More stories

  • Supply chain attacks are the hacker's new favourite weapon. And the threat is getting bigger

    Compromising a business supply chain is a key goal for cyber attackers, because by gaining access to a company that provides software or services to many other companies, it’s possible to find a potential way into thousands of targets at once.

    Several major incidents during the past 12 months have demonstrated the large-scale consequences supply chain attacks can have. In one of the biggest cybersecurity incidents in recent years, cyber attackers working for the Russian foreign intelligence service compromised updates from IT services provider SolarWinds that were downloaded by 18,000 customers, with the attackers then going on to target around 100 of those customers including several US government agencies.


    Other cyber criminals were able to carry out a supply chain attack using a vulnerability in software from Kaseya to launch a ransomware attack that affected thousands of its customers around the world.

    “The issue of the threat to IT service providers as part of a supply chain was clearly one of the features of the last year,” said Simon Mehdian-Staffell, UK government affairs manager at Microsoft, speaking during a Chatham House Cyber 2021 Conference discussion on the rise of state-backed cyberattacks.

    Some of these attacks have been identified because they’ve been on such a large scale, like the ones above. But there are means of supply chain compromise that are far less likely to draw attention yet can be very effective, and a more tightly focused campaign might be harder to detect. “Clearly there’s trade-offs to be made between where they cast their net and the potential increased likelihood of being detected, so operators are having to make those trade-offs,” said Jamie Collier, cyber threat intelligence consultant at Mandiant, also speaking during the Chatham House panel.

    While big attacks get the attention, the past few years have seen “other vectors of supply chain compromise that are dominating the numbers that maybe don’t get the attention they deserve”, he added. These lower-scale, less obvious supply chain attacks can be just as effective for cyber attackers, providing discreet pathways into networks. In particular, developer or mobile environments can provide this gateway – and cyber attackers have noticed. “First of all would be developer environments, we see a huge amount of supply chain compromise around there. And the second would be mobile,” said Collier. “So, while we want to focus on the likes of SolarWinds, there is a wider landscape out there and it’s important we recognise that broader spectrum,” he added. Given the success of major supply chain attacks thus far, they’ll remain a cybersecurity threat for the foreseeable future.

    “Supply chain attacks continue to be an attractive vector at the hand of sophisticated actors and the threat from these attacks is likely to grow. Especially as we anticipate technology supply chains will become increasingly complicated in the coming years,” Lindy Cameron, CEO of the National Cyber Security Centre (NCSC), said in a keynote address to the Cyber 2021 Conference.

    The threat of supply chain attacks means that organisations should examine what they can do to make themselves more resilient to cyberattacks. They should also examine how to protect themselves in the event of one of their suppliers unknowingly falling victim to a malicious cyber campaign. “First, organisations need to establish a clear security direction with their suppliers, asking for and incentivising good security through the supply chain. This is often relatively straightforward security practices, such as controlling how privileged access is managed,” said Cameron. “Second, organisations should take an approach where their design is resilient if a technology supplier is compromised. The SolarWinds incident is a good example. To be blunt, if your SolarWinds installation couldn’t talk directly to the internet – which it shouldn’t have been able to do – then the whole attack was irrelevant to your network,” she added.

    Organisations and their information security teams can go a long way to helping to protect the network from attacks by knowing exactly what’s on it and what is connected to the internet. By ensuring infrastructure that doesn’t need to be connected directly to the internet isn’t directly connected, you can provide a major barrier to attacks being successful.

  • Cyber incident impact sits at over $500,000 for half of small to medium APAC businesses

    51% of Asia Pacific small to medium-sized businesses that were hit with a cyber incident in the past year saw the cost of that incident exceed $500,000, according to a survey conducted by Cisco. Sampling 3,750 businesses employing between 10 and 999 employees in 14 countries around the region, Cisco said 83% reported an incident in excess of $100,000, and 13% had an incident cost more than $1 million. The survey was conducted between April and July. In Australia, where 306 qualifying businesses responded, the numbers were more stark, with 64% reporting an incident costing over $500,000, and 33% saying they were hit with more than $1 million in cost.

    For businesses that ran simulation exercises, Cisco said 85% of respondents found issues in their defences. “Of those that identified weaknesses, 95% said the exercises revealed issues with not having the right technology solutions in place to detect a cyber attack or threat. The same number found they had too many technologies and struggled to integrate them together, while 96% discovered they did not have the right technology solutions to block an attack,” the company said. The main vector that attacked the sampled businesses was malware, which was used 85% of the time and led to 75% of attacks getting customer information, 62% finding internal emails, and 61% of attacks hitting employee data, intellectual property, or financial data.

    In its 2020-21 annual report released earlier this week, the Australian Signals Directorate (ASD) said it has seen a 15% increase in ransomware attacks over the past year.

    “ASD responded to more than 1,630 cybersecurity incidents during 2020–21. Compared to the previous financial year, the total number of cybersecurity incidents in the 2020-21 financial year decreased by 28%,” it said. “A higher proportion of cybersecurity incidents this financial year were categorised by the ACSC as ‘substantial’ in impact. This change is due in part to an increase in attacks by cybercriminals on larger organisations and the impact of these attacks on the victims. The attacks included data theft, extortion, and/or rendering services offline.” Thanks to the pandemic, ASD said it has shifted more of its workforce to flexible and home-based work and taken down 7,700 sites that were hosting “cybercrime activity” related to COVID-19.

  • Customer services firm Atento hit by cyberattack

    Business process outsourcing (BPO) and customer relationship management multinational Atento has been hit by a cyberattack, with the greatest impact seen in Brazil, its largest operation in Latin America. The Madrid-headquartered firm informed its customers on Sunday (17) about the attack against its systems in Brazil, which caused an interruption of service as the company sought to contain and evaluate the extent of the threat, according to local news website Neofeed. Atento’s note to customers added that its security team was working towards containing it and ensuring the security of the affected environments before bringing them back online as soon as possible.

    Contacted by ZDNet, the company was working on an official press statement relating to the matter, which had not been published at the time of writing. Brazil is one of Atento’s main global markets. More than 45% of the company’s global workforce, which employs over 150,000 people, is concentrated in the Brazilian operation, which serves major telecommunications companies and banks such as Bradesco and Itaú.

    The BPO firm is the latest of a string of companies operating in Brazil that have suffered cyberattacks recently. Last week, one of Brazil’s largest insurance groups, Porto Seguro, suffered a cyberattack that resulted in instability to its service channels and some of its systems. Another company also targeted by cybercriminals, CVC, one of the country’s largest travel operators, was hit by a ransomware attack that brought its operations to a standstill earlier this month.

    Despite the increase in security threats, 56% of Brazilian companies currently invest 10% or less of their IT budget in cybersecurity, according to a study by consulting firm Marsh on behalf of Microsoft. The research noted that 52% of Brazilian organizations said investments in security had not changed since the start of the pandemic. In terms of employee practices around security, only 23% of the Brazilian organizations that took part in the study said their workforce is using company-provided equipment to work. The study noted this practice significantly increased exposure to some type of cyber incident, yet remote access security is a priority for only 12% of respondents and the second item on the list for 7% of respondents.

  • Twitter suspends hacker who allegedly stole data of 45 million Argentinians

    Twitter has suspended a hacker who allegedly stole all of the data from Argentina’s database holding the IDs and information of all 45 million citizens of the country. A threat actor using the handle @aniballeaks said they managed to hack into Argentina’s National Registry of Persons — also known as RENAPER or Registro Nacional de las Personas — and was offering to sell the data on a cybercriminal forum. The leaked data includes names, home addresses, birthdays, Trámite numbers, citizen numbers, government photo IDs, labor identification codes, ID card issuance and expiration dates. Originally, the hacker began leaking the information of famous Argentines like Lionel Messi and Sergio Aguero. But in a conversation with The Record, the hacker said they planned to publish the information of “1 million or 2 million people” while looking for buyers interested in the data. The hacker also tacitly confirmed how they managed to break into the National Registry of Persons, noting that it was “careless employees” that allowed them into the system. The government of Argentina released a statement on October 13 denying that the National Registry of Persons had been hacked. But the statement also says that a VPN from someone within the Ministry of Health had been used to access the Digital Identity System right before the Twitter account leaked the initial data on the high-profile Argentines. Tony Pepper, CEO of cybersecurity firm Egress, called the hack “monumental.”

    “The black market for stolen data is big business, and cybercriminals will stop at nothing to find their next big payday. This attack should be a warning to governments: cybercriminals have the means to execute large-scale, sophisticated attacks, and their citizens’ data is under threat,” Pepper said. “With the data of millions at risk, Argentinian citizens are now prime targets for follow-up attacks, such as financial fraud, sophisticated phishing attempts and impersonation scams, aimed at stealing further personal data, identities and even their money.”

  • CISA says BlackMatter ransomware group behind recent attacks on agriculture companies

    CISA, the FBI and NSA officially implicated the BlackMatter ransomware group in the recent attacks on two agriculture companies, confirming the assessments of some security researchers who said the gang was behind incidents involving New Cooperative and Crystal Valley in September. New Cooperative — an Iowa-based farm service provider — was hit with a ransomware attack on September 20 and BlackMatter demanded a $5.9 million ransom. Crystal Valley, based in Minnesota, was attacked two days later. Both attacks came as harvests began to ramp up for farmers.

    In the advisory, CISA, the FBI and NSA said BlackMatter has targeted multiple US critical infrastructure entities since July. The advisory provides a detailed examination of BlackMatter’s tactics and outlines how the group typically attacks organizations. “Using embedded, previously compromised credentials, BlackMatter leverages the Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) protocol to access the Active Directory (AD) to discover all hosts on the network,” CISA said in the advisory. “BlackMatter then remotely encrypts the hosts and shared drives as they are found. Ransomware attacks against critical infrastructure entities could directly affect consumer access to critical infrastructure services; therefore, CISA, the FBI, and NSA urge all organizations, including critical infrastructure organizations, to implement the recommendations listed in the Mitigations section of this joint advisory.”

    The law enforcement organizations noted that BlackMatter operates as ransomware-as-a-service and may possibly be a rebrand of DarkSide, a ransomware group that allegedly closed shop in May after attacking Colonial Pipeline. They added that BlackMatter has demanded ransom payments ranging from $80,000 to $15,000,000 in Bitcoin and Monero.

    “Notably, this variant of BlackMatter leverages the embedded credentials and SMB protocol to remotely encrypt, from the original compromised host, all discovered shares’ contents, including ADMIN$, C$, SYSVOL, and NETLOGON. BlackMatter actors use a separate encryption binary for Linux-based machines and routinely encrypt ESXi virtual machines. Rather than encrypting backup systems, BlackMatter actors wipe or reformat backup data stores and appliances,” the advisory explained. “BlackMatter leverages legitimate remote monitoring and management software and remote desktop software, often by setting up trial accounts, to maintain persistence on victim networks. BlackMatter attempts to exfiltrate data for extortion. BlackMatter remotely encrypts shares via SMB protocol and drops a ransomware note in each directory. BlackMatter may wipe backup systems.”

    The notice lists dozens of measures organizations should take to protect themselves from BlackMatter, including the implementation of detection signatures, strong passwords, MFA, routine patching, network segmentation and access limitations. Due to the increase in ransomware attacks on weekends and holidays, CISA suggested organizations implement time-based access for accounts set at the admin-level and higher.

    In September, the FBI released its own notice warning companies in the food and agriculture sector to watch out for ransomware attacks aiming to disrupt supply chains. The FBI note said ransomware groups are seeking to “disrupt operations, cause financial loss, and negatively impact the food supply chain.” “Ransomware may impact businesses across the sector, from small farms to large producers, processors and manufacturers, and markets and restaurants. Cybercriminal threat actors exploit network vulnerabilities to exfiltrate data and encrypt systems in a sector that is increasingly reliant on smart technologies, industrial control systems, and internet-based automation systems,” the FBI said. “Food and agriculture businesses victimized by ransomware suffer significant financial loss resulting from ransom payments, loss of productivity, and remediation costs. Companies may also experience the loss of proprietary information and personally identifiable information and may suffer reputational damage resulting from a ransomware attack.”

    The notice listed multiple attacks on the food and agriculture sector since November, including a Sodinokibi/REvil ransomware attack on a US bakery company, the attack on global meat processor JBS in May, a March 2021 attack on a US beverage company and a January attack on a US farm that caused losses of approximately $9 million. In November 2020, the FBI also cited an attack on a US-based international food and agriculture business that was hit with a $40 million ransom demand from the OnePercent Group. The company was able to recover from backups and did not pay the ransom.
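    The advisory's description of one compromised host reaching ADMIN$, C$, SYSVOL and NETLOGON on every discovered machine over SMB suggests a simple detection: admin-share fan-out from a single source. The following is an added illustration written for this article, not code from the CISA/FBI/NSA advisory; the log line shape is a constructed, simplified rendering of Windows Security event 5140 (network share object accessed), and the window and host-count thresholds are assumptions to tune per environment.

```python
"""Flag one source host touching administrative SMB shares on many hosts."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Shares named in the advisory as encrypted remotely over SMB.
ADMIN_SHARES = {"ADMIN$", "C$", "SYSVOL", "NETLOGON"}

# Constructed line shape (simplified event 5140 export):
#   <date> <time> <logging-host> 5140 src=<ip> user=<account> share=\\<target>\<share>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<server>\S+) 5140 src=(?P<src>\S+) user=(?P<user>\S+) "
    r"share=\\\\(?P<target>[^\\]+)\\(?P<share>\S+)$"
)


def parse_line(line):
    """Return a dict for a 5140-style line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["admin"] = rec["share"].upper() in ADMIN_SHARES
    return rec


def detect_fanout(lines, window=timedelta(minutes=5), min_hosts=5):
    """Map each source IP that reached admin shares on at least `min_hosts`
    distinct targets inside any sliding `window` to the sorted targets seen
    in such windows. Non-admin shares and unparseable lines are ignored."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["admin"]:
            per_src[rec["src"]].append((rec["ts"], rec["target"]))
    alerts = defaultdict(set)
    for src, events in per_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {target for _, target in events[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts[src] |= hosts
    return {src: sorted(hosts) for src, hosts in alerts.items()}


# Constructed sample: one service account sweeps six hosts in under a minute,
# a workstation touches two C$ shares hours apart, and a user opens a normal
# departmental share on two file servers.
SAMPLE_LOG = r"""
2021-10-20 02:14:07 SRV01 5140 src=10.0.5.23 user=CORP\svc_backup share=\\SRV01\ADMIN$
2021-10-20 02:14:09 SRV02 5140 src=10.0.5.23 user=CORP\svc_backup share=\\SRV02\C$
2021-10-20 02:14:12 SRV03 5140 src=10.0.5.23 user=CORP\svc_backup share=\\SRV03\ADMIN$
2021-10-20 02:14:15 SRV04 5140 src=10.0.5.23 user=CORP\svc_backup share=\\SRV04\C$
2021-10-20 02:14:20 DC01 5140 src=10.0.5.23 user=CORP\svc_backup share=\\DC01\SYSVOL
2021-10-20 02:14:22 DC01 5140 src=10.0.5.23 user=CORP\svc_backup share=\\DC01\NETLOGON
2021-10-20 02:15:01 SRV05 5140 src=10.0.5.23 user=CORP\svc_backup share=\\SRV05\ADMIN$
2021-10-20 09:02:11 SRV01 5140 src=10.0.9.8 user=CORP\jdoe share=\\SRV01\C$
2021-10-20 09:40:44 SRV02 5140 src=10.0.9.8 user=CORP\jdoe share=\\SRV02\C$
2021-10-20 10:10:00 FS01 5140 src=10.0.7.15 user=CORP\asmith share=\\FS01\Finance
2021-10-20 10:10:02 FS02 5140 src=10.0.7.15 user=CORP\asmith share=\\FS02\Finance
not a 5140 line at all
""".strip().splitlines()


if __name__ == "__main__":
    for src, hosts in detect_fanout(SAMPLE_LOG).items():
        print(f"ALERT admin-share fan-out from {src}: {', '.join(hosts)}")
```

    Only the sweeping service account trips the default thresholds; the two C$ accesses from the workstation are too far apart in time, and the Finance share is not an administrative share.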

  • 83% of ransomware victims paid ransom: Survey

    A new survey of 300 US-based IT decision-makers found that 64% have been victims of a ransomware attack in the last 12 months, and 83% of those attack victims paid the ransom demand.


    Cybersecurity company ThycoticCentrify released its “2021 State of Ransomware Survey & Report” on Tuesday, featuring the insights of IT leaders who have dealt with ransomware attacks over the last year. Of those surveyed, 72% have seen cybersecurity budgets increase due to ransomware threats, and 93% are allocating special budgets to fight ransomware threats. Half of the respondents said they experienced a loss of revenue and reputational damage from a ransomware attack, while 42% indicated they had lost customers as a result of an attack. More than 30% said they were forced to lay off employees as well.

    Respondents said the most vulnerable vectors for ransomware attacks were email (53%), followed by applications (41%) and the cloud (38%). 26% of respondents cited privileged access as the top attack vector, followed closely by vulnerable endpoints (25%). “Organizations are spending their increased cyber security budgets investing in ransomware prevention with network security (49%) and cloud security (41%) solutions. It is interesting to note that in this survey, identity access management (24%), endpoint security (23%) and privileged access management (19%) are lower priorities for budget spend,” the survey said. “The most common steps taken to prevent ransomware attacks include backing up critical data (57%), regularly updating systems and software (56%), and enforcing password best practices (50%). Last on the list was adopting a least privilege posture (34%).”

    Experts were not surprised by the survey’s findings, considering how many companies have been public about paying ransoms. Major corporations like Colonial Pipeline and JBS admitted to paying ransoms after devastating ransomware incidents, and studies show many organizations end up paying ransoms. “Naive statements like ‘never pay the ransom’ simply ignore the reality of the situation and do not have any chance in actually changing anything. Over the years, we have gotten better at recovery from breaches, and attackers are trying new ways to get paid. It has been increasingly frequent in recent months where supply chain breaches are leading to ransom demands to not leak data belonging to the victim organization,” said John Bambenek, threat intelligence advisor at Netenrich. “Frankly, as long as the economics are in favor of paying, most organizations will pay. However, the paying of ransoms doesn’t guarantee results.”

  • Halloween comes early for Syniverse, Facebook, and Twitch: What we can learn from their spooky outages plus breaches

    It looks like more than ghosts are wreaking havoc on haunted networks. We’re less than a full week into October, and Cybersecurity Awareness Month isn’t quite taking shape the way we expected. Ostensibly, orgs decided to pivot and use this time to confess their wrongdoings before Halloween. Let’s take a trip through what’s happened so far and the lessons we’ve learned.

    Luckiest breach announcement timing… ever?

    Before October 4, you likely had not heard of Syniverse, though it works with 95% of the top 100 telecoms in the world. If you learned about them on October 4, it was first thing in the morning, and then … other stuff happened. Unfortunately, your texts, call records, and more were likely hoovered up by hackers in yet another third-party telecom breach. What makes this breach unique — for now anyway — is that the unauthorized access went unnoticed or undisclosed for five years, topping SolarWinds by an order of magnitude. It also highlights the risks of SMS and geolocation data, which could play a critical role in misinformation/disinformation and espionage.

    Facebook disappeared from the internet — literally — and that effectively buried the Syniverse news under a mountain of speculation about the Facebook outage. In an ironic twist of fate, Facebook simultaneously contended with the outage and experienced a deluge of rumors on the cause. Speculation ranged from an insider show of solidarity with the whistleblower to the opposite, using the outage to draw attention away from the whistleblower testifying to the US Congress. The truth is less salacious but far more realistic: a faulty configuration change interrupted communication between data centers. While Facebook data centers could not communicate, few tried to communicate at all about Syniverse. And that’s troubling, since Syniverse “processes 740 billion texts yearly and has over 300-plus direct connections to mobile operators” per its website. This breach is not limited to an individual consumer’s text messages and records. Twilio is a minority owner of Syniverse and is mentioned as one of its major contributors to revenue, behind only AT&T. That makes this breach relevant from a B2C and B2B perspective, given Twilio’s reach into the developer world. The long tail of this breach will have far-reaching consequences as Sen. Ron Wyden told Motherboard: “The information flowing through Syniverse’s systems is espionage gold.” Expect security and privacy events that trace back to this one for years.

    Attackers reveal how Twitch fails livestreamers

    In what’s certainly damaging to users — but perhaps more so damaging to the platform itself — Twitch, the dominant livestreaming choice for content creators, experienced a massive data leak. This one features partner, platform, and product security issues. And the ugliest part of all? It provides a serious glimpse into gender and racial pay gap disparities between content creators. The payout rates negotiated between Twitch, sponsors, and streamers are now publicly available and exposed. There’s zero doubt Twitch — already facing competition from YouTube for streamers — could see a talent exodus as feelings of unequal treatment get confirmed as fact. As a platform, Twitch sits between content creators, sponsors, advertisers, and viewers, facilitating and monetizing parasocial relationships. That ecosystem requires trust, which data breaches and disclosure of sensitive intellectual property threaten.

    Breaches often come at the worst possible time, and Twitch already had serious issues with content creators facing harassment from viewers and other streamers on occasion. Hot tub streams, hate raids, swatting, racism, and sexism plague Twitch. A data breach is not the most serious problem the company faces given those other items, but it’s certainly not making things easier.

    The power of incident response compels you

    If this month keeps going the way it is, the “X” in XDR (extended detection and response) might stand for eXorcism, given the ratio of breach announcements-to-days of October we’ve experienced so far. Add this to the volume and severity of breaches reported in 2021, and we’re swimming in pea soup. Yet, according to Forrester Analytics Business Technographics® Security Survey, 2021, just 12% of respondents list breach and attack simulation as a top information/IT security priority over the next 12 months. Firms should revisit, revise, and rehearse incident response and crisis management plans at least biannually, if not quarterly, to keep up with attackers and their tactics. At least one of those breach simulations should be a ransomware attack, and all exercises should assume data exfiltration. Those concerned about data that could come from Twitch should consider a crisis management exercise. For customers, platforms, and partners, trust is on the line. Don’t wait until the incident is underway to assemble your crisis management ecosystem of critical third parties like legal, digital forensics, and incident response, along with PR, to ensure notifications, handoffs, and all communication flow smoothly. Consider media training for key executives who will be seen as the face of any crisis affecting your firm.

    Zero Trust to the rescue

    The old way of approaching security architecture is already widely known to be a failure from a technical perspective (see the above examples if you aren’t convinced). Add in the business realities of the interconnectedness of relationships between platforms, partners, and customers without shifting your strategy, and security, risk, and privacy leaders will get totally left behind. This makes a shift to Zero Trust architectures a requirement. Customers and business partners demand dependability, believing that you’re protecting the entire ecosystem by forgoing inherent trust in any user, device, or system. Zero Trust enables you and your ecosystem to be both resilient and protected. At the end of the day, organizations don’t want another mystery on their hands. To learn more about Zero Trust, register to attend the Forrester Security & Risk Forum. This post was written by Forrester Vice President, Principal Analyst Jeff Pollard and originally appeared on the Forrester blog.

  • FCC mulls over new rules demanding carriers block spam robot texts at network level

    The US Federal Communications Commission (FCC) is due to consider a new proposal to clamp down on robot texts.

    On October 18, FCC Acting Chairwoman Jessica Rosenworcel unveiled a new set of proposed rules that would force wireless carriers to block illegal robot texts, potentially at the network level. According to the chairwoman, the US regulator received roughly 14,000 complaints from consumers concerning unwanted robot texts in 2020. So far this year, the commission has received over 9,800 complaints, which suggests that this is a rising trend that needs to be tackled alongside robot calls. Research conducted by RoboKiller found that spam text message rates in the US are far higher than the rate of complaints received by the FCC, with an estimated 7.4 billion spam SMS messages sent in March alone.

    Robocalls and robotexts are often pushed out to consumers for the same purpose: to lure them into scams — such as insurance claims or, more recently, coronavirus-themed services — to get them to share personally identifiable information (PII) or banking details, or to get them to visit malicious and fraudulent websites in phishing campaigns. Rosenworcel said that if the proposal is accepted, mobile carriers in the United States would be required to protect customers from illegal text messages, and this could include initiatives such as blocking texts at the network level — or “applying caller authentication standards to text messaging.”

    The proposals build upon rules discussed in September to protect 911 call centers from robocalls. As a critical service, call handlers certainly do not need to also have to deal with influxes of scam calls — and the FCC’s proposal would force service providers to stop robocalls from reaching numbers on do-not-call registries.

    In addition, the watchdog is attempting to stop telecoms firms from accepting calls on their networks from voice service providers that are not registered in the FCC’s Robocall Mitigation Database. “We’ve seen a rise in scammers trying to take advantage of our trust of text messages by sending bogus robotexts that try to trick consumers to share sensitive information or click on malicious links,” Rosenworcel commented. “It’s time we take steps to confront this latest wave of fraud and identify how mobile carriers can block these automated messages before they have the opportunity to cause any harm.”