More stories

  • More than 30 countries outline efforts to stop ransomware after White House virtual summit

    The countries involved in the two-day ransomware summit led by the US have released a joint statement pledging to make systems more resilient against attack and outlining measures that will be taken to disrupt the criminal groups involved. The summit included representatives from the US, Australia, Brazil, Bulgaria, Canada, Czech Republic, the Dominican Republic, Estonia, European Union, France, Germany, India, Ireland, Israel, Italy, Japan, Kenya, Lithuania, Mexico, the Netherlands, New Zealand, Nigeria, Poland, South Korea, Romania, Singapore, South Africa, Sweden, Switzerland, Ukraine, UAE, and the United Kingdom.

    All of the countries agreed that ransomware is an “escalating global security threat with serious economic and security consequences.” The countries reiterated that ransomware requires a “shared response” because of how complex and global the issue is. “Efforts will include improving network resilience to prevent incidents when possible and respond effectively when incidents do occur; addressing the abuse of financial mechanisms to launder ransom payments or conduct other activities that make ransomware profitable; and disrupting the ransomware ecosystem via law enforcement collaboration to investigate and prosecute ransomware actors, addressing safe havens for ransomware criminals, and continued diplomatic engagement,” the statement said.

    The countries pledged to make systems more resilient through policy measures, more resources, clear governance structures, well-rehearsed incident response procedures, trained workers, and private sector partnerships. They urged organizations to maintain offline data backups, require timely patches, and use MFA as well as stronger passwords. Nations should also “consider” frameworks that promote information sharing between ransomware victims and local cyber emergency response teams.

    The statement mentioned other ways to limit the effectiveness of ransomware gangs, including the disruption of payment networks. Through international cooperation, the countries said they planned to “inhibit, trace, and interdict ransomware payment flows, consistent with national laws and regulations.”

    “Taking action to disrupt the ransomware business model requires concerted efforts to address illicit finance risks posed by all value transfer systems, including virtual assets, the primary instrument criminals use for ransomware payments and subsequent money laundering,” the statement said. “We acknowledge that uneven global implementation of the standards of the Financial Action Task Force (FATF) to virtual assets and virtual asset service providers (VASPs) creates an environment permissive to jurisdictional arbitrage by malicious actors seeking platforms to move illicit proceeds without being subject to appropriate anti-money laundering (AML) and other obligations.”

    Law enforcement entities and “financial intelligence units” will be deployed to help disrupt the ransomware business model, according to the statement. The countries pledged to work together to “counter cybercriminal activity emanating from within our own territory and impress urgency on others to do the same in order to eliminate safe havens for the operators who conduct such disruptive and destabilizing operations.” “We intend to cooperate with each other and with other international partners to enhance the exchange of information and provide requested assistance where able to combat ransomware activity leveraging infrastructure and financial institutions within our territories. We will consider all national tools available in taking action against those responsible for ransomware operations threatening critical infrastructure and public safety,” the countries agreed. Diplomatic efforts were also cited as a way countries can work to disrupt ransomware groups operating in certain regions. The statement said diplomacy can “serve as a force multiplier” for countries that lack the capacity to address cybercrime.

    The Counter Ransomware Initiative meeting held on October 13 and 14 drew headlines this week for who wasn’t involved, namely Russia. Russia, North Korea, and other countries have been accused of harboring — and in some cases actively helping — ransomware gangs conducting attacks on organizations across the globe. But when asked about Russia not being involved in the summit, the US said it already communicates directly with the country through the US-Kremlin Experts Group established this year by US President Joe Biden and Russian President Vladimir Putin.

    Darktrace director of strategic threat Marcus Fowler said the summit was important because even countries with relatively low cyberattack rates need to understand that their economies are vulnerable because of their dependence on fragile supply chains.

    “Ransomware actors are well aware of this; governments need to be too. With any political gathering, the proof is in the commitments and actions that come after. Whether this is a more formal UN resolution or increased scrutiny around cryptocurrency exchanges, combatting ransomware requires a transnational approach and strategy,” Fowler said. “Biden’s warnings and the recent crypto sanctions are solid steps in deterring attacks, especially on our most critical infrastructure — but they will not stop determined, sophisticated hackers from getting in. But accepting that attacks will get in is not accepting failure. As Chris Inglis said in this week’s CISA summit, ‘We want to create the situation where an adversary needs to beat all of us to beat one of us.’”

  • Acer confirms second cyberattack in 2021 after ransomware incident in March


    Acer has confirmed a cyberattack on its offices in India this week after hackers with the Desorden Group claimed to have breached servers and stolen 60GB of files. The group emailed ZDNet about the hack, claiming to have customer and corporate business data as well as financial information. When asked, the hackers denied it was a ransomware attack and claimed to have access to the company’s servers “over time.”

    A spokesperson from Acer confirmed the hack, telling ZDNet that their security team recently detected an “isolated attack” on its local after-sales service system in India.

    “Upon detection, we immediately initiated our security protocols and conducted a full scan of our systems,” an Acer spokesperson said. “We are notifying all potentially affected customers in India. The incident has been reported to local law enforcement and the Indian Computer Emergency Response Team, and has no material impact to our operations and business continuity.” After receiving the message from Acer, ZDNet asked the hackers whether they still had access. “Acer is a global network of vulnerable systems. We no longer have access to their India servers. This is all we can reveal now,” the hackers said in a follow-up message. This is the second cyberattack Acer has suffered this year after being hit with ransomware in March.

    The REvil ransomware group claimed the attack and demanded a $50 million ransom, one of the highest reported at the time. Acer offered to pay the group $10 million, which was rejected by the hackers. The Record reported that the data stolen recently by the Desorden Group was posted to cybercriminal forum RAID as well as being sent to reporters. Acer India was hit with a similar cyberattack in 2012 by a Turkish cybercriminal group, according to DataBreaches.net. The attackers defaced the company website and leaked 20,000 user credentials at the time. DataBreaches.net reported last month that the Desorden Group recently claimed to have hacked into the Malaysian servers of ABX Express Enterprise on September 23.

    Like the latest attack, the group sent reporters portions of the stolen files and posted them into the RAID forum. They claimed to have stolen 200GB of information including the data of millions of Malaysians. In messages to the site, the group said their name stands for “chaos and disorder” and had reorganized after originally going by the name “Chaos CC.”

    The group said it plans to attack supply chains and cause “disorder and chaos” that affects as many people as possible. The Desorden Group said it plans to hold data ransom and sell it if they are not paid. At the time, they claimed to have been negotiating a ransom with an unnamed Italian automotive supply company.

  • HP Wolf report highlights widespread exploitation of MSHTML, typosquatting and malware families hosted on Discord


    HP released its latest Wolf Security Threat Insights Report, finding evidence that cybercriminals are moving even faster in taking advantage of zero-day vulnerabilities and exploiting specific problems like CVE-2021-40444 — the remote code execution vulnerability targeting the MSHTML browser engine through Microsoft Office documents.

    The HP Wolf Security threat research team first discovered cyberattackers exploiting CVE-2021-40444 on September 8, one week before Microsoft issued a patch. By September 10, attackers had already created scripts designed to automate the creation of this exploit and shared it on GitHub.

    The devastating attack gives cybercriminals a startlingly easy entry point into systems, deploying malware through an Office document that only needs to be previewed to be initiated. HP researchers compile the report by analyzing the millions of endpoints running HP Wolf Security. In the latest report, the researchers found that 12% of email malware isolated had bypassed at least one gateway scanner and 89% of malware detected was delivered via email, while web downloads were responsible for 11%. The most common attachments used to deliver malware were archive files, which HP Wolf researchers said increased in ubiquity from 17.26% last quarter to 38% this quarter.

    Word documents are also used in 23% of instances while spreadsheets (17%), and executable files (16%) rounded out the list. The report found that the top five most common phishing lures all used business lingo to lure victims in. Words like “order”, “payment”, “new”, “quotation” and “request” were used prolifically in attacks. The report found 12% of malware captured was previously unknown.

    Alex Holland, the senior malware analyst with the HP Wolf Security threat research team, said the average time for a business to apply, test and fully deploy patches with the proper checks is 97 days, giving cybercriminals an opportunity to exploit this ‘window of vulnerability’. “While only highly capable hackers could exploit this vulnerability at first, automated scripts have lowered the bar for entry, making this type of attack accessible to less knowledgeable and resourced threat actors. This increases the risk to businesses substantially, as zero-day exploits are commoditized and made available to the mass market in venues like underground forums,” Holland said. “Such novel exploits tend to be effective at evading detection tools because signatures may be imperfect and become obsolete quickly as the understanding of the scope of an exploit changes. We expect threat actors to adopt CVE-2021-40444 as part of their arsenals, and potentially even replace common exploits used to gain initial access to systems today, such as those exploiting Equation Editor.”
    Holland added that his team is seeing major platforms like OneDrive allowing hackers to conduct ‘flash in the pan’ attacks. While malware hosted on such platforms is generally taken down quickly, this does not deter attackers because they can often achieve their objective of delivering malware in the few hours the links are live, Holland explained. “Some threat actors are changing the script or file type they are using every few months. Malicious JavaScript and HTA files are nothing new, but they are still landing in employee inboxes, putting the enterprise at risk. One campaign deployed Vengeance Justice Worm, which can spread to other systems and USB drives,” Holland said.

    The HP Wolf team also found cybercriminals exploiting cloud and web providers to host malware, as well as multiple malware families being hosted on Discord and other gaming social media platforms. The report outlines how new JavaScript malware has been able to slip past detection tools via malicious email attachments. One campaign uncovered by the HP Wolf Security threat research team found cybercriminals pretending to be part of the Ugandan National Social Security Fund and using a spoofed web address similar to an official domain name to lure targets to a site that downloads a malicious Word document. According to the report, Trickbot Trojans are also being delivered through HTA files now, which initiate the malware once the file is opened.

    Ian Pratt, global head of security for personal systems at HP, said relying on detection alone will no longer be sufficient because the threat landscape is too dynamic and attackers are increasingly adept at evading detection. “Organizations must take a layered approach to endpoint security, following zero trust principles to contain and isolate the most common attack vectors like email, browsers, and downloads,” Pratt said. “This will eliminate the attack surface for whole classes of threats while giving organizations the breathing room needed to coordinate patch cycles securely without disrupting services.”

  • This new ransomware encrypts your data and makes some nasty threats, too

    Cybercriminals are distributing a new form of ransomware in attacks against victims in which they not only encrypt the network but also make threats to launch distributed denial of service (DDoS) attacks and to harass employees and business partners if a ransom isn’t paid. Dubbed Yanluowang, the ransomware was uncovered by cybersecurity researchers in Broadcom Software’s Symantec Threat Hunter team while they were investigating an attempted cyberattack against a large undisclosed organization.  


    While the attempted attack wasn’t successful, the investigation revealed a new form of ransomware. It also provided insight into how some cybercriminals are attempting to make attacks more effective — in this case, with the threat of additional attacks.

    Yanluowang drops a ransom note telling the victim they’ve been infected with ransomware, telling them to message a contact address to negotiate a ransom payment. The note warns victims not to contact the police, FBI or authorities, and not to contact a cybersecurity company — it’s implied that if the victim does this, they won’t get their data back. But the cybercriminals behind Yanluowang go even further with their threats, suggesting that if the victim calls in outside help, they’ll launch DDoS attacks against the victim — overflowing their websites with so much traffic that they’ll crash — and they’ll make calls to employees and business partners. They also suggest that if the victim isn’t cooperative, they’ll return with additional attacks or even delete the encrypted data, so it’s lost forever. “It’s difficult to say if this is a genuine threat. However, it’s certainly in line with what we’re seeing from other ransomware actors who seem to feel threatened by victims calling in law enforcement or sharing information with third parties,” Dick O’Brien, principal editor at Symantec, told ZDNet.

    It’s still unclear how the cybercriminals gained access to the network. Still, researchers uncovered the attack after identifying suspicious use of AdFind, a legitimate command-line Active Directory query tool. This tool is often abused by ransomware attackers as a reconnaissance technique for enumerating Active Directory and finding additional ways to move around the network unnoticed, with the ultimate goal of deploying ransomware. In this case, the attackers attempted to deploy ransomware just days after the suspicious activity was identified, and ultimately the attempted ransomware attack was prevented because the tell-tale signs of an attack had been recognized and blocked.
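As an added illustration of the detection described above (example code, not Symantec's or the article's), the following Python scans constructed process-creation log lines for AdFind executions and for the enumeration pattern the article describes, then flags hosts that enumerated several AD object categories within a short window. The log format, host names and user names are made up for the example, and the "renamed copy" rule (an AdFind-style `-f` filter run under another file name) is a heuristic assumed here.

```python
"""Detect AdFind-style Active Directory enumeration in process-creation logs."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed log format used only for this example (not a vendor format):
# one process-creation event per line, key=value fields, quoted cmdline.
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+'
    r'image=(?P<image>\S+)\s+cmdline="(?P<cmdline>.*)"$'
)
# LDAP objectCategory filters AdFind is typically run with during domain
# reconnaissance: users, machines, groups, subnets, OUs.
CATEGORY_RE = re.compile(
    r"objectcategory=(person|computer|group|subnet|organizationalunit)", re.IGNORECASE
)
# AdFind takes its LDAP filter via -f. Seeing that together with an
# objectCategory query under a non-adfind.exe image is treated (heuristic,
# an assumption of this example) as a renamed copy of the tool.
FILTER_FLAG_RE = re.compile(r"(^|\s)-f(\s|$)")


@dataclass
class ProcessEvent:
    ts: datetime
    host: str
    user: str
    image: str
    cmdline: str


def parse_line(line: str) -> Optional[ProcessEvent]:
    """Parse one constructed log line; return None for lines that do not fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ProcessEvent(ts, m["host"], m["user"], m["image"], m["cmdline"])


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return an alert name for AdFind-like activity, or None if nothing matched."""
    basename = ev.image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    is_adfind = basename == "adfind.exe"
    has_query = CATEGORY_RE.search(ev.cmdline) is not None
    if is_adfind and has_query:
        return "adfind_recon"          # the tool, run with an enumeration filter
    if is_adfind:
        return "adfind_exec"           # the tool ran; weak signal on its own
    if has_query and FILTER_FLAG_RE.search(ev.cmdline):
        return "renamed_adfind_recon"  # same query shape under another file name
    return None


def recon_bursts(events, window=timedelta(minutes=10), min_categories=2) -> Dict[str, List[str]]:
    """Hosts that enumerated at least `min_categories` AD object types within `window`."""
    per_host: Dict[str, List] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if classify(ev) in ("adfind_recon", "renamed_adfind_recon"):
            cat = CATEGORY_RE.search(ev.cmdline).group(1).lower()
            per_host.setdefault(ev.host, []).append((ev.ts, cat))
    bursts: Dict[str, set] = {}
    for host, hits in per_host.items():
        for i, (start, _) in enumerate(hits):          # hits are time-ordered
            cats = {c for t, c in hits[i:] if t - start <= window}
            if len(cats) >= min_categories:
                bursts.setdefault(host, set()).update(cats)
    return {h: sorted(c) for h, c in bursts.items()}


# Constructed sample: a workstation enumerating users, computers, subnets and
# (via a renamed binary) groups within minutes, plus an admin host listing DCs.
SAMPLE_LOG = r"""
2021-10-05T09:12:44Z host=WS-042 user=CORP\jsmith image=C:\Windows\System32\notepad.exe cmdline="notepad.exe report.txt"
2021-10-05T09:14:02Z host=WS-042 user=CORP\jsmith image=C:\Users\jsmith\AppData\Local\Temp\adfind.exe cmdline="adfind.exe -f objectcategory=person -dn"
2021-10-05T09:14:09Z host=WS-042 user=CORP\jsmith image=C:\Users\jsmith\AppData\Local\Temp\adfind.exe cmdline="adfind.exe -f objectcategory=computer"
2021-10-05T09:14:31Z host=WS-042 user=CORP\jsmith image=C:\Users\jsmith\AppData\Local\Temp\adfind.exe cmdline="adfind.exe -subnets -f objectcategory=subnet"
2021-10-05T09:20:15Z host=WS-042 user=CORP\jsmith image=C:\ProgramData\svchost.exe cmdline="svchost.exe -f objectcategory=group -dn"
2021-10-05T11:02:00Z host=ADM-01 user=CORP\adadmin image=C:\Tools\adfind.exe cmdline="adfind.exe -sc dclist"
""".strip().splitlines()


def analyse(lines=SAMPLE_LOG):
    """Return (per-event alerts, per-host recon bursts) for the given log lines."""
    events = [ev for ev in map(parse_line, lines) if ev]
    alerts = [(ev.host, classify(ev)) for ev in events if classify(ev)]
    return alerts, recon_bursts(events)


if __name__ == "__main__":
    found, bursts = analyse()
    for host, name in found:
        print(f"{host}: {name}")
    print("recon bursts:", bursts)
```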


    Nonetheless, the emergence of yet another new ransomware group, particularly one making additional threats in order to coerce victims into paying ransoms, is an unwelcome development.

    The ransomware appears to be a work in progress, so it could become more effective in future. However, there are steps that organizations can take to protect their businesses from this threat and other forms of ransomware. “Broadly speaking, they should adopt a defense in depth strategy, using multiple detections, protection, and hardening technologies to mitigate risk at each point of the potential attack chain,” said O’Brien. “Only allow RDP [Remote Desktop Protocol] from specific known IP addresses. We’d also advise implementing proper audit and control of administrative account usage,” he added. Other actions organizations can take to help protect against ransomware and other cyberattacks include applying security patches as soon as possible, so cybercriminals can’t exploit known vulnerabilities to access the network. Organizations should also equip users with multi-factor authentication tools, so it’s more difficult for cybercriminals to take advantage of breached usernames and passwords.

  • This is how Formula 1 teams fight off cyberattacks

    The Mercedes-AMG Petronas Formula One team is one of the most dominant F1 teams of all time and has won seven Constructor’s World Championships in a row since 2014, with seven-time World Champion Lewis Hamilton, who many consider to be the greatest ever Formula 1 driver, winning the F1 Drivers’ Championship on six of those occasions. Mercedes face challenges from nine other teams on the track during race weekends, but these are far from the only adversaries that the team has to worry about. The high-profile, high-tech nature of Formula 1 makes it a tempting target for cyber criminals and sophisticated hackers of all kinds.  


    “The profile of this organisation, the popularity of the sport and the fact that we’ve been pretty successful over the last few years actually acts as a little bit of a target for this type of activity,” explains Michael Taylor, IT director at Mercedes-AMG Petronas Formula One.

    Most of the cyber threats an F1 team faces will be familiar to organisations around the world, such as the phishing attacks attempting to steal usernames, passwords and other sensitive information, or the constant threat of ransomware. But then in F1, you also have to factor in the challenge of securing a remote workforce that can be in three countries in as many weeks because of the busy schedule across a hectic 22-race season. And then, add on top the threat that comes from the most sophisticated online attackers who might be interested in the secrets of a high-performance racing team. “In this hybrid world, a lot of the technology comes out of Formula One and then trickles down into the cars that we drive, so there’s a tremendous amount of technology that’s on the cutting edge that obviously needs to be protected and certainly could be a target for nation-state actors,” says George Kurtz, CEO of CrowdStrike, the cybersecurity partner of Mercedes, which provides the team with technology to help secure its networks, as well as information on the evolving nature of cyber threats.

    This includes a dossier ahead of every race weekend, where CrowdStrike security analysts detail the potential cyber threats that members of the team could face in the country where the race circuit is located, and how to stay safe from these threats. “That’s always an eye opener that always helps raise some inconvenient truths and some questions,” says Taylor. Ensuring that the cybersecurity of a Formula 1 team is strong enough to protect against all these threats starts with securing the endpoints – the laptops, tablets and other devices that members of staff use on a daily basis. “Endpoints for us are our biggest area of risk because they have a human at the other end of them and most of the risk is inherently carried by humans doing something they probably shouldn’t do or didn’t intentionally mean to do,” Taylor explains. “The endpoint is an area where we do have control over, but not full control and that’s really the biggest focus for us in terms of reducing the risk opportunity there.”

    Mercedes could completely lock down machines with strict controls on what actions users can perform; but restricting user activity like that in Formula 1, where time is of the essence and the split-second strategy decisions and the data that informs them can make or break a race weekend, could put a team at a massive disadvantage. “We’re very creative in terms of problem solving and design, and historical security controls would inhibit innovation or could potentially limit innovation,” says Taylor. That means heavily restricting access to data or making it cumbersome for engineers in the pit lane to collaborate with analysts at the factory isn’t the answer. Instead, a balance is needed between ensuring security and also ensuring that staff can efficiently do their jobs in a way that isn’t detrimental to Lewis Hamilton or his teammate Valtteri Bottas during race weekends.

    “It’s always a balance of risk versus reward and it’s trying to be able to provide that flexible platform enabling collaboration, but understanding the potential risks and then addressing them,” says Taylor.

    Seven-time World Champion Lewis Hamilton behind the wheel of his Mercedes. Image: Mercedes
    Cybersecurity applications like firewalls, network segmentation, providing access to data on a need-to-know basis, and multi-factor authentication play a role in helping to keep the team secure, but the globe-trotting nature of Formula 1 means that staff – and computer networks – don’t stay in the same place for long before being packed up and whisked away to another circuit on the calendar. That’s why many of the applications that help manage security procedures are cloud-based, allowing Mercedes to ensure endpoints are protected against the latest threats, no matter where they are in the world. “Whether in the factory in what we class our protective environment or out in Australia, it’s still the same consistent endpoint protection that we have in place; the fact it’s calling home to a cloud location somewhere in the world massively simplifies the complexity and the challenge for us organisationally,” Taylor explains.

    All ten Formula 1 teams face similar challenges around protecting their networks from data breaches and cyberattacks, no matter where they are in the world, while also attempting to work as efficiently as possible in a high-paced environment. Cyber criminals have long exploited the hectic nature of businesses, and the sheer number of emails that get sent in a day, as an entry point for cyberattacks – and that’s no different for Formula 1. For example, in November last year, Formula 1 was at Imola for the Emilia Romagna Grand Prix, the 13th race in the 2020 Formula One World Championship season. It was late in the year for an F1 race, after the start of the season was delayed from March to July because of the impact of the COVID-19 pandemic, and the races came thick and fast during the truncated calendar; just days before, the teams had been in Portugal for the previous Grand Prix.

    It was at this point that some hackers went straight for a big prize, attempting to target Zak Brown, CEO of racing team McLaren Formula 1. They’d created a sophisticated phishing email designed to look like business-related emails that Brown would expect to receive. But Brown never saw it, because the cybersecurity protections McLaren applies to the inboxes of all its staff meant it went straight to junk mail and the ability to click the link was disabled – despite the continued efforts of the attackers. “In terms of volume of attacks, they’ve definitely got smarter. They’re targeting individuals with phishing and spear-phishing attacks – it’s very targeted, very clever,” says Chris Hicks, group CIO at McLaren Group. “It is a cat and mouse game; the attackers will react to your changes, then we react in turn – but I feel like we’re always one step ahead.” McLaren fended off this particular attack by using technology supplied by Darktrace, the team’s official cybersecurity partner – its logo featuring prominently on the liveries of the cars driven by Lando Norris and Daniel Ricciardo. The nature of Formula 1, where team members could be in different parts of the world in consecutive weeks, means that blocking access to emails just because they’re being sent from an IP in an unfamiliar space wouldn’t work. But McLaren’s email security software analyses information about previous activity and uses this to determine if the action is legitimate, meaning that important messages being delivered from unfamiliar time zones or locations don’t get blocked. Meanwhile, messages like the one cyber criminals attempted to send McLaren’s CEO get filtered out as they’re recognised as unusual or malicious.

    “Darktrace understands that actually the rest of the team is here, these are files you normally access, this is the normal chain so it’s okay. It works really well because we have to be seamless, we can’t be taking our staff offline,” Hicks explains. “That real-time accessibility to data and real-time collaboration wherever you are in the world is absolutely critical – anyone in Formula 1 will tell you every millisecond counts,” he adds.

    Lando Norris driving his McLaren Mercedes at the Austrian Grand Prix. Image: Getty
    The sheer amount of data transferred over a race weekend is huge, with potentially hundreds of thousands of emails being sent within McLaren as well as between McLaren and its partners. “On a race weekend, it’s measurable how many more attacks come into the business when Formula One’s on the TV,” says Dave Palmer, chief product officer at Darktrace. “There could be 250,000 emails over a race week and during a race weekend the number of malicious ones jumps up to about 3.5%, which is a lot – 3.5% of your inbound email has got something wrong with it, that needs to be acted on by the machine.” If just one malicious phishing email wasn’t identified and got through, that could be devastating – not only could it affect race plans, but there’s also the potential for a phishing email to be used as a gateway to a wider attack on the network. “That’s something we’ve always been challenged with because in many areas intellectual property won’t be secret for very long – in six months or so it’s public knowledge, just due to the nature of Formula 1. But in real time, we want to keep it close to our chest and often it’s for financial gain or various reasons why attackers might try and compromise us, so it’s imperative that we keep that IP secure,” says McLaren’s Hicks. McLaren doesn’t just rely on technology to keep staff secure – a key element of keeping the network protected from cyberattacks involves regular cybersecurity training for staff, including executives.

    “The awareness campaigns that we do are absolutely critical and it’s normally from the top down. It’s normally the CEOs you get targeted first or their PA; people right up the top”, says Hicks.

    Williams Racing is one of the most historically successful teams on the Formula 1 grid and it too has found itself being targeted by cyberattacks attempting to launch phishing attacks against the boardroom. The high-profile nature of Formula 1 means it’s easy to find out who runs teams – they’re often right there on TV – and cyber criminals will attempt to exploit this for social engineering. “We know we are constantly a target, there are even some spear phishing attacks where they go after the CEO or CFO,” says Graeme Hackland, CIO of Williams Racing F1. “They don’t lock you out of your account, they just sit in your account and watch. We received a reply to an email from a supplier saying ‘we’ve changed our bank account, please can you update your records’ – and that reply was sent from the hacker not from the supplier,” Hackland explains. Attackers have also registered false Williams email addresses in efforts to commit attacks against the team – for example, they’ll try to register a URL where the lower case l’s are replaced with a capital L, something that unless somebody is really examining the email address, would look authentic. “It looks just like our email address, and so I don’t blame any of our staff who got caught by those things because it was very, very sophisticated – there’s a lot more social engineering going into the phishing emails now. They learn a huge amount of information,” says Hackland. Williams was sold to new owners, American private investment company Dorilton Capital, during 2020 – and with new executives, and new staff around them, it was vital these people were aware of the potential security threats they’d face as high-profile staff of a Formula 1 team.

    George Russell driving for Williams Racing. Image: Williams Racing
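As an added example (not code from Williams, Darktrace or the article), the following Python compares an inbound sender's domain with a list of trusted domains after folding case and mapping characters that render alike, which covers the letter-substitution trick described above as well as Cyrillic homoglyphs and sequences such as "rn" for "m", and separately catches one-character typos. The trusted domains and sender addresses are constructed placeholders for the example.

```python
"""Spot look-alike sender domains: case tricks, confusable characters, near-typos."""
import unicodedata
from typing import List, Optional, Tuple

# Trusted domains: constructed placeholders for this example, not real ones.
TRUSTED_DOMAINS = ["williams-example.com", "parts-supplier.co.uk"]

# Sequences and single characters that look alike in common fonts, mapped to one
# canonical form. Input is casefolded first, so a capital I used for a lowercase
# l arrives here as "i" and is folded to "l".
CONFUSABLE_SEQ = {"rn": "m", "vv": "w"}
CONFUSABLE_CHAR = {
    "i": "l", "1": "l", "|": "l",
    "0": "o", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
}


def unicode_domain(domain: str) -> str:
    """Decode IDNA (xn--) labels so homoglyph domains are compared as text."""
    try:
        return domain.encode("ascii").decode("idna")
    except (UnicodeError, ValueError):
        return domain  # already non-ASCII, or not valid punycode: compare as given


def skeleton(domain: str) -> str:
    """Canonical 'what it looks like' form of a domain (a TR39-style skeleton)."""
    d = unicode_domain(domain.strip().casefold())
    d = unicodedata.normalize("NFKD", d)
    d = "".join(ch for ch in d if not unicodedata.combining(ch))  # drop accents
    for seq, rep in CONFUSABLE_SEQ.items():
        d = d.replace(seq, rep)
    return "".join(CONFUSABLE_CHAR.get(ch, ch) for ch in d)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used for plain typosquats like a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(addr: str) -> str:
    """Domain of an address such as 'Name <user@host>' or 'user@host'."""
    inner = addr
    if "<" in addr and ">" in addr:
        inner = addr[addr.rfind("<") + 1 : addr.rfind(">")]
    return inner.rsplit("@", 1)[-1].strip().casefold()


def check_sender(addr: str, trusted: List[str] = TRUSTED_DOMAINS) -> Tuple[str, Optional[str]]:
    """Return (verdict, trusted domain it resembles or equals)."""
    domain = sender_domain(addr)
    trusted_cf = [t.casefold() for t in trusted]
    if domain in trusted_cf:
        return "trusted", domain
    sk = skeleton(domain)
    for t in trusted_cf:
        if skeleton(t) == sk:           # looks identical but is a different name
            return "lookalike", t
    for t in trusted_cf:
        if edit_distance(domain, t) <= 1:
            return "typosquat", t
    return "unknown", None


if __name__ == "__main__":
    # Constructed addresses: genuine, capital-I-for-l, Cyrillic a, rn-for-m, typo, unrelated.
    for sample in [
        "Finance <finance@parts-supplier.co.uk>",
        "accounts@parts-suppIier.co.uk",
        "ceo@williams-ex\u0430mple.com",
        "it@willIarns-example.com",
        "hr@wiliams-example.com",
        "news@zdnet.example",
    ]:
        print(f"{sample!r}: {check_sender(sample)}")
```

A genuine supplier mailbox that has been taken over, as in the bank-change reply Hackland describes, sends from the real domain and passes this check; that case needs out-of-band confirmation of the payment-detail change, not a domain comparison.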
    “We got a new CEO, so we did an education campaign with his personal assistant to remind her she’s going to be a target and we have actually seen an increase in spam emails going to her,” Hackland explains. All Williams employees go through phishing training to understand how cyber criminals could try to breach the network via email. But the sheer number of cyberattacks means that it hasn’t always been possible to protect the network from attacks – and Williams found itself the victim of a ransomware attack a few years back. The attack in 2014 started on a Friday morning and was quickly spotted by the cybersecurity team. Much of the network was protected from falling victim to the attack. But if the attack had started a few hours later, it’s likely that nobody would have noticed until the following week. “If this had happened at 6pm, it could have spent all weekend encrypting all of our data and when we come in on Monday, we would have been in massive trouble. It was lucky, it was a Friday morning and we noticed that behavior fairly early in the process,” Hackland explains. The ransomware attack got into the network after a member of staff unintentionally visited a compromised website. “They had downloaded a tech spec sheet for their washing machine. They did nothing wrong. They went to a trusted website, downloaded a file and had no idea that this ransomware was running in the background,” says Hackland. At the time of the incident in 2014, cybersecurity procedures weren’t as mature as they are today – and in this case, the affected files couldn’t be recovered. But it served as a wake-up call for ensuring that networks and employees were as protected against cyberattacks as possible.
    Now, Williams Racing has benefited from a partnership with cybersecurity company Acronis for a number of years, helping to keep endpoints and staff – and drivers George Russell and Nicholas Latifi – secure, whether they’re at the headquarters in Grove, Oxfordshire, or at racing circuits around the world. The partnership means Williams uses Acronis for endpoint protection as well as for backups, keeping data secure no matter where the user is, be they working remotely, at the factory or at a race circuit.

    “Motorsport teams, even at the top of the industry, are facing major challenges dealing with ever-expanding amounts of data – managing, archiving, sharing, and protecting it from cyberattacks,” says Ronan McCurtin, VP for Europe, Turkey and Israel at Acronis.

    With more races than ever before, Formula 1 teams are being pushed to the limit both on the track and off it. The high-profile nature of the sport and the cutting-edge technology behind it mean all Formula 1 teams are tempting targets for cyber criminals and hackers. Unfortunately, just like the Formula 1 teams they are chasing, malicious hackers are always looking for ways to improve. But unlike an F1 race, there’s no finish line in the cyber-arms race.

  • Windows security: 20 years on from Bill Gates' Trustworthy Computing memo, how much has changed?

    It’s almost 20 years since then-Microsoft boss Bill Gates wrote his famous Trustworthy Computing memo, in which he urged the company to produce more secure software. “Eventually, our software should be so fundamentally secure that customers never even worry about it,” wrote Gates. It’s a grand ambition, and despite years of work, it is not one that any software has really achieved yet. And even as engineers try to improve their products, a new wave of security threats has appeared.


    “I think it was hard for anyone at the time – even in Bill Gates’ grand vision – to see we would have sophisticated state-sponsored hackers breaking those SWIFT banking system codes, people flattening oil production by wiping hard-drives. The threat landscape is beyond any science fiction novel or what John le Carré could predict,” says Dave Weston, Microsoft’s director of enterprise and Windows security.

    He admits that, as a “hardened industry professional”, he is surprised by the sophistication of attacks today. “The breadth and sophistication [of these attacks] is what continues to make this job interesting. There is never a dull moment here,” he says.

    “Fifteen years ago we were thinking of these attackers as basically script kiddies – people sitting in their parents’ basements on the weekend doing things for mischievous reasons. That was the archetype 15 years ago. The archetype now is somebody who is working in the military-industrial complex, who works in an office.” That’s a stark contrast, Weston points out.

    “If we’re up against that, are we in a better position? I would say, unequivocally, yes. Twenty years ago, the price of an exploit was cheap. Now when you’re talking about Windows 10 or 11, or browsers, you’re talking millions of dollars to acquire an exploit.”

    The difference between those two points is the level of defenses in the operating system, he argues. “The reality is today that there are a smaller number of people who today can attack a Windows PC than there was 10 or 15 years ago and I think that in itself is a triumph.”

    That increasing threat level is one issue, while the security goalposts themselves have also been moving rapidly. Back in 2002 when Gates wrote his memo, the focus of security was all about the software: he didn’t even mention hardware or CPUs. Today, with an uptick in zero-day exploits, CPU attacks like Meltdown/Spectre and more, Windows security is much more concerned with hardware.

    For example, in Windows 10 and Windows 11, Microsoft has brought in Control-flow Enforcement Technology (CET), a security mitigation it co-developed with Intel. CET is an on-chip technology that targets some of the most common attack vectors, such as return oriented programming, says Weston. It’s available on Intel 11th Gen or AMD Zen 3 CPUs. Virtualization-based security, dubbed VBS at Redmond, restricts techniques used in the WannaCry ransomware attack by hardening the Windows kernel.

    Windows 11 also promises to make the goal of ‘Zero Trust’ – the concept of borderless networks that the Biden White House is pushing – easier by reducing the amount of configuration required for Windows endpoints. But, as Weston highlights, organizations will need to run some numbers to decide whether to upgrade hardware and migrate to Windows 11, or to reconfigure PCs and servers whose hardware only qualifies for Windows 10.
    On Windows 11, admins don’t need to do much to configure that security; on Windows 10 they can reach the same level of security, but with a bit more work.

    Organizations that adopt Zero Trust assume their perimeter has already been breached. The model also recognizes that data needs to be protected within and outside the network, on corporate-issued and employee-owned devices. Zero Trust has become more pertinent since the pandemic forced many more people into remote working.

    Weston, however, contends that Windows 11 does make it easier for businesses, assuming they have new hardware suitable for it. “Where the hardware fits in, we’ve been working to make sure things can be turned on by default when you meet the hardware baseline. We’re expecting a certain level of performance and reliability from recent drivers and hardware pieces. That allows us to turn on more, by default, with confidence. That’s where the hardware piece fits in with Zero Trust,” he says.

    But will customers be left behind because of hardware? “The answer is firmly ‘no’,” insists Weston. Even if organisations want to stay with Windows 10, many of those features, like Windows Hello, Virtualization Based Security and Secure Boot, are still available, he says; you’ve just got to turn them on and evaluate your own environment.

    “If you’ve got the hardware, you can install Windows 11, things are simple. If you don’t have that hardware or that’s something you’re planning for the future, you can still partake in all of these security baselines by taking our free security baseline and apply that to Windows 10-level hardware. You may have to do some initial analysis on performance trade-offs, which makes it a little more difficult, but you can certainly get there.”

    Microsoft has set October 14, 2025 as the end of Windows 10 patches. Weston reckons you can still configure Windows 10 to meet Windows 11 standards, and he optimistically bets that most organizations will have refreshed most of their hardware by 2025.

    “By 2025, when the refresh cycle will have turned over for the vast majority of the businesses, you will have more reason to move to Windows 11 because by that point there will have been two or three releases of security goodness to have been added, which we think is going to provide a substantial value proposition,” he says.

    “My advice would be: if you need to stay on Windows 10 for hardware reasons, great; follow our security guidance from 11 and apply that to 10. Plan in your refresh cycles and security budgets to get the right hardware to get to 11 because, if you stay on 10 for too long, we will start to introduce things that are 11-specific – trust me, we have many on the way now – and we want as many customers as possible to get that value. It’s very similar to the transition we went through from Windows 7 to 10: there’s security goodness if you can get there.”

  • The White House is having a big meeting about fighting ransomware. It didn't invite Russia

    The White House has held a meeting with ministers and officials from 30 nations and the European Union to discuss how to combat ransomware and other cyber threats. The two-day series of meetings aimed to find an answer to ransomware and followed calls from US president Joe Biden for the Kremlin to hold Russia-based ransomware gangs accountable for their file-encrypting attacks, rather than turning a blind eye to them so long as they don’t attack Russian organizations.   


    Notably absent from the White House-led group was Russia itself, which was not invited. In June, Biden told Russian President Vladimir Putin that 16 US critical infrastructure entities should be off-limits from ransomware attackers operating from Russia.

    The aim of the talks was to agree an international approach to disrupting and ultimately stopping ransomware attacks. In the two days of virtual talks, India led discussions on Thursday about resilience, while Australia focused on how to disrupt cyberattacks. The UK’s contribution focused on virtual currency, while Germany discussed diplomacy. Other countries involved included Canada, France, Brazil, Mexico, Japan, Ukraine, Ireland, Israel, and South Africa.

    Although Russian officials didn’t participate, a White House spokesperson said the US is in ongoing discussions with Russia via the US-Kremlin Experts Group, which is led by the White House and was established by Biden and Putin.

    One of the most disruptive ransomware attacks on US infrastructure was against Colonial Pipeline, which halted fuel distribution on the US east coast for a week in May. The company reportedly paid the equivalent of $4.4 million in bitcoin for a decryption tool from the attackers. The FBI blamed the Colonial attack on DarkSide, which went offline shortly afterwards but resurfaced in June, according to FireEye’s incident response unit, Mandiant.

    DarkSide is one of several ransomware gangs operating as a service provider, allowing other criminal gangs to use its software to extort targets. Others, including REvil, steal data and threaten to leak it online if the ransom isn’t paid.

    The other major threat Biden has raised concerns nation-state cyber attackers, such as this year’s attacks on Microsoft Exchange email servers, which UK and US officials blamed on Chinese state-sponsored hackers, dubbed Hafnium by Microsoft. Microsoft this week reported that Kremlin-backed hackers were by far the most prolific attackers.

    The message from the White House is that nations need to cooperate to bolster “collective cyber defenses” against criminal and state-sponsored cyberattacks. “We’ve worked with allies and partners to hold nation states accountable for malicious cyberactivity as evidenced by, really, the broadest international support we had ever in our attributions for Russia and China’s malicious cyber activities in the last few months,” a White House official said at a media briefing.

  • ACSC offers optional DNS protection to government entities

    The Australian Cyber Security Centre will be offering its Australian Protective Domain Name Service (AUPDNS) for free to other government entities at federal and state level across Australia. AUPDNS has already inspected 10 billion queries and blocked 1 million connections to malicious domains, Assistant Minister for Defence Andrew Hastie said on Thursday.

    “A single malicious connection could result in a government network being vulnerable to attack or compromise, so it’s vital we do everything we can to prevent cybercriminals from gaining a foothold,” he said. “Currently AUPDNS is protecting over 200,000 users, and this number is growing.”

    The blocklist functionality was developed with Nominet Cyber.

    Elsewhere on Thursday, Anthony Byrne, Labor deputy chair of the Parliamentary Joint Committee on Intelligence and Security – which examines national security legislation, and whose bipartisan process often sees Labor wave such legislation through – tendered his resignation. “The work of the PJCIS is crucial to Australia’s national security and its integrity should never be questioned,” Byrne said.

    “I have always put the work of this bipartisan Committee first and have always served in its best interests.”

    Byrne is in hot water after telling Victoria’s Independent Broad-based Anti-corruption Commission he was involved in branch stacking. Replacing Byrne in the ALP post will be Senator Jenny McAllister, with Peter Khalil appointed to the committee. “Byrne has served the PJCIS in a number of roles since 2005 including as Chair and Deputy Chair,” Labor leader Anthony Albanese said. “I thank Mr Byrne for his important contributions to this committee in Australia’s national interest.”

    On Wednesday, the Australian government announced a new set of standalone criminal offences for people who use ransomware under what it has labelled its Ransomware Action Plan. The plan creates new criminal offences for people who use ransomware to conduct cyber extortion, target critical infrastructure with ransomware, or deal with stolen data knowingly obtained in the course of committing a separate criminal offence, as well as for buying or selling malware for the purposes of undertaking computer crimes.
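A protective DNS service of the AUPDNS kind described above sits between clients and the upstream resolver and refuses to answer queries for names on its blocklist, which is how "queries inspected" and "connections blocked" come to be counted. The Python below is an added example and not the ACSC's or Nominet Cyber's implementation: the blocklist, the stand-in upstream answers, the sinkhole address and the query-log lines are all constructed. Matching is done on domain-label boundaries, so subdomains of a blocked name are caught while merely similar names are not.

```python
"""Protective DNS filter: answer queries for known-bad domains with a sinkhole
address instead of forwarding them upstream (added example).

The blocklist, upstream answers and query log below are constructed.
"""
from typing import Dict, Optional, Tuple

SINKHOLE_ADDRESS = "0.0.0.0"   # constructed; a real service would point at its own sinkhole

# Constructed blocklist: an entry blocks the name itself and every subdomain of it.
BLOCKLIST = {"malicious.example", "c2.badactor.example"}

# Constructed stand-in for the upstream resolver's answers.
UPSTREAM = {
    "www.agency.example": "192.0.2.10",
    "mail.agency.example": "192.0.2.25",
    "notmalicious.example": "198.51.100.7",
}

# Constructed query-log lines: "<timestamp> <client> <qtype> <qname>".
QUERY_LOG = """\
2021-10-14T10:00:01Z 10.1.2.3 A www.agency.example
2021-10-14T10:00:02Z 10.1.2.3 A login.malicious.example
2021-10-14T10:00:03Z 10.1.2.9 A notmalicious.example
2021-10-14T10:00:04Z 10.1.2.9 A c2.badactor.example.
2021-10-14T10:00:05Z 10.1.2.3 A mail.agency.example
"""


def normalise(qname: str) -> str:
    """Strip a trailing root dot and lower-case the name; DNS names are case-insensitive."""
    return qname.rstrip(".").lower()


def blocked_by(qname: str, blocklist=BLOCKLIST) -> Optional[str]:
    """Return the blocklist entry covering qname, matching only on label boundaries."""
    labels = normalise(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])   # the name, then each parent domain in turn
        if candidate in blocklist:
            return candidate
    return None


def resolve(qname: str, blocklist=BLOCKLIST, upstream=UPSTREAM) -> Tuple[str, Optional[str]]:
    """Return ('blocked', sinkhole) or ('forwarded', upstream answer or None)."""
    if blocked_by(qname, blocklist):
        return "blocked", SINKHOLE_ADDRESS
    return "forwarded", upstream.get(normalise(qname))


def process_log(log: str = QUERY_LOG, blocklist=BLOCKLIST, upstream=UPSTREAM) -> Dict:
    """Run every logged query through the filter and keep the counts the service reports."""
    stats = {"inspected": 0, "blocked": 0, "blocked_queries": []}
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        stats["inspected"] += 1
        verdict, _ = resolve(qname, blocklist, upstream)
        if verdict == "blocked":
            stats["blocked"] += 1
            stats["blocked_queries"].append({
                "ts": ts, "client": client, "qtype": qtype,
                "qname": normalise(qname), "matched": blocked_by(qname, blocklist),
            })
    return stats


if __name__ == "__main__":
    result = process_log()
    print(f"inspected={result['inspected']} blocked={result['blocked']}")
    for q in result["blocked_queries"]:
        print(f"  {q['ts']} {q['client']} {q['qname']} (matched {q['matched']})")
```

The blocked-query records are the useful output for defenders: a client repeatedly asking for a sinkholed name is a host worth looking at, whereas the sinkhole answer alone only stops that one connection.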