More stories

  • Businesses fear rise of third-party attacks, as ransomware impact grows

    The majority of global businesses believe supply chain attacks can become a major threat within the next three years, with 45% experiencing at least one such attack in the last 12 months. This figure is higher, at 48%, in the Asia-Pacific region, where organisations are also reporting more ransomware attacks and paying out higher ransoms than their global counterparts. Worldwide, 84% of enterprises expressed concerns that third-party attacks could become a major cyber threat over the next three years, according to a report commissioned by CrowdStrike. However, just 36% had vetted all their software suppliers for security purposes in the past year, including 40% in Asia-Pacific.

    Conducted by market researcher Vanson Bourne, the study surveyed 2,200 senior IT security executives and decision makers across 12 global markets between September and November this year. These included four in Asia-Pacific, where 300 respondents were from India, 200 each from Japan and Australia, and 100 from Singapore.

    At 87%, more in Asia-Pacific than the global average expressed concerns that supply chain attacks were becoming a major cyber threat, the study revealed. Amongst the 48% in the region that reported at least one such attack in the past year, 36% were from Singapore, where 57% could not ascertain that they had vetted all their software suppliers for security purposes.

    Some 69% in Asia-Pacific also encountered at least one ransomware attack in the past 12 months, higher than the global average of 66%. This figure was 64% in Singapore.

    APAC clocks highest ransom payout

    Asia-Pacific also clocked the highest average ransomware payment of $2.35 million per attack, compared to $1.55 million in the US and $1.34 million in EMEA. The global average ransomware payout climbed 63% this year to $1.79 million, up from $1.1 million last year, according to the report, which noted that attackers demanded an average $6 million in ransom payment.

    Worldwide, 96% of respondents that paid the initial ransom had to pay additional extortion fees of $792,493 on average. The report noted that 57% of companies that suffered a ransomware attack acknowledged they did not have a defence strategy in place to coordinate a response. This figure was 53% in Asia-Pacific.

    Singapore respondents that chose to fork out a ransom demand paid the lowest average at $1.46 million in the region, compared to India at $2.92 million, Japan at $2.25 million, and Australia at $1.53 million. Some 93% of Singapore organisations that paid a ransom forked out additional extortion fees averaging $619,231 per attack, which again was the lowest in the region: their Indian counterparts paid an average of about $1.15 million in additional extortion fees per attack, while those in Japan paid $950,000, and Australia clocked at $785,345 per attack.

    Singapore took 119 hours to detect a cybersecurity incident, quicker than the average 205 hours in Asia-Pacific, but required a longer 15 hours to investigate and triage, compared to the regional average of 14 hours. Organisations in Singapore also took an average 30 hours to contain and remediate security incidents, almost double the Asia-Pacific average of 19 hours. Some 60% in the city-state cited remote work as the source of an intrusion, while 75% in Asia-Pacific and 69% worldwide said likewise.

    Globally, organisations took an average 146 hours to detect a cybersecurity incident, up from 117 hours last year, and needed 11 hours to triage and understand an incident. They required 16 hours on average to contain and remediate a security incident. Amidst the rise in frequency of security incidents, the report noted that 63% were “losing trust” in legacy software vendors, including previously trusted providers such as Microsoft. In Asia-Pacific, this figure clocked at 66%.

    CrowdStrike CTO Michael Sentonas said: “Adversaries continue to exploit organisations around the world and circumvent outdated technologies. Today’s threat environment is costing businesses around the world millions of dollars and causing additional fallout. The evolving remote workplace is surely accentuating challenges for businesses as legacy software like Microsoft struggles to keep up in today’s accelerated digital world.”

    “This presents a clear clarion call that businesses need to change the way they operate and evaluate more stringently the suppliers they work with,” Sentonas said.

  • Hackers using concern about Omicron strain of COVID-19 to attack US universities

    Researchers with cybersecurity firm Proofpoint have discovered a new phishing attack leveraging concern about the spread of the Omicron strain of COVID-19 to steal credentials and gain access to accounts at several prominent universities in the US. The emails — part of an attack that Proofpoint researchers said began in October but increased in November — generally contain information about COVID-19 testing and the new Omicron variant.

    Cybercriminals and threat actors have used concern about COVID-19 as a phishing lure since the pandemic began to make headlines in January and February of 2020. But with this specific attack, cybercriminals are spoofing the login portals of schools like Vanderbilt University, the University of Central Missouri and more. Some mimic generic Office 365 login portals while others use legitimate-looking university pages.

    “It is likely this activity will increase in the next two months as colleges and universities provide and require testing for students, faculty, and other workers traveling to and from campus during and after the holiday season, and as the Omicron variant emerges more widely,” the Proofpoint researchers wrote. “We expect more threat actors will adopt COVID-19 themes given the introduction of the Omicron variant. This assessment is based on previously published research that identified COVID-19 themes making a resurgence in email campaigns following the emergence of the Delta variant in August 2021.”

    In some cases, Proofpoint found that the emails actually redirected potential victims to the real websites of their university after their credentials were stolen. The emails typically come with subject lines like “Attention Required – Information Regarding COVID-19 Omicron Variant – November 29.” Others are tagged with “COVID test.”

    (Image: a screenshot of one of the spoofed pages. Credit: Proofpoint)

    Thousands of messages have been sent using Omicron as a lure, and the emails typically have malicious files attached or come with URLs that steal credentials for university accounts. In some cases, Proofpoint found that attacks using attachments “leveraged legitimate but compromised WordPress websites to host credential capture webpages.”

    “In some campaigns, threat actors attempted to steal multifactor authentication (MFA) credentials, spoofing MFA providers such as Duo. Stealing MFA tokens enables the attacker to bypass the second layer of security designed to keep out threat actors who already know a victim’s username and password,” the researchers explained. “While many messages are sent via spoofed senders, Proofpoint has observed threat actors leveraging legitimate, compromised university accounts to send COVID-19 themed threats. It is likely the threat actors are stealing credentials from universities and using compromised mailboxes to send the same threats to other universities. Proofpoint does not attribute this activity to a known actor or threat group, and the ultimate objective of the threat actors is currently unknown.”

    Hank Schless, a senior manager at Lookout, told ZDNet that at the start of the pandemic in 2020, there was a ton of malicious phishing activity centered around the virus that tempted people with promises of increased government aid, information about shutdowns, and even self-testing apps. From Q4 2019 into Q1 2020, Schless said his company saw an 87% increase in enterprise mobile phishing. By early 2021, Schless noted that attackers changed their tune to deliver the same attacks with the promise of information around vaccines and reopenings.

    “Between Q4 of 2020 and Q1 of 2021, exposure to phishing increased 127% and remained at the same level through Q2 and Q3. Now, with questions around the Delta and Omicron variants, attackers are again using this as a way to convince potential victims to trust their communication and unknowingly share login credentials or download malware. Academic institutions make for ripe targets in the eyes of cybercriminals,” Schless said. “Large institutions may be conducting cutting-edge research or have massive endowments — both types of data that an attacker would want to steal or encrypt for a ransomware attack. Phishing campaigns know no industry, organization, or device type. They’re designed to be agile attacks that can be tweaked to target any individual.”

    He explained that while the end goal of the attackers discovered by Proofpoint is still unknown, a set of legitimate login credentials can be the most valuable asset to an attacker trying to infiltrate an organization’s infrastructure. By entering under the guise of a legitimate user, the attacker has a greater chance of accessing sensitive data without tripping any alarms, Schless added, noting that these campaigns are often the starting point for more advanced cyber attacks.

  • AWS launches its second Top Secret region

    Amazon Web Services on Tuesday announced the launch of its second Top Secret region, AWS Top Secret-West. The new region is accredited to operate workloads at the Top Secret US security classification level, meeting the needs of customers in the defense, intelligence, and national security sectors. Amazon opened its first Top Secret region, AWS Top Secret-East, back in 2014, making it the first air-gapped commercial cloud accredited to support classified workloads. The two Top Secret regions are more than 1,000 miles apart, giving customers options to store data closer to users for latency-sensitive workloads. Each region consists of multiple Availability Zones to ensure resiliency. The Top Secret region is accredited for security compliance under the Director of National Intelligence (DNI) Intelligence Community Directive (ICD 503) and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 4.

    AWS already has an established relationship with the defense industry, but it hasn’t been without controversy. In 2019, the US Defense Department awarded a 10-year, $10 billion Joint Enterprise Defense Infrastructure (JEDI) contract to Microsoft, and AWS almost immediately filed a lawsuit challenging the contract. AWS claimed that then-President Donald Trump’s vendetta against Amazon and then-CEO Jeff Bezos was a key factor in Microsoft’s win. Last month, the DoD asked AWS, Microsoft, Google and Oracle to submit bids for a new, multi-billion-dollar cloud contract. While it’s asking for four bids, the federal government said it anticipates awarding just two contracts — one to AWS and one to Microsoft.

  • Canadian indicted for launching ransomware attacks on orgs in US, Canada

    The FBI and Justice Department unsealed indictments today leveling a number of charges against 31-year-old Canadian Matthew Philbert for his alleged involvement in several ransomware attacks. Officials from the Ontario Provincial Police held a press conference on Tuesday to announce the charges and Philbert’s arrest in Ottawa.  

    In a statement, US Attorney Bryan Wilson of the District of Alaska said Philbert “conspired with others known and unknown to the United States to damage computers, and in the course of that conspiracy did damage a computer belonging to the State of Alaska in April 2018.” Wilson and Canadian officials noted that they received help in the case from Dutch authorities and Europol. Canadian officials also announced charges against Philbert, noting that he had been arrested on November 30. The officials did not say which ransomware group Philbert was part of or what attacks he was responsible for. “Cyber criminals are opportunistic and will target any business or individual they identify as vulnerable,” said Ontario Provincial Police deputy commissioner Chuck Cox. Among the charges Philbert is facing are one count of conspiracy to commit fraud and another count of fraud and related activity in connection with computers.

    During the press conference, Cox said the FBI contacted officials in Ontario about Philbert’s activities, which included ransomware attacks on businesses, government agencies, and private citizens.

    As Philbert was being arrested, police said they were able to seize several laptops, hard drives, blank cards with magnetic stripes, and a Bitcoin seed phrase. In January, police in Florida arrested another Canadian citizen in connection with several attacks by the Netwalker ransomware group. The DOJ claimed Sebastien Vachon-Desjardins managed to make about $27.6 million through several ransomware attacks on Canadian organizations like the Northwest Territories Power Corporation, the College of Nurses of Ontario, and a Canadian tire store in B.C.

    Emsisoft threat analyst Brett Callow, a ransomware expert based in Canada, told ZDNet that most people assume that ransomware attacks originate from Russia or the Commonwealth of Independent States. While the ransomware may be “made” in those countries, Callow noted that the individuals who use it to carry out attacks can be based anywhere. “In fact, there’s so much money to be made from ransomware, it would be extremely surprising if individuals in countries like Canada, America, and the UK hadn’t entered the market. Those individuals may, however, be sleeping a little less well at night than they used to. In the past, there was a near-zero chance of them being prosecuted for their crimes, but that’s finally starting to change,” Callow said.

  • First certified 'secured-core' Windows Servers and Azure Stack HCI servers are now available

    Earlier this year, Microsoft announced plans for secured-core servers, the server complements to secured-core PCs. Today, December 7, the first servers that have passed the “Secured-core” standards bar are available to customers. Customers interested in the new secured-core servers can find listings for them in the Windows Server and Azure Stack HCI catalogs. HPE’s Gen 10 Plus (v2) products for Azure Stack HCI 21H2 get the secured-core designation. Dell, HPE, Lenovo, AMD and NEC have a variety of server products running Windows Server 2016, 2019 and/or 2022 that get the secured-core checkmark.

    Secured-core servers use the Trusted Platform Module (TPM) 2.0 and secure boot to make sure only trusted components load in the boot path. Secured-core servers, as the name implies, are designed to help protect against threats that commonly target servers, such as ransomware and exploits around cryptocurrency mining. Secured-core servers protect server infrastructure with a hardware root of trust, defend sensitive workloads against firmware-level attacks, and prevent access to and execution of unverified code on systems, Microsoft officials said.

  • SentinelOne brings in $56 million for Q3, reports more than 6,000 customers

    SentinelOne on Tuesday published its third quarter financial results, beating market estimates thanks to solid growth in customers with an annualized recurring revenue (ARR) over $100,000. The autonomous cybersecurity company’s total Q3 revenue was $56 million, a 128% increase over a year prior. Non-GAAP net loss per share came to 15 cents. ARR for Q3 was $237 million, a 131% year-over-year increase. Analysts were expecting a loss per share of 18 cents on revenue of $49.58 million. Shares fell in after-hours trading by more than 10%.

    The company did not provide specific numbers of total customers, but it said it grew more than 75% year-over-year to over 6,000 customers. Customers with ARR over $100,000 grew 140% year-over-year to 416.

    For the fourth quarter, the company expects total revenue in the range of $60 million to $61 million. For the full fiscal year, the company expects $199 million to $200 million.

    “Our business is performing extremely well. Q3 marks the third consecutive quarter of triple digit ARR growth,” said Tomer Weingarten, CEO of SentinelOne. “We continued to make progress across all aspects of our growth strategy outlined during the IPO.”

  • Google announces lawsuit and action against blockchain botnet Glupteba

    Google announced this morning that it disrupted the command and control infrastructure of Russia-based Glupteba, a blockchain-backed botnet being used to target Windows machines. Google vice president of security Royal Hansen and general counsel Halimah DeLaine Prado wrote in a blog post on Tuesday that the company’s Threat Analysis Group has been tracking Glupteba for months and decided to take technical actions against the group as well as legal ones. Google filed a lawsuit against the blockchain-enabled botnet — litigation they called the first of its kind — hoping to “create legal liability for the botnet operators, and help deter future activity.”

    “After a thorough investigation, we determined that the Glupteba botnet currently involves approximately one million compromised Windows devices worldwide, and at times, grows at a rate of thousands of new devices per day,” the two wrote. “Glupteba is notorious for stealing users’ credentials and data, mining cryptocurrencies on infected hosts, and setting up proxies to funnel other people’s internet traffic through infected machines and routers.”

    Google noted that while they were able to disrupt key Glupteba command and control infrastructure, the actions may prove to be temporary considering the group’s “sophisticated architecture and the recent actions that its organizers have taken to maintain the botnet, scale its operations, and conduct widespread criminal activity.” They believe the legal action will help make it harder for the group to take advantage of other devices. The lawsuit names Dmitry Starovikov and Alexander Filippov but notes that other unknown actors are involved.

    The lawsuit was filed in the Southern District of New York and the two are being sued for computer fraud and abuse, trademark infringement, and more. Google also filed for a temporary restraining order, an attempt to “create real legal liability for the operators.”

    But Google was also honest about the fact that the group’s use of blockchain technology made the botnet resilient. They also noted that more cybercrime organizations are taking advantage of blockchain technology, which allows botnets to recover more quickly because of their decentralized nature. Shane Huntley and Luca Nagy, members of Google’s Threat Analysis Group, explained in a blog post that Glupteba is known to steal user credentials and cookies, mine cryptocurrencies on infected hosts, and deploy and operate proxy components targeting Windows systems and IoT devices.

    “TAG has observed the botnet targeting victims worldwide, including the US, India, Brazil, Vietnam, and Southeast Asia. The Glupteba malware family is primarily distributed through pay per install (PPI) networks and via traffic purchased from traffic distribution systems (TDS),” the two wrote. “For a period of time, we observed thousands of instances of malicious Glupteba downloads per day. The following image shows a webpage mimicking a software crack download which delivers a variant of Glupteba to users instead of the promised software.”

    The team and others at Google terminated around 63 million Google Docs observed to have distributed Glupteba, 1,183 Google Accounts, 908 Cloud Projects, and 870 Google Ads accounts associated with Glupteba distribution. About 3.5 million users were warned before downloading a malicious file through Google Safe Browsing warnings, according to Huntley and Nagy. They noted that they also worked with CloudFlare on the disruption efforts. As part of their investigation, Google used Chainalysis products and investigative services to investigate the botnet.

    Erin Plante, Chainalysis senior director of investigative services, told ZDNet that the botnet has two main cryptocurrency nexuses: cryptojacking and a previously unknown tactic used to evade shutdown. Plante explained that Glupteba’s operators used the machines they compromised for several criminal schemes, including utilizing their computing power to mine cryptocurrency. According to Plante, Glupteba also used the Bitcoin blockchain to encode updated command-and-control (C2) servers into the OP_RETURN fields of Bitcoin transactions, meaning that whenever one of Glupteba’s C2 servers was shut down, it could simply scan the blockchain to find the new C2 server domain address, which was hidden amongst the hundreds of thousands of daily Bitcoin transactions worldwide.

    Most cybersecurity takedown techniques involve disabling C2 server domains, making this Glupteba botnet tactic particularly difficult to contend with. Plante said this was the first known case of a botnet using this approach. She added that the investigation revealed cryptocurrency transactions originating in Federation Tower East, a luxury office building in Moscow where many cryptocurrency businesses known to launder criminal funds are headquartered.

    “Glupteba’s blockchain-based method of avoiding the shutdown of its botnet represents a never-before-seen threat vector for cryptocurrencies. In the private sector, cryptocurrency businesses and financial institutions have thus far typically been the ones tackling cases involved in blockchain analysis, usually from an AML/CFT compliance perspective,” Plante said. “But this case shows that cybersecurity teams at virtually any company that could be a target for cybercriminals must understand cryptocurrency and blockchain analysis in order to stay ahead of cybercriminals.”

  • Israeli govt pledges greater oversight of cyber-exports after NSO tools hacked US officials

    The Israeli government’s Defense Exports Control Agency sent out a notice late on Monday indicating it would be enforcing stricter rules governing the export of offensive cyber tools. The announcement came days after multiple outlets revealed that tools from Israeli cyber firm NSO Group were used to hack into the phones of at least 11 US State Department officials based in Uganda.

    The Jerusalem Post reported on Monday that the agency published a revised version of its “Final Customer Declaration”, which countries will have to sign before they can get access to powerful spyware technology like the NSO Group’s Pegasus. The declaration says countries will not use the tools to attack government critics or “political speech” and will only use it to prevent terrorism and “serious crimes.” Any country that ignores the declaration will lose access to cyber-tools, according to the document. The new rules came just days after Reuters, The Wall Street Journal, and The Washington Post reported that 11 workers at the US Embassy in Uganda had their phones hacked using Pegasus, which can be delivered to Apple phones through a text message that doesn’t even need to be opened. Apple has sued NSO Group for creating the tool and said it has already been used to hack into the devices of US citizens, despite claims from the company that it is only used for counter-terrorism efforts. Apple has since patched the vulnerability exploited by Pegasus and now notifies people when they are being targeted. The US government sanctioned NSO Group in November after months of reports showing how the technology was being used widely by dictatorships to hack into the devices of opponents, human rights activists, other world leaders and more. NSO Group continues to face a barrage of bad headlines over how its Pegasus spyware has been used around the world. Last month, a bombshell report from the University of Toronto’s Citizen Lab and the Associated Press said that even the Israeli government’s own spy agency used the tool to hack the phones of six Palestinian human rights activists. 

    That report followed another about the ruler of the UAE using Pegasus to spy on his ex-wife and her British lawyers. In July, the “Pegasus Project” used information from Amnesty International, the University of Toronto’s Citizen Lab, and Forbidden Stories to uncover that the NSO Group’s spyware was used to target at least 65 business executives, 85 human rights activists, 189 journalists, and at least 600 politicians. Targeted government officials included French President Emmanuel Macron, South African President Cyril Ramaphosa, and Iraqi President Barham Salih. Cabinet ministers from dozens of countries, including Egypt and Pakistan, were also targeted. Last month, on the heels of the sanctions announcement, several US Congress members demanded the State Department further investigate how Pegasus and other spyware is being used to abuse human rights around the world.

    John Scott-Railton, senior researcher at Citizen Lab, told ZDNet that the latest news about Pegasus being used against US officials was years in the making. “NSO knew exactly what it was doing by selling this hacking tool and has known for years that Pegasus is used against diplomats. They are a blinking national security threat for the United States and a threat to human rights. That’s what earned them the blocklist designation by Congress,” Scott-Railton said.

    Scott-Railton was skeptical of the new rules handed down by the Israeli government’s Defense Exports Control Agency, questioning what good a signed declaration would do for dictators or repressive governments that have significant power within their borders. “I’m puzzled. You are asking a rogues’ gallery of dictators to promise they won’t behave badly? This sounds like a distraction, not an effective regulation. In fact, NSO has apparently made its customers certify that they wouldn’t abuse the tech for years. We’ve seen just how badly that fared,” he added, noting the wider difficulties countries will face now that the spyware industry has become so lucrative.

    “The problem with mercenary spyware is that it is arriving in the hands of security services long before there is effective oversight and accountability. Predictably, companies like NSO are driving the rapid proliferation of this tech, and the harms can be found wherever you look,” Scott-Railton added. “Democracies should decide what kind of technological powers they want to vest in their police services. Citizens of dictatorships don’t have the luxury of a say, and selling spyware to these regimes will help them stay undemocratic.”