More stories

  • Comic book distributor struggling with shipments after ransomware attack

    Major comic book company Diamond Comic Distributors is struggling to keep up with its planned shipments after being hit with a ransomware attack on Sunday. In a statement, the company said its planned shipments for Wednesday would be delayed about two to four days throughout the country due to the attack; reorders are expected to resume within the next 72 hours. The delays will also affect international retailers. The company said it was dealing with a ransomware attack affecting its order processing systems as well as its internal communications platforms. “Our IT department and a team of third-party experts are working around the clock to address these issues and restore full operations,” Diamond Comic Distributors said. “We want to assure you that customer data and financial information is not stored on our network, and as such, we have no reason to believe it has been impacted by this attack.” Based in Maryland, Diamond Comic Distributors said it was working with Agility Recovery to deal with the incident and added that law enforcement has been contacted. The company is one of the biggest print comic book distributors in the world, and hundreds of retailers depend on it for some of the biggest comics available.

    Josh Rickard, security solutions architect at cybersecurity firm Swimlane, said the attack was evidence that — even without the theft of customer or business data — ransomware groups could still cause significant damage. “Diamond Comic Distributors’ website has been temporarily taken down, and its ability to process customer orders has been disrupted, affecting not only Diamond Comic Distributors’ business and success, but also the other retailers it is responsible for selling several comic book publications to on a regular basis,” Rickard explained.

  • Palo Alto Networks patches zero-day affecting firewalls using GlobalProtect Portal VPN

    Researchers with cybersecurity firm Randori have discovered a remote code execution vulnerability in Palo Alto Networks firewalls using the GlobalProtect Portal VPN.

    The zero-day — which has a severity rating of 9.8 — allows for unauthenticated, remote code execution on vulnerable installations of the product. The issue affects multiple versions of PAN-OS 8.1 prior to 8.1.17, and Randori said it found numerous vulnerable instances exposed on internet-facing assets, more than 70,000 in all. The product is used by a number of Fortune 500 companies and other global enterprises. Palo Alto has released an update that patches CVE-2021-3064 after being notified about the issue in September. Aaron Portnoy, principal scientist at Randori, told ZDNet that the original catalyst for their research into Palo Alto Networks firewalls was identifying its presence on customer perimeters. “Once an attacker has control over the firewall, they will have visibility into the internal network and can proceed to move laterally. Randori believes the best way to identify potential points of attack is to assess the attack surface. We then devoted resources into assessing the attack surface of the firewall itself in a lab environment. This process allowed us to identify the components an attacker would have to exploit in order to compromise the device,” Portnoy explained. “As is the case with many closed-source products, simply setting up an environment in which to develop an exploit is challenging. Complex products such as PAN firewalls include protections that make this process difficult regardless of the vulnerability. We have found the overall security posture of the affected devices to be on par with other vendors in the space.”

    Portnoy said that exploitation is difficult but possible on devices with ASLR enabled, which appears to be the case in most hardware devices. “On virtualized devices (VM-series firewalls), exploitation is significantly easier due to lack of ASLR, and Randori expects public exploits will surface,” Portnoy said. According to Portnoy, in October 2020, his team was tasked with researching vulnerabilities with the GlobalProtect Portal VPN. By November 2020, his team discovered CVE-2021-3064, began authorized exploitation of Randori customers, and successfully landed it at one of their customers — over the internet — not just in a lab. The exploit gains root privileges — complete control over the device — and can execute arbitrary code. Portnoy said his team was able to gain a shell on the affected target, access sensitive configuration data, extract credentials and more while moving laterally from there and gaining visibility into the internal network. Randori exploited Palo Alto Networks PA-5220, including PAN-OS 8.1.16 and PAN-OS 8.1.15. “The vulnerability chain consists of a method for bypassing validations made by an external web server (HTTP smuggling) and a stack-based buffer overflow. Exploitation of the vulnerability chain has been proven and allows for remote code execution on both physical and virtual firewall products. Publicly available exploit code does not exist at this time,” Randori said. “VPN devices are attractive targets for malicious actors, and exploitation of PA-VM virtual devices, in particular, is made easier due to their lack of Address Space Layout Randomization (ASLR). CVE-2021-3064 is a buffer overflow that occurs while parsing user-supplied input into a fixed-length location on the stack. The problematic code is not reachable externally without utilizing an HTTP smuggling technique. The exploitation of these together yields remote code execution as a low privileged user on the firewall device.” Randori noted that in order to exploit the vulnerability, the attacker must have network access to the device on the GlobalProtect service port (default port 443). As the affected product is a VPN portal, they added that this port is often accessible over the internet. In addition to the patch, Randori suggested affected organizations look through the available Threat Prevention signatures 91820 and 91855 that Palo Alto Networks made available. They can be enabled to thwart exploitation while organizations plan for the software upgrade. For those that do not use the VPN capability as part of the firewall, Randori recommended disabling the VPN functionality. Portnoy and Randori touted the situation as an example of the ethical use of zero-days to protect companies from the kind of threats they face from nation-state actors. Portnoy estimates that the vulnerability would be worth several hundred thousand dollars on the black market.

  • Experts tout $2 billion in cybersecurity funding in Biden's infrastructure bill

    Congress passed a bipartisan $1 trillion infrastructure bill on Friday that included about $2 billion in cybersecurity funding. The bill — now heading to President Joe Biden’s desk — includes $1 billion in state, local, tribal and territorial cyberdefense grants, $100 million for the Department of Homeland Security, and $21 million for National Cyber Director Chris Inglis. 

    The four-year, $1 billion grant fund is something state and local governments have been waiting for to help tackle their growing cybersecurity to-do list. To receive a portion of the millions of dollars in grant funding each year, states have to match a specified percentage of the federal dollars. The percentage starts at 10% and grows to 40% over the next four years. The idea is that states will get used to accounting for cyber funding in their budgets as a result. The Washington Post noted that for the cybersecurity grant program, 1% will go to each state and 0.25% will go to all four US territories. Another 3% will go to tribal governments. The rest of the funding will be split between states based on their population size and specifically their rural population numbers. States are required to devote at least 25% of the funding to cyber programs in rural areas. The bill says $200 million in grants will be handed out in 2022, $400 million will be spent in 2023, $300 million in 2024, and $100 million in 2025. The Federal Highway Administration is also required to create a tool that can help respond to cyberattacks. Jonathan Reiber, former chief strategy officer for cyber policy in the office of the US Secretary of Defense during the Obama administration, told ZDNet that the bill addresses some of the biggest concerns experts have about the country’s cybersecurity readiness and infrastructure. “This investment will help the country achieve a state of real cybersecurity readiness where it matters most. This bill also focuses on securing elements of our critical infrastructure that could cause national-level systemic risks if disrupted. Vulnerabilities in the energy sector present a strategic risk for the US — from our electric utilities to oil and gas distribution, as we saw with the Colonial Pipeline attack — and hostile actors have been targeting the energy sector for years,” said Reiber, who is now a senior director at AttackIQ.
“This bill will not only help ensure cybersecurity capabilities are built and deployed — it also calls for continuous assessments to ensure that our cyberdefense investments work as intended. It’s not enough to have built the best defense capabilities; they need to be exercised and ready when the adversary attacks. These resources can help ensure effectiveness.” 

    He added that Inglis is “one of the most talented cybersecurity leaders in the world” and that it was a positive step to see the amount of money given to support the office of the National Cyber Director. Drew Jaehnig, industry practice leader of the public sector at Bizagi, homed in on the parts of the bill that focused on securing industrial or operational technology (OT) systems. Jaehnig spent 20 years at the Department of Defense and said the increased funding for OT systems was sorely needed. He noted that it was also “well overdue” for the federal government to provide support for state, local, tribal, and territorial cyber training, recruitment, and non-profit security grants. “In the long run, however, this will also require state and local officials to respond proportionally. It is interesting to note that FEMA will be responsible for the allocation and distribution of the appropriate funds to state, local, and non-profit organizations. This needs to be a preventative process to avert cyber-disasters and FEMA will need to be judicious in fund allocation to maximize the effects. State and local governments should consider consolidated actions to maximize the investment impact,” Jaehnig said. “Congress got a good start on the training aspects of cybersecurity strategy. The continued focus on CyberSentry and the hardening of the federal space are welcome advances. A nod of encouragement was given to a new generation of emergency protocols for cybersecurity, but this will certainly require additional funding from state and local partners to be successful.” Experts online noted that the grants to states and local governments specifically say the funding cannot be used for ransom payments to hackers. Mark Carrigan, vice president of OT cybersecurity at Hexagon, said the $50 billion dedicated to improving the resiliency of power and water systems was an important part of the bill considering it protects them from cyberattacks and natural disasters.

    The Environmental Protection Agency and CISA will get a significant slice of the funding in the bill to beef up the security of water systems after a spate of attacks over the last year. Implemented properly, this program could make a considerable difference by making the country’s critical infrastructure more resilient to inevitable events — hurricanes, droughts, floods, and cyber-attacks, Carrigan explained. Some questioned whether enough people were working in cybersecurity to enact some of the measures in the bill and wondered whether government organizations would use the funding for one-time projects instead of looking at it as a recurring investment. Lookout’s federal sales engineer Victoria Mosby said the additional funding dedicated to increasing cybersecurity across all levels of the government will have a ripple effect across multiple vectors, not just the procurement of new tools. “Funding will give many cybersecurity teams the funds needed to continue updating antiquated systems and procedures. Many of these changes will spread outside of infosec teams into general IT infrastructure and new policy adoption to account for moving certain systems to the cloud and allowing for increased remote working,” Mosby said. “Increased hiring to bolster existing security teams and training to beef up the skills of existing professionals; with the increasing reliance on the cloud and remote workforce, professionals need to have a better understanding of cloud security and the concept of ‘zero trust’. It would be curious to see if some of those funds funnel down into K-12 and higher education to create new degree and certificate programs to bolster the incoming cyber workforce.” Other experts said it was important that the federal government is using the bill to request new cybersecurity programs to protect the development of new and current highways, rail, and supply chain programs.

    James McQuiggan, a security awareness advocate at KnowBe4, said these programs focus on aspects of cybersecurity risk management and incident response, and require the use of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). McQuiggan touted the measures in the modernization of transportation (Division A) section that say that all control and monitoring systems (SCADA) should contain security features for access control, prevent exploitation of the systems, and comply with the new cybersecurity requirements for the federal government’s supply chain and the use of zero trust. He also said the billions provided for programs expanding broadband access would come with upsides and downsides. “Throughout the bill, there are many requirements for training. Training for cyber incident response, workforce development training, safety training, but missing is the need to increase a more robust cybersecurity culture within the government at the federal, state, and county levels,” McQuiggan explained. “Several key areas in the bill seem to focus on the symptoms of an issue and not the root cause. The broadband internet section (Division F – broadband) requests the implementation of higher internet speeds to people who don’t have it within their areas. One item lacking is the need for the people benefitting from this to understand the internet’s benefits and dangers. Broadband providers should provide free email filters for phishing and malicious attachments to reduce the risk of people falling victim to identity theft and loss of finances due to online scams.” Some cybersecurity experts echoed McQuiggan’s concerns about the expansion of broadband access, noting how important it is for the country but also warning that it would introduce a host of cybersecurity issues. Perry Carpenter, chief evangelist and strategy officer at KnowBe4, said the increased internet access for everyone would create a “richer” environment for cybercriminals.

    “We are about to potentially see the largest infrastructure upgrade of our lifetimes. It will impact us, our children, and potentially our grandchildren,” said KnowBe4’s Carpenter. “It’s imperative that we minimize mistakes of our past and start right. Build security in. Make it fundamental to how success is defined.”

  • Businesses don't know how to manage VPN security properly – and cyber criminals are taking advantage

    Cyber attacks targeting vulnerabilities in virtual private networks (VPN) are on the rise, and many organisations are struggling to protect their networks. The Covid-19 pandemic forced many businesses to suddenly move to higher levels of remote working than before, with many organisations dealing with it for the first time. While this was necessary to keep businesses operating, the sudden rise in remote working also provided benefits for cyber criminals, who looked to take advantage of it to carry out attacks against public-facing VPN and cloud services in order to breach networks.

    Many organisations still aren’t taking the action required to fully protect their networks from these attacks, say researchers. “Organisations aren’t prepared for these incidents,” Bart Vanautgaerden, senior incident response consultant at Mandiant, told ZDNet. “They’re familiar with compromises on Windows, but with a VPN compromise, they’re not trained or technically prepared to deal with an incident like that.” In a presentation at Black Hat Europe, Vanautgaerden detailed how VPN vulnerabilities were being exploited by numerous cyber criminal groups. These include at least eight Advanced Persistent Threat (APT) hacking operations aimed at cyber espionage, as well as various ransomware gangs targeting vulnerabilities in VPNs to launch ransomware attacks.

    Cyber attackers can breach usernames and passwords to access VPN services – especially if multi-factor authentication isn’t used as an additional layer of protection – as well as exploit vulnerabilities in VPN appliances themselves. For example, earlier this year, Mandiant disclosed vulnerabilities in Pulse Secure’s VPN. Pulse Secure later released security updates to protect against the vulnerabilities. Other providers, including Fortinet and Palo Alto Networks, have also had to release critical security updates to protect VPNs from attacks. Many organisations may be unaware this is an issue they need to think about – meaning patches aren’t being applied, and VPN servers remain open to compromise. “For many organisations we’ve talked to, it’s the first time they’ve had such an incident, so they’re not on the lookout for it,” said Vanautgaerden. To remain robust against cyber attacks, organisations should apply security patches as soon as possible. Not being able to use VPNs for a short time while the updates are applied isn’t ideal, but it’s better than having to uproot the entire network after a full-scale breach. “Organisations should really focus on an aggressive patching strategy, not to lose any time as soon as there’s a vulnerability disclosed to implement the patch itself,” Vanautgaerden said. “It may sound straightforward, but with so much reliance on VPN tunnels, organisations often don’t want to face the downtime that’s often required when patching these applications. It’s easier said than done, but organisations need to have systems in place to ensure they have a fast and aggressive policy.” Businesses should also ensure they have a response plan at the ready to reset accounts and assess damage in the event that a cyber security breach does take place, said Vanautgaerden.

    “[Organisations] need to be able to investigate and reset VPN appliances and also provide additional entry to the network so legitimate users can still access the network while they investigate.”

  • Healthcare security: IT pros warn of vulnerable HVAC systems, imaging machines, check-in kiosks and more

    IT professionals have seen increased cyber risk over the last 12 months, according to a survey from cybersecurity company Armis. Armis and Censuswide spoke with 400 IT professionals working in healthcare organizations across the US as well as 2,030 general respondents, finding that nearly 60% of IT respondents had dealt with a ransomware incident at their organization over the last year. According to Armis, there are about 430 million connected medical devices already in deployment worldwide, leaving many hospitals vulnerable to a variety of cybersecurity flaws in pneumatic tubes, technologies used in HVAC systems, B. Braun infusion pumps and more.

    More than 32% of general respondents said they had been the victim of a healthcare cybersecurity attack, and IT professionals said they are most worried about the kind of hospital data breaches that have become commonplace in recent years. More than half of IT respondents said data breaches leading to the leak of confidential patient data were a top concern. After data breaches, 23% of IT professionals were most concerned about attacks on hospital operations and 13% cited ransomware attacks as a concern. Building systems like HVACs and electrical devices were the most risky from a cybersecurity perspective, according to 54% of IT professionals, followed by imaging machines, medication dispensing equipment, check-in kiosks and vital sign monitoring equipment. Thankfully, many IT respondents said their healthcare organization was taking steps to make cybersecurity a priority, with 86% saying their organization has hired a CISO and 95% saying their connected devices were up to date with the latest software.

    But 75% said recent attacks have been the driving force behind cybersecurity changes. More than half of IT workers said their healthcare organization is allocating more money as a way to secure systems. More than 62% of respondents said their healthcare organization has had to submit a cyber insurance claim. “Continuous visibility, context and alignment of security analytics to enterprise risk is the beacon to which we need to move to improve how we view device and asset management,” said Oscar Miranda, CTO for healthcare at Armis. “It is critical for healthcare organizations to take the entire patient journey into consideration when thinking about security. A strong healthcare security strategy is multi-faceted and requires a holistic view.” From a potential patient perspective, nearly half of respondents said they would change hospitals if they knew their hospital had been hit with a ransomware attack and 37% were concerned about hospitals using online portals for patient information. The survey comes on the heels of a report from Forescout Technologies and Medigate about more than a dozen vulnerabilities in Siemens software affecting about 4,000 devices made by a range of vendors. First reported by CNN, the vulnerabilities affect versions of the Nucleus Real-time Operating System, which manages patient monitors, anesthesia tools, ultrasound machines and x-ray devices.

  • iPhone users don't care about sideloading

    Well, there we have it. The Apple CEO has said it. If you want to sideload apps on a smartphone, buy an Android. Speaking at The New York Times “DealBook” summit, Cook set out the battle lines: “I think that people have that choice today, Andrew, if you want to sideload, you can buy an Android phone. That choice exists when you go into the carrier shop. If that is important to you, then you should buy an Android phone. From our point of view, it would be like if I were an automobile manufacturer telling [customers] not to put airbags and seat belts in the car. He would never think about doing this in today’s time. It’s just too risky to do that. And so, it would not be an iPhone if it didn’t maximize security and privacy.”

    Putting aside the fact that the bulk of the automobile industry fought tooth and nail to not have to fit seatbelts and airbags, this is Apple flat out telling users who want the ability to sideload apps to buy an Android smartphone. And this is happening at a time when there are a lot of legal and governmental eyes on Apple’s App Store practices, and how iPhone users buy and download apps. Sideloading would allow iPhone owners the ability to bypass the Apple App Store and get their apps via a third party. While I’m all for giving users options, I think Cook is right here. The App Store offers a safe, convenient one-stop-shop for apps.

    But there’s more than that. The bottom line is that the vast majority of iPhone users won’t care one jot about sideloading. Nope. Not a jot. In fact, I’d be willing to bet a steak dinner (or vegetarian equivalent) that the number of Android users who sideload is a tiny drop in the ocean. It’s a bit like iOS jailbreaking. Yes, there are people who do jailbreak, and who find it useful to be able to do so, but there’s no need to exaggerate how widespread it is. It’s a tiny fraction of iPhone users. In fact, the people who seem to care the most about this are those who own multibillion-dollar corporations who either are unhappy about Apple making money from the App Store or who are unhappy that Apple doesn’t give them unfettered access to users’ data. Changes made to iOS in recent months have companies that trade in user data — such as Facebook — worried. Being able to bypass Apple’s App Store rules would allow companies better and deeper access to user data. And it’s hard to frame that in a way that makes it sound good for users. I agree with Cook. If users want to sideload, let them go to Android.

  • Exchange Server bug: Patch now, but multi-factor authentication might not stop these attacks, warns Microsoft

    Microsoft has released security updates for its Exchange on-premises email server software that businesses should take on board.

    The security updates are for flaws in Exchange Server 2013, 2016, and 2019 — the on-premises versions of Exchange that were compromised earlier this year by the Beijing-backed hacking group that Microsoft calls Hafnium. Four vulnerabilities in on-premises Exchange server software were exploited, and now Microsoft has warned that one newly-patched flaw — tracked as CVE-2021-42321 — is also under attack. The Exchange security updates were released as part of Microsoft’s November 2021 Patch Tuesday updates for Windows, the Edge browser, the Office suite, and other software products. The Exchange bug CVE-2021-42321 is a “post-authentication vulnerability in Exchange 2016 and 2019. Our recommendation is to install these updates immediately to protect your environment,” Microsoft said in a blog post about the new Exchange bugs. “These vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action,” Microsoft notes. Post-authentication flaws are dangerous because an attacker who holds legitimate but stolen credentials can log in normally and then trigger the bug. Some post-authentication attacks can render two-factor authentication useless, since the malicious activity happens after a person has authenticated with a second factor. The China-based attackers accessed Exchange Servers through the four bugs or stolen credentials, allowing them to create web shells — a command-line interface — to remotely communicate with an infected computer. Web shells are handy for attackers because they can survive on a system after a patch and need to be manually removed.

    Attackers generally go after admin credentials to run malware, but they also use connections that aren’t protected by a VPN. Alternatively, they attack VPNs themselves. Microsoft provides detailed update instructions that Exchange admins should follow, including updating the relevant cumulative updates (CU) for Exchange Server 2013, 2016, and 2019. The company cautions that admins should update to one of the supported CUs: it won’t be providing updates to unsupported CUs, which won’t be able to install the November security updates. Microsoft confirmed that two-factor authentication (2FA) won’t necessarily protect against attackers exploiting the new Exchange flaws, particularly if an account has already been compromised. “If auth is successful (2FA or not) then CVE-2021-42321 could be exploitable,” says Microsoft program manager Nino Bilic. “But indeed, 2FA can make authentication be harder to go through so in that respect, it can ‘help’. But let’s say if there is an account with 2FA that has been compromised — well, in that case it would make no difference,” Bilic adds. To detect compromises, Microsoft recommends running the following PowerShell query on your Exchange server to check for specific events in the Event Log:

        Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }
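    The one-liner above answers "are there matching events?" for a single box. The script below is an added example (written for this page, not Microsoft's own tooling) that wraps the same indicator so it can be run across several Exchange servers and gives a per-day summary instead of a raw dump. It assumes an elevated Windows PowerShell session with rights to read the remote Application logs, and it uses Get-WinEvent with a filter hashtable in place of Get-EventLog so that the source and level are filtered server-side; the provider name "MSExchange Common" and the message pattern are the ones in the query above. One thing the one-liner does not handle and this script does: Get-WinEvent raises a terminating error when no events match, which is the normal, healthy result and must not be mistaken for a failed check. Note that an empty result only means this particular indicator is absent, not that a server is clean.

```powershell
# Added example, not Microsoft's code: scan one or more Exchange servers for the
# "MSExchange Common" Application-log errors that mention BinaryFormatter.Deserialize,
# the indicator named in the article for CVE-2021-42321 exploitation attempts.
# Assumptions: elevated Windows PowerShell, remote event log access to each server.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)

$pattern = '*BinaryFormatter.Deserialize*'

foreach ($server in $ComputerName) {
    # Get-WinEvent throws when nothing matches; treat that as "no hits", not as an error.
    try {
        $events = Get-WinEvent -ComputerName $server -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = 'MSExchange Common'
            Level        = 2   # 2 = Error, same as -EntryType Error in Get-EventLog
        } -ErrorAction Stop | Where-Object { $_.Message -like $pattern }
    } catch {
        if ($_.Exception.Message -like '*No events were found*') {
            $events = @()
        } else {
            # Access denied, RPC unavailable, etc.: report and move on to the next server.
            Write-Warning "$server`: could not read the Application log: $($_.Exception.Message)"
            continue
        }
    }

    $hits = @($events)
    if ($hits.Count -eq 0) {
        Write-Output "$server`: no BinaryFormatter.Deserialize errors found"
        continue
    }

    # Summarise: first/last occurrence plus a count per day makes a burst of attempts obvious.
    $sorted = $hits | Sort-Object TimeCreated
    Write-Output ("{0}: {1} matching error(s), first {2:u}, last {3:u}" -f
        $server, $hits.Count, $sorted[0].TimeCreated, $sorted[-1].TimeCreated)
    $hits |
        Group-Object { $_.TimeCreated.ToString('yyyy-MM-dd') } |
        Sort-Object Name |
        ForEach-Object { Write-Output ("  {0}: {1}" -f $_.Name, $_.Count) }

    # Keep the raw events for triage; a CSV per server is easy to attach to an incident ticket.
    $hits |
        Select-Object MachineName, TimeCreated, Id, Message |
        Export-Csv -Path "exchange-deserialize-$server.csv" -NoTypeInformation
}
```

    Run it as `.\Check-ExchangeDeserialize.ps1 -ComputerName EX01,EX02` (script name and server names are placeholders). Any server that reports hits should be treated as a triage case: confirm the CU and November security update are installed, review which authenticated account triggered the events, and check for web shells, since the article notes those persist after patching.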

  • A stalker's wishlist: PhoneSpy malware destroys Android privacy

    A new spying campaign involving PhoneSpy malware has infected thousands of victim devices to date. 

    On Wednesday, Zimperium zLabs published a new report on PhoneSpy, spyware developed to infiltrate handsets operating on Google’s Android OS. To date, 23 malicious apps harboring the spyware have been found, but none of the samples were discovered in the official Google Play Store — suggesting that PhoneSpy is being distributed via third-party platforms. The latest PhoneSpy campaign appears to be focused on South Korea, with the malware bundled into seemingly-benign mobile apps including messaging, yoga instruction, photo collection and browsing utilities, and TV/video streaming software. zLabs suspects that the initial infection vector is a common one: the use of phishing links posted to websites or social media channels. Once a victim installs and executes the app’s APK file, PhoneSpy is deployed. PhoneSpy targets Korean-speakers and will throw up a phishing page, pretending to be from a popular service — such as the Kakao Talk messaging app — in order to request permissions and to steal credentials.

    When you think of spyware right now, it may be that Pegasus comes to mind — a silent, pernicious form of malware that has been used to spy on high-profile lawyers, activists, government figures, and journalists. While PhoneSpy appears to be more run-of-the-mill, the malware’s capabilities, too, cannot be dismissed out of hand. The malware is described as an “advanced” Remote Access Trojan (RAT) capable of quietly conducting surveillance on a victim and sending data to a command-and-control (C2) server. PhoneSpy’s functionality includes monitoring a victim’s location via GPS; recording audio, images, and video in real-time by hijacking mobile microphones and both front and rear cameras; intercepting and stealing SMS messages, call forwarding, call log and contact list theft, sending messages on behalf of the malware’s operator, and exfiltrating device information. In addition, PhoneSpy has been developed with obfuscation and concealment features and will hide its icon to stay undetected — a common tactic employed by spyware and stalkerware. The malware may also attempt to uninstall user apps, including mobile security software. zLabs believes that the campaign has been used to gather “significant amounts of personal and corporate information [from] victims, including private communications and photos.” The campaign is still ongoing. US and Korean authorities have been informed. “The victims were broadcasting their private information to the malicious actors with zero indication that something was amiss,” the researchers say. “Even though thousands of South Korean victims have fallen prey to the spyware campaign, it is unclear whether they have any connections with each other. But with the ability to download contact lists and send SMS messages on behalf of the victim, there is a high chance that the malicious actors are targeting connections of current victims with phishing links.”