More stories


    Google announces new efforts to protect journalists and high-risk users from cyberattacks

    Google announced on Friday that it would be delivering a slate of new cybersecurity protection features for high-risk users one day after telling about 14,000 Gmail users that they had been targets of Russian-government group APT28.


    In a blog post, Google said an increasing number of cyberattacks targeted high-profile individuals and groups, forcing the company to take extra measures and create a team “dedicated to detecting and stopping the world’s most sophisticated cybercriminals.”

    “We’re excited to be working with these leading organizations to protect high-risk user groups and learn more about the needs of at-risk users and organizations. These collaborations help us make the world’s most advanced security even stronger, more inclusive and easier to use — helping everyone stay safer with Google,” the company explained.

    In addition to touting the Advanced Protection Program (APP) that users can turn on to beef up their protection from certain attacks, Google said it was partnering with organizations across the globe to provide free security keys to over 10,000 high-risk users throughout 2021.

    “APP brings Google’s strongest security protections together into a holistic program that is constantly upgraded in response to emerging threats. APP is available to all users but is specifically designed for individuals and organizations at higher risk of targeted online attacks, such as elected officials, political campaigns, human rights activists and journalists,” Google explained. “Users who enroll in APP are protected against a wide variety of online threats, including sophisticated phishing attacks (through the use of security keys), malware and other malicious downloads on Chrome and Android, and unauthorized access to their personal account data (such as Gmail, Drive or Photos). As new threats are discovered, APP evolves to provide the latest protections.”

    Google also announced new partnerships with the International Foundation for Electoral Systems (IFES), UN Women and nonprofit Defending Digital Campaigns (DDC).

    Google is working with IFES on global educational security programming for human rights workers and groups online, providing free security keys for attendees of the group’s global cyber hygiene trainings. The group has provided specific support to journalists in the Middle East and women activists in Asia through its virtual “She Leads” series. By next year, Google said it plans to expand its work with the group “through a continued contribution of Titan Security keys and educational materials for their high-risk user trainings.”

    “Equipping our participants with Google Titan Keys alongside the Advanced Protection Program Team has allowed us to improve our participants’ cyber hygiene with a more secure method for protecting and authenticating their accounts,” said Dr. Stephen Boyce, senior global advisor for election technology and cybersecurity at IFES.

    Google said it will continue offering consultations on online safety and security workshops to UN Women and its many chapters worldwide that support women who are at higher risk of online attacks, including journalists, activists, politicians and executives. According to the blog, workshop attendees are trained on tools to better protect their organizations and the high-risk women they support.

    Titan Security Keys were also provided by Google to more than 180 eligible federal campaigns during the 2020 US election season through DDC. Google is now working with DDC to provide further protection for state-level campaigns and political parties, committees, and related organizations, including workshops and training on protecting against cyberattacks. By the 2022 US midterm elections, Google said the DDC will have already worked on cybersecurity trainings for members of both political parties in every state in the country.

    Michael Kaiser, CEO of DDC, said candidates, their family members and close associates, campaign staffers and volunteers, state party staff, vendors to campaigns and virtually anyone who works in the political space are at greater risk of being attacked than most computer users.

    “DDC’s collaboration with Google around the provision of Titan Keys and training is designed to address the most significant and likely vector of compromise: people’s accounts,” Kaiser said. “The number one recommendation DDC has for any campaign is to use security keys. We know that when a campaign uses security keys and turns on Google’s Advanced Protection Program, they have greatly enhanced their cybersecurity and at the same time protecting our Democracy.”

    The DDC has already trained hundreds of local campaign workers, state party staff members, and people who work at related political organizations across 21 states. Google also noted that it partnered with the DDC to deploy a publicly available cybersecurity Knowledge Base to help campaigns and political organizations with cybersecurity information.

    “The Knowledge Base includes step-by-step instructions for turning on better security protections including APP. Through the Knowledge Base and direct work with eligible campaigns, DDC provides hands-on assistance for getting cybersecurity tools implemented,” Google explained.

    The announcements come hours after Shane Huntley, director of Google’s Threat Analysis Group, wrote a thread on Twitter warning that Google had blocked attempts by Russian-government backed groups to attack thousands of high-profile people.

    “The warning really mostly tells people you are a potential target for the next attack so, now may be a good time to take some security actions. If you are an activist/journalist/government official or work in NatSec, this warning honestly shouldn’t be a surprise. At some point, some govt backed entity probably will try to send you something,” Huntley said. “What we see over and over again is that much of the initial targeting of government-backed threats is blockable with good security basics like security keys, patching and awareness, so that’s why we warn.”


    Building cyber radar systems could alert Indo-Pacific nations and their allies

    Keith Alexander before the US Senate Intelligence Committee in 2017. Image: Getty Images
    Russian ransomware operators need to be called out and suffer real consequences, according to retired general Keith Alexander, former head of the US National Security Agency (NSA) and US Cyber Command.

    “Right now, the ransomware guys, in Russia predominantly, get off pretty much free. There is very limited downside for them,” Alexander told a seminar at the Australian Strategic Policy Institute’s International Cyber Policy Centre last week. “We have to attribute who’s doing it and make them pay a price.”

    We call out cybercrime groups like REvil and DarkSide, but we need to do more, he said. “Imagine if we indicted and put their picture up, and said, ‘That’s the guy, and if we can, we will arrest you. You can’t move out of Russia. You’re gonna have to stay there for the rest of your life’.”

    Alexander has always sat at the hawkish end of the cyber spectrum. In 2013 he echoed then-McAfee vice-president Dmitri Alperovitch’s description of cybercrime and cyber espionage as the greatest transfer of wealth in history — perhaps forgetting for a moment the vast empires of the European colonial powers.

    Now he notes the importance of international cooperation against the cyber forces of nation-states and their puppets. “All the attacks that are going on there [in Australia], here [in the US], in Europe, the theft of intellectual property, this is something that we need to collectively get out in front of,” he said.

    Alexander described the July 1 speech by China’s president Xi Jinping as “a gauntlet being laid down that said there would be bloodshed and bashing of heads”. If the West pushes China over Taiwan or the South China Sea, “there’s no limit to where they will go”. “I think we have to set that red line, and we have to work together to do it.” That cooperation has to extend into the private sector, he said.

    Incident response is not a defensive measure

    “I think the biggest problem that I faced in government, and that we face today, is governments — not just ours but yours as well — can’t see attacks on the private sector. Yet the government is responsible for defending the private sector,” Alexander said. “How are you going to defend that which you can’t see? Incident response is not a defensive measure. That’s after everything bad has happened.”

    The SolarWinds supply chain attack is a prime example. The government didn’t find out about it until after the fact. “Now people push on the government, ‘Hey, why didn’t you know?’ And the answer is because the government doesn’t have the authority, nor the capability, to see all the attacks on critical infrastructure,” Alexander said. “We need … I’ll call it an event generator, that shows events that are hitting companies at network speed, that can be anonymized, pushed up to the cloud, and create a radar picture, so you can now see all the companies where these types of events are hitting.”

    Needless to say, the conversation was peppered with words such as “behavioural analytics”, “expert system”, “machine learning” and “artificial intelligence”.

    Overcoming fears of sharing data with governments

    This need for cooperation, partnerships, and information sharing has been cited at every conference since the cybers were all in Roman numerals. But if everyone agrees that it’s a good thing, why doesn’t it just happen? “The real key issue is what are we talking about sharing?” Alexander said. If you’re talking about sharing the details of cyber events as we know them today, that is, things that you’re blocking, then that sharing is “almost useless”, because you’re already blocking it. Alexander says we have to share “all the things you don’t know”.

    To your correspondent, that sounds like private sector organisations having to share a lot more raw data with government agencies: data about things they don’t yet know are a threat, data which they might prefer, for whatever reasons, to keep out of government hands.

    The head of the Australian Cyber Security Centre (ACSC), Abigail Bradshaw, has noted a reluctance among organisations to share data with the agency. Sometimes they even lawyer up to prevent ACSC involvement in a breach investigation. “Perhaps there’s a commercial stigma or reputational stigma about reporting and alerting the public, and therefore shareholders, about a weakness,” Bradshaw said. “We’ve made it super, super clear that the ACSC is not a regulator,” she said. “The consequence of that is I become very boring in media interviews, because I refuse to talk about the juiciest case that’s come along. And apologies to all journalists, but it’s something that I will continue to defend.”

    It’s no accident that IronNet, the company Alexander founded when he left the NSA in 2014, has developed a “collective defense platform” which “leverages advanced AI-driven network detection and response capabilities to detect and prioritize anomalous activity inside individual enterprise network environments”. The obvious pitch is that governments could engage such a private sector system to correlate both government and non-government data, perhaps allaying some of the fears that would surround a purely government-owned platform.

    Bradshaw said that one of “the best parts” of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and its architecture is that there’s a “clear separation” between the regulators and the ACSC in its cyber assistance and response function. The Department of Home Affairs has repeatedly requested that the Bill be rushed through Parliament. However, the Parliamentary Joint Committee on Intelligence and Security has recommended it be split in two so its more controversial aspects can be discussed in more depth.

    AUKUS and The Quad: not a modern jazz combo

    Alexander also praised the recently announced AUKUS defence technology agreement between Australia, the US, and the UK. At the heart of AUKUS is an intention for Australia to obtain a fleet of eight nuclear-powered submarines, but other technologies will be shared as well. “Cyber is going to be hugely important for our future,” Alexander said. “It’s the one area where adversaries can attack Australia, and the United States, without trying to cross the oceans. They can do it in cyber, and we have tremendous vulnerability. So getting out in front of that, I think is hugely important.”

    Alexander envisages a cyber radar picture that covers not just the AUKUS nations but other allies such as the Quadrilateral Security Dialogue (the Quad) of Australia, India, Japan, and the US. “Imagine if we could build, and we built, a radar picture for cyber that covered not only what impacts Australia, but what impacts other countries. And we could share in real time threats that are hitting our countries, and protect from that,” he said. “I think when you start thinking about the Quad and other things, that’s the type of thing I would say, as we move forward, that’s where our partnership has to go.”


    JFTC starts another antitrust probe against Apple and Google on smart devices: Report

    The Japanese Fair Trade Commission (JFTC) is reportedly commencing a new antitrust investigation into Apple and Google-parent Alphabet’s conduct across various technology areas. According to Nikkei, the Japanese competition watchdog will conduct interviews and surveys with OS operators, app developers, and smartphone users to assess whether Apple and Google have created anti-competitive market conditions in the smartphone, smartwatch, and other wearables sectors. The JFTC will reportedly work with the government-run Digital Market Competition Council during the probe.

    The new investigation comes just over a month after the JFTC closed an investigation into Apple’s in-app purchasing system. In that investigation, the Japanese competition watchdog found Apple acted anti-competitively in requiring developers to pay Apple’s commission on in-app purchases, and that it should allow them to point users to external payment options, like their own websites. To close that investigation, Apple made a deal with the JFTC to allow developers of “reader” apps to link to external websites for setting up and managing accounts. The update will take effect sometime next year, Apple said in September. Reader apps are those that provide previously purchased content or content subscriptions for digital magazines, newspapers, books, audio, music, and video, such as Spotify and Netflix.

    Around the world, regulators have set their sights on the market dominance of Apple and Google. In Australia, the government is undertaking various probes on the two companies focusing on a wide range of areas, spanning from ad tech to browsers to mobile OS systems. In the US, various states have filed a lawsuit against Google for its alleged anti-competitive control over the app store market. A US probe that wrapped up last October found Amazon, Facebook, Apple, and Google all had an “alarming pattern” of using innovation-stifling practices. In light of those findings, the government in August introduced a Bill into Congress that is aimed at curbing “big tech bullying”.

    The European Union, meanwhile, has doled out billions of dollars worth of fines to both Google and Apple for alleged anti-competitive behaviour.


    Additional fixes released addressing Apache HTTP Server issue

    Apache released additional fixes for CVE-2021-41773 on Thursday as government agencies like CISA warned that one vulnerability related to the Apache HTTP Server issue had been exploited in the wild.

    As ZDNet reported on Wednesday, developers behind the Apache HTTP Server Project urged users to apply a fix immediately to resolve a zero-day vulnerability. The Apache Software Foundation released Apache HTTP Server version 2.4.50 to address two vulnerabilities that would allow an attacker to take control of an affected system. In a notice on Wednesday, CISA said one of the vulnerabilities, CVE-2021-41773, has already been exploited in the wild.

    “It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration ‘require all denied’, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution,” Apache said in a notice. “This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.”

    CISA said that “active scanning of Apache HTTP Server CVE-2021-41773 & CVE-2021-42013 is ongoing and expected to accelerate, likely leading to exploitation.” “These vulnerabilities have been exploited in the wild. Please patch immediately if you haven’t already — this cannot wait until after the weekend,” the government agency added.
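    Apache’s notice describes requests whose URL maps to a file outside the directory an Alias points at. The script below is an added example, not code from the article, the Apache project or CISA: it scans constructed access-log lines, percent-decodes each request path until the text stops changing (my own hardening assumption, since the article does not say why the first fix was insufficient, but a detector that decodes only once is what nested encodings slip past), normalizes the result and reports any request that would resolve outside the alias root, noting whether the server answered 2xx or refused it. The `/cgi-bin/` alias, the client addresses and the log lines are all made up for the example.

```python
"""Flag requests whose decoded path escapes an aliased directory.

Added example (not the article's, Apache's or CISA's code). It reads
constructed Apache combined-format log lines, percent-decodes each request
path until nothing changes, normalizes it, and reports any request that
would resolve outside the alias root. The alias prefix, addresses and log
lines are all constructed for the example.
"""
import posixpath
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample log lines (not real traffic). The first three try to
# walk out of /cgi-bin/ with plain, encoded and doubly encoded dots; the
# first of them was refused (403), the other two were served (200).
SAMPLE_LOG = """\
203.0.113.7 - - [07/Oct/2021:10:00:01 +0000] "GET /cgi-bin/../../../etc/hosts HTTP/1.1" 403 199 "-" "curl/7.68.0"
203.0.113.7 - - [07/Oct/2021:10:00:02 +0000] "GET /cgi-bin/.%2e/%2e%2e/%2e%2e/etc/hosts HTTP/1.1" 200 512 "-" "curl/7.68.0"
203.0.113.7 - - [07/Oct/2021:10:00:03 +0000] "GET /cgi-bin/.%%32%65/%%32%65%%32%65/etc/hosts HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.2 - - [07/Oct/2021:10:00:04 +0000] "GET /cgi-bin/status.cgi?x=1 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
198.51.100.2 - - [07/Oct/2021:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def fully_decode(path: str, max_rounds: int = 5) -> str:
    """Percent-decode until nothing changes, so a nested encoding such as
    %%32%65 -> %2e -> . is seen as the dot it becomes. Bounded so that a
    pathological input cannot loop forever."""
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def escapes_alias(url_path: str, alias_prefix: str = "/cgi-bin/") -> bool:
    """True when a request under alias_prefix normalizes to a path outside
    it. Requests that never start with the prefix are not this alias's
    concern and return False."""
    decoded = fully_decode(url_path.split("?", 1)[0])
    if not decoded.startswith(alias_prefix):
        return False
    normalized = posixpath.normpath(decoded)
    return not (normalized + "/").startswith(alias_prefix)


def scan_log(text: str, alias_prefix: str = "/cgi-bin/") -> List[Dict]:
    """One record per traversal attempt, with the path it really resolves to
    and whether the server served it (2xx) or refused it."""
    hits = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if match and escapes_alias(match["path"], alias_prefix):
            raw = match["path"].split("?", 1)[0]
            hits.append({
                "ip": match["ip"],
                "path": match["path"],
                "decoded": posixpath.normpath(fully_decode(raw)),
                "status": int(match["status"]),
                "served": match["status"].startswith("2"),
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        verdict = "SERVED" if hit["served"] else "refused"
        print(f'{hit["ip"]} {hit["path"]} -> {hit["decoded"]} [{hit["status"]} {verdict}]')
```

    A 403 on a traversal attempt means the `require all denied` default held; a 2xx on one is the case the notice warns about and is worth treating as a confirmed read of a file outside the alias, not just a scan.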

    According to Bleeping Computer, about 25% of websites worldwide are backed by the open-source, cross-platform Apache HTTP Server. Sonatype researchers said that approximately 112,000 Apache servers are running the vulnerable version, with roughly 40% located in the United States. Rapid7 Labs said it identified about 65,000 potentially vulnerable versions of Apache httpd exposed to the public internet on Wednesday. Researchers say the issue is actively being scanned for in the wild.

    “The vulnerability itself is not exploitable in normal or default conditions. The biggest impact this issue will have will be on applications that have packaged Apache 2.4.49 and a configuration that enables the vulnerability. One such application is Control Webpanel (also known as CentOS Webpanel), which is used by hosting providers to administer websites, similar to cPanel,” said Derek Abdine, CTO at Censys. “There are currently just over 21,000 of these that are Internet-facing and appear vulnerable.”

    Censys senior security researcher Mark Ellzey added that he expects there to be some fallout for this but that it may not be widespread. Compared to recent vulnerabilities related to Confluence or VMware, he said the urgency and effectiveness of exploits for this issue don’t rise to a similar level. “Anything outside of the bad config is probably going to be a targeted attack on specific applications. I’d wager that we might see some code leaks,” Ellzey said.

    The vulnerabilities were first discovered by Ash Daulton of the cPanel security team and the latest issues were found by Shungo Kumasaka, Dreamlab Technologies’ Juan Escobar and NULL Life CTF’s Fernando Muñoz. Exploits were quickly created and released once the vulnerability was publicized.


    23andMe and JFrog partner to solve code injection vulnerability

    Security researchers at JFrog worked with biotechnology company 23andMe to address a vulnerability in Yamale, a tool written by the company and used by over 200 repositories. CVE-2021-38305 allows attackers to bypass existing protections and run arbitrary Python code by manipulating the schema file provided as input to Yamale, according to the JFrog security research team.

    A 23andMe spokesperson told ZDNet that 23andMe Security was notified of a workaround to a patch made to Yamale, the open-source library created by the company to verify that YAML files are in the right format and have all the correct fields.

    In a blog post and in interviews with ZDNet, JFrog’s senior director of security research Shachar Menashe said the vulnerability is “extremely severe if the prerequisites for the attack exist, due to the fact that the impact is the highest (remote code execution) and exploitation is trivial and stable (command injection).” The blog highlights the cases where the team believes the vulnerability would be most exploitable.

    “The JFrog security research team is currently conducting a scan of the entire PyPI database in order to improve the landscape of open source Python code. By automatically detecting vulnerabilities and disclosing them, our goal is to help mitigate vulnerabilities that threaten customer systems and national infrastructure,” Menashe said. “The finding was discovered using our automated vulnerability detection technology; these are the same types of code scanners that found the malicious PyPI packages that we disclosed in July. We are running our scanners on the entire PyPI database and performing responsible disclosures on all found vulnerabilities, after we verify them. Since Yamale is available through PyPI, it was scanned as part of this effort. 23andMe actually wrote Yamale for use as an internal tool.”

    Yamale is a popular and widely used schema validator for YAML. An attacker that can control the contents of the schema file supplied to Yamale can provide a seemingly valid schema file that will cause arbitrary Python code to run, Menashe explained. Menashe noted the underlying issue is that through Python reflection, an attacker can “claw back” any needed builtin and run arbitrary code.

    In the blog post, JFrog researchers said an attacker needs to be able to specify the contents of the schema file in order to inject Python code, but noted that this can be exploited remotely if some piece of vendor code allows an attacker to do that. The most likely exploitation, the security company said, would involve vulnerabilities triggered through command line parameters via a separate parameter injection issue.

    JFrog Security CTO Asaf Karas added that because YAML is so popular, compatible, and widely used, it’s often the target of attacks. “This gap allows attackers that can provide an input schema file to perform Python code injection that leads to code execution with the privileges of the Yamale process. We recommend sanitizing any input going to eval() extensively and – preferably – replacing eval() calls with more specific APIs required for your task,” Karas said.

    The company lauded Yamale’s maintainers for validating and fixing the issue “in record time” and for “responsibly creating a CVE for the issue after the fixed version was available.”

    The 23andMe spokesperson said the original patch was intended to cover a vulnerability for users parsing untrusted YAML schema. “YAML files have remained unaffected and are parsed with a safe loader. 23andMe is actively working on a solution. In the meantime, we will add a note on the project readme that more explicitly states that YAML schemas should always come from a trusted source,” the spokesperson said. “This tool is not implemented in any 23andMe company processes and doesn’t affect the customer experience or customer data in any way. We are grateful for the white hat hackers who alerted our team and invite others to join our recently established Bug Bounty Program,” the company added.
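    Karas’s recommendation, replacing `eval()` with an API specific to the task, is easiest to see in code. The following is an added example and is not Yamale’s code or JFrog’s: a toy schema-rule parser that puts the weak pattern (evaluating rule text such as `int(min=0, max=10)` with `eval()`, even with builtins stripped) beside a parser that walks the rule’s AST and accepts only a direct call to a registered validator name whose arguments are literals or nested validator calls. The validator names, the `Rule` type and the sample rules are assumptions made for the example.

```python
"""Parsing schema validator rules without eval().

Added example, not Yamale's or JFrog's code. It contrasts the pattern JFrog
warns about (rule text handed to eval(), even under stripped builtins) with
a parser that accepts only a call to a known validator name whose arguments
are plain literals or nested validator calls. The validator names and the
Rule type are assumptions made for the example.
"""
import ast
from dataclasses import dataclass, field
from typing import Any, Dict, List

# Hypothetical validator registry (illustrative names, not Yamale's list).
KNOWN_VALIDATORS = {"int", "str", "num", "bool", "regex", "enum", "list"}


@dataclass
class Rule:
    name: str
    args: List[Any] = field(default_factory=list)
    kwargs: Dict[str, Any] = field(default_factory=dict)


def parse_rule_unsafe(rule_text: str) -> Rule:
    """The weak pattern: rule text is Python source handed to eval(). An
    empty __builtins__ narrows what a rule can name directly, but it is
    still arbitrary expression evaluation, and as the article notes the
    builtins can be recovered through reflection, so a crafted schema runs
    code with the privileges of the validating process."""
    registry = {
        n: (lambda *a, _n=n, **kw: Rule(_n, list(a), kw)) for n in KNOWN_VALIDATORS
    }
    return eval(rule_text, {"__builtins__": {}}, registry)


def _argument(node: ast.AST) -> Any:
    """Arguments may be a nested validator call (e.g. list(int(), str()))
    or a literal. Names, attribute access and any other call are refused."""
    if isinstance(node, ast.Call):
        return _parse_call(node)
    try:
        return ast.literal_eval(node)
    except ValueError as exc:
        raise ValueError(f"argument is not a literal: {ast.dump(node)}") from exc


def _parse_call(call: ast.AST) -> Rule:
    """Accept exactly the shape Name(args..., key=value...) for a registered
    validator name. Nothing is executed; the name is looked up afterwards."""
    if not isinstance(call, ast.Call) or not isinstance(call.func, ast.Name):
        raise ValueError("rule must be a direct call to a named validator")
    if call.func.id not in KNOWN_VALIDATORS:
        raise ValueError(f"unknown validator {call.func.id!r}")
    if any(kw.arg is None for kw in call.keywords):
        raise ValueError("**kwargs expansion is not allowed in a rule")
    args = [_argument(a) for a in call.args]
    kwargs = {kw.arg: _argument(kw.value) for kw in call.keywords}
    return Rule(call.func.id, args, kwargs)


def parse_rule_safe(rule_text: str) -> Rule:
    """The hardened form: parse to an AST and walk a fixed grammar instead
    of evaluating. Syntax errors are reported as ValueError like any other
    rejected rule."""
    try:
        tree = ast.parse(rule_text.strip(), mode="eval")
    except SyntaxError as exc:
        raise ValueError(f"rule is not a well-formed call: {rule_text!r}") from exc
    return _parse_call(tree.body)


def rejects(rule_text: str) -> bool:
    """True if the safe parser refuses the rule text."""
    try:
        parse_rule_safe(rule_text)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(parse_rule_safe("int(min=0, max=10)"))
    print(parse_rule_safe("list(int(), str(max=3))"))
    for bad in ("open('schema.yaml')", "int(max=(1).__class__)", "int(max=len('ab'))"):
        print(bad, "->", "rejected" if rejects(bad) else "accepted")
```

    Both parsers accept the same well-formed rules, so the swap costs nothing for legitimate schemas; the difference is that the AST walker has no path by which rule text becomes executed code, which is what “more specific APIs required for your task” buys over sanitizing input to `eval()`.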


    VMware lays out its vision for “easy” security

    At the VMworld conference this week, VMware is rolling out a series of security advancements that cover multi-cloud, applications and the workspace.

    For stronger, flexible cloud-to-cloud security, VMware is introducing the industry-first elastic application security edge (EASE, pronounced “easy”). EASE is a set of data plane services for networking, security and observability, delivered with a unique scale-out distributed architecture that allows an EASE environment to grow and shrink as app needs change. In other words, as an application scales up and down with traffic, VMware can scale the infrastructure so that services like the firewall or load balancer also get bigger or smaller to meet the needs of the application.

    “This is a big departure from the way things have historically been done,” Ambika Kapur, VP of Product Marketing for VMware’s Networking and Advanced Security Business Unit, told ZDNet. “When you look at public cloud environments, we now have the ability to auto-scale applications to meet the workload. But when you look at services that protect and connect these applications — networking, security, observability — they’re rigid.”

    Kapur said that EASE illustrates VMware’s approach to security: rather than compete with the many vendors and solutions that already exist, the company is searching for gaps in innovation and trying to fill them with simple-to-use solutions. “The big thing we’ve been asking ourselves is, if the world we live and work in has changed so dramatically, how do we expect traditional security solutions to be appropriate for this world?” she said.

    Along with securing cloud-to-cloud workloads, VMware is also introducing new ways to harden the workload itself. It is integrating a version of VMware Carbon Black into vSphere and VMware Cloud, making it easy and intuitive to use. It offers next-gen anti-virus, workload inventory and lifecycle management, EDR for workloads and threat intelligence.

    Within the network, VMware has a three-step process to ensure workloads in the VMware cloud are secure: segmentation of traffic, signature-based analytics, and new non-signature-based, tapless traffic analysis. VMware’s micro-segmentation capabilities include advanced east-west controls.

    As east-west traffic increases, VMware’s 20 TB internal scale-out firewall keeps it secure. It’s also helped customers reduce firewall rules by up to 90% making security more manageable.

    In terms of securing applications, VMware’s new Tanzu Service Mesh gives developers the ability to understand API behavior, even across multi-cloud environments, for better DevSecOps. This capability comes as a result of VMware’s Mesh7 acquisition. Additionally, CloudHealth Secure State now delivers Kubernetes Security Posture Management to provide deep visibility into misconfiguration vulnerabilities across both Kubernetes clusters and connected public cloud resources.

    To secure devices, VMware is updating Workspace ONE with a compliance engine that examines thousands of posture checks on device, OS and apps. This will allow for remediation to a desired state with minimal impact on the end-user experience. Additionally, VMware Carbon Black integrates with Workspace ONE and is now optimized for Horizon VDI environments.

    VMware is also working with Intel to create a direct link between the Intel vPro platform and VMware Workspace ONE. This will enable automated out-of-band maintenance that keeps PCs up to date on the latest security patches and infosec policies, no matter where they are located or the state of the operating system.



    No honor among thieves: One in five targets of FIN12 hacking group is in healthcare

    You’d hope that even though ransomware is a lucrative criminal enterprise, there might be some targets that are kept off the list for ethical reasons. 

    This is not so with FIN12, a big game hunting ransomware group, one in five of whose victims is within the healthcare sector.

    The deployment of ransomware is a popular and prolific cybercriminal activity, with potential destructive impacts outweighing other forms of crime such as straight data theft, cryptojacking, and insider threats. This year alone, ransomware has been used to wreak havoc in high-profile cases such as the widespread Microsoft Exchange Server hacking spree, the Colonial Pipeline attack that caused fuel shortages in the US, and the disruption of supply chains due to the compromise of systems belonging to global meatpacker JBS USA.

    Research conducted by KELA in August on the initial access broker (IAB) space found that healthcare-related ads offering access were few and far between, and so you would hope this sector — alongside funeral services, charities, and critical services — might be sectioned off by ransomware groups. However, there was another case this year that shows this is not always so: the fall of Ireland’s Health Service Executive (HSE) to ransomware, a security incident that caused disruption for weeks to critical care services.

    If a ransomware outbreak restricts access to key medical records, appointment details, treatment notes, and patient data, this can lead to delays and, in the worst scenarios, death, according to research conducted by the Ponemon Institute and Censinet.

    On Thursday, Mandiant said that FIN12 — upgraded from UNC1878 by the cybersecurity firm — is a financially driven group that targets organizations with average annual revenue of over $6 billion. Almost all of the threat group’s victims generate a revenue of at least $300 million. “This number could be inflated by a few extreme outliers and collection bias; however, FIN12 generally appears to target larger organizations than the average ransomware affiliate,” the researchers say.

    Speaking to ZDNet, Joshua Shilko, Principal Analyst at Mandiant, said the group has earned itself a place in the “top tier of big game hunters” — the operations which focus on the targets most likely to offer the biggest financial rewards in ransom payments.

    “By all measures, FIN12 has been the most prolific ransomware actor that we track who is focused on high-value targets,” Shilko said. “The average annual revenue for FIN12 victims was in the multi-billions. FIN12 is also our most frequently observed ransomware deployment actor.”

    Active since at least 2018, FIN12 used to focus on North America but over the past year has expanded its victim range to Europe and the Asia Pacific region. Mandiant says that FIN12 intrusions now make up close to 20% of incidents the firm’s response team has worked on since September last year.
    Threat actors will often purchase initial access to a target system to cut out the legwork of finding working credentials, VPN access, or a software vulnerability ripe for exploit. Mandiant believes with “high confidence” that the group relies on others for initial access. Zach Riddle, Senior Analyst at Mandiant told us: “Actors providing initial access to ransomware operators typically receive payment in the form of a percentage of the ransom after a victim has paid, though actors may also purchase access to victims’ networks for a set price. While the percentage paid for initial access can likely vary based on several factors, we have seen evidence that FIN12 has paid up to 30-35% of a ransom payment to a suspected initial access provider.”The cybercriminals seem to have no moral compass, either, with 20% of its victims belonging to the healthcare sector. Many ransomware-as-a-service (RaaS) outfits do not allow hospitals to be targeted, but as a result, Mandiant says that it may be cheaper for FIN12 to buy initial access due to low demand elsewhere.  However, this might not explain FIN12’s willingness to target healthcare. “We do not believe that others refusing to target healthcare has a direct correlation to FIN12’s willingness to target this industry,” commented Riddle. “FIN12 may perceive that there is a higher willingness for hospitals to quickly pay ransoms to recover critical systems rather than spend weeks negotiating with actors and/or remediating the issue. Ultimately, the criticality of the services they provide not only likely results in a higher chance that FIN12 will receive a payment from the victim, but also a quicker payment process.”FIN12 is closely linked to Trickbot, a botnet operation that offers cybercriminals modular options including means of exploit and persistence. Despite having its infrastructure disrupted by Microsoft, the threat actors have recently returned with campaigns against legal and insurance companies in North America. 
    The group’s main goal is to deploy Ryuk ransomware. Ryuk is a prolific and dangerous variant of malware, containing not only the typical functions of ransomware — the ability to encrypt systems so that operators can demand payment in return for a decryption key — but also new worm-like capabilities to spread to and infect additional systems. Mandiant suspects that FIN12 is of Russian-speaking origin, with all currently identified Ryuk ransomware operators speaking this language. In addition, other malware used by FIN12, dubbed Grimagent — and, so far, unconnected to any other threat group — contains files and components in Russian.

    FIN12’s average time-to-ransom is just under four days, with its speed increasing year-over-year. In some cases, a successful ransomware campaign was completed in just two-and-a-half days.

    “While it is possible that they will test out other backdoors or even sponsor the development of private tools in the future, they seemingly have settled into a pattern of disguising their beacon activity using malleable C2 profiles and obfuscating their common payloads with a range of in-memory loaders,” Shilko said. “Notably, actors also sometimes make changes based on public reporting and it would not be surprising if the group made changes based on our reporting; however, we anticipate that these changes would largely focus on limiting detection rather than rethinking their larger playbook.”

    Twitch attributes breach to server configuration error, resets all stream keys

    Twitch has announced that it reset all stream keys as it seeks to address the massive data breach that was revealed yesterday. A hacker leaked the entirety of Twitch’s source code alongside a 128GB trove of data that included creator payouts going back to 2019, proprietary SDKs and internal AWS services used by Twitch, as well as all of the company’s internal cybersecurity red teaming tools. While much of the press attention initially focused on the eye-popping revenues brought in by certain Twitch streamers, concern over the privacy and security of all Twitch streamers began to grow later in the day. Experts warned that all Twitch streamers needed to take immediate actions to protect their bank accounts and themselves from a potential wave of attacks by opportunistic cybercriminals. Late on Wednesday evening, Twitch announced that it was resetting all stream keys, directing streamers to this website for new stream keys. “Depending on which broadcast software you use, you may need to manually update your software with this new key to start your next stream. Twitch Studio, Streamlabs, Xbox, PlayStation, and Twitch Mobile App users should not need to take any action for your new key to work,” Twitch explained. “OBS users who have connected their Twitch account should also not need to take any action. OBS users that have not connected their Twitch account to OBS will need to manually copy their stream key from their Twitch Dashboard and paste it into OBS. For all others, please refer to specific setup instructions for your software of choice.”

    Twitch emailed the statement to all streamers, according to multiple experts. In an earlier statement, the company said it learned that the breach originated from a Twitch server configuration change error that left data exposed to the internet. Twitch added that it was still trying to understand the scope of the breach as it continues to investigate the incident. “We understand that this situation raises concerns, and we want to address some of those here while our investigation continues. At this time, we have no indication that login credentials have been exposed. We are continuing to investigate. Additionally, full credit card numbers are not stored by Twitch, so full credit card numbers were not exposed,” Twitch claimed. But experts have laid out a litany of problems facing those connected to the gaming platform, which has an average of 15 million daily users and more than 2 million Twitch creators broadcasting monthly.

    Quentin Rhoads-Herrera, a director at CRITICALSTART, told ZDNet that malware authors could potentially use Twitch’s released code to infect the platform’s user base by finding flaws in the application’s code. “Now that the data has been released, there isn’t much Twitch can do. They should try and prevent it from being put up on platforms like GitHub, BitBucket, or other popular code/file-sharing platforms. Still, the data is already out and will be shared forever through many different channels,” Rhoads-Herrera said.

    “What they can do is evaluate exactly what was stolen, reset user passwords that were compromised, and determine the risk to their IP (especially from what was stolen of Vapor, which is supposedly going to compete with Steam) and how it will impact their business overall. The largest risk to Amazon’s Twitch is the data that is now freely available to their competitors. As a result of this event, Twitch might lose some user following and trust they may have had in their users. The biggest impact is the leaked data that is unique to their intellectual property that could be leveraged by competitors.”

    The hacker behind the attack said that what was released yesterday was only the first section of the stolen data.