More stories

  • AWS goes down and with it goes a host of websites and services

    December 7th, 2021 won’t be a day that will live in infamy, but it is a day that will annoy many Amazon Web Services (AWS) users. And it will also vex many more people who didn’t realize until today that Disney+, Venmo, and Robinhood all rely on AWS. No AWS, no Star Wars: The Bad Batch.

    The problem? According to the AWS Service Health Dashboard: “We are seeing an impact on multiple AWS APIs in the US-EAST-1 Region. This issue is also affecting some of our monitoring and incident response tooling, which is delaying our ability to provide updates. We have identified the root cause and are actively working towards recovery.”

    So, we should be back to business as usual soon. The problem first manifested at about 10:45 AM Eastern Time. It got its start in the major US East 1 AWS region hosted in Virginia. It may have been sparked there, but the problems showed up across AWS. Internet administrators reported problems, globally, with AWS Identity and Access Management (IAM), the web service that controls access to AWS resources. Adding insult to injury, AWS customer service was down. So, even if your service or site wasn’t in US East 1, you could still feel the problem’s effects.

    Fortunately, according to DownDetector results, AWS seems to have a handle on the problem. In a few hours, all should be back to normal.

  • Rust takes a major step forward as Linux's second official language

    It wasn’t that long ago that the very idea of another language besides C being used in the Linux kernel would have been laughed at. Things have changed. Today, Rust, the high-level systems language, is not only moving closer to Linux; it’s closer than ever with the next “patch series to add support for Rust as a second language to the Linux kernel.”

    The biggest change in this new patch series is that the Rust code proposed for the kernel now relies on the stable Rust compiler rather than the beta compilers. Going forward, Rust on Linux will migrate every time a new stable Rust compiler is released. Currently, it’s using Rust 1.57.0.

    As Linux kernel developer and Rust on Linux lead Miguel Ojeda put it, “By upgrading the compiler, we have been able to take off the list a few unstable features we were using.” This, in turn, means Rust on Linux will be more stable. Looking ahead, Ojeda wrote, “We will keep upgrading until we do not rely on any unstable features; at which point we may want to start declaring a minimum Rust version is supported like it is done, e.g. GCC and Clang.”

    Senior Linux kernel developer Greg Kroah-Hartman had told me he believes “drivers are probably the first place for” Rust to appear in Linux since “they are the ‘end leaves’ of the tree of dependencies in the kernel source. They depend on core kernel functionality, but nothing depends on them.”

    This has been coming for several years now. At the virtual 2020 Linux Plumbers Conference, where the top Linux kernel developers hash out Linux’s future, the idea of introducing Rust as the kernel’s second language was first raised. Linus Torvalds is sure Linux won’t end up being written in Rust. But then, that’s not the goal. No one’s going to rewrite the kernel’s 25 million lines of C in Rust.

    Josh Triplett, Rust language lead, and Nick Desaulniers, a Google engineer, led the proposal to use the system-level Rust language inside the kernel. Why? Because it’s much safer than C, especially at handling memory errors. As Ryan Levick, a Microsoft principal cloud developer advocate, explained, “Rust is completely memory safe.” Since roughly two-thirds of security issues can be traced back to handling memory badly, this is a major improvement. In addition, “Rust prevents those issues usually without adding any runtime overhead,” Levick said.

    Torvalds sees the advantages. While he’s encouraging a slow but steady approach to introducing Rust into Linux, he has also said that using Rust interfaces for drivers and other non-core kernel programs makes sense: “I’m convinced it’s going to happen. It might not be Rust, but it is going to happen that we will have different models for writing these kinds of things, and C won’t be the only one.”

    So, as Ojeda told ZDNet this summer, “The project is not finished, but we are ready to get mainlined if high-level maintainers accept the current changes and prefer that we work inside the kernel. Most of the work is still ahead of us.” Still, the work is well underway now. I expect to see the first Rust code in the Linux kernel sometime in 2022.

  • Bosses are reluctant to spend money on cybersecurity. Then they get hacked

    Many businesses still aren’t willing to spend money on cybersecurity because they view it as an additional cost – and then find they have to spend much more cash recovering from a cyber incident after they get hacked.

    Cyberattacks like ransomware, business email compromise (BEC) scams and data breaches are some of the key issues businesses are facing today, but despite the number of high-profile incidents and their expensive fallout, many boardrooms are still reluctant to free up budget to invest in the cybersecurity measures necessary to avoid becoming the next victim.

    The cost of falling victim to a major cyber incident like a ransomware attack can be many times more than the cost of investing in the people and procedures that can stop incidents in the first place – something many organisations only fully realise after it’s too late.

    “Organisations don’t like spending money on preventative stuff. They don’t want to overspend, so a lot of organisations will sort of be penny-wise and pound-foolish kind of places where they wait for the event to happen, and then they have the big expense of cleaning it up,” Chris Wysopal, co-founder and CTO of cybersecurity company Veracode, told ZDNet Security Update.

    It’s then that they realise that they could have spent less if they had prevented the attack, he said: “A lot of organisations are going through that right now”.

    For example, an organisation might end up paying millions of dollars to ransomware criminals for the decryption key for an encrypted network – then there are the additional costs associated with investigating, remediating and restoring the IT infrastructure of the whole business after the incident.

    “Just the ransoms that organisations are paying, if they don’t have cyber insurance, could certainly pay for a lot of cybersecurity professionals. And cyber-insurance rates are going up, so it’s getting more expensive across the board for organisations because of the threat,” said Wysopal.

    Even for organisations that do have a fully fledged cybersecurity strategy, training, hiring and retaining staff can still pose a challenge because of the high demand for employees with the required skills. The supply and demand issue isn’t going to be solved overnight and, while Wysopal believes long-term investment in cybersecurity is vital, there are additional measures that can be taken to help get more people with cybersecurity skills into the workforce to help protect organisations from attacks.

    “One thing I would like to see is cybersecurity become part of every IT or computer science student’s training, so that they had some understanding of cybersecurity as a professional, whether it’s building and managing systems in an IT environment or building software,” he explained.

    If IT or development staff have at least some understanding of cybersecurity, that can help organisations, particularly smaller ones that might not have a big budget. “I’m really pushing for that to be part of the curriculum and I’ve been working with a few colleges to make that part of the computer science curriculum,” Wysopal said.

  • Hackers pretending to be Iranian govt use SMS messages to steal credit card info, create botnet

    Security company Check Point Research has uncovered a hacking campaign in which cyberattackers impersonate Iranian government bodies to infect the mobile devices of Iranian citizens through SMS messages. The SMS messages urge victims to download Android applications related to official Iranian services, such as the Iranian Electronic Judicial Services. The first messages typically claim that a complaint has been filed against the victim and that an application needs to be downloaded in order to respond.

    Once downloaded, the applications give the hackers access to the victim’s personal messages. Victims are asked to enter credit card information in order to cover a service fee, handing the attackers card details they can then use. With access to a victim’s personal messages, the attackers can also get past two-factor authentication. Check Point Research said the campaign is ongoing and is being used to infect tens of thousands of devices. In addition to the Check Point report, Iranian citizens have taken to social media to complain about the scams. Some Iranian news outlets are also covering the issue.

    “The threat actors then proceed to make unauthorized money withdrawals and turn each infected device into a bot, spreading the malware to others. CPR attributes attacks to threat actors, likely in Iran, who are financially motivated,” the cybersecurity company explained. “CPR estimates tens of thousands of Android devices have fallen victim, leading to theft of billions of Iranian Rial. Threat actors are using Telegram channels to transact malicious tools involved for as low as $50. CPR’s investigation reveals that data stolen from victims’ devices has not been protected, making it freely accessible to third parties online.”

    Check Point’s Shmuel Cohen said in one campaign, more than 1,000 people downloaded the malicious application in less than 10 days. Even if they did not enter credit card information, their device became part of the botnet.

    Alexandra Gofman, threat intelligence team leader at Check Point, told ZDNet that the attacks appear to be a form of cybercrime and are not attributed to any state-backed actors. The velocity and spread of these cyberattacks are unprecedented, Gofman said, adding that it is an example of a monetarily successful campaign aimed at the general public.

    “The campaign exploits social engineering and causes major financial loss to its victims, despite the low quality and technical simplicity of its tools. There are a few reasons for its success. First, when official-looking government messages are involved, everyday citizens are inclined to investigate further, clicking the provided link,” Gofman said. “Second, due to the botnet nature of these attacks, where each infected device gets the command to distribute additional phishing SMS messages, these campaigns spread quickly to a large number of potential victims. Although these specific campaigns are widespread in Iran, they can take place in any other part of the world. I think it’s important to raise awareness of social engineering schemes that are employed by malicious actors.”

    Check Point explained that the cybercriminals behind the attack are using a technique known as “smishing botnets.” Devices that have already been compromised are used to send SMS messages to other devices. The people behind the technique now offer it to others on Telegram for up to $150, providing anyone with the infrastructure to launch similar attacks easily. Even though Iranian police were able to arrest one of the culprits, there are dozens of different cybercriminals in Iran using the tool now. The company estimates that about $1,000 to $2,000 has been stolen from most victims. The attackers are also offering the stolen personal information to others online. Gofman added that the general population of Iran is now in a situation where cyberattacks significantly impact day-to-day lives.

    These attacks began with railways, Gofman said, noting that the company traced that attack to a group called Indra. “The attacks continued with gas stations, and then the national aviation company. Now, we’re seeing yet another cyberattack that shows how even pure cybercrime can make headlines and chaos, hurting many in Iran,” Gofman said. “Although we do not see a direct connection between these latest cyberattacks and the major aforementioned attacks, our latest insights show how even unsophisticated cyber attacks create significant damage on Iran’s general population.”

  • Microsoft seizes domains used to attack 29 governments across Latin America, Caribbean, Europe

    Microsoft has announced the seizure of dozens of domains used in attacks by the China-based APT group Nickel on governments and NGOs across Europe, the Americas and the Caribbean. In two blog posts published on Monday, Microsoft vice president Tom Burt, the Microsoft Digital Crimes Unit and the Microsoft Threat Intelligence Center said they have been tracking Nickel since 2016 and that a federal court in Virginia granted the company’s request to seize websites the group was using to attack organizations in the US and other countries.

    Burt explained that on December 2, the company filed lawsuits in the US District Court for the Eastern District of Virginia that would allow them to “cut off Nickel’s access to its victims and prevent the websites from being used to execute attacks.”

    “We believe these attacks were largely being used for intelligence gathering from government agencies, think tanks and human rights organizations,” Burt said. “The court quickly granted an order that was unsealed today following completion of service on the hosting providers. Obtaining control of the malicious websites and redirecting traffic from those sites to Microsoft’s secure servers will help us protect existing and future victims while learning more about Nickel’s activities. Our disruption will not prevent Nickel from continuing other hacking activities, but we do believe we have removed a key piece of the infrastructure the group has been relying on for this latest wave of attacks.”

    The attacks — which involved inserting hard-to-detect malware that enabled intrusions, surveillance and data theft — targeted organizations in Argentina, Barbados, Bosnia and Herzegovina, Brazil, Bulgaria, Chile, Colombia, Croatia, Czech Republic, Dominican Republic, Ecuador, El Salvador, France, Guatemala, Honduras, Hungary, Italy, Jamaica, Mali, Mexico, Montenegro, Panama, Peru, Portugal, Switzerland, Trinidad and Tobago, the UK, US and Venezuela.

    The Microsoft Threat Intelligence Center found that in some cases Nickel was able to compromise VPN suppliers or obtain stolen credentials, while in other instances they took advantage of unpatched Exchange Server and SharePoint systems.

    The company noted that no new vulnerabilities in Microsoft products were used as part of the attacks. But once attackers were inside a network, they looked for ways to gain access to higher-value accounts or other footholds in the system. Microsoft said they saw Nickel actors using Mimikatz, WDigest, NTDSDump and other password dumping tools during attacks.

    “There is often a correlation between Nickel’s targets and China’s geopolitical interests. Others in the security community who have researched this group of actors refer to the group by other names, including ‘KE3CHANG,’ ‘APT15,’ ‘Vixen Panda,’ ‘Royal APT’ and ‘Playful Dragon,’” Burt explained. “Nation-state attacks continue to proliferate in number and sophistication. Our goal in this case, as in our previous disruptions that targeted Barium, operating from China, Strontium, operating from Russia, Phosphorus, operating from Iran, and Thallium, operating from North Korea, is to take down malicious infrastructure, better understand actor tactics, protect our customers and inform the broader debate on acceptable norms in cyberspace.”

    Burt added that so far, Microsoft has filed 24 lawsuits that allowed them to take down more than 10,000 malicious websites from cybercriminals and almost 600 from nation-state groups.

    Jake Williams, CTO of BreachQuest, noted that the techniques used by Nickel after initial access are fairly pedestrian, while many of the other tools are readily available and widely used by penetration testers. “While NICKEL certainly has access to tools that are far more capable, they turn back to these commonplace tools because they work,” Williams said. “That these readily available tools can operate at all speaks to the level of security in target networks.”

  • Losses from BitMart breach reach $200 million

    Crypto trading platform BitMart released an update on the devastating security breach that caused about $200 million in losses, writing on Monday that the breach was “mainly caused by a stolen private key that had two of our hot wallets compromised.”

    On Saturday, the platform said a security breach allowed hackers to withdraw $150 million worth of cryptocurrency. Blockchain security company PeckShield said the losses were actually around $196 million, with about $100 million in various cryptocurrencies coming from the Ethereum blockchain and $96 million coming from currencies on the Binance Smart Chain. BitMart suspended withdrawals on December 4 after securing the affected Ethereum and Binance Smart Chain hot wallets.

    “Other assets with BitMart are safe and unharmed. BitMart will use our own funding to cover the incident and compensate affected users. We are also talking to multiple project teams to confirm the most reasonable solutions such as token swaps,” the company said on Monday. “No user assets will be harmed. We are now doing our best to retrieve security set-ups and our operation. We need time to make proper arrangements and your kind understanding during this period will be highly appreciated. In terms of asset deposit and withdrawals, we are confident that deposit and withdrawal functions will gradually begin on December 7, 2021.”

    BitMart CEO Sheldon Xia will hold a press conference on Monday night to discuss the breach and how those affected will be compensated. CNBC reported that the hackers behind the attack used 1inch and Tornado Cash to exchange the stolen coins for other cryptocurrencies and make them more difficult to track.

    Hackers have repeatedly attacked cryptocurrency and DeFi platforms over the last year. Just last week, cybercriminals stole about $120 million from DeFi platform Badger. 

    Paul Bischoff, privacy advocate with Comparitech, told ZDNet that the BitMart hack is the sixth-largest cryptocurrency heist of all time by amount of funds lost and the second big crypto heist this month to make the top 10. Several headline-grabbing hacks have taken place this year, including thefts of more than $600 million from Poly in August and $34 million from Cream Finance in September.

    Comparitech keeps a running list of attacks on cryptocurrency platforms and DeFi companies, which includes the 2018 hack on Coincheck that involved $532 million and the Mt. Gox attack involving $470 million. In May, about $200 million was stolen from the PancakeBunny platform.

    “Although blockchains are reasonably secure and reliable, the same isn’t always true for the exchanges where people buy, sell, and trade crypto. Exchanges, even though they function like banks, are not insured (e.g. by the FDIC). If the exchange loses assets that belong to its customers via an external hack or inside job, customers might have no recourse to recover their funds,” Bischoff said. “It’s difficult for customers to know which exchanges have sufficient security and make an informed choice. An exchange that operates 10 years without a security incident can still be crippled and put out of business by a single large-scale heist.”

    The Record also keeps a tally of cyberattacks on cryptocurrency platforms, noting recent attacks on Liquid, Cream Finance, EasyFi, bZx and many other platforms.

  • Security experts question new DHS/TSA cybersecurity rules for rail companies

    On Thursday, the Department of Homeland Security (DHS) released new rules for the US’s freight railroad and passenger rail transit industry. The rules make it mandatory for companies to have a cybersecurity coordinator, report cybersecurity incidents to CISA, complete a cybersecurity self-assessment and create a cyber-incident response plan.


    DHS officials repeatedly said the new rules were made after consultation with industry experts and meetings with rail companies. They added that the rules were pushed by the Transportation Security Administration (TSA) after CISA informed them of legitimate threats facing the rail industry.

    The government agency has faced backlash this year from companies in a variety of industries — as well as senior Republican lawmakers — for cybersecurity rules that some have called onerous and unnecessary. In October, Senators Roger Wicker, John Thune, Cynthia Lummis, Todd Young, Deb Fischer — all Republican leaders on the Committee on Commerce, Science and Transportation — slammed DHS’ use of emergency authority to push new rules for US railroad and airport systems, questioning whether they were “appropriate absent an immediate threat.”

    The Republican lawmakers said the “prescriptive requirements” rolled out by TSA “may be out of step with current practices” and may “limit affected industries’ ability to respond to evolving threats, thereby lessening security.” They also claimed the rules will impose “unnecessary operation delays at a time of unprecedented congestion in the nation’s supply chain.”

    “Rather than prescriptive requirements that may not enhance capabilities to address future threats, TSA should consider performance standards that set goals for cybersecurity while enabling businesses to meet those goals,” the senators wrote. “If a determination is made to proceed with specific mandates, the notice and comment process would at least allow for thoughtful consideration of industry practices and concerns.” The senators additionally claimed that current practices are “working well.”

    When asked about the latest regulations handed down by TSA for the rail industry, many cybersecurity experts involved in the rail industry expressed concern about how the new rules would work in practice.

    Jake Williams, CTO at BreachQuest, told ZDNet that at a high level, the directives seem reasonable. But a closer look at the new rules raised questions about how CISA would handle the deluge of incident reporting that is now required.

    “Section B.2.b of the Enhancing Rail Cybersecurity directive mandates the reporting of the discovery of malicious software on any IT system within 24 hours of discovery. It is hard to imagine how TSA will benefit from knowing about every malicious software discovery on every IT system,” Williams said. “Taken at face value, railway operators would have to report every piece of commodity malware that is discovered in the environment, even if antivirus or EDR prevented that malware from ever executing. Even if railway operators were properly staffed to create these reports, the TSA will likely miss significant reports buried in the noise. The onerous reporting requirements will likely reduce railway security, at least in the short term, as understaffed teams dedicate resources to reporting rather than network security.”

    Williams added that these policy language issues are typically discovered during the public comment period, which TSA chose to forego. “There are likely other significant issues in the two railway cybersecurity directives released by TSA without a public review period,” Williams noted.

    Ron Brash, vice president at ICS/OT software security firm aDolus Technology, echoed Williams’ concerns about the reporting requirements, explaining that most organizations lack the skill and resources to comply.


    “Currently, beyond the obvious attacks such as ransomware, the majority of organizations have trouble differentiating between accidental and malicious events. For example, a forklift may clip a utility pole, and a fibre optic run is severed — connectivity may degrade or come to a full halt. Legislation such as this may result in overzealous behaviors because coordinators may jump to immediately claiming everything is cyber-related if the clock is fiercely ticking away, or conversely potentially result in the opposite of the intended effect: organizations may avoid reporting and improving infrastructure visibility altogether,” Brash noted. “I hope neither occurs as that is counterproductive to the spirit of the objective and may discourage proactive action. If Biden’s XO for SBOMs and supply chain transparency overflow into rail and transportation, organizations will need accelerated security program growth and maturity yesterday. This is both a good thing and a bad thing because infrastructure resiliency certainly may increase, but bad because the overall amount of foundational catch up may lead to overanalysis paralysis or poor budget allocation.”

    He also said overly prescriptive approaches may result in too rigid a structure and a focus on the wrong elements, leading to a checkbox-ticking exercise rather than actual efforts to reduce cybersecurity risk.

    Amir Levintal, CEO of rail cybersecurity company Cylus, said the rail industry has made significant technological advances in the last decade, with digitization helping companies improve service, efficiency, comfort, communications, and more. But these efforts have also expanded the rail industry’s threat landscape for hackers, Levintal said.

    “The TSA’s new directives, which require railways to bolster their cybersecurity measures, come as a direct response to the innovations the rail industry has onboarded recently and the resulting threats, and these regulations — along with similar ones in the EU — will only evolve as new technologies continue to be adopted across the planet,” Levintal explained.

    Despite the concerns about the new reporting requirements, some experts said the rail industry’s cybersecurity risks outweighed worries about overzealous reporting. Coalfire vice president John Dickson said that the potential for disruption is high given existing supply chain bottlenecks and the nature of rail networks. He noted that one or two key rail lines service entire regions of North America that are vulnerable to disruption and might cripple the US economy like the Colonial Pipeline event almost did.

    “We have not witnessed a rail industry event on the level of Colonial Pipeline, but a ransomware disruption, let alone a targeted attack, is a plausible scenario. Ransomware specifically, and malware automation generally, has lowered the bar so significantly for attackers that DHS CISA should be concerned and is well served to push the industry more,” Dickson said. “The railroad industry, particularly the freight portion of the railroad industry, is generally not considered to be on the bleeding edge of cybersecurity. It’s doubtful that without a regulatory ‘nudge’ from the Federal government, they are likely to not increase their cybersecurity hygiene on their own accord.”

    Padraic O’Reilly, chief product officer of CyberSaint, called the new rules a “good and timely development” that is “long overdue” because the rail industry is a vulnerable piece of the US critical infrastructure. With the 24-hour reporting requirement as the baseline, the industry will be moved on to the right track, O’Reilly explained, adding that it was good that government agencies had consulted groups like the Association of American Railroads (AAR) before releasing the regulations.

    The AAR said they and other rail industry groups had been consulting with Secretary of Homeland Security Alejandro Mayorkas and the TSA since October to “revise provisions that would have posed challenges in implementation.” The group said that with the latest regulations, “a number of the industry’s most significant concerns have been addressed.” All Class I railroads and Amtrak, as well as many commuter and short line carriers, already have chief information security officers and cybersecurity leads who will serve as the required cybersecurity coordinators, according to the AAR. Many companies also conduct cybersecurity assessments on a recurring basis and have been reporting some cyber threats to CISA through AAR’s Railway Alert Network (RAN).

    “For the better part of two decades, railroads have thoughtfully coordinated with each other and government officials to enhance information security, which has proven to be an effective, responsive way of addressing evolving threats,” said AAR President and CEO Ian Jefferies. “Let there be no mistake — railroads take these threats seriously and value our productive work with government partners to keep the network safe.”

  • A cyber attack has forced supermarket Spar to close some stores

    A cyber attack has forced supermarket chain Spar to close some of its UK stores. The retailer, which has 2,600 locations in the UK, said it has been hit by what it describes as an “online attack”, leaving some stores without the ability to take payments by card.

    “There has been an online attack on our IT systems which is affecting stores’ ability to process card payments, meaning that several Spar stores are currently closed. We apologise for any inconvenience, we are working as quickly as possible to resolve the situation,” Spar UK said in a tweet sent to customers asking why branches of the store in areas of the country, including Yorkshire and Lancashire, were closed.

    Some stores appear to have been suffering issues since Sunday, meaning that this is a multi-day incident, and one customer commented that stores with accompanying petrol stations were closed. It’s currently unclear what sort of “online attack” has forced the stores to close, but a Spar spokesperson confirmed that a number of stores have been affected by a cyber attack against James Hall & Co Ltd, a business which supplies Spar stores across the North of England.

    “James Hall & Company are currently aware of an online attack on its IT system. This has not affected all SPAR stores across the North of England, but a number have been impacted over the past 24 hours and we are working to resolve this situation as quickly as possible,” said a Facebook post by Spar Oswaldtwistle.

    ZDNet has attempted to contact James Hall & Co but hasn’t received a response at the time of publication. The website of the company is also down at the time of writing.

    “We are aware of an issue affecting Spar stores and are working with partners to fully understand the incident,” an NCSC spokesperson told ZDNet. “The NCSC has published guidance for organisations on how to effectively detect, respond to, and resolve cyber incidents.”