More stories


    Get all of the training you need to become a cybersecurity analyst for just $26

    StackCommerce

    There has never been a greater need for cybersecurity analysts because cybercrime attacks seem to be never-ending these days. So if you want a well-paid career with long-term job security, you can develop the skills you’ll need with The 2022 Ultimate Cybersecurity Analyst Preparation Bundle. And for a limited time, you can use the coupon code SAVE15NOV during our sitewide pre-Black Friday sale to get 15% off and pay only $25.49.

    The “Ethical Hacking with Metasploit: Exploit & Post Exploit” course is a crowd favorite, with students rating it an impressive 4.8 out of 5 stars. It’s offered by Oak Academy, which was founded by a group of tech experts who offer constantly updated courses specializing in critical skills such as coding, cybersecurity, IT, mobile, app monetization, game development, and more. You’ll learn Linux commands, penetration testing, and much more.

    Find out how to detect, prevent and combat security threats and improve IT security overall in “Cyber Security Analyst & Enterprise Architecture”. If you have a basic understanding of HTML web apps, “Mastering Burp Suite Community Edition: Bug Hunters Perspective” will teach you how to use Burp Suite effectively for bug hunting, ethical hacking, and more. Learn how to master the tools that are essential to hackers, pen testers, and other security professionals in “PenTesting with OWASP ZAP: Mastery Course”. Cybersecurity is not all about coding: “Learn Social Engineering From Scratch” explains how to hack into personal devices and accounts.

    When you start applying for cybersecurity positions, certifications can really make your resume stand out among competitors. There are three courses in this bundle to help you pass the exams. “CySA+ Cybersecurity Analyst Certification Preparation Course (2022)” and “TOTAL: CompTIA CySA+ Cybersecurity Analyst (CS0-002)” prepare you for specific exams. “Cyber Security Certifications Practice Questions 2022” has the most recent practice questions for the CISSP, CISA, CISM, and Ethical Hacker exams.

    Since these courses are self-paced, you can complete them even when working full-time. However, boosting your productivity could help you squeeze in your lessons more comfortably. A second display might help you with that, so you may want to check out these 13 portable monitors on sale.

    Don’t pass up this opportunity to train as a cybersecurity analyst; get The 2022 Ultimate Cybersecurity Analyst Preparation Bundle while you can use the coupon code SAVE15NOV for a limited time only during our sitewide pre-Black Friday sale to get 15% off and pay only $25.49.



    Senators add CISA cyberattack/ransomware reporting amendment to defense bill

    Four US Senators have introduced a new bipartisan amendment to the 2022 National Defense Authorization Act (NDAA) that will force critical infrastructure owners and operators, as well as civilian federal agencies, to report all cyberattacks and ransomware payments to CISA. Two Democrats, Gary Peters and Mark Warner, worked alongside two Republicans, Rob Portman and Susan Collins, to push the amendment, which they said was based on Peters and Portman’s Cyber Incident Reporting Act and Federal Information Security Modernization Act of 2021.

    The amendment only covers confirmed cyberattacks, not suspected ones, but it does require all federal contractors to report attacks. There is no fine component in the amendment, one of the many provisions senators had been fighting over for months. Victim organizations will have 72 hours to report attacks, another hotly debated topic among government cybersecurity experts: some wanted 24 hours, others a week. The 72-hour limit does not apply to all organizations, however. Some, which the senators said include businesses, nonprofits and state and local governments, would be required to report ransomware payments to the federal government within 24 hours of the payment being made.

    “Additionally, the amendment would update current federal government cybersecurity laws to improve coordination between federal agencies, force the government to take a risk-based approach to security, as well as require all civilian agencies to report all cyber-attacks to CISA, and major cyber incidents to Congress,” the senators said in a statement. “It also provides additional authorities to CISA to ensure they are the lead federal agency in charge of responding to cybersecurity incidents on federal civilian networks.”

    Warner, chairman of the Senate Select Committee on Intelligence, said the SolarWinds hack changed how the government needs to approach cyberattacks. “It seems like every day, Americans wake up to the news of another ransomware attack or cyber intrusion, but the SolarWinds hack showed us that there is nobody responsible for collecting information on the scope and scale of these incidents,” Warner said. “We can’t rely on voluntary reporting to protect our critical infrastructure — we need a routine reporting requirement so that when vital sectors of our economy are affected by a cyber breach, the full resources of the federal government can be mobilized to respond to, and stave off, its impact. I’m glad we were able to come to a bipartisan compromise on this amendment addressing many of the core issues raised by these high-profile hacking incidents.”

    Peters, chairman of the Homeland Security and Governmental Affairs Committee, noted that cyberattacks and ransomware incidents have affected everything from energy sector companies to the federal government itself. He lauded the amendment for putting CISA “at the forefront of our nation’s response to serious breaches.” Portman explained that the amendment updates the Federal Information Security Modernization Act and gives the National Cyber Director, CISA, and other appropriate agencies “broad visibility” into the cyberattacks taking place across the country. “This bipartisan amendment to significantly update FISMA will provide the accountability necessary to resolve longstanding weaknesses in federal cybersecurity by clarifying roles and responsibilities and requiring the government to quickly inform the American people if their information is compromised,” Portman said.

    The $740 billion NDAA is expected to pass before the end of the year, but Senate Majority Leader Chuck Schumer faced backlash from Republicans and members of his own party this week for delaying passage of the bill. The House approved its version of the bill in September, and the House Armed Services Committee finished its version in July. It is unclear whether the cybersecurity provisions will change once Senate and House leaders reconcile their differing versions of the NDAA.

    While some companies and organizations have been reticent to embrace mandatory cyberattack reporting, cybersecurity experts said that overall, the country needs the rules in order to promote better habits. Hank Schless, senior manager at cybersecurity firm Lookout, said that as national security and cybersecurity become more intertwined, acknowledgement of its importance from both sides of the aisle will help get more done. “This amendment follows suit of GDPR, which also requires organizations to inform any affected parties of a data breach within 72 hours. This holds organizations more accountable, and it will be interesting to see if there are any fines associated with failure to report these incidents as there are with GDPR. What’s interesting is that most entities will be required to report whether they paid the ransom in the event of a ransomware attack. It’s hard to guess what type of impact this may have,” Schless said. “If they’re required to disclose when payment is made, perhaps these entities will be less willing to pay the ransom. Seeing this type of action at the Federal level shows that the US may be closer to implementing a nation-wide data protection policy that’s the equivalent of GDPR. Regardless of whether that ends up being the case, seeing this type of action at the highest level is encouraging for the future cyber defenses of the nation.”

    Rick Holland, CISO at Digital Shadows, said the status quo isn’t working and expressed support for breach notification and ransomware payment requirements. “We don’t have a holistic view of how bad the problem is, and reporting mandates can at least quantify the scope of the issue. The challenge is that reporting isn’t addressing the root cause of these incidents. The status quo is analogous to patients with chronic illnesses like heart disease; it has taken years to get to this state. There isn’t a magical intervention that will mitigate the risk overnight,” Holland said. He went on to compare the amount of funding designated for cybersecurity to the funding given to fighter jet programs and other defense priorities. “We have to address the root causes of the illness, not just the symptoms. Coordination and reporting won’t solve our problems; organizations need to invest in cybersecurity, starting with people,” Holland added. “Cybersecurity needs to have the same priority as these ‘next generation’ weapons systems.”


    CIS partners with CrowdStrike on cybersecurity platform protecting local governments

    Cybersecurity firm CrowdStrike announced this week that it is partnering with the Center for Internet Security (CIS) to provide a slate of security services to US State, Local, Tribal and Territorial (SLTT) governments. CIS has been working for years to democratize cybersecurity protection through a variety of programs that provide free or low-cost tools to hospitals, schools and more.

    The new CIS Endpoint Security Services (ESS) platform, which is backed by CrowdStrike’s tools, is built to identify, detect and respond to security alerts from local governments. Through CrowdStrike’s Falcon platform, the company will offer ESS users deployments onto endpoint devices. The platform provides antivirus, endpoint detection and response, asset and software inventory, USB device monitoring, user account monitoring and host-based firewall management.

    CIS has previously worked with CrowdStrike on its Elections Infrastructure Information Sharing and Analysis Center project, and the latest partnership will see them provide “a new, fully managed 24/7/365 next generation cybersecurity offering exclusively tailored to SLTT organizations, including more than 12,000 Multi-State Information and Analysis Center members across the US, with more than 14 million endpoints in total.”

    Ed Mattison, CIS executive vice president of operations and security services, said organizations that purchase ESS to protect their devices will receive “the combined benefit of CrowdStrike’s superior endpoint protection technology and the CIS Security Operations Center’s world-class expertise to help defend against sophisticated cyber threats at the device level.” CrowdStrike vice president of public sector and healthcare James Yeager said CIS has been a longtime partner of the company and that the two have always been aligned on initiatives to drive innovation into security programs across US SLTT organizations.

    “As the leader in endpoint security, we are thrilled to expand upon our partnership with CIS’s new ESS solution, marrying their fully managed 24/7/365 services with our industry-leading endpoint and workload protection capabilities to provide state, local, tribal and territorial governments the cyber protection they need,” Yeager said.

    Earlier this year, CIS announced the creation of the Malicious Domain Blocking and Reporting service, a no-cost ransomware protection service for private hospitals in the US that may not be able to afford a robust cybersecurity service. The program originally started last year as an offering to K-12 schools as well as state and county governments, signing up about 2,000 organizations ranging from kindergartens to the DMV. The service was expanded to hospitals this year once it was found to be effective, having blocked almost 800 million malicious intrusion attempts so far.


    Cloudflare report highlights devastating DDoS attacks on VoIP services and several 'record-setting HTTP attacks'

    Cloudflare released its Q3 DDoS Attack Trends report this week, capping a record-setting quarter that saw a number of devastating attacks on VoIP services. Cloudflare researchers said they saw several “record-setting HTTP DDoS attacks, terabit-strong network-layer attacks and one of the largest botnets ever deployed (Meris),” noting the emergence of ransom DDoS attacks on voice over IP (VoIP) service providers. The attack on Bandwidth.com left dozens of companies scrambling to deal with outages.

    For the second quarter in a row, the US topped the list of countries with the most targeted companies, but Cloudflare noted that companies in the UK and Canada also shot up the list. Computer software, gaming, gambling, IT and Internet companies saw an average increase in attacks of 573% compared to the previous quarter. Overall, DDoS attacks across the world increased by 44%, according to Cloudflare’s research, while the Middle East and Africa led the way with average attack increases of 80%.

    “Morocco recorded the highest DDoS activity in the third quarter globally — three out of every 100 packets were part of a DDoS attack. While SYN and RST attacks remain the dominant attack method used by attackers, Cloudflare observed a surge in DTLS amplification attacks — recording a 3,549% increase QoQ. Attackers targeted (and continue to target going into the fourth quarter this year) VoIP service providers with massive DDoS attack campaigns in attempts to bring SIP infrastructure down,” the researchers said. Cloudflare data showed that most DDoS attacks originated from devices and servers in China, the US and India, but the number of attacks from China decreased 30% throughout the quarter.

    The report also discusses the Meris botnet, which is built from hijacked networking devices (chiefly MikroTik routers) rather than the low-power consumer gadgets behind earlier botnets. Hijacked IoT products, PCs and home gadgets, including cameras, VCRs, TVs and routers, that become slave nodes in a botnet are typically used in DDoS attacks. Cloudflare said Meris was “one of the most powerful botnets deployed to launch some of the largest HTTP DDoS attacks in history,” adding that in Q3 it saw “one of the largest recorded HTTP attacks — 17.2M rps (requests per second) — targeting a customer in the financial services industry.” Meris has been used to target networks and organizations around the world, including news sites like KrebsOnSecurity.

    “The Meris botnet infected routers and other networking equipment manufactured by the Latvian company MikroTik. According to MikroTik’s blog, a vulnerability in the MikroTik RouterOS (that was patched after its detection back in 2018) was exploited in still unpatched devices to build a botnet and launch coordinated DDoS attacks by bad actors,” Cloudflare stated, comparing it to the 2016 Mirai botnet. “While Mirai infected IoT devices with low computational power such as smart cameras, Meris is a growing swarm of networking infrastructure (such as routers and switches) with significantly higher processing power and data transfer capabilities than IoT devices — making them much more potent in causing harm at a larger scale.”

    Despite its power, Meris did not actually cause significant damage or outages, according to Cloudflare. The company noted that its customers on the Magic Transit and Spectrum services were targeted with network-layer attacks by a Mirai-variant botnet that “launched over a dozen UDP- and TCP-based DDoS attacks that peaked multiple times above 1 Tbps, with a max peak of approximately 1.2 Tbps.”

    The report notes that the number of attacks peaked in September, but throughout the quarter the number of large attacks increased, both in volume of traffic delivered and in number of packets delivered. “QoQ data shows that the number of attacks of sizes ranging from 500 Mbps to 10 Gbps saw massive increases of 126% to 289% compared to the previous quarter. Attacks over 100 Gbps decreased by nearly 14%. The number of larger bitrate attacks increased QoQ (with the one exception being attacks over 100 Gbps, which decreased by nearly 14% QoQ). In particular, attacks ranging from 500 Mbps to 1 Gbps saw a surge of 289% QoQ and those ranging from 1 Gbps to 100 Gbps surged by 126%. This trend once again illustrates that, while (in general) a majority of the attacks are indeed smaller, the number of ‘larger’ attacks is increasing. This suggests that more attackers are garnering more resources to launch larger attacks,” the report found. “Most attacks remain under one hour in duration, reiterating the need for automated always-on DDoS mitigation solutions. As in previous quarters, most of the attacks are short-lived. To be specific, 94.4% of all DDoS attacks lasted less than an hour. On the other end of the axis, attacks over 6 hours accounted for less than 0.4% in Q3 ’21, and we did see a QoQ increase of 165% in attacks ranging 1-2 hours. Be that as it may, a longer attack does not necessarily mean a more dangerous one.”

    Cybercriminals typically use SYN floods as their method of attack, but there was a 3,549% QoQ increase in attacks over DTLS.
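    The attack classes the report counts (SYN and RST floods, DTLS amplification) and its duration and packet-share figures can be reproduced from flow records. The following is an added example, not Cloudflare’s code or data: the `Flow` record type, the thresholds and the sample flows are constructed for illustration, including the choice of a SIP port as the amplification target.

```python
"""Flow-level triage of the attack classes the report counts: SYN and RST
floods against TCP services, and DTLS amplification reflected off UDP/443
listeners. Added example, not Cloudflare's code or data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float       # flow start, seconds
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    flags: str      # TCP flags seen on the flow ("S", "A", "R", "PA"...), "" for UDP
    packets: int
    bytes: int


# Thresholds are assumptions for this sample, not figures from the report.
MIN_FLOOD_SOURCES = 3        # distinct sources sending only SYNs, or only RSTs
MIN_REFLECTORS = 3           # distinct UDP/443 speakers sending unsolicited data
MIN_AMP_BYTES_PER_PKT = 500  # DTLS handshake responses abused for amplification are large


def classify(flows):
    """Return {target: verdict} for targets that look attacked.

    SYN flood: many sources whose SYN is never followed by an ACK from the same
    source (spoofed senders cannot finish the handshake).  RST flood: many
    sources sending bare RSTs.  DTLS amplification: many reflectors sending large
    UDP responses from port 443 that the target never requested (the attacker
    spoofed the target's address in the ClientHello).
    """
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)

    verdicts = {}
    for dst, fl in by_dst.items():
        tcp = [f for f in fl if f.proto == "tcp"]
        syn_src = {f.src for f in tcp if f.flags == "S"}
        ack_src = {f.src for f in tcp if "A" in f.flags}
        syn_only = syn_src - ack_src
        rst_src = {f.src for f in tcp if f.flags == "R"}
        dtls_src = {
            f.src for f in fl
            if f.proto == "udp" and f.sport == 443
            and f.bytes / f.packets >= MIN_AMP_BYTES_PER_PKT
        }

        labels, attackers = [], set()
        if len(syn_only) >= MIN_FLOOD_SOURCES:
            labels.append("syn_flood")
            attackers |= syn_only
        if len(rst_src) >= MIN_FLOOD_SOURCES:
            labels.append("rst_flood")
            attackers |= rst_src
        if len(dtls_src) >= MIN_REFLECTORS:
            labels.append("dtls_amplification")
            attackers |= dtls_src
        if not labels:
            continue

        hostile = [f for f in fl if f.src in attackers]
        start, end = min(f.ts for f in hostile), max(f.ts for f in hostile)
        verdicts[dst] = {
            "labels": labels,
            "sources": len(attackers),
            "duration_s": end - start,   # most attacks in the report were under an hour
            "packets": sum(f.packets for f in hostile),
        }
    return verdicts


def attack_packet_share(flows, verdicts):
    """Share of all observed packets that belong to flagged attacks (the
    report's 'x out of every 100 packets' figure, for one network)."""
    total = sum(f.packets for f in flows)
    hostile = sum(v["packets"] for v in verdicts.values())
    return hostile / total if total else 0.0


# Constructed sample traffic (not captured data).
SAMPLE = [
    # spoofed SYNs against a TCP/443 service, never acknowledged
    Flow(1000.0, "203.0.113.5", "198.51.100.10", "tcp", 40001, 443, "S", 200, 12000),
    Flow(1000.2, "203.0.113.6", "198.51.100.10", "tcp", 40002, 443, "S", 200, 12000),
    Flow(1000.4, "203.0.113.7", "198.51.100.10", "tcp", 40003, 443, "S", 200, 12000),
    Flow(1030.0, "203.0.113.8", "198.51.100.10", "tcp", 40004, 443, "S", 200, 12000),
    # a genuine client: SYN, then ACK from the same source
    Flow(1001.0, "192.0.2.40", "198.51.100.10", "tcp", 50000, 443, "S", 1, 60),
    Flow(1001.1, "192.0.2.40", "198.51.100.10", "tcp", 50000, 443, "A", 10, 1500),
    # DTLS amplification aimed at the SIP port of a VoIP host
    Flow(2000.0, "198.18.0.1", "198.51.100.20", "udp", 443, 5060, "", 500, 650000),
    Flow(2000.5, "198.18.0.2", "198.51.100.20", "udp", 443, 5060, "", 500, 650000),
    Flow(2001.0, "198.18.0.3", "198.51.100.20", "udp", 443, 5060, "", 500, 650000),
    # ordinary HTTPS session to a third host
    Flow(3000.0, "192.0.2.41", "198.51.100.30", "tcp", 50001, 443, "S", 1, 60),
    Flow(3000.1, "192.0.2.41", "198.51.100.30", "tcp", 50001, 443, "PA", 40, 30000),
]

if __name__ == "__main__":
    v = classify(SAMPLE)
    for dst, verdict in v.items():
        print(dst, verdict)
    print(f"attack packet share: {attack_packet_share(SAMPLE, v):.3f}")
```

    A SYN whose source later completes the handshake is discounted, so a burst of legitimate connections does not register as a flood; amplification is inferred from unsolicited large UDP/443 datagrams arriving from several reflectors, and that reflector list is what an always-on mitigation would rate-limit or drop.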
    Vishal Jain, CTO at Valtix, told ZDNet that it’s not surprising to learn DDoS attacks are breaking records. For years, the cybersecurity community has been talking about how IoT devices will lead to larger botnets capable of stronger DDoS attacks, Jain said, adding that as the volume of vulnerable, compromised and misconfigured IoT devices continues to grow, cloud service providers will be challenged to protect their customers’ services. “Organizations need to have an incident response plan in place that involves a DDoS mitigation service,” Jain said. “Being alerted to a possible DDoS attack and identifying what is impacted allows security teams to take a proactive approach instead of reacting to downed services. Businesses should use edge-based, volumetric L4 DDoS protections complementing L7 DDoS protections close to internet facing applications.”

    Digital Shadows cyber threat intelligence analyst Stefano De Blasi said that while DDoS attacks are commonly associated with technically unsophisticated attackers, recent events are a reminder that highly skilled adversaries can mount high-intensity operations that may result in severe consequences for their targets. De Blasi noted that in the past two years Digital Shadows has frequently observed attackers combining DDoS attacks with cyber extortion tactics, potentially offering a glimpse into how the future of this cyber threat will look. “With the introduction of extortion, leading to a higher likelihood of financial gain, financially motivated threat actors likely see DDoS attacks as viable options, especially with success experienced by ransomware operators. In the coming years, cybercriminals will likely begin leveraging DDoS attacks to conduct financially motivated campaigns, while hacktivist groups will continue to use DDoS attacks for disruption purposes,” De Blasi said. “Nation-state groups primarily conduct attacks to gather competitive intelligence, which is more attainable through unauthorized network access through phishing, vulnerability exploitation, and ransomware deployment when coupled with data exfiltration.”


    BlackBerry report highlights initial access broker providing entry to StrongPity APT, MountLocker and Phobos ransomware gangs

    A new report from BlackBerry has uncovered an initial access broker called “Zebra2104” that has connections to three malicious cybercriminal groups, some of which are involved in ransomware and phishing. 

    The BlackBerry Research & Intelligence team found that Zebra2104 provided entry points to ransomware groups like MountLocker and Phobos as well as the StrongPity APT. The access was provided to a number of compromised companies in Australia and Turkey. StrongPity targeted Turkish businesses in the healthcare space as well as smaller companies. BlackBerry said that from its research, it believes the access broker “has a lot of manpower or they’ve set up some large ‘hidden in plain sight’ traps across the internet.” The report said the investigation led the team to believe that the MountLocker ransomware group had been working with StrongPity, an APT group dating back to 2012 that some have alleged is Turkish state-sponsored.

    “While it might seem implausible for criminal groups to be sharing resources, we found these groups had a connection that is enabled by a fourth; a threat actor we have dubbed Zebra2104, which we believe to be an Initial Access Broker (IAB). There is undoubtedly a veritable cornucopia of threat groups working in cahoots, far beyond those mentioned in this blog,” the researchers said, noting that they discovered the group while conducting research for a book about cyber threat intelligence. “This single domain led us down a path where we would uncover multiple ransomware attacks, and an APT command-and-control (C2). The path also revealed what we believe to be the infrastructure of an IAB — Zebra2104. IABs typically gain entry into a victim network then sell that access to the highest bidder on underground forums located in the dark web. Later, the winning bidder will deploy ransomware and/or other financially motivated malware within the victim’s organization, depending on the objectives of their campaign.”


    Their research began in April 2021, when they discovered curious behavior from domains that were identified previously in a Microsoft report on servers that “had been serving malspam that resulted in varying ransomware payloads, such as Dridex, which we were able to corroborate.”

    A few of the domains had been involved in a phishing campaign that went after state government departments and real estate companies in Australia in September 2020. With the help of other Microsoft reports, the researchers were able to trace the campaigns further to an indicator of compromise from a MountLocker intrusion. “Sophos has supposed that the MountLocker group has links to, or has in fact become, the recently emerged AstroLocker group. This is because one of the group’s ransomware binaries has been linked to a support site of AstroLocker. It’s possible that this group is trying to shed any notoriety or baggage that it had garnered through its previous malicious activities,” the report added after explaining a number of technical links between the two groups.

    The BlackBerry Research & Intelligence team then used WHOIS registrant information and other data that led them to discover ties between the Phobos ransomware and MountLocker. “This new information presented a bit of a conundrum. If MountLocker owned the infrastructure, then there would be a slim chance of another ransomware operator also working from it (although it has happened before). In several instances, a delay was observed between an initial compromise using Cobalt Strike and further ransomware being deployed. Based on these factors, we can infer that the infrastructure is not that of StrongPity, MountLocker, or Phobos, but of a fourth group that has facilitated the operations of the former three. This is either done by providing initial access, or by providing Infrastructure as a Service (IaaS),” the report said.

    “An IAB performs the first step in the kill chain of many attacks; this is to say they gain access into a victims’ network through exploitation, phishing, or other means. Once they have established a foothold (i.e., a reliable backdoor into the victim network) they then list their access in underground forums on the dark web, advertising their wares in the hopes of finding a prospective buyer. The price for access ranges from as little as $25, going up to thousands of dollars.” Many IABs base their price on the annual revenue of the victim organization, creating a bidding system that allows any group to deploy whatever they want. “This can be anything from ransomware to infostealers, and everything in between. We believe that our three threat actors — MountLocker, Phobos and StrongPity, in this instance – sourced their access through these means,” the team explained.

    The report notes that the domains resolved to IPs provided by the same Bulgarian ASN, Neterra LTD. While the researchers wondered whether the access broker was based in Bulgaria, they surmised that the company was simply being taken advantage of. The researchers said the “interlinking web of malicious infrastructure” described throughout the report showed that cybercriminal groups mirror the business world in that they are run like multinational enterprises. “They create partnerships and alliances to help advance their nefarious goals. If anything, it is safe to assume that these ‘business partnerships’ are going to become even more prevalent in future,” the researchers said. “To counter this, it is only via the tracking, documenting, and sharing of intelligence in relation to these groups (and many more) that the wider security community can monitor and defend against them. This cooperation will continue to further our collective understanding of how cybercriminals operate. If the bad guys work together, so should we!”
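    The pivoting the report describes, linking domains through resolved IPs and WHOIS registrant data while treating a shared ASN as context rather than proof, can be expressed as a small clustering step. The following is an added example, not BlackBerry’s code or data: the domains, addresses, ASN and registrant values are constructed, and the `DomainRecord` type is an assumption.

```python
"""Infrastructure pivoting: link domains through shared strong indicators and
see which clusters served more than one malware family. Added example, not
BlackBerry's code or data; all records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    ip: str          # resolved address while the domain was active
    asn: str         # ASN announcing that address
    registrant: str  # WHOIS registrant contact; "" when redacted
    payload: str     # malware family observed from this domain, "" if none


# Shared IP or registrant is treated as a strong link. ASN is deliberately not
# a pivot: one hosting provider's ASN covers thousands of unrelated customers,
# which is why shared hosting alone does not make the provider the actor.
STRONG_PIVOTS = ("ip", "registrant")


def cluster(records):
    """Union-find over domains; returns a list of {"domains", "payloads", "asns"}."""
    parent = {r.domain: r.domain for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for attr in STRONG_PIVOTS:
        by_value = defaultdict(list)
        for r in records:
            value = getattr(r, attr)
            if value:                        # redacted/empty values never link anything
                by_value[value].append(r.domain)
        for domains in by_value.values():
            for d in domains[1:]:
                parent[find(d)] = find(domains[0])

    groups = defaultdict(list)
    for r in records:
        groups[find(r.domain)].append(r)
    out = []
    for members in groups.values():
        out.append({
            "domains": sorted(m.domain for m in members),
            "payloads": sorted({m.payload for m in members if m.payload}),
            "asns": sorted({m.asn for m in members}),
        })
    return sorted(out, key=lambda g: g["domains"])


def shared_access_candidates(records, min_families=2):
    """Clusters that delivered several unrelated families: the pattern that
    points to one party (an IAB or an infrastructure provider) serving them all."""
    return [g for g in cluster(records) if len(g["payloads"]) >= min_families]


# Constructed records: example.* names, documentation IP space and ASN.
SAMPLE = [
    DomainRecord("alpha.example",   "203.0.113.10", "AS64500", "owner1@mail.example", "MountLocker"),
    DomainRecord("bravo.example",   "203.0.113.11", "AS64500", "owner1@mail.example", "Phobos"),
    DomainRecord("charlie.example", "203.0.113.12", "AS64500", "owner1@mail.example", "StrongPity"),
    DomainRecord("delta.example",   "203.0.113.12", "AS64500", "",                    ""),
    DomainRecord("echo.example",    "203.0.113.50", "AS64500", "owner4@mail.example", ""),
]

if __name__ == "__main__":
    for g in cluster(SAMPLE):
        print(g)
    print("shared-access candidates:", shared_access_candidates(SAMPLE))
```

    `delta.example` joins the first cluster only through its address, and `echo.example` stays apart despite sitting in the same ASN; a cluster that fronts three families is the signal the report reads as a fourth party behind the other three.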


    Online safety and end-to-end encryption can co-exist, says data protection watchdog. But how?

    Despite recent controversies, end-to-end encryption should not be weakened, the UK’s data protection watchdog has concluded – while acknowledging that some additional measures are needed to mitigate the potential harms that can stem from the privacy-protecting technology. The Information Commissioner’s Office (ICO), an independent body that oversees information rights in the UK, has published the results of initial deliberations that were carried out on end-to-end encryption (E2EE), in light of a years-long debate that has divided governments, social media platforms and freedom-of-speech activist groups. 

    E2EE has long been seen as a way to protect users’ online privacy, by encrypting content in communications channels so that only the sender and the intended recipient can access the information. This prevents any third party from accessing the data, including the provider of the platform or law enforcement agencies. The method is one of the most reliable approaches to data protection, and is increasingly seen as the gold standard for privacy. At the same time, users are growing more aware of the implications of exchanging data online: the ICO found in a survey, for example, that 77% of respondents see protecting their personal information as essential.

    To gain the trust of the public, therefore, social media platforms are turning to E2EE. Facebook is testing the technology in Messenger’s Secret Conversations, while Zoom rolled out E2EE for all video meetings last year; and platforms like Signal, Telegram (which applies it only to its opt-in Secret Chats) or Element are seeing fast increases in their user base as their promise of fully encrypted messaging gains popularity. The ICO has reiterated its long-standing view that E2EE should be widely deployed by online communication providers. “While we do not say that organisations must encrypt in all circumstances, there must be a strong justification for not doing so. This also applies to E2EE,” said the watchdog in the report.

    The report comes off the back of recent debates surrounding E2EE, in which some governments, including the UK’s, have argued that although it is key to protecting user privacy, the technology also opens the door to carrying out harmful activities online without the risk of getting caught. By stopping third parties from scrutinizing content, E2EE can effectively create a safe harbour for criminal activity, since even providers are unable to scan data to identify and respond to violations of their terms of service. This can include terrorist propaganda, violent crime, and child sexual exploitation and abuse.

    Calls from governments to stop this have multiplied in the past few years. Last year, for instance, the UK government published a statement calling for technology companies to implement encryption in a way that enables companies to act against illegal content, and also allows law enforcement agencies to access content in a readable format when granted the appropriate authorization. Protecting users from harm is also at the heart of the draft Online Safety Bill published by the UK government earlier this year, which proposes to impose a duty of care on social media platforms that would force technology companies to protect their users from dangerous content such as disinformation or hate speech. Although the bill makes no mention of E2EE in particular, experts say that it will effectively force platform providers to scan private messages for harmful content in order to comply with the law. According to the ICO, the UK government’s position is slightly more nuanced.
    In a statement to the watchdog, the government said that rather than introducing backdoors to E2EE, the focus is on introducing “specific additional functionality” to companies’ services, which would enable access to messaging content by law enforcement or the platform service provider under tightly controlled circumstances. A spokesperson for the Department of Digital, Culture, Media and Sport told ZDNet: “Children will be at the heart of our new online safety laws, with tough sanctions on social media platforms that fail to protect young people from harm. We believe it is possible to implement end-to-end encryption in a way which is consistent with public safety and which does not prevent action being taken against child abuse.”

    The ICO seems to align with this view. The watchdog’s report states that, while the use of backdoors to encrypted channels would “unacceptably” undermine users’ rights, there is value in accelerating innovations that allow the detection of harmful content without compromising privacy. In other words, the organisation argues that safety and privacy don’t have to be in tension. With the right technologies, argues the ICO, it is possible to have both a safe online space and a high level of protection of personal data. “There should be no trade-offs,” Stephen Bonner, ICO’s executive director of regulatory futures and innovation, tells ZDNet. “We believe that privacy with E2EE is essential for online safety and can work alongside the ability to moderate online harms, plus enable law enforcement to deal with the worst offenders.”

    One technology that seems to balance both sides of the E2EE argument is homomorphic encryption, which enables calculations to be carried out on encrypted data without decrypting it first, although a lot more research and development will be necessary before the approach is considered a viable solution. One caveat worth keeping in mind: the output of a homomorphic computation is itself encrypted under the same key, so a provider still cannot read the result of a scan without the key holder’s cooperation.
    Other tools could be deployed to control harmful communications without actually reading them, in a similar fashion to spam detectors that can recognize that an account is sending many emails at once, without having to look at the content of the messages. “Organisations are assessing how accounts behave to detect and remove spammers, without monitoring what’s contained inside,” says Bonner. “The innovations that don’t require access to content already exist and are deployed on many E2EE platforms.”

    It remains that many of these tools are only emerging. Although the ICO is confident that the technologies will evolve, the organisation nevertheless recommended that more attention be paid to the effectiveness of existing tools that may enable access to private content without breaking encryption standards. Jim Killock, executive director of Open Rights Group, which is campaigning against the removal of E2EE, argues that more needs to be done to prevent governments from restricting E2EE. “The ICO’s broad approach is correct, but let’s be clear,” Killock tells ZDNet. “E2EE saves people from scams and criminality. Removing it and collecting huge amounts of material would place millions of people at deep risk of blackmail and fraud. The government should not be arguing to make everyone unsafe, to deal with specific, limited, but horrendous problems.”

    The ICO has specified that the latest report is not the organisation’s final policy position on E2EE. The watchdog will now be seeking the views of multiple stakeholders, and will publish the outcomes of those discussions early next year.
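    The behavioural, content-blind approach Bonner describes can be illustrated with a detector that sees only delivery metadata: who messaged whom, when, and whether recipients reported the sender. The following is an added example, not the ICO’s or any platform’s code; the `Envelope` record, the fan-out and report-ratio thresholds, and the sample traffic are constructed assumptions.

```python
"""Abuse detection on an E2EE messaging service using delivery metadata only.
Added example, not ICO or any platform's code. The event shape, thresholds and
the sample traffic below are constructed assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Envelope:
    ts: float
    sender: str
    recipient: str
    ciphertext_len: int   # all the server sees of the body; never inspected here


WINDOW_S = 60.0           # assumed sliding window for fan-out
MAX_NEW_RECIPIENTS = 5    # assumed: first-time recipients per window before flagging
REPORT_RATIO = 0.5        # assumed: share of contacted users who reported the sender


def flag_senders(envelopes, reports):
    """Return {sender: set(reasons)} using only who-messaged-whom-and-when.

    `reports` is a set of (reporter, reported_sender) pairs: the user-driven
    signal E2EE platforms rely on instead of server-side content scanning.
    """
    contacted = defaultdict(set)          # sender -> every recipient ever messaged
    first_contacts = defaultdict(deque)   # sender -> times of new-recipient sends
    flagged = defaultdict(set)

    for e in sorted(envelopes, key=lambda e: e.ts):
        if e.recipient in contacted[e.sender]:
            continue                      # an ongoing conversation is not fan-out
        contacted[e.sender].add(e.recipient)
        q = first_contacts[e.sender]
        q.append(e.ts)
        while e.ts - q[0] > WINDOW_S:     # drop first contacts outside the window
            q.popleft()
        if len(q) > MAX_NEW_RECIPIENTS:
            flagged[e.sender].add("fan_out")

    for sender, rcpts in contacted.items():
        reported = sum(1 for r in rcpts if (r, sender) in reports)
        if reported / len(rcpts) >= REPORT_RATIO:
            flagged[sender].add("user_reports")

    return dict(flagged)


# Constructed traffic: a bulk sender, a normal two-way chat, and a sender whose
# few contacts all reported them. Ciphertext lengths are arbitrary.
SAMPLE = (
    [Envelope(10.0 + 2 * i, "spam1", f"user{i}", 412) for i in range(7)]   # 7 strangers in 12 s
    + [Envelope(100.0, "alice", "bob", 88), Envelope(101.0, "bob", "alice", 91),
       Envelope(130.0, "alice", "bob", 120)]
    + [Envelope(200.0, "scammer", "carol", 300), Envelope(201.0, "scammer", "dave", 300)]
)
REPORTS = {("carol", "scammer"), ("dave", "scammer")}   # constructed user reports

if __name__ == "__main__":
    for sender, reasons in flag_senders(SAMPLE, REPORTS).items():
        print(sender, sorted(reasons))
```

    Nothing in the detector touches `ciphertext_len` or any body bytes; the two signals it uses, new-contact rate and the fraction of contacts who reported the sender, are the kind Bonner says are already deployed on E2EE platforms. A reply inside an existing conversation never counts toward fan-out, which keeps busy legitimate users below the threshold.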

    Microsoft just expanded its malware protection for Linux servers

    Microsoft has announced it’s adding even more security features to the protection it offers to open-source operating systems. Defender for Endpoint on Linux servers gained endpoint detection and response (EDR) abilities a few months ago and now has extra capabilities for Azure Defender customers. It makes sense for Microsoft to develop security products for Linux, given that Linux distributions dominate virtual machine OSes on its Azure cloud.

    One key change is that Linux EDR detection and live response is now in public preview. Live response allows for in-depth investigations and quick threat containment by giving security teams forensic data, the ability to run scripts, share suspicious entities, and hunt for possible threats.

    Microsoft also has extended support for Amazon Linux 2 and Fedora 33+, and it now has a public preview for RHEL 6.7+ and CentOS 6.7+. Previously, EDR was available for: RHEL 7.2+; CentOS Linux 7.2+; Ubuntu 16.04 or higher LTS; SLES 12+; Debian 9 or newer; or Oracle Linux 7.2 or higher. “The complete set of the previously released antivirus (AV) and EDR capabilities now applies to these newly added Linux distributions. [Threat and vulnerability management] coverage will be expanded with Amazon Linux and Fedora in coming months,” Microsoft says. Users need to be on Microsoft Defender for Endpoint version 101.45.13. Microsoft also notes that previously released AV and EDR capabilities also apply to RHEL 6.7+ and CentOS 6.7+.

    Microsoft is also bringing TVM to Linux Debian: a public preview of TVM for Debian 9+ will be available in the coming weeks. It’s also making Defender antivirus generally available on Linux, bringing the ability to monitor processes, file system activities, and how processes interact with the OS using Microsoft’s cloud security. “With behavior monitoring, Microsoft Defender for Endpoint on Linux protection is expanded to generically intercept whole new classes of threats such as ransom, sensitive data collection, crypto mining, and others. Behavior monitoring alerts appear in the Microsoft 365 Defender alongside all other alerts and can be effectively investigated,” Microsoft notes.

    It promises to address ransomware threats too with machine-learning techniques. “Behavior monitoring provides effective measures against ransomware attacks which can be achieved using a variety of legitimate tools (for example, gpg, openssl) while carrying similar patterns from OS behavior perspective. Many of such patterns can be picked up by the behavior monitoring engine in a generic way.” Admins can also explore security events locally using the Microsoft Defender for Endpoint on Linux command-line interface.

    Get patching: Cisco warns of these critical product vulnerabilities

    Cisco has released security updates to fix vulnerabilities in multiple products that, if left unpatched, could allow an attacker to take control of affected systems and give them the ability to perform a variety of malicious actions.

    The newly disclosed critical security vulnerabilities affect static SSH keys in Cisco Policy Suite and the Cisco Catalyst PON Series Switches Optical Network Terminals. The US Cybersecurity & Infrastructure Security Agency (CISA) has urged users and administrators to review the Cisco advisories and apply the necessary updates.

    Cisco Policy Suite – a software package for data management – contains a vulnerability (CVE-2021-40119) in the static key used by its Secure Shell (SSH) cryptographic network authentication mechanism, which could allow an unauthenticated, remote attacker to log in to unpatched systems as the root user. This ability could provide them with unrestricted permissions to access, read and write files, something that is extremely desirable for attackers looking to access data, install malware or perform other malicious activities.

    There are also two critical security vulnerabilities in Cisco Catalyst Passive Optical Network (PON) Series Switches Optical Network Terminals, which are used to help deliver internet access to multiple endpoints on a single network. The vulnerabilities (CVE-2021-34795 and CVE-2021-40112) in the web-based management interface of Cisco PON terminals could allow an unauthenticated, remote attacker to log in with default credentials if Telnet – a network protocol used to remotely access a computer’s command line – is enabled.

    These vulnerabilities also allow attackers to perform command injections and modify configurations, both of which could be exploited for malicious actions. The specific Cisco products vulnerable to CVE-2021-34795 and CVE-2021-40112 are:

    • Catalyst PON Switch CGP-ONT-1P
    • Catalyst PON Switch CGP-ONT-4P
    • Catalyst PON Switch CGP-ONT-4PV
    • Catalyst PON Switch CGP-ONT-4PVC
    • Catalyst PON Switch CGP-ONT-4TVCW

    By default, Cisco PON Series Switches only allow local LAN connections to the web management interface, so they’re only exploitable if remote web management has been enabled. Users are urged to visit Cisco Security Advisories as soon as possible in order to download the security patches required to fix the vulnerabilities.

    Unpatched vulnerabilities are one of the most common methods cyber criminals, nation-state-backed hacking operations and other malicious operations exploit in order to enter networks. But despite cybersecurity organisations like CISA stressing the importance of patching networks, it’s still common for attackers to be able to exploit years-old vulnerabilities to gain access to networks because, in many cases, the updates aren’t being applied.