More stories


    Bitdefender releases universal decryptor for REvil/Sodinokibi victims hit before July 13

    Bitdefender has released a universal decryptor for REvil/Sodinokibi victims infected before July 13, 2021. In a statement, the cybersecurity company said it created the tool with “a trusted law enforcement partner” in an effort to help the many victims who had been infected with the ransomware. There are multiple REvil victims who either refused to pay a ransom or paid a ransom but did not get working decryption keys before the ransomware group went dark on July 13 following a massive July 4 attack on Kaseya, an IT solutions developer for MSPs and enterprise clients. The group has since resurfaced and leaked information about multiple victims, even announcing a new victim on Thursday as Bitdefender rolled out its decryptor. Bogdan Botezatu, director of threat research and reporting at Bitdefender, told ZDNet that they began seeing dozens of downloads of the decryptor as soon as they released it. The company has also been contacted privately by several victims who have been waiting for help since the emergence of the group. Botezatu noted that it is impossible to estimate how many victims REvil has managed to infect since 2019 because not all victims report infections or reach out for support. When asked why the decryptor only works for victims infected before July 13 and not after, Botezatu said that he could not discuss specifics, but explained that the main difference is “related to the decryption keys that we have available from our trusted law enforcement partner.”

    “We have tested the tool against recent attacks and our tool cannot yet decrypt attacks after the July 13 date,” Botezatu said. “We are pleased we are helping victims who have been impacted. Like other industry researchers, we have seen REvil activity start back up. Based on our experience we believe new ransomware attacks are imminent and organizations of all sizes and in all industries should be on high alert.” Botezatu added that the company is working on new versions of decryptors, as well as on decryptors for the most prominent families of ransomware. In a longer statement, Bitdefender said victims with encrypted data were left in the lurch when parts of REvil’s infrastructure went offline and confirmed that they will not be able to comment on certain details of the case until they are allowed to by “the lead investigating law enforcement partner.” “Both parties believe it is important to release the universal decryptor before the investigation is completed to help as many victims as possible,” Bitdefender said. “We believe new REvil attacks are imminent after the ransomware gang’s servers and supporting infrastructure recently came back online after a two month hiatus. We urge organizations to be on high alert and to take necessary precautions.” The company noted that REvil operators are most likely based in a Commonwealth of Independent States (CIS) country and that the group emerged as a derivative of the GandCrab ransomware in 2019. REvil has attacked thousands of companies across the world, demanding exorbitant ransoms in return for not leaking data.

    Ransomware expert and Emsisoft threat analyst Brett Callow, who has worked on decryptors for other ransomware strains, said the release will definitely help any pre-13th July victims who’ve been unable to fully recover their data by other means in the weeks since. “The fact that the decryptor was ‘created in collaboration with a trusted law enforcement partner’ would imply that that partner had recovered the keys,” Callow added. Callow noted that REvil attacked at least 360 US-based organizations this year. The RansomWhere research site says the group has brought in at least $11 million this year, with high profile attacks on Acer, JBS, Quanta Computer and more.


    Aruba partners with MLS franchise for digitized stadium in Cincinnati

    Aruba announced a new partnership with Cincinnati-based Major League Soccer franchise FC Cincinnati that will see the company outfit the team’s 26,000-seat TQL Stadium with its edge services platform network. The facility is fully digitized and designed to be entirely cashless, leveraging a slate of wired and wireless Aruba products. Jeffrey Weaver, director of high-density solutions for Aruba, told ZDNet that the company was proud to help the MLS team deliver immersive fan experiences and called TQL Stadium one of the most ambitious soccer-specific stadiums globally. “From our Wi-Fi 6 access points and mobility controllers to our CX Series switches and ClearPass network access control solution, all of the network elements are working in tandem to ensure that fans and visitors to TQL Stadium have premier and engaging experiences that enhance their enjoyment of the games and special events they attend,” Weaver said. “The network infrastructure also supports more secure and streamlined stadium operations, from the point of sale devices and security cameras to door access solutions.” The digital fan experience starts from the second you get to the stadium, thanks to mobile ticketing provided by SeatGeek and paperless entry with Fortress wireless scanners. “Mobile ticketing is also important from a business perspective as it eliminates much of the counterfeit ticketing that is widespread throughout entertainment,” said Dan Lolli, vice president of facilities and stadium general manager for FC Cincinnati.

    TQL Stadium also has two large Daktronics scoreboards and 14,370 feet of SACO V-STICK S to help show replays, live gameplay, stats and other fun stadium graphics. The stadium has about 200 point-of-sale devices run by Appetize, all of which are cloud-enabled.
    There are dozens of other digital tools in use at the stadium, including security cameras, door access devices and business applications. Lolli said the goal of the new stadium was to create a next-generation fan experience. “Working with our IT-as-a-Service partner Atomic Data, we determined Aruba was the leader in stadium deployments that provide fans with superior, high-performance, reliable, and consistent experiences while being efficient and cost-effective to manage,” Lolli said. Aruba explained that the stadium had deployed its Wi-Fi 6 indoor and outdoor access points as well as a number of mobility controllers alongside the company’s access switches at the edge for IP audio and video. Lolli explained that the stadium processed more than 16,000 food and beverage transactions over a few hours, with most completed in less than half a second, on opening day. “Our network enables us to provide the exceptional experiences that help us differentiate ourselves from other sporting and non-sporting entertainment options,” Lolli said. “During stadium construction, Aruba’s robust tools enabled Atomic Data to stage our entire network off-site and ship it to our stadium. This streamlined deployment by four to eight weeks versus the traditional on-site approach, helping us meet our opening day deadlines. Since then, Aruba’s software automation has ensured efficient network management on a day-to-day basis.”



    Google is backing security reviews of these key open source projects

    Google recently pledged $100 million to groups that manage open source security priorities and help fix vulnerabilities, and it has now detailed eight of the projects it has chosen to support. Just last month, the Linux Foundation announced it would directly fund people to work on the security of open-source projects. It has support from Google, Microsoft, the Open Source Security Foundation and the Linux Foundation Public Health foundation. The Linux Foundation coordinates fixes when bugs are found. The foundation and peers are looking for previously unknown security issues via security audits that will be undertaken by the Open Source Technology Improvement Fund (OSTIF). These projects include two Linux kernel security audits.


    Now Google has thrown its weight behind a chunk of OSTIF’s immediate audit plans. “Google’s support will allow OSTIF to launch the Managed Audit Program (MAP), which will expand in-depth security reviews to critical projects vital to the open source ecosystem,” said Kaylin Trychon, a security comms manager on the Google Open Source Security team. Probably the biggest of the eight audit projects Google is funding is Git, the “de facto” version control software created by Linux kernel creator Linus Torvalds, which forms the basis of platforms like GitHub and GitLab. “Git is the second-most critical application in C and the 10th-most critical application across all platforms,” OSTIF notes, adding that it is “undoubtedly one of the most critical pieces of open-source software in the world.”

    The rest are important JavaScript and Java tools and frameworks for web development, including: Lodash, a modern JavaScript utility library for web development that’s used in Chrome and other browsers; Laravel, a PHP web application framework; SLF4J or Simple Logging Facade for Java; the Jackson-core JSON for Java and the Jackson-databind package; and Httpcomponents-core and Httpcomponents-client. “The eight libraries, frameworks and apps that were selected for this round are those that would benefit the most from security improvements and make the largest impact on the open-source ecosystem that relies on them,” explained Trychon. The contribution from Google will help OSTIF find and fix bugs in key open source projects. OSTIF has identified a total of 25 MAP projects targeted for funding, including the eight that Google has funded to date. Other projects with funding pending include well-known systems and tools developers use, such as the Drupal and Joomla web content management systems, webpack, reprepro, cephs, Facebook-maintained React Native, salt, Gatsby, Google-maintained Angular, Red Hat’s Ansible, and Google’s Guava Java framework. After a meeting between US president Joe Biden and top US tech companies last month, Google announced a $10 billion commitment to expanding zero-trust programs, helping to secure software supply chains, and enhancing open source security.


    Get 3 Years of powerful, super-fast VPN Protection from HotSpot Shield for just $89

    Now that travel is becoming more normal, you may want to start thinking about a couple of things in addition to where you go and what you’ll pack. Especially if you’ll be visiting foreign destinations, you may want to learn a new language and choose a powerful VPN. So it’s a good thing you can get a great deal on three years of HotSpot Shield VPN Premium at the moment.

    When comparing VPNs, there are several different factors you need to consider. Obviously, you want one with powerful security, and HotSpot Shield has you covered. You get military-grade encryption, as well as a kill switch. So if you get disconnected from a HotSpot Shield server, you automatically get disconnected from the internet, which ensures not one single bit of your data is put at risk.

    HotSpot Shield also offers the ultimate privacy protection. There is a strict policy of zero-logging, and you are guarded against phishing attempts. Also, when traveling internationally, you don’t want to have to worry about what content is available where when you’re ready to stream your favorite shows. With over 3,200 servers spread among 80 countries, HotSpot Shield makes that a non-issue. Speed is another factor. While some VPNs have to sacrifice at least a little bit of connection speed to maintain the highest security, HotSpot Shield actually offers super-fast connections that go up to 1Gbps. So no matter what you’re doing online, you don’t have to worry about latency or buffering. As a matter of fact, there are specific gaming and streaming modes. TechRadar said HotSpot Shield had “More than twice the top speed we’ve seen from many competitors”, while Ookla’s Speedtest called it the “world’s fastest VPN” for two years in a row. You don’t want to miss this opportunity to grab an excellent bargain on three years of speedy, powerful VPN protection that includes unlimited bandwidth. Get HotSpot Shield VPN Premium: 3-Yr Subscription today while it’s available for just $89.99.



    New Go malware Capoae targets WordPress installs, Linux systems

    A new strain of malware, written in Go, has been spotted in cyberattacks launched against WordPress and Linux systems. 

    On Thursday, Larry Cashdollar, senior security researcher at Akamai, said the malware, dubbed Capoae, is written in the Golang programming language — fast becoming a firm favorite with threat actors due to its cross-platform capabilities — and spreads through known bugs and weak administrative credentials. Vulnerabilities exploited by Capoae include CVE-2020-14882, a remote code execution (RCE) flaw in Oracle WebLogic Server, and CVE-2018-20062, another RCE in ThinkPHP. The malware was spotted after a sample targeted an Akamai honeypot. A PHP malware sample arrived through a backdoor linked to a WordPress plugin called Download-monitor, installed after the honeypot’s lax credentials had been obtained through a brute-force attack. This plugin was then used as a conduit to deploy the main Capoae payload, a 3MB UPX-packed binary, to /tmp, where it was then decoded. XMRig is then installed in order to mine for the Monero (XMR) cryptocurrency. Alongside the cryptocurrency miner, several web shells are also installed, one of which is able to upload files stolen from the compromised system. In addition, a port scanner has been bundled with the miner to find open ports for further exploitation. “After the Capoae malware is executed, it has a pretty clever means of persistence,” Cashdollar says. “The malware first chooses a legitimate-looking system path from a small list of locations on a disk where you’d likely find system binaries. It then generates a random six-character filename, and uses these two pieces to copy itself into the new location on the disk and deletes itself. Once this is done, it injects/updates a Crontab entry that will trigger the execution of this newly created binary.”

    Capoae will attempt to brute-force attack WordPress installations to spread and may also utilize CVE-2019-1003029 and CVE-2019-1003030, both of which are RCE flaws impacting Jenkins, and infections have been traced to Linux servers. Cashdollar said that the Capoae campaign highlights “just how intent these operators are on getting a foothold on as many machines as possible.” Major signs of infection include high system resource use, unexpected or unrecognizable system processes in operation, and strange log entries or artifacts, such as files and SSH keys. “The good news is, the same techniques we recommend for most organizations to keep systems and networks secure still apply here,” Cashdollar commented. “Don’t use weak or default credentials for servers or deployed applications. Ensure you’re keeping those deployed applications up to date with the latest security patches and check in on them from time to time.” In a second blog post, Akamai has also examined the evolution of Kinsing, malware that utilizes known vulnerabilities in unpatched systems to operate and spread a cryptocurrency mining botnet. According to researcher Evyatar Saias, Kinsing was first spotted in February by Akamai and, at first, only targeted Linux. However, a recent upgrade has allowed the botnet to also strike Windows systems across the Americas, Asia, and Europe.
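    The persistence pattern Cashdollar describes (a copy of the binary under a random six-character name in a system binary directory, started from a crontab entry) is something a defender can hunt for directly. The following Python script is an added example written for this page; it is not Akamai’s tooling or part of the article. It parses crontab text, pulls out every absolute path in each command, and flags paths that match two heuristics: a six-character alphanumeric basename inside a standard binary directory, or a command that runs out of a world-writable temp directory such as /tmp. The sample crontab, the allowlist of known six-character binaries, and the directory lists are constructed assumptions; tune them for your own fleet.

```python
"""Hunt crontab entries for the Capoae-style persistence pattern:
a binary with a random six-character name dropped into a system binary
directory, or a job launched from a world-writable temp directory."""
import os
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Directories where a dropper would hide among legitimate system binaries (assumed list).
SYSTEM_BIN_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin", "/usr/local/sbin"}
# Staging locations that legitimate cron jobs almost never execute from (assumed list).
TEMP_DIR_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Exactly six alphanumerics: the filename shape described in the Akamai write-up.
SIX_CHAR_NAME = re.compile(r"^[A-Za-z0-9]{6}$")
# Legitimate six-character binaries an admin expects to see (constructed allowlist;
# extend it for your environment and confirm ownership with dpkg -S / rpm -qf).
KNOWN_SIX_CHAR = {"python", "docker", "uptime", "logger"}
# Absolute paths inside a command string; the lookbehind avoids matching "*/5" etc.
ABS_PATH = re.compile(r"(?<![\w./-])/[\w./-]+")


@dataclass
class Finding:
    line_no: int
    path: str
    reason: str
    line: str


def command_of(line: str, system_crontab: bool = False) -> Optional[str]:
    """Return the command field of a crontab line, or None for blanks, comments
    and variable assignments. System crontabs (/etc/crontab, /etc/cron.d/*)
    carry an extra user field between the schedule and the command."""
    s = line.strip()
    if not s or s.startswith("#") or re.match(r"^\w+=", s):
        return None
    time_fields = 1 if s.startswith("@") else 5   # "@reboot" style vs "m h dom mon dow"
    skip = time_fields + (1 if system_crontab else 0)
    parts = s.split(None, skip)
    return parts[skip] if len(parts) > skip else None


def scan_crontab(text: str, system_crontab: bool = False) -> List[Finding]:
    """Flag every absolute path in each command that matches a persistence heuristic."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        cmd = command_of(line, system_crontab)
        if cmd is None:
            continue
        for path in ABS_PATH.findall(cmd):
            name = os.path.basename(path)
            if path.startswith(TEMP_DIR_PREFIXES):
                findings.append(Finding(line_no, path, "executes from a temp directory", line.strip()))
            elif (os.path.dirname(path) in SYSTEM_BIN_DIRS
                  and SIX_CHAR_NAME.match(name) and name not in KNOWN_SIX_CHAR):
                findings.append(Finding(line_no, path, "six-character binary in system path", line.strip()))
    return findings


# Constructed sample user crontab: two Capoae-style entries, one temp-dir job,
# and two benign jobs that the heuristics must leave alone.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
SHELL=/bin/sh
0 3 * * * /usr/bin/certbot renew --quiet
*/5 * * * * /usr/sbin/Xk29fq
@reboot /usr/local/bin/qW8zLp
30 2 * * * /usr/bin/python /opt/app/report.py
* * * * * /tmp/.x/run.sh
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:   # e.g. python3 cronhunt.py /etc/crontab /etc/cron.d/*
        for name in sys.argv[1:]:
            with open(name) as fh:
                for f in scan_crontab(fh.read(), system_crontab=True):
                    print(f"{name}:{f.line_no}: {f.reason}: {f.path}")
    else:
        for f in scan_crontab(SAMPLE_CRONTAB):
            print(f"line {f.line_no}: {f.reason}: {f.path}")
```

Run it without arguments to see the three sample hits; run it against /etc/crontab and /etc/cron.d/* (system format) or the files under /var/spool/cron (user format, so pass them through `scan_crontab` with `system_crontab=False`) on a real host. A hit is a lead, not a verdict: the next step is to check whether the flagged file belongs to any installed package and compare its hash and mtime with the rest of the directory, which is where a freshly dropped copy stands out.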


    Ransomware attackers targeted app developers with malicious Office docs, says Microsoft

    Microsoft has detailed how it recently saw hackers exploiting a dangerous remote code execution vulnerability in MSHTML (also known as Trident), the rendering engine of Internet Explorer, through rigged Office documents, and how those attacks targeted developers. Microsoft security researchers discovered the flaw being actively exploited on Windows systems in August, and this week’s Patch Tuesday update included a patch for the previously unknown bug, tracked as CVE-2021-40444.

    The attacks were not widespread and the vulnerability was used as part of an early stage attack that distributed custom Cobalt Strike Beacon loaders. Cobalt Strike is a penetration testing tool. Rather than attributing the activity to state-sponsored hackers, Microsoft found the loaders communicated with infrastructure that it links to several cyber-criminal campaigns, including human-operated ransomware, according to Microsoft’s analysis of the attacks. The social-engineering lure used in some of the attacks suggested an element of deliberate targeting, Microsoft said: “The campaign purported to seek a developer for a mobile application, with multiple application development organizations being targeted.” At least one organization that was successfully compromised by this campaign was previously compromised by a wave of similarly themed malware, Microsoft said. In a later wave of activity, however, the lure changed from targeting application developers to a “small claims court” legal threat.

    The attackers in this case were using the IE rendering-engine flaw to load a malicious ActiveX control via an Office document. Despite the attack gaining access to affected devices, the attackers still relied on stealing credentials and moving laterally to affect the entire organization. Microsoft recommends customers apply Tuesday’s patch to fully mitigate the vulnerability, but also recommends hardening the network, cleaning up key credentials, and taking steps to mitigate lateral movement. Microsoft considers this attack to be the work of an emerging or “developing” threat actor and is tracking the use of the Cobalt Strike infrastructure as DEV-0365. It seems to be operated by a single operator. However, Microsoft believes that follow-on activity, for example, delivered the Conti ransomware. The software giant suggests it could be a command-and-control infrastructure that’s sold as a service to other cybercriminals. “Some of the infrastructure that hosted the oleObjects utilized in the August 2021 attacks abusing CVE-2021-40444 were also involved in the delivery of BazaLoader and Trickbot payloads — activity that overlaps with a group Microsoft tracks as DEV-0193. DEV-0193 activities overlap with actions tracked by Mandiant as UNC1878,” Microsoft notes. The BazaLoader malware has been used by malicious call center operators who use social engineering to trick targets into calling operators who attempt to persuade victims to voluntarily install malware. The groups do not use malicious links in the emails they send to targets, thereby bypassing common email-filtering rules.


    Health apps 'playing fast and loose' with user data, warns FTC chief

    The Federal Trade Commission (FTC) has warned that health apps and devices that collect or use personal health information must comply with rules requiring them to notify consumers if their health data is leaked. “Digital apps are routinely caught playing fast and loose with user data, leaving users’ sensitive health information susceptible to hacks and breaches,” said FTC chair Lina Khan.


    She pointed to a study warning of problems with health apps ranging from insecure transmission of user data, including geolocation, to unauthorized dissemination of data to advertisers and other third parties in violation of the apps’ own privacy policies. “While users have been adopting health apps at a rapid rate, the commercial owners of these apps too often fail to invest in adequate privacy and data security, leaving users exposed,” Khan said. The Commission said that health apps, which track everything from glucose levels to heart health to fertility and sleep, are collecting sensitive and personal data. Consequently, the data they collect must be secured, and unauthorized access prevented. The FTC’s Health Breach Notification Rule requires vendors of personal health records and related entities to notify consumers, the FTC, and, in some cases, the media when that data is disclosed or acquired without the consumers’ authorization.

    “In practical terms, this means that entities covered by the rule who have experienced breaches cannot conceal this fact from those who have entrusted them with sensitive health information,” the FTC said. Under the rule a ‘breach’ is not just defined by a cyberattack; unauthorized access, including sharing of covered information without an individual’s permission, also triggers notification obligations. “As many Americans turn to apps and other technologies to track diseases, diagnoses, treatment, medications, fitness, fertility, sleep, mental health, diet, and other vital areas, this Rule is more important than ever. Firms offering these services should take appropriate care to secure and protect consumer data,” the FTC said. Although the Health Breach Notification Rule has been in place for over a decade, it has never been used. And the FTC worries that, with the rise of health apps and other connected devices, there are still too few privacy protections in place. The Commission said it “intends to bring actions to enforce the rule” with violations leading to civil penalties of $43,792 per violation per day. The breach notification rule provides some accountability for tech firms that abuse our personal information, but a more fundamental problem is the commodification of sensitive health information, with companies using this data to feed behavioral ads or power user analytics, said Khan.
    “Given the growing prevalence of surveillance-based advertising, the Commission should be scrutinizing what data is being collected in the first place and whether particular types of business models create incentives that necessarily place users at risk,” she said. The FTC said a health app would be covered under the rule if it collects health information from a consumer and has the technical capacity to draw information through an API that enables syncing with a consumer’s fitness tracker.


    Australia, UK, and US form trilateral pact focused on security in Indo-Pacific

    Australia, the UK, and the US are setting up a trilateral partnership aimed at addressing defence and security concerns in the Indo-Pacific region. The security partnership, called AUKUS, will look to promote deeper information and technology sharing between the three governments, with Australian Prime Minister Scott Morrison saying the new security partnership would enhance existing networks such as ANZUS, the Quad, and the Five Eyes alliance. “We will foster deeper integration of security and defense-related science, technology, industrial bases, and supply chains. And in particular, we will significantly deepen cooperation on a range of security and defense capabilities,” the governments said in a joint statement. While the three countries didn’t mention China by name, the initiative appears to be a response to China’s expansionist drive in the South China Sea and increasing belligerence towards Taiwan. “Our world is becoming more complex, especially here in our region, the Indo-Pacific,” Morrison said on Thursday morning, alongside the respective leaders of the UK and US. Speaking from Washington DC, US President Joe Biden said the three countries needed to address “the current strategic environment in the region and how it may evolve”. “The future of each of our nations and indeed the world, depends on a free and open Indo-Pacific enduring and flourishing in the decades ahead,” Biden added.

    The first initiative AUKUS will embark on is helping Australia acquire nuclear-powered submarines. Morrison said the three countries would spend the next 18 months drawing up a joint plan to assemble the new Australian nuclear-powered submarine fleet. The submarine fleet will be built in Adelaide. UK Prime Minister Boris Johnson, meanwhile, touted the project would be “one of the most complex and technically demanding projects in the world, lasting decades and requiring the most advanced technology”. In announcing this initiative, the governments jointly said the submarines are not an attempt to acquire nuclear weapons or establish a civil nuclear capability, and that the countries would continue to meet their nuclear non-proliferation obligations. Along with the submarines, AUKUS will also look to create initiatives that increase cyber capabilities, artificial intelligence, quantum technologies, and additional undersea capabilities, the governments said. The new trilateral partnership follows the three governments, along with the North Atlantic Treaty Organization (NATO) and other nations, accusing China of being the actor responsible for the Microsoft Exchange hack back in April. Meanwhile, Australia last year did almost everything but name China as the actor responsible for cyber attacks that targeted all levels of government in Australia, as well as the private sector. “Australia doesn’t judge lightly in public attributions, and when and if we choose to do so, it is always done in the context of what we believe to be in our strategic national interest,” Morrison said at the time.