More stories

  • 1 in 15 organizations runs actively exploited version of SolarWinds: Report

    A new report from cybersecurity company Randori has categorized the most tempting internet-exposed assets that an attacker is likely to go after and exploit, finding that one in 15 organizations currently runs a version of SolarWinds that is known to be actively exploited.

    In the 2021 Randori Attack Surface Report, researchers assigned each asset a “Temptation Score” — effectively the likelihood that an attacker will go after it. Any exposed asset with a score over 30 is considered high, with the highest-ranking assets in Randori’s corpus reaching a Temptation Score of 55. The actively exploited version of SolarWinds has an average Temptation Score of 40.

    The report found that more than 25% of organizations have RDP exposed to the internet, while 15% are still running outdated versions of IIS 6, which Microsoft hasn’t supported for six years. Randori gave IIS 6 a Temptation Score of 37.

    Nearly 40% of organizations use Cisco’s Adaptive Security Appliance (ASA) firewall, which has a history of public vulnerabilities and a Temptation Score of 37. Almost half of all organizations run Citrix NetScaler, which has a score of 33 and multiple public exploits. Both Cisco Web VPN and Palo Alto GlobalProtect joined Citrix NetScaler as VPNs listed in the report with high Temptation Scores.

    Just 3% of organizations are still running versions of Microsoft Outlook Web Access, but this alarmed Randori researchers, who noted the recent Exchange hacks and several known exploits for the tool. It was one of the highest on the Temptation Score scale at 38.

    “Many of the exposed assets — like SolarWinds and OWA — are there because of ignorance, not negligence. Organizations struggle to know what they have been exposed to on the internet. Cloud migration and the work-from-home boom dramatically increased the number of exposed assets — but it is possible to deploy security measures to help you secure the unknown,” David Wolpoff, CTO of Randori, told ZDNet.

    The report notes that SolarWinds ranked high because it has publicly disclosed vulnerabilities, is a mission-critical technology for many businesses, and is widely used.

    “Many assume prioritizing based on vulnerability severity will keep you safe. But that’s simply not true. Attackers think differently, and vulnerability severity is just one of many factors weighed by an attacker. Our hope with releasing this report is that people will get deeper into the attacker’s mindset, apply attacker logic to their security programs, and get one step ahead,” Wolpoff said.

    Wolpoff explained that the report is based on attack surface data from millions of internet-exposed assets, and noted that the Temptation Score applies a proprietary weighting of six attributes to each asset: enumerability, exploitability, criticality, applicability, post-exploitation potential, and research potential.

    Wolpoff said he is continually surprised to see that low-effort, easy-to-break-in attacks, like exploitable OWA, still work at successful enterprises. “What strikes me is the lack of focus on the basics, like hardening the default configurations or seeing default settings that contain admin/admin as the username and password. The number of times that the default username and password ‘admin/admin’ has gotten us into boxes is extremely surprising,” Wolpoff said. “For example, many enterprises are running old Microsoft OWA with the default settings — exposing the name, version, and, better yet, configuration information! The more an attacker knows about a system, the more tempting it is — it makes it easier for an attacker to cross-check to see if there are any known public vulnerabilities or exploits weaponized against that specific version and to confirm if an exploit will land.”

    He was also shocked by the high percentage of people not using MFA, explaining that his attack team often succeeds with previously disclosed credentials because MFA wasn’t deployed.

    Wolpoff suggested security teams always change the default settings so the version number isn’t publicly visible, noting that if enterprises are unable to patch or upgrade a tool, they should at least hide it. He urged security teams to reduce their attack surfaces by taking things offline or disabling functionality that goes unused. It is no longer appropriate for organizations to settle for the manufacturer’s default configuration, and Wolpoff added that enterprises should segment critical assets as well as appliance and IoT devices.

  • Australia's new ransomware plan to create ransomware offences and reporting regime

    The Australian government has announced a new set of standalone criminal offences for people who use ransomware under what it has labelled its Ransomware Action Plan.

    Under the new plan, people who use ransomware to conduct cyber extortion will face new stand-alone aggravated criminal charges. A new criminal offence has also been created for people who target critical infrastructure with ransomware. Knowingly dealing with stolen data obtained in the course of committing a separate criminal offence, and buying or selling malware for the purpose of undertaking computer crimes, have also both been criminalised.

    “The Ransomware Action Plan takes a decisive stance — the Australian Government does not condone ransom payments being made to cybercriminals. Any ransom payment, small or large, fuels the ransomware business model, putting other Australians at risk,” Minister for Home Affairs Karen Andrews said.

    Alongside the new criminal offences, the plan will also roll out a mandatory ransomware incident reporting regime, which would require organisations with a turnover of over $10 million per year to formally notify government if they experience a cyber attack. The plan will also see government work to introduce additional legislative reforms that could allow law enforcement to track, seize or freeze ransomware gangs’ proceeds of crime.

    All of the new measures will be developed through a new tranche of legislation rather than through the Security Legislation Amendment (Critical Infrastructure) Bill 2020 currently before Parliament. This is in spite of that Bill already containing provisions that seek to create mandatory reporting requirements for organisations that suffer a cyber attack and to give government more powers to act against cyber attacks.

    While the plan itself says some of the new measures will be regulated through the Security Legislation Amendment (Critical Infrastructure) Bill 2020, a federal government representative clarified that the Bill would only provide clarity around the definitions of critical infrastructure. The representative also said the new tranche of legislation would focus primarily on introducing new offences that allow law enforcement to charge cybercriminals on ransomware grounds, while the Bill is focused on giving government more powers to intervene during cyber attacks.

    That Bill received the tick of approval from a parliamentary joint committee two weeks ago, with the committee saying at the time there was compelling evidence that the complexity and frequency of cyber attacks on critical infrastructure was increasing.

    “Australia is not immune and there is clear recognition from government and industry that we need to do more to protect our nation against sophisticated cyber threats, particularly against our critical infrastructure,” committee chair Senator James Paterson said at the time.

    The Bill was originally meant to be broader in scope, but the committee advised that other “less urgent” aspects should be introduced under a second, separate Bill following further consultation.

    Under the government’s new ransomware plan, a multi-agency taskforce led by the Australian Federal Police, called Operation Orcus, has also been created. Formed in July, the taskforce has been touted by the government as the country’s “strongest response to the surging ransomware threat”.

    According to Andrews, these measures all fall within one of the plan’s three objectives: to build Australia’s resilience to ransomware attacks; strengthen responses to ransomware attacks; and disrupt and deter cybercriminals through tougher laws. To achieve these objectives, Andrews said the federal government would work closely with state and territory governments and industry stakeholders.

    The new plan builds on Australia’s overarching 2020 Cyber Security Strategy, which aims to impose cyber standards on operators of critical infrastructure and systems of national significance, and to create powers that allow the federal government to go on the offensive and actively defend networks and critical infrastructure.

    Updated at 2:30pm AEST, 13 October 2021: Updated article to reflect clarifications from the federal government about how the ransomware plan’s new measures would be legislated.

  • Olympus suffers second cyberattack in 2021

    Japanese tech manufacturer Olympus said on Tuesday that it was investigating a cyberattack on its IT systems in the US, Canada and Latin America. The company said the incident was detected on Sunday but that, despite the help of forensics experts, it is still working to resolve the issue.

    “As part of the investigation and containment, we have suspended affected systems and have informed the relevant external partners. The current results of our investigation indicate the incident was contained to the Americas with no known impact to other regions,” the company statement said. “We are working with appropriate third parties on this situation and will continue to take all necessary measures to serve our customers and business partners in a secure way.”

    The latest incident follows another cyberattack that the company reported on September 11. The statement from that incident is almost identical to the one released today, but Bleeping Computer reported that the earlier attack involved ransomware. That incident, believed to have been perpetrated by the BlackMatter ransomware group, hit the company’s EMEA IT systems. TechCrunch obtained a letter left on infected computers by BlackMatter indicating the group was behind the attack. By September 14, Olympus had released another statement describing the incident as “an attempted malware attack” and saying no data was accessed.

    Olympus has more than 31,000 employees across the world. The company did not respond to requests for comment about who may be behind the latest attack.

    BlackMatter has been one of the most prolific ransomware groups operating since it emerged this summer from the ashes of the DarkSide ransomware group. Just last month it shut down an Iowa-based farm service provider and demanded nearly $6 million to restore the damaged systems.

    Neil Jones, cybersecurity evangelist at Egnyte, said a second cyberattack on a technology giant like Olympus in just a month should be a major wake-up call: no large global corporation should consider itself exempt from ransomware attacks. “Senior executives and IT leaders should also be aware that no technological solution is 100% effective, but a large percentage of ransomware attacks can be prevented with diligent preparation,” Jones said. “Unfortunately, even in technologically sophisticated organizations like Olympus, the methods and tools being employed don’t meet the security and control needs to combat today’s threats.”

  • Microsoft Azure fends off huge DDoS Attack

    Distributed Denial of Service (DDoS) attacks are happening ever more often and growing ever bigger. At 2.4 terabits per second (Tbps), the DDoS attack Microsoft just successfully defended European Azure cloud users against could be the biggest one to date. What we know for certain is that it is the biggest DDoS attack on an Azure cloud customer. It was bigger than the previous high, 2020’s 1 Tbps attack on Azure, and Microsoft reported it was “higher than any network volumetric event previously detected on Azure.”

    Who was targeted? We don’t know; Microsoft isn’t talking. The attack came from over 70,000 sources and was orchestrated from multiple Asia-Pacific countries, including Malaysia, Vietnam, Taiwan, Japan and China, as well as from the United States. The attack vector was a User Datagram Protocol (UDP) reflection attack. It lasted over 10 minutes, arriving in very short-lived bursts that each ramped up to terabit volumes within seconds. In total, Microsoft saw three main peaks: the first at 2.4 Tbps, the second at 0.55 Tbps, and the third at 1.7 Tbps.

    In a UDP reflection attack, the attacker exploits the fact that UDP is a stateless protocol. That means the attacker can craft a valid UDP request packet listing the target’s IP address as the packet’s source IP. It looks as if the attack is being reflected back and forth within the local network, hence the name. This relies on the request packet’s source Internet Protocol (IP) address being spoofed, i.e. falsified. The attacker sends the packet with the spoofed source IP to a middleman server, which is tricked into sending its UDP response packets to the targeted victim rather than back to the attacker. The middleman machine strengthens the attack by generating response traffic several times larger than the request packet, thus amplifying the attack traffic.

    How much amplification is possible depends on the protocol being abused. Common internet protocols such as DNS, NTP, memcached, CharGen and QOTD can all be turned into DDoS attack dogs. The nastiest of these is memcached, an open-source, high-performance, distributed object-caching system. It’s commonly used by social networks such as Facebook and its creator LiveJournal as an in-memory key-value store for small chunks of arbitrary data, and there it’s very useful. When abused, however, Cloudflare, the web performance and security company, has found that 15 bytes of request can cause 750KB of attack traffic — a 51,200x amplification. That’s bad.

    Microsoft isn’t saying which protocol was used in this case, but it did mention DNS. Attacks exploiting DNS can produce 28 to 54 times the original number of bytes, so if an attacker sends a 64-byte request to a DNS server, they can generate over 3,400 bytes of unwanted traffic to the target.

    While Microsoft also didn’t go into detail about how it blocked the attack, the company said Azure’s DDoS protection platform, built on distributed DDoS detection and mitigation pipelines, can absorb tens of terabits of DDoS traffic: “This aggregated, distributed mitigation capacity can massively scale to absorb the highest volume of DDoS threats, providing our customers the protection they need.”

    Generally speaking, this works by Azure’s DDoS control-plane logic kicking in when it detects a DDoS storm building up. “This cuts through normal detection steps, needed for lower-volume floods, to immediately kick-in mitigation. This ensures the fastest time-to-mitigation and prevents collateral damage from such large attacks.”

    Some DDoS protection is provided for all Azure users. For more comprehensive protection, Microsoft recommends subscribing to Azure DDoS Protection Standard. Besides blocking DDoS attacks, it also offers cost protection, providing data transfer and application scale-out service credits for resource costs incurred because of documented DDoS attacks.
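    The reflection mechanics described in this story, as an added defender-side example (not code from the article, Microsoft or Cloudflare): the amplification arithmetic the article quotes, plus a heuristic that flags hosts receiving unsolicited, amplified UDP responses from many reflector addresses in NetFlow-style records. The flow records, thresholds and use of well-known UDP ports 53 (DNS) and 11211 (memcached) are assumptions constructed here.

```python
"""Heuristic detector for UDP reflection/amplification floods in flow records.

Added example, not from the article or from Azure's DDoS platform. Flow
records are constructed in-line in a NetFlow-like shape; thresholds are
illustrative and would be tuned per network.
"""
from collections import defaultdict
from dataclasses import dataclass

# Amplification ratios quoted in the article (response bytes per request byte).
# Real factors vary with server configuration; the ports are the services'
# well-known UDP ports, an assumption of this example.
REFLECTOR_PORTS = {
    53: ("dns", 28, 54),                 # 28x to 54x
    11211: ("memcached", 51200, 51200),  # 15 bytes in, 750 KB out
}


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """Bytes of reflected traffic produced per byte the sender transmits."""
    if request_bytes <= 0:
        raise ValueError("request size must be positive")
    return response_bytes / request_bytes


def projected_response_bytes(request_bytes: int, factor: float) -> int:
    """Traffic the target receives for one request of the given size."""
    return int(request_bytes * factor)


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    packets: int
    nbytes: int


def detect_reflection(flows, min_sources=50, max_out_in_ratio=0.05):
    """Return {victim_ip: summary} for hosts receiving reflected floods.

    A host is flagged when (a) it receives UDP traffic from at least
    `min_sources` distinct addresses whose source port is a known reflector
    service, and (b) the bytes it sent to that service port are a tiny
    fraction of what came back, i.e. the replies are unsolicited and
    amplified. Normal resolver use has few sources and a modest ratio.
    """
    inbound = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    outbound = defaultdict(int)
    for f in flows:
        if f.proto != "udp":
            continue
        if f.src_port in REFLECTOR_PORTS:        # service -> host (replies)
            key = (f.dst_ip, f.src_port)
            inbound[key]["sources"].add(f.src_ip)
            inbound[key]["bytes"] += f.nbytes
            inbound[key]["packets"] += f.packets
        elif f.dst_port in REFLECTOR_PORTS:      # host -> service (requests)
            outbound[(f.src_ip, f.dst_port)] += f.nbytes
    findings = {}
    for (victim, port), stats in inbound.items():
        sent = outbound.get((victim, port), 0)
        ratio = sent / stats["bytes"] if stats["bytes"] else 1.0
        if len(stats["sources"]) >= min_sources and ratio <= max_out_in_ratio:
            findings[victim] = {
                "service": REFLECTOR_PORTS[port][0],
                "reflectors": len(stats["sources"]),
                "inbound_bytes": stats["bytes"],
                "avg_bytes_per_packet": stats["bytes"] // stats["packets"],
            }
    return findings


def sample_flows():
    """Constructed records: a DNS reflection flood plus benign resolver traffic."""
    flows = []
    # 60 open resolvers answering queries the target never sent (spoofed source).
    for i in range(60):
        flows.append(Flow(f"198.51.100.{i + 1}", 53, "203.0.113.10", 40000 + i,
                          "udp", 20, 20 * 3400))
    # A normal host querying one resolver and receiving proportionate replies.
    flows.append(Flow("203.0.113.20", 51515, "192.0.2.53", 53, "udp", 5, 320))
    flows.append(Flow("192.0.2.53", 53, "203.0.113.20", 51515, "udp", 5, 600))
    return flows


if __name__ == "__main__":
    print(f"memcached factor: {amplification_factor(15, 750 * 1024):.0f}x")
    for victim, info in detect_reflection(sample_flows()).items():
        print(victim, info)
```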

  • Microsoft October 2021 Patch Tuesday: 71 vulnerabilities, four zero-days squashed

    Microsoft has released 71 security fixes for software including an actively exploited zero-day bug in Win32k. The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, includes fixes for a total of four zero-day flaws, three of which are public.

    Products impacted by October’s security update include Microsoft Office, Exchange Server, MSHTML, Visual Studio, and the Edge browser. The zero-day bugs are tracked as CVE-2021-40449, CVE-2021-41338, CVE-2021-40469, and CVE-2021-41335.

    CVE-2021-40449 is being actively exploited. Issued a CVSS severity score of 7.8, this vulnerability impacts the Win32k kernel driver. Boris Larin (oct0xor) of Kaspersky reported the flaw to Microsoft, and in a blog post published today, the cybersecurity firm said a cluster of activity, dubbed MysterySnail, is exploiting the use-after-free flaw.

    “Besides finding the zero-day in the wild, we analyzed the malware payload used along with the zero-day exploit, and found that variants of the malware were detected in widespread espionage campaigns against IT companies, military/defense contractors, and diplomatic entities,” Kaspersky says.

    Immersive Labs’ Kevin Breen, Director of Cyber Threat Research, said that this issue “should definitely be a priority to patch.” “It’s noted as ‘exploitation detected’, meaning attackers are already using it against organizations to gain admin rights,” Breen commented. “Gaining this level of access on a compromised host is the first step towards becoming a domain admin — and securing full access to a network.”

    The three other zero-day vulnerabilities resolved in this round of patches are CVE-2021-41338 (CVSS 5.5), a Windows AppContainer Firewall bug that permits attackers to bypass security features; CVE-2021-40469 (CVSS 7.2), an RCE in Windows DNS Server; and CVE-2021-41335 (CVSS 7.8), an elevation of privilege bug in the Windows Kernel.

    Three critical bugs, CVE-2021-40486, CVE-2021-38672, and CVE-2021-40461, are also of note. The first impacts Microsoft Word, whereas the other two affect Hyper-V. If exploited, all of them can lead to remote code execution. According to the Zero Day Initiative (ZDI), 11 of the security flaws patched this month were submitted through the ZDI program, including bugs resolved earlier in the month by the Edge browser team.

    Last month, Microsoft resolved over 60 bugs in the September batch of security fixes, including an RCE flaw in MSHTML and a Windows DNS privilege escalation zero-day. A month prior, the tech giant tackled 45 security flaws — seven of which were deemed critical — during the August Patch Tuesday.

    In other Microsoft news, the tech giant is readying a new Feedback Portal, expected to be available in preview by the end of 2021. The portal will be opened first for Microsoft 365 and Microsoft Edge products. Microsoft has also recently warned of password spraying attacks being launched against Office 365 customers. Alongside Microsoft’s Patch Tuesday round, other vendors have also published security updates.

  • 1Password unveils secure sharing tool for passwords, secrets

    1Password has announced a new feature that allows users to securely send items to anyone, including non-1Password users. Named “Psst!”, for ‘Password Secure Sharing Tool’, the feature was built in response to studies showing that people increasingly have no choice but to share private information or secrets through insecure platforms like email, chat services, spreadsheets and texts.

    1Password CEO Jeff Shiner told ZDNet that users have frequently requested functions that let them send passwords or other secret content to non-1Password users. Akshay Bhargava, the company’s chief product officer, said that at its core the feature is competing with the impulse to simply copy and paste sensitive information into an insecure channel. Hence, 1Password focused on creating something that was easy to use and simple.

    “It’s kind of a universal problem. Historically what’s happened is that to share those things, often people resort to bad security hygiene. We wanted to provide a really secure, simple, easy way to share with everyone regardless of if you have 1Password installed or not,” Shiner said.

    A recent study produced by 1Password found that 64% of respondents reused corporate credentials, API tokens, keys and certificates between projects. Other surveys show 76% of families share passwords by writing them down or sending them through text.

    Bhargava explained that users share items by obtaining a unique link that they can customize to their needs. Some links can be made to last for hours, while others can be set to remain available for up to 30 days. The links expire automatically, and users can limit who is able to view the contents by requiring the recipient to verify their email address.

    Chris Harris, director of data services at IT services company InfoStructure, vouched for the service, noting that he and his colleagues have to share lots of passwords with vendors and customers, and that the lack of a secure solution for this endangers both sides of the exchange. A number of other companies expressed frustration with the same issue and said they planned to use the 1Password tool for passwords and other business.

    The announcement was made alongside news that 1Password has more than 100,000 business customers. “Crossing the 100,000 business customers mark is a clear indication that businesses understand the need to safeguard their passwords and other sensitive information online,” Shiner said.

  • Biden signs school cybersecurity act into law

    Cybersecurity experts hailed the K-12 Cybersecurity Act this week after US President Joe Biden signed it into law on October 8, officially kicking off efforts by CISA to examine the cybersecurity risks associated with K-12 educational institutions.

    The law, one of the rare bills to pass both the House and Senate, instructs CISA to examine the threats facing the nation’s schools and then provide recommendations, as well as toolkits on cybersecurity hygiene, to educators.

    There have been hundreds of cyberattacks against schools over the last few years as cybercriminals seek out sensitive student and employee records. The problem has gotten even worse since remote learning became the dominant mode of operation during the COVID-19 pandemic. Schools now face a barrage of ransomware attacks alongside other incidents that leak critical data from students and administrators alike.

    “This law highlights the significance of protecting the sensitive information maintained by schools across the country, and my Administration looks forward to providing important tools and guidance to help secure our school’s information systems,” Biden said while signing the law. “The global pandemic has impacted an entire generation of students and educators and underscores the importance of safeguarding their sensitive information, as well as for all Americans. This law is an important step forward to meeting the continuing threat posed by criminals, malicious actors, and adversaries in cyberspace. My Administration is marshalling a whole-of-nation effort to confront cyber threats.”

    The bill was originally introduced by US Senator Gary Peters in 2019 and co-sponsored by Senators Jacky Rosen, Rick Scott and Bill Cassidy.

    Rosen noted that she supported the bill after her state’s Clark County School District was hit with a ransomware attack last year. She said schools in Nevada and across the country are increasingly becoming targets for ransomware and other cyberattacks, risking the personal information of students, faculty, and staff. “I’m proud to see this bipartisan legislation that I co-sponsored signed into law, and I know that the K-12 Cybersecurity Act will help school systems like the Clark County School District prevent debilitating ransomware attacks and have the tools and resources to combat cyber threats,” Rosen said.

    Experts said that while the bill seems relatively simple, it will be a major help to school districts that are often overburdened and lack the technical staff to manage a widening array of cybersecurity threats. Michael Webb, CTO at education security platform Identity Automation, said the law will be a catalyst for changes that have already begun as districts are threatened daily by malicious actors. Any amount of help is welcome to districts struggling to upgrade their cybersecurity strategy, Webb added.

    “The law will be effective at two things: raising awareness of the need to protect students online and offering guidance on how to do so. Making it happen? That’s the hard part. Most districts lack the capability of managing digital identities, which is the cornerstone of a strong cybersecurity posture today,” Webb said. “The acknowledgement of tools is an interesting one. What those tools are and how effective they will be is unknown. For example, you can use a free online tool today to find out whether your password has been exposed on the dark web, but how quickly do you take steps to find out, and how quickly do you change your password? It’s going to be almost a year before districts have something tangible to help them improve their cybersecurity approach.”

    Others noted that the initiatives would help funding-strapped schools that are unable to hire cybersecurity teams. Untangle senior vice president Heather Paunet said few educational institutions have a deep enough understanding of how to protect themselves, and that having official guidelines and laws such as this one will help establish security as a priority in a standardized way across the country. She noted that cyberattackers are demanding higher sums, and some schools have been forced to close while dealing with an attack.

    But Netenrich threat hunter John Bambenek explained that many local government units, especially schools, simply don’t have money to spare. “While studying the risks and creating free resources and guides is a good first step, the reality is that smaller and poorer districts won’t be able to implement much of what is in the guide CISA will create, assuming they have any staff that can read and understand it in the first place,” Bambenek said. “This law is a good first step, but it cannot, and must not, be the last step.”

  • Oracle joins multi-cloud security notification project

    Oracle is joining the Cloud Security Notification Framework (CSNF) project, an initiative looking to develop a standardized framework for dealing with cloud security issues in enterprise environments, which often use a variety of different cloud services. That reliance on multiple providers can make keeping up with and reacting to security notifications and alerts difficult, because many cloud service providers have their own systems for security reporting. This fragmentation can make managing cloud security difficult for businesses, particularly following the growth in the use of cloud services over the past 18 months.


    As more organisations shift services towards the cloud, more are adopting a multi-cloud strategy. While this brings benefits, it also brings challenges, with a rise in the number of alerts from different services and additional cybersecurity challenges. It is because of this that CSNF is establishing a common information model, so alerts can be processed at scale while also ensuring the security of services.

    Established by ONUG – a collaborative body with the aim of identifying and providing cross-industry solutions to enterprise issues such as cybersecurity and data protection – the Cloud Security Notification Framework project was set up to help fix this problem. Major cloud providers Microsoft, Google and IBM were already members of the scheme, and now they have been joined by Oracle Cloud.

    “Multi-cloud is rapidly evolving from an accidental to a purposeful strategy for most organizations,” said Bala Chandran, vice president of software and general manager of security products at Oracle. “I am excited to be joining the ONUG steering committee to help define standards that make cloud security simple and integrated for customers across their cloud platforms.”

    In addition to Oracle, Sysdig, Wiz, Intuit, Adobe, Qualys and F5 have joined the collaboration to work alongside cloud consumers such as FedEx, Cigna, Raytheon Technologies, Fidelity, Goldman Sachs and Kaiser, and cloud service providers including Microsoft Azure, Google Cloud and IBM. Nick Lippis, co-founder and co-chairman of ONUG, said: “As more prominent industry players join the community, we are making even greater progress in creating an open-source standard to reduce the wall of worry that comes from increasing security alerts in multi-cloud environments.”