednesday, the professional services giant said that the latest solution added to the Deloitte cybersecurity portfolio is called Managed Extended Detection and Response (MXDR), a Software-as-a-Service (SaaS) platform for “flexible, technology-enabled, human-powered security operations.”

    The MXDR SaaS solution aims to provide an “integrated, unified, composable and modular managed detection and response” suite to clients, including threat detection, response, and remediation capabilities. Cloud security workloads, zero trust identity management systems, insider threats, attack surface and vulnerability management, as well as log and analytics management are included in the suite. Security operation centers in the US and in FedRAMP-authorized centers worldwide manage the service 24/7, 365 days a year. According to Deloitte, MXDR was initially operationalized by AWS, CrowdStrike, Exabeam, Google Cloud Chronicle, ServiceNow, Splunk, and Zscaler. More vendors will contribute to MXDR as the product line evolves.

    “As threats become more frequent, sophisticated and impactful, leading organizations are considering creative, divergent approaches that meet attackers where they are, while simultaneously fortifying the defenses around their most important assets. But, the cost and complexity of consolidating, building and maintaining such cybersecurity infrastructure in-house can be high,” commented Curt Aubley, MXDR by Deloitte leader. “We designed Managed Extended Detection and Response by Deloitte to offer our clients access to a broad suite of industry-leading capabilities that align with their current and future cyber needs.”

  •

    Interpol and Nigerian police bust cybercrime BEC ring

    Interpol and the Nigerian Police Force (NPF) arrested 11 people allegedly involved in a “prolific” cybercrime ring known for running Business Email Compromise (BEC) scams that targeted thousands of companies around the world. 

    In a statement, the law enforcement agencies said the NPF and Interpol’s National Central Bureau in Nigeria coordinated to conduct the raids in Lagos and Asaba between December 13 and December 22. Some of those arrested are allegedly members of a cybercrime network called ‘SilverTerrier.’

    After the raids, police found one suspect with a laptop containing more than 800,000 potential victim domain credentials, and in total, the group was connected to BEC criminal schemes targeting more than 50,000 organizations. According to Interpol, one suspect was spying on conversations between 16 different companies and their clients, planning to eventually divert funds when transactions were about to be made. Interpol found other evidence implicating another person in a range of BEC crimes across Gambia, Ghana and Nigeria. More than six countries were involved in the effort, according to Interpol.

    Assistant Inspector General of Police Garba Baba Umar, head of NCB Abuja and Interpol Vice President for Africa, said Interpol’s alerts and technology helped them break up the cybercrime ring. “The outstanding results of Operation Falcon II have served to disrupt this dangerous cyber gang and protect Nigerian citizens from further attack. I encourage fellow African countries to also work with Interpol in ridding our continent of cybercrime to make the cyber world a safer place,” Umar said. Craig Jones, Interpol director of cybercrime, said the investigation into SilverTerrier has helped them build a “very clear picture of how such groups function and corrupt for financial gain.”

    “Thanks to Operation Falcon II, we know where and whom to target next,” Jones said. Palo Alto Networks’ Unit 42 and Group-IB’s APAC Cyber Investigations Team assisted Interpol and the NPF in the investigation, providing detailed examinations of the group’s activities. Palo Alto Networks released a blog post about the investigation with information about some members of SilverTerrier. They noted that global losses from BEC scams grew to $1.8 billion in 2020, according to FBI statistics. “This recent operation was novel in its approach in that it didn’t target the easily identifiable money mules or flashy Instagram influencers who are typically seen benefiting from these schemes. Instead, it focused predominantly on the technical backbone of BEC operations by targeting the actors who possess the skills and knowledge to build and deploy the malware and domain infrastructure used in these schemes,” Palo Alto Networks explained. The company named six of those involved in SilverTerrier, tying each to a range of different BEC scams and to malware used during attacks, such as LokiBot, PredatorPain, ISRStealer, Pony, NanoCore, AzoRult, ISpySoftware, Agent Tesla and Keybase. Many of those identified had thousands of domains registered to their names or aliases, supporting other BEC actors. A number of those involved had been working on BEC scams since 2014 or 2015.