More stories

  • in

    Average consumer spending $273 per month on subscription services: report

    Consumers are spending more than ever on subscription services, according to a new report from West Monroe.

    West Monroe polled 2,500 consumers about how much they spend each month on a variety of subscription services, finding that people are spending 15% more than they did in 2018. The types of subscriptions have also expanded as more companies create digital platforms and offerings to lure in consistent customers. The average consumer surveyed said they spend $273 per month on subscription services, up from $237 in 2018. This extra 15% equals an additional $430 spent each year.

    The researchers behind the study were also very interested in people’s perception of how much they spend each month on subscriptions, finding that most people underestimate how much they dole out monthly before sitting down to calculate it. All of the respondents to the survey were unaware of how much they actually spent on subscription services off the top of their heads and most needed more than two tries to get close.

    In 2021, 89% underestimated what they spend each month, and in 2018, 84% underestimated what they spent each month. Nearly half of those who underestimated were off by between $100-$300.

    About 70% of respondents subscribed to mobile phone services and a home WiFi service as well as TV and movie providers. Half of all respondents had Amazon Prime accounts.

    The rest of the list varied widely, with respondents reporting a hodgepodge of subscriptions ranging from music streaming sites, gaming services, cloud storage sites, home security systems, newspapers, fitness apps, dating apps and meal services.

    There was also an increase in the number of people using subscription boxes, which now cover a range of industries like beauty, pets, toys and wellness. Services like Ipsy and Dollar Shave Club were referenced by respondents. Other subscriptions named included book services like Kindle and Audible as well as cloud storage tools like Dropbox, iCloud and OneDrive.

    Tinder, Match, eHarmony and other dating sites featured prominently alongside fitness apps like MyFitnessPal, Lose It! and Fitbit. Respondents also had a number of newspaper or magazine subscriptions as well as gaming services like PlayStation Now and Xbox Game Pass.

    ADT, Nest and Ring dominated the home security system subscriptions while identity protection services like LifeLock and Identity Guard were popular as well. Verizon, Sprint and Boost Mobile were the most popular mobile phone services and streaming sites like Spotify, Pandora and XM Radio led the way.

    Netflix, Hulu, cable services and premium packages were cited as well, alongside WiFi services like Comcast, AT&T and CenturyLink.
    Dhaval Moogimane, a partner at West Monroe, said it was not surprising to see that subscription spend grew over the past three years.

    “It is reflective of the growth of products and services available to us as subscriptions, and the buying behavior that has changed, driven by COVID. What was most surprising to see was the perception gap between how much respondents thought they spent on subscriptions per month versus what they actually spent,” Moogimane said. “The percentage of respondents who were off by more than $200 grew to 66%, from 24% in 2018. This increase in perception gap is indicative of how some of the subscriptions are now viewed as utilities, particularly cell phones, Wi-Fi, ID protection services, cloud storage services, and more.”

    Moogimane added that to capture estimates, they asked respondents to think generally about “recurring monthly expenses associated with digital services, devices, and subscription boxes” — including prompts of specific examples and service categories. Respondents were given 10 seconds to guess how much they spend each month. After recording this initial answer, they immediately asked participants to repeat the exercise with 30 seconds to think about the question more carefully.

    “This is how we calculated what their initial perceptions were for their monthly subscriptions. Then we took them through their subscriptions one by one and tallied up their spend per each individual subscription to determine their actual total spend,” Moogimane said. “The idea is that consumers may think they know what they are spending each month, but when they are asked what they actually pay for each subscription service and the total is added up, it reflects a different story.”

  • in

    Four months on from a sophisticated cyberattack, Alaska's health department is still recovering

    Some systems at the Alaska Department of Health and Social Services (DHSS) are still offline after being hit by a nation-state backed cyberattack in May. As a result of the incident, an unknown number of people have potentially had their personal information stolen. This information could include full names, dates of birth, social security numbers, telephone numbers, health information, financial information and other data which cyber attackers could exploit. 

    Because of the sensitive nature of the information and the potential for it to be abused, DHSS has urged all Alaskans who provided data to or had their data stored by DHSS to take action to protect themselves from identity theft. A free credit monitoring service is being made available to members of the public concerned that they may be caught up in the breach.

    The potential breach of personal information has only just been revealed, despite the incident being first detected in May and previous updates about the attack in June and August — according to a DHSS statement, this was delayed until now to avoid interference with a criminal investigation. And four months from the initial attack, some DHSS online services still haven’t been restored, and there’s no timeline for when they’ll be back.

    “All affected systems remain offline as we diligently and meticulously move through the three phases of our response. Work is continuing to restore online services in a manner that will better shield DHSS and Alaskans from future cyberattacks,” said Scott McCutcheon, technology officer at DHSS.

    The attack started with the use of an unspecified exploit against a vulnerable website and spread from there. The state isn’t providing additional information at this time because “providing any further specific details could give our attackers information that would help them, and others, be more successful in future cyberattacks.”

    Cybersecurity company FireEye was brought in to investigate the attack and has identified those behind it as “a highly sophisticated group known to conduct complex cyberattacks against organizations that include state governments and health care entities” — but no additional information is currently being revealed. However, DHSS does state this wasn’t a ransomware attack.

    While the exact motives behind the attack aren’t currently clear, healthcare is a frequent target for cyberattacks by both nation-state groups and cyber-criminal gangs. The amount of sensitive personal information involved in healthcare provides attackers with a lot of information about individuals, potentially useful for foreign intelligence services.

    As a result of the attack, DHSS says it is taking action to boost the cybersecurity of networks to prevent additional incidents in future. “As systems are being brought back online, steps are being taken to build them back to be as resilient as possible to be protected from future cyberattacks. Additional steps are being planned for post-incident hardening of our IT infrastructure,” the department said in a statement.

  • in

    Turla hacking group launches new backdoor in attacks against US, Afghanistan

    The Turla hacking group is back with new weaponry, recently used in attacks against the US, Germany, and Afghanistan.

    On Tuesday, Cisco Talos said that the advanced persistent threat (APT) group, Russian in origin, has developed a new backdoor for persistence and stealth.

    Dubbed TinyTurla, the previously unknown backdoor is simple in design but suitable for particular purposes: dropping payloads and staying under the radar if Turla’s primary malware is wiped from a compromised machine.

    Active since at least 2004, Turla, also known as Snake and Uroburos, is a sophisticated operation with a long list of high-profile victims in its portfolio. Past targets include the Pentagon, government and diplomatic agencies, military groups, research institutions, and more in at least 45 countries.

    Now, it appears the APT is homing in on the US, Germany, and also Afghanistan — the latter of which was targeted before the Taliban took over the country and Western military forces pulled out. Talos says it is likely the malware was used in attempts to compromise the systems of the previous government.

    A sample acquired by the team revealed that the backdoor, which is built as a DLL, was installed as a service on a Windows machine. The file is named w64time.dll, and as there is a legitimate Windows w32time.dll, it may not immediately appear to be malicious.

    Named “Windows Time Service,” the backdoor links to a command-and-control (C2) server controlled by Turla and contacts the system via an encrypted HTTPS channel every five seconds in order to check for any new commands or instructions.

    TinyTurla is able to upload and execute files and payloads, create subprocesses, and exfiltrate data. It may be that the backdoor was limited in its functionality and code on purpose, to prevent detection as malicious software.

    Talos says that the backdoor has been in use since at least 2020.

    “One public reason why we attributed this backdoor to Turla is the fact that they used the same infrastructure as they used for other attacks that have been clearly attributed to their Penguin Turla Infrastructure,” the researchers say. “It’s often difficult for an administrator to verify that all running services are legitimate. It is important to have software and/or automated systems detecting unknown running services and a team of skilled professionals who can perform proper forensic analysis on potentially infected systems.”

    Recently, Kaspersky researchers found code overlaps between Turla, the DarkHalo/UNC2452 APT, the Sunburst backdoor, and the Kazuar backdoor. While there are shared features between Sunburst and Kazuar, it is not possible to conclude with certainty any concrete links between the threat groups and these tools.
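The masquerade described above (w64time.dll beside the legitimate w32time.dll, under a "Windows Time Service" display name) is what an automated review of installed services, of the kind Talos recommends, can surface. The following is an added example, not code from the article or from Talos; the baseline, the service names and the paths are constructed sample data, and the inventory is assumed to have been exported from each service's ServiceDll registry value.

```python
from pathlib import PureWindowsPath

# Constructed baseline: ServiceDll file name -> display name of the genuine service.
BASELINE = {
    "w32time.dll": "Windows Time",
    "dnsrslvr.dll": "DNS Client",
    "wuaueng.dll": "Windows Update",
}

# Constructed inventory, as it might be exported from
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\Parameters\ServiceDll.
SAMPLE_INVENTORY = [
    {"name": "W32Time", "display_name": "Windows Time",
     "service_dll": r"%SystemRoot%\system32\w32time.dll"},
    {"name": "SampleSvc1", "display_name": "Windows Time Service",
     "service_dll": r"%SystemRoot%\system32\w64time.dll"},
    {"name": "Dnscache", "display_name": "DNS Client",
     "service_dll": r"C:\ProgramData\cache\dnsrslvr.dll"},
    {"name": "AcmeUpdater", "display_name": "Acme Updater",
     "service_dll": r"C:\Program Files\Acme\acmeupd.dll"},
]


def edit_distance(a, b):
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def _display_key(name):
    """Lower-case a display name and drop a trailing ' service'."""
    key = name.lower().strip()
    return key[:-len(" service")] if key.endswith(" service") else key


def review_services(inventory, baseline=BASELINE, max_distance=2):
    """Return {service name: [reasons]} for entries that imitate a baseline service."""
    findings = {}
    for svc in inventory:
        path = PureWindowsPath(svc["service_dll"])
        dll = path.name.lower()
        reasons = []
        if dll in baseline:
            # Genuine file name: it should still load from System32.
            if path.parent.name.lower() != "system32":
                reasons.append(f"{dll} loaded from outside System32: {path.parent}")
        else:
            for known_dll, known_display in baseline.items():
                if edit_distance(dll, known_dll) <= max_distance:
                    reasons.append(f"file name {dll} resembles {known_dll}")
                if _display_key(svc["display_name"]) == _display_key(known_display):
                    reasons.append(
                        f"display name imitates '{known_display}' but DLL is {dll}")
        if reasons:
            findings[svc["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in review_services(SAMPLE_INVENTORY).items():
        print(f"{name}: " + "; ".join(reasons))
```

In practice the baseline would be built from a known-good image of the same Windows build, so that a near-miss file name or a borrowed display name stands out against it.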

  • in

    Siemens Energy launches AI solution to fight industrial cybercrime

    Siemens Energy has launched a new solution for monitoring and responding to cyberthreats against the Industrial Internet of Things (IIoT).

    The industrial sector is undergoing a rapid shift from legacy, separate, on-the-floor systems to connected platforms that utilize IoT for maintenance, monitoring, and to collect data suitable for operations and future business decisions, in what is known as IIoT or Smart Factory (Industry) 4.0.

    However, when you create networks and bring devices online, you run the risk of allowing threat actors access unless adequate protection is in place. As IoT continues to accelerate and operational technology (OT) becomes smarter, companies need to make sure they manage and secure endpoints and industrial networks to mitigate the risk of damage, data theft, and disruption caused by external entities.

    On Tuesday, Siemens said a new offering, dubbed Eos.ii — not to be confused with the blockchain protocol EOS.IO — is an artificial intelligence (AI) and machine learning (ML) Security Information and Event Management (SIEM) platform that “provides CISOs with an evergreen foundation for industrial IoT cybersecurity.”

    The platform collects and collates data flows from IIoT endpoints for use by security teams, with insights brought together in one interface. The data flows are also standardized to reduce complex or junk data, and Siemens says this will give analysts a better chance of spotting anomalous behavior “that might represent a cyberthreat.”

    Furthermore, Eos.ii will automatically tailor defensive practices and prioritize high-impact events with the assistance of ML algorithms.

    “As new threats emerge, Eos.ii seamlessly integrates their known characteristics into automated defenses, and allows for easy manual updates to its rules-based detection engine,” said Leo Simonovich, VP and Global Head of Industrial Cyber and Digital Security at Siemens. “With Eos.ii, defenders spend less time on routine tasks and more time conducting powerful investigations.”

    Siemens has produced a whitepaper (.PDF) describing the impact of IIoT cyberattacks and Eos.ii’s place in protecting today’s industrial systems.

  • in

    iOS 15 lets you spy on apps that might be spying on you

    Apple is cracking down on how apps access your private data, such as location data, photos, camera, microphone, as well as what domains the apps are communicating with. And part of that is giving users the ability to find out what the apps that they have installed are up to.

    With this in mind, iOS 15 and iPadOS 15 have a new feature that allows users to gather information on what apps are up to. But you have to turn the feature on yourself.

    This new feature is called Record App Activity. To find this feature, fire up Settings and go to Privacy, and scroll all the way down to the bottom where you’ll find Record App Activity.

    Tap on this and you get into Record App Activity, and as the name suggests, this allows you to record what apps are up to. But you first have to turn the feature on by sliding the toggle switch. Then you have to wait a few days for a report to be generated.

    Alternatively, you can export a JSON file that can be opened by any text editor, but this is quite a clunky method for the average user.

    What’s interesting is that Apple has documentation aimed at developers about this feature. This goes into depth about what data this feature records.

    Digging into this, it seems that this records each time an app accesses one of the following:

      • The user’s photo library
      • A camera
      • The microphone
      • The user’s contacts
      • The user’s media library
      • Location data
      • Screen sharing

    It also records what domains any app accesses and how many times they are accessed.

    In short, it’s quite a deep dive into what’s going on but it’s important to note that you don’t get to know what specific data was accessed.

    While this is a great start in keeping app developers honest, I hope that more features and in-depth analysis will be added in future updates.

  • in

    Trend Micro launches first data centre region in Australia

    Trend Micro has announced the launch of its first Australian Cloud One regional data centre in Sydney.

    The launch means all of Trend Micro’s SaaS services are now locally hosted in Australia in an Amazon Web Services data centre.

    Speaking to ZDNet, Trend Micro ANZ VP Ashley Watkins explained the move would better serve local customers, especially government and ASX100 companies that are bound by strict compliance and data sovereignty policies.

    “What has become clear is that our customers love our Cloud One product, but what was really clear about that feedback was, we want it to also be able to have it locally please because we are governed by requirements, be they regulatory, be they policy-based requirements … so we’re really answering the call of our customers,” he said.

    At the same time, Watkins acknowledged the decision to host its services locally was timely given the increase in digital transformation projects across Australia.

    Trend Micro SaaS services offered to Australian companies historically have been stored in the United States. The launch of its first Sydney region is expected to be one of many globally for Trend Micro, including “several” across Asia-Pacific.

    The last time the security giant invested in the Australian market was when it picked up the Australian-based cloud security posture management firm Cloud Conformity for $70 million in 2019.

    At the time, the company touted the move would help address commonly overlooked security issues caused by cloud infrastructure misconfigurations.

    As part of the acquisition, all Cloud Conformity staff joined the company, a team Watkins has since grown.

    “We’ve retained [all the staff] and we’ve now more than tripled the Conformity team, from R&D to services. It’s a huge space globally for Trend Micro that has been running that business out of Australia,” he said.

  • in

    Iowa farm services provider hit with BlackMatter ransomware and $5.9 million ransom

    New Cooperative — an Iowa-based farm service provider — has been hit with a ransomware attack, continuing a streak of incidents affecting agricultural companies this year. The company did not respond to requests for comment but confirmed to Bloomberg News that it was suffering from a “cybersecurity incident” that impacted some of its devices and systems. They told Bloomberg reporters that they took systems offline to “contain the threat.”

    Ransomware expert Allan Liska shared screenshots of the BlackMatter ransomware leak page with ZDNet, showing the group had troves of financial documents, network information for multiple companies involved with New Cooperative, the social security numbers and personal information for employees, R&D files and the source code for a farmer technology platform called Soil Map. The ransomware group claims to have 1,000GB of data and has set a timer that they say expires at noon on September 25.

    Liska confirmed that other documents show BlackMatter is demanding a $5.9 million ransom.

    On social media, multiple security researchers leaked chats between negotiators for New Cooperative and BlackMatter operators. Representatives for New Cooperative repeatedly say they are part of the much-discussed “16 critical sectors” that US President Joe Biden said were off-limits to ransomware actors in conversations with Russian President Vladimir Putin.

    In addition to saying they were part of the country’s critical infrastructure, they noted that there would be “public disruption” to the grain, pork and chicken supply chain if they are not back up and running.

    The BlackMatter threat actors refuse to back down, saying only financial losses will be incurred from the attack. The chats also show that New Cooperative said they would have no choice but to contact CISA if they are not back up and running within the next 12 hours.

    CISA did not respond to requests for comment, but the company told multiple outlets that law enforcement had already been contacted.

    Reuters reported that the cooperative is involved in a variety of aspects of the grain business, including running grain storage elevators, selling fertilizer, buying from farmers and providing technology to farmers. Don Roose, president of US Commodities in West Des Moines, Iowa, told the outlet that this was an especially important week for farmers because this is when harvests begin to ramp up, particularly for crops like soybeans. According to Bloomberg, New Cooperative said it is working with its customers to get grain to animals while they try to restore their systems.

    Despite the warnings from the White House, ransomware groups have not stopped their attacks on the agriculture industry. Earlier this month, the FBI released a notice warning companies in the food and agriculture sector to watch out for ransomware attacks aiming to disrupt supply chains.

    “Food and agriculture businesses victimized by ransomware suffer significant financial loss resulting from ransom payments, loss of productivity, and remediation costs. Companies may also experience the loss of proprietary information and personally identifiable information and may suffer reputational damage resulting from a ransomware attack,” the FBI said.

    The notice goes on to list multiple attacks on the food and agriculture sector since November, including a Sodinokibi/REvil ransomware attack on a US bakery company, the attack on global meat processor JBS in May, a March 2021 attack on a US beverage company and a January attack on a US farm that caused losses of approximately $9 million.

    JBS ended up paying an $11 million ransom to the REvil ransomware group after the attack caused meat shortages across the US, Australia and other countries. In November, the FBI also cited an attack on a US-based international food and agriculture business that was hit with a $40 million ransom demand from the OnePercent Group. The company was able to recover from backups and did not pay the ransom.

    Former CIA cyber official Marcus Fowler told ZDNet that the attack on New Cooperative is the fourth crippling and high-profile attack on US critical infrastructure in recent months.

    Fowler noted that while the Biden Administration can aspire for certain sectors to be off-limits from hackers, significant parts of the US’ infrastructure and businesses are interconnected, making it nearly impossible to separate critical from non-critical industries.

    “What’s more, if BlackMatter truly is DarkSide 2.0, then this is evidence that the President’s talks and warnings have had little impact. Based on the details currently available, there are striking parallels between this attack and the recent campaigns against Colonial Pipeline and JBS,” said Fowler, who is now director of strategic threat at cyber firm Darktrace. “Just like in these instances, New Cooperative took their operational technology (OT) systems offline as a precautionary measure to an IT side attack. We still need to get better at securing OT.”

    Jake Williams, CTO at BreachQuest, noted that BlackMatter appears to be a spinoff of the REvil group and has been actively recruiting for initial accesses into victim networks in recent months. But others, like Lookout senior manager Hank Schless, said BlackMatter appears to be associated with DarkSide, the group behind the attack on Colonial Pipeline.

    Other experts said ransomware groups were ignoring the warnings of law enforcement because of how lucrative and costly ransomware attacks are on companies in the agriculture industry.

    “Companies working in the agricultural sector are particularly susceptible to ransomware activity as the harvest and fertilization of crops is highly sensitive to external factors; this typically involves weather changes and time of the year, however any delays caused by a ransomware attack could result in a significant loss of productivity and in turn lead to huge amounts of crops being wasted,” said Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows. “The attack also comes at a time where COVID has resulted in global shortages of truck drivers, which is impacting food supply chains.”

    Curtis Simpson, CISO at Armis, added that the food and agriculture industry is heavily reliant upon connected machinery to power key aspects of the business. These connected machines are growing targets for bad actors due to most companies’ limited visibility into risks and threats impacting these assets, their overall level of exposure to attacks (including through the exploitation of connected machines), and the high likelihood of being paid a ransom if the attack even approaches, let alone impacts, machine-driven operations.

    “Much of the food and agriculture supply chain is also enabled by small operations. Some of these operations were already strained by the pandemic and any such attack could simply knock them out of business for good. Once again, as this happens, downstream operations ranging from foodservice providers to restaurants to hospitals and consumers will all have issues sourcing products,” Simpson said.

  • in

    Cloud security company Threat Stack acquired by F5 for $68 million

    F5 Networks, one of the world’s largest providers of enterprise networking gear, announced on Monday that it is acquiring cloud security company Threat Stack for $68 million.

    F5 said it was eager to meld its application and API protection tools with Threat Stack’s cloud security solutions to “enhance visibility across application infrastructure and workloads.”


    Haiyan Song, executive vice president of Security at F5, said Threat Stack brings technology and talent “that will strengthen F5’s security capabilities” and further the company’s adaptive applications vision with broader cloud observability and actionable security insights for customers.

    “Applications are the backbone of today’s modern businesses, and protecting them is mission-critical for our customers,” Song said.

    In a statement, F5 said it would be acquiring all issued and outstanding shares of the Boston-based Threat Stack and noted that the $68 million purchase would be financed with balance sheet cash.

    F5 expects to deliver revenue in the range of $660 million to $680 million for the current quarter and said the new acquisition will add about $15 million in revenue for the fiscal year 2022, with no change to F5’s previously stated operating margin targets for the fiscal year 2022.

    The deal is expected to be finalized in F5’s first-quarter fiscal year 2022, ending December 31, 2021.

    In January, the company spent half a billion dollars to acquire Volterra, a maker of distributed multi-cloud application security and load-balancing software.

    F5 noted that attacks targeting applications are now costing businesses $100 billion per year, prompting the need for improved security around the environments where they are distributed.

    “A core tenet of adaptive applications is their capacity to protect themselves by detecting and mitigating threats in real-time. Threat Stack’s proactive risk identification and real-time threat detection combined with the breadth of F5’s application insights and controls will accelerate the delivery of this capability for our customers,” F5 explained.