More stories

    Howard University announces ransomware attack, shuts down classes on Tuesday

    Howard University announced on Monday that it has been hit with a ransomware attack, forcing the school to shut down classes on Tuesday, according to a statement from the prominent HBCU. The school said that on September 3, members of its technology team noticed “unusual activity” on the university’s network and shut it down in order to investigate the problem. They later confirmed it was a ransomware attack but did not say which group was behind it.

    “The situation is still being investigated, but we are writing to provide an interim update and to share as much information as we safely and possibly can at this point in time, considering that our emails are often shared within a public domain,” Howard University said in a statement. “ETS and its partners have been working diligently to fully address this incident and restore operations as quickly as possible; but please consider that remediation, after an incident of this kind, is a long haul — not an overnight solution.”

    The school has contacted law enforcement and is working with forensic experts on the issue. It says there is “no evidence of personal information being accessed or exfiltrated” but noted that the investigation is ongoing. The school was forced to cancel all classes on Tuesday in order to address the issue, and the campus is open only to essential employees. Even the campus Wi-Fi is down. Some cloud applications will remain accessible to students, and the school said it will continue to update students and faculty at 2pm each day.

    “This is a moment in time for our campus when IT security will be at its tightest. We recognize that there has to be a balance between access and security; but at this point in time, the University’s response will be from a position of heightened security,” the school added.

    “This is a highly dynamic situation, and it is our priority to protect all sensitive personal, research and clinical data. We are in contact with the FBI and the D.C. city government, and we are installing additional safety measures to further protect the University’s and your personal data from any criminal ciphering. You will receive additional communications from ETS over the course of the next few hours and continuing into the next few days, especially surrounding phishing attempts and how to protect your data online beyond the Howard University community.”

    Howard University becomes yet another major educational institution to face a ransomware attack. Emsisoft researchers found that there was a 388% increase in successful ransomware attacks on the education sector between the second and third quarters of 2020. Comparitech researchers Rebecca Moody and George Moody found that there have been a total of at least 222 ransomware attacks affecting 3,880 schools and colleges since 2018.

    “Schools and colleges have suffered an estimated 1,387 days of downtime due to ransomware attacks with around 9,525 days spent on recovery efforts. 22 schools/colleges revealed the amount involved in their recovery efforts with nearly $19.2 million spent by these entities in total,” the researchers explained. “This is an average of nearly $960,000. Ransom requests varied from $5,000 to $40 million. Hackers have received at least $2.95 million in ransom payments with the average payment being $268,000. Hackers have requested at least $59.1 million in ransom payments with the average request being $2.47 million.”

    According to the report, there have already been at least 39 reported ransomware attacks on educational institutions this year, and these figures do not include the Kaseya attack, which affected a number of universities tangentially. Emsisoft threat analyst Brett Callow put the number even higher for 2021, at 62 US educational institutions that have been hit with ransomware.

    Cerberus Sentinel vice president Chris Clements said educational institutions, and especially universities, are popular targets for ransomware gangs because they are typically soft targets for cybercriminals to penetrate and have sprawling, disparate technology projects that can remain unpatched or orphaned with no centralized oversight by IT. “Overly permissive access and permissions is another common issue in higher education organizations that can easily be exploited by attackers if they gain access to a single user account. Secondly, ransomware gangs know that universities, despite being famous for budget issues, can produce huge amounts of money to pay ransoms when forced to,” Clements said. “This combination of relative ease of compromise and high ability to pay out extortion demands make universities incredibly lucrative targets for cybercriminals.”

    Tim Erlin, vice president of strategy at Tripwire, told ZDNet that universities are tough environments to secure. “Their populations vary greatly over the course of a year. They accept all kinds of devices into their networks, both from staff and students. And they change out their users at a high rate as students graduate and matriculate,” Erlin explained. “Not many other IT organizations have to deal with all of these factors.”

    Jenkins project attacked through Atlassian Confluence vulnerability

    Jenkins, a leading open source automation server, announced on Saturday that its deprecated Confluence service was successfully attacked through the Confluence CVE-2021-26084 exploit — something that US Cybercom warned of in a notice last week.

    In a statement, Jenkins documentation officer Mark Waite explained that the affected server was taken offline and the team is investigating the impact of the issue. “At this time we have no reason to believe that any Jenkins releases, plugins, or source code have been affected. Thus far in our investigation, we have learned that the Confluence CVE-2021-26084 exploit was used to install what we believe was a Monero miner in the container running the service,” Waite wrote. “From there an attacker would not be able to access much of our other infrastructure. Confluence did integrate with our integrated identity system which also powers Jira, Artifactory, and numerous other services.”

    Waite added that there is no indication that any developer credentials were taken during the attack but that they “cannot assert otherwise and are therefore assuming the worst.” Jenkins said that until it re-establishes a “chain of trust with our developer community,” it will be preventing releases. Every account password has been reset and the Jenkins infrastructure team has permanently disabled the Confluence service. The team has also rotated privileged credentials and taken measures to reduce the scope of access across its infrastructure.

    “We are working closely with our colleagues at the Linux Foundation and the Continuous Delivery Foundation to ensure that infrastructure which is not directly managed by the Jenkins project is also scrutinized,” Waite noted. “In October 2019 we made the Confluence server read-only effectively deprecating it for day-to-day use within the project. At that time, we began migrating documentation and changelogs from the wiki to GitHub repositories. That migration has been ongoing, with hundreds of plugins and many other documentation pages moved from the wiki to GitHub repositories.”

    The notice comes after multiple IT leaders took to social media to confirm that CVE-2021-26084 was indeed being exploited. Atlassian updated its notice — released on August 25 — to confirm that the vulnerability is being actively exploited in the wild. “Affected servers should be patched immediately. The vulnerability is exploitable by unauthenticated users regardless of configuration,” Atlassian added to its previous notice.

    US Cybercom caused a stir when it tweeted on Friday, “Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate. Please patch immediately if you haven’t already — this cannot wait until after the weekend.” BleepingComputer confirmed on Thursday that some threat actors are installing cryptominers on both Windows and Linux Confluence servers using the vulnerability.

    Shawn Smith, director of infrastructure at nVisium, told ZDNet that the Atlassian Confluence vulnerability is “definitely still being exploited.” “If we look at the list of versions that are vulnerable, it includes nearly every version — all the way back to the 4.x.x line, which was originally released in 2011. Looking at the early details, we know that nearly 15,000 servers were present online before the vulnerability disclosure — and eight days later that number had dropped by less than 4,000,” Smith said. “Now, we’re only an additional five days beyond that and it’s unlikely that a significant number of servers were patched, especially considering it was a holiday weekend in the United States.”

    Cybersecurity company Censys updated its own blog post on Sunday to say that the number of vulnerable Confluence instances dropped from 11,689 to 8,597 since last Thursday. Bad Packets reported that CVE-2021-26084 exploit activity was being detected from hosts based in Russia targeting its Atlassian Confluence honeypots. It previously said it had “detected mass scanning and exploit activity from hosts in Brazil, China, Hong Kong, Nepal, Romania, Russia and the US targeting Atlassian Confluence servers vulnerable to remote code execution.”

    ProtonMail CEO says services must comply with laws unless based 15 miles offshore

    Hosted email service provider ProtonMail has responded to criticism about its end-to-end encryption capabilities after French authorities obtained the IP address of a French climate activist who used the company’s services. ProtonMail founder and CEO Andy Yen said all companies have to comply with laws, such as court orders, so long as they operate within 15 miles of land. “No matter what service you use, unless it is based 15 miles offshore in international waters, the company will have to comply with the law,” Yen said in a blog post.

    First reported by TechCrunch, the data collection performed by French authorities was part of an investigation into a group of climate activists who have occupied a number of apartments and commercial spaces in Paris. According to ProtonMail, French authorities, with the help of Europol, were able to acquire the IP address by obtaining approval from Swiss courts. After Swiss courts issued the legal order, ProtonMail was required to log IP information on a climate activist’s account, which was then provided to French authorities and led to the individual being identified and arrested.

    Yen said that while ProtonMail is not subject to French or EU requests, because it is based in Switzerland, it still must comply with requests from Swiss authorities. “Proton can be forced to collect information on accounts belonging to users under Swiss criminal investigation. This is obviously not done by default, but only if Proton gets a legal order for a specific account,” the company said. “The internet is generally not anonymous, and if you are breaking Swiss law, a law-abiding company such as ProtonMail can be legally compelled to log your IP address.”

    Yen noted that ProtonMail does not collect the identity of its users, and user data is encrypted, so the activist’s emails, attachments, calendars, and files were not accessed by French authorities; Swiss law does not require the company to collect such information. Certain court orders can, however, compel ProtonMail to delay notifying users about their private data being used in criminal proceedings, according to the company’s law enforcement page.

    When stating the requirements that ProtonMail must follow under Swiss law, Yen also took the opportunity to criticise the approach taken by French authorities to acquire the IP address. “We are on your side, and our shared fight is with the authorities and the unjust laws we have been campaigning against for years. The prosecution in this particular case was very aggressive. Unfortunately, this is a pattern we have increasingly seen in recent years around the world,” Yen said. According to ProtonMail’s most recent transparency report, the number of orders the company receives from Swiss authorities has grown exponentially, rising from 13 in 2017 to 3,572 last year. Of the 3,572 orders it received last year, 195 were foreign requests.

    Zero trust and cybersecurity: Here's what it means and why it matters

    It seems that every tech security vendor is talking up ‘zero trust’ as an answer to increasingly dangerous cyberattacks, but UK cybersecurity experts warn customers its definition is a bit slippery and they should proceed with caution. The UK’s National Cyber Security Centre (NCSC) this week said zero trust has become a “very fashionable term” in the tech world. To address the slipperiness of its definition, NCSC has outlined a few traps and pitfalls that organizations running a zero trust migration should be mindful of. 

    So what is zero trust, according to the NCSC? “Zero trust is the idea of removing inherent trust from the network. Just because a device is within the internal “trusted” side of a firewall or VPN, it should not be trusted by default,” it explains in a new blogpost. “Instead, you should look to build confidence in the various transactions occurring. You can do this by developing a context through the inspection of a number of signals. These signals are pieces of information like device health or location, and can give the confidence needed to grant access to a resource.”

    However, NCSC acknowledges that not every organization will be ready to adopt a zero trust architecture. It also stressed it isn’t a standard or specification, but rather “an approach to designing a network” — meaning it can be difficult to know if you’re doing it right.

    On top of this, there may be direct and indirect costs that arise from a migration to a zero trust network design. Direct costs include new products, devices, and services. Indirect costs include training engineers, new licensing costs, and subscriptions. NCSC notes that these ongoing costs could, however, be less than the cost of maintaining and refreshing existing network services.

    “Moving to a zero trust architecture can be a very disruptive exercise for an organisation,” NCSC warns. “It can take several years to migrate to a “fully zero trust” model due to the extent to which changes may need to be made across your enterprise. Defining an end state for a migration is difficult when the model you’re aiming for may evolve during rollout.”

    There are also broader implications for the many organizations that run big systems that just don’t mesh with zero trust concepts, for example a legacy payroll system that lacks modern authentication methods, such as two-factor authentication. Then there are products and services that don’t mesh well with zero trust, such as BYOD architectures. Organizations could have difficulties assessing whether devices are secure without intruding on the privacy of workers. Alternatively, an air-gapped network might not be able to use a cloud-based zero trust service. Finally, NCSC warns of vendor lock-in and cloud lock-in that may restrict an organization’s ability to move some systems to other services in the future.

    Just last week, Google announced a $10 billion commitment to help the US improve the security of critical infrastructure after a meeting with US president Joe Biden. Microsoft committed $20 billion. Both companies are focusing on zero trust capabilities to address recent software supply chain and ransomware attacks on critical infrastructure. IBM is also boosting its zero trust services through the relatively new category of Secure Access Service Edge (SASE) services. All three, along with 15 more vendors, are working with the US NIST to create benchmarks for zero trust architectures.

    NCSC lays out five reasons why zero trust might be a good philosophy to adopt:

    • In a zero trust model, every action a user or device takes is subject to some form of policy decision. This allows the organisation to verify every attempt to access data or resources, “making life very difficult for an attacker”.
    • Zero trust allows strong authentication and authorisation, while reducing the network overhead of extending your corporate network out into your users’ homes.
    • Some zero trust security controls can enable a much better user experience. For example, by using single sign-on users only have to enter credentials once, rather than every time they want to use a different application.
    • Greater control over data access means you can grant access to specific data to the right audience.
    • Enhancing your logging capability to include events from user devices and services gives you a much richer picture of what’s happening in your environment, allowing you to detect compromises with more accuracy.
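    As an added illustration (not code from NCSC or from the article), the following policy decision function shows what “building confidence from signals” looks like in practice: each request is scored from device health, device management state, location and authentication strength, while whether the request comes from inside the corporate network is given no weight at all. Resource names, signal weights and thresholds are made up for illustration.

```javascript
// Added example, not NCSC's or the article's code. A minimal policy decision
// point: access is granted on confidence built from signals, never on network
// location. Resource names, weights and thresholds below are made up.

// Per-resource policy: confidence required (0-100) and whether MFA is mandatory.
const RESOURCE_POLICY = {
  'hr-records': { minConfidence: 80, requireMfa: true },
  'team-wiki':  { minConfidence: 50, requireMfa: false },
};

// Signal weights; they sum to 100. There is deliberately no "onCorporateNetwork"
// entry: being inside the firewall adds nothing, which is the point of zero trust.
const WEIGHTS = {
  deviceHealthy: 40,  // patched OS, disk encryption on, endpoint agent reporting
  deviceManaged: 20,  // enrolled in the organisation's device management
  usualLocation: 15,  // sign-in region matches the user's recent history
  mfaPresent:    25,  // strong authentication completed for this session
};

// Turn a signal set into a confidence score, recording which signals were absent.
function scoreSignals(signals) {
  let confidence = 0;
  const reasons = [];
  for (const [name, weight] of Object.entries(WEIGHTS)) {
    if (signals[name] === true) confidence += weight;
    else reasons.push(`missing:${name}`);
  }
  return { confidence, reasons };
}

// Decide 'allow', 'step-up' (require MFA or device remediation first) or 'deny'.
function decideAccess(request) {
  const policy = RESOURCE_POLICY[request.resource];
  if (!policy) return { decision: 'deny', confidence: 0, reasons: ['unknown-resource'] };

  const { confidence, reasons } = scoreSignals(request.signals);

  // A device that positively reports unhealthy is refused whatever else it offers.
  if (request.signals.deviceHealthy === false) {
    return { decision: 'deny', confidence, reasons: ['device-unhealthy', ...reasons] };
  }
  if (policy.requireMfa && request.signals.mfaPresent !== true) {
    return { decision: 'step-up', confidence, reasons: ['mfa-required', ...reasons] };
  }
  if (confidence < policy.minConfidence) {
    return { decision: 'step-up', confidence, reasons: ['low-confidence', ...reasons] };
  }
  return { decision: 'allow', confidence, reasons };
}

// Every decision becomes a structured log event carrying user and device context,
// the richer picture the article's fifth point describes.
function decisionEvent(request, result, timestamp = '1970-01-01T00:00:00.000Z') {
  return {
    ts: timestamp,
    user: request.user,
    device: request.deviceId,
    resource: request.resource,
    decision: result.decision,
    confidence: result.confidence,
    reasons: result.reasons,
  };
}

// Constructed requests for illustration: one user and device, differing only in
// the signals presented. onCorporateNetwork is carried along but never scored.
const HEALTHY_MFA    = { deviceHealthy: true, deviceManaged: true, usualLocation: true, mfaPresent: true };
const HEALTHY_NO_MFA = { deviceHealthy: true, deviceManaged: true, usualLocation: true, mfaPresent: false };

function sampleRequest(resource, signals, onCorporateNetwork) {
  return { user: 'alice@example.test', deviceId: 'laptop-0001', resource, signals: { ...signals, onCorporateNetwork } };
}

if (typeof require !== 'undefined' && require.main === module) {
  const cases = [['hr-records', HEALTHY_MFA], ['hr-records', HEALTHY_NO_MFA], ['team-wiki', HEALTHY_NO_MFA]];
  for (const [resource, signals] of cases) {
    const req = sampleRequest(resource, signals, true);
    console.log(JSON.stringify(decisionEvent(req, decideAccess(req))));
  }
}
```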

    This NPM package with millions of weekly downloads has fixed a remote code execution flaw

    A very popular NPM package called ‘pac-resolver’ for the JavaScript programming language has been fixed to address a remote code execution flaw that could affect a lot of Node.js applications. The flaw in the pac-resolver dependency was found by developer Tim Perry, who notes it could have allowed an attacker on a local network to remotely run malicious code inside a Node.js process whenever an operator tried to send an HTTP request. Node.js is the popular JavaScript runtime for running JavaScript web applications.

    “This package is used for PAC file support in Pac-Proxy-Agent, which is used in turn in Proxy-Agent, which is then used all over the place as the standard go-to package for HTTP proxy autodetection & configuration in Node.js,” explains Perry.

    PAC, or “Proxy-Auto Config”, refers to PAC files written in JavaScript to distribute complex proxy rules that instruct an HTTP client which proxy to use for a given hostname, notes Perry, adding that these are widely used in enterprise systems. They’re distributed from local network servers and from remote servers, often insecurely over HTTP rather than HTTPS. It’s a widespread issue as Proxy-Agent is used in the Amazon Web Services Cloud Development Kit (CDK), the Mailgun SDK and Google’s Firebase CLI. The package gets three million downloads per week and has 285,000 public dependent repos on GitHub, Perry notes in a blogpost.

    The vulnerability was fixed in v5.0.0 of all those packages recently and was marked as CVE-2021-23406 after it was disclosed last week. It will mean a lot of developers with Node.js applications are potentially affected and will need to update to version 5.0. It affects anyone who depends on Pac-Resolver prior to version 5.0 in a Node.js application, if developers have done any of three configurations:

    • Explicitly use PAC files for proxy configuration
    • Read and use the operating system proxy configuration in Node.js, on systems with WPAD enabled
    • Use proxy configuration (env vars, config files, remote config endpoints, command-line arguments) from any other source that you wouldn’t 100% trust to freely run code on your computer

    “In any of those cases, an attacker (by configuring a malicious PAC URL, intercepting PAC file requests with a malicious file, or using WPAD) can remotely run arbitrary code on your computer any time you send an HTTP request using this proxy configuration,” notes Perry.
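    As an added example (not the article’s or the pac-resolver project’s code), the script below audits an npm lockfile for the three packages the article names and flags any copy installed below the v5.0.0 fix release, which is the check a developer would run to learn whether CVE-2021-23406 reaches their application through a transitive dependency. The lockfile contents are constructed samples; the package names and fix version come from the article.

```javascript
// Added example, not from the article or the pac-resolver project: audit an npm
// lockfile for pre-5.0.0 copies of the packages the article names as fixed in
// v5.0.0 (CVE-2021-23406). Lockfile contents below are constructed samples.

const AFFECTED = new Set(['pac-resolver', 'pac-proxy-agent', 'proxy-agent']);
const FIXED_VERSION = '5.0.0'; // fix release named in the article

// Parse the numeric MAJOR.MINOR.PATCH prefix; prerelease and build tags are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Lockfile v1: "dependencies" is a tree of nested objects. Record every package
// together with the dependency chain that pulled it in.
function walkV1(deps, prefix, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = prefix ? `${prefix} > ${name}` : name;
    out.push({ name, version: info.version, path });
    walkV1(info.dependencies, path, out);
  }
}

// Lockfile v2/v3: "packages" is flat, keyed by install path such as
// "node_modules/proxy-agent/node_modules/pac-resolver". The package name is the
// segment after the last "node_modules/"; the chain is the list of segments.
function walkV2(packages, out) {
  const marker = 'node_modules/';
  for (const [key, info] of Object.entries(packages || {})) {
    if (key === '') continue; // the root project entry
    const segments = key.split(marker).filter(Boolean).map(s => s.replace(/\/$/, ''));
    out.push({ name: segments[segments.length - 1], version: info.version, path: segments.join(' > ') });
  }
}

// Return every affected package installed below the fix release, in lockfile
// order, so each finding names the dependency chain that has to be updated.
function findVulnerablePacResolver(lockfile) {
  const installed = [];
  if (lockfile.packages) walkV2(lockfile.packages, installed);
  else walkV1(lockfile.dependencies, '', installed);
  return installed
    .filter(p => AFFECTED.has(p.name) && p.version && compareVersions(p.version, FIXED_VERSION) < 0)
    .map(p => ({ ...p, fixedIn: FIXED_VERSION }));
}

// Constructed v1 lockfile: a direct proxy-agent already on the fix release, and
// an SDK that transitively pins pre-fix pac-proxy-agent and pac-resolver.
const SAMPLE_LOCKFILE_V1 = {
  name: 'example-app', version: '1.0.0', lockfileVersion: 1,
  dependencies: {
    'proxy-agent': { version: '5.0.0' },
    'some-sdk': {
      version: '1.2.3',
      dependencies: {
        'pac-proxy-agent': { version: '4.1.0', dependencies: { 'pac-resolver': { version: '4.2.0' } } },
      },
    },
  },
};

// Constructed v2 lockfile using the flat "packages" layout.
const SAMPLE_LOCKFILE_V2 = {
  name: 'example-app', version: '1.0.0', lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/example-util': { version: '1.3.0' },
    'node_modules/proxy-agent': { version: '4.0.1' },
    'node_modules/proxy-agent/node_modules/pac-resolver': { version: '4.1.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const lock of [SAMPLE_LOCKFILE_V1, SAMPLE_LOCKFILE_V2]) {
    for (const hit of findVulnerablePacResolver(lock)) {
      console.log(`${hit.path}@${hit.version} is below ${hit.fixedIn}; update this chain`);
    }
  }
}
```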

    This is the perfect ransomware victim, according to cybercriminals

    Researchers have explored what the perfect victim looks like to today’s ransomware groups.

    On Monday, KELA published a report on listings made by ransomware operators in the underground, including access requests — the way to gain an initial foothold into a target system — revealing that many want to buy a way into US companies with a minimum revenue of over $100 million. Initial access is now big business. Ransomware groups such as Blackmatter and Lockbit may cut out some of the legwork involved in a cyberattack by purchasing access, including working credentials or the knowledge of a vulnerability in a corporate system.  When you consider a successful ransomware campaign can result in payments worth millions of dollars, this cost becomes inconsequential — and can mean that cybercriminals can free up time to strike more targets.  The cybersecurity company’s findings, based on observations in dark web forums during July 2021, suggest that threat actors are seeking large US firms, but Canadian, Australian, and European targets are also considered.  Russian targets are usually rejected immediately, and others are considered “unwanted” — including those located in developing countries — likely because potential payouts are low.  Roughly half of ransomware operators will, however, reject offers for access into organizations in the healthcare and education sector, no matter the country. In some cases, government entities and non-profits are also off the table.

    In addition, there are preferred methods of access. Remote Desktop Protocol (RDP)- and Virtual Private Network (VPN)-based access proved popular, specifically access to products developed by companies including Citrix, Palo Alto Networks, VMware, Cisco, and Fortinet. “As for the level of privileges, some attackers stated they prefer domain admin rights, though it does not seem to be critical,” the report states.

    KELA also found offerings for e-commerce panels, unsecured databases, and Microsoft Exchange servers — although these may be more appealing for data stealers and criminals attempting to implant spyware and cryptocurrency miners. “All these types of access are undoubtedly dangerous and can enable threat actors to perform various malicious actions, but they rarely provide access to a corporate network,” the researchers noted. Roughly 40% of listings were created by players in the Ransomware-as-a-Service (RaaS) space.

    Ransomware operators are willing to pay, on average, up to $100,000 for valuable initial access services. In a past study, KELA observed another trend of note in the ransomware space: increasing demand for negotiators. RaaS operators are attempting to better monetize the stage of an attack when a victim will contact ransomware operators to negotiate a payment, but as language barriers can cause miscommunication, ransomware groups are trying to secure new team members able to manage conversational English. Intel 471 has also found that cybercriminals involved in Business Email Compromise (BEC) scams are trying to recruit native English speakers. As phishing email red flags include poor grammar and spelling mistakes, scam artists are trying to avoid being detected at the first hurdle by paying English speakers to write convincing copy.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

    Cybersecurity is tough work, so beware of burnout

    Working in cybersecurity can be challenging, but it’s important for information security professionals to maintain a healthy work/life balance – otherwise they risk burnout. All parts of the technology industry have their own pressures, but the demand on security staff has certainly increased recently. Businesses of all sizes need a cybersecurity team to help keep users secure and the organisation safe from phishing, malware, ransomware, and other cyber threats. Defending the network against data breaches and cyber criminals was already tricky, but things have only got tougher in the past 18 months as many cybersecurity teams have needed to adapt to the rise of remote working, which has made keeping users safe from online threats even more difficult.

    On top of that, many cybersecurity staff are doing this activity while working from home themselves, an environment that can make it difficult to separate working life from home life. It’s become common for people to work extra hours now their day isn’t being broken up by travelling to and from an office, and research has identified increasing hours and workloads in cybersecurity – already a high intensity environment for people to work in.

    While many security professionals feel as if working those extra hours is necessary to help keep the business secure and safe from cyberattacks, it could be coming at the cost of their own wellbeing. Cybersecurity workers get a real buzz out of solving problems, John Donovan, chief information security officer at Malwarebytes, told the ZDNet Security Update video series. “But I think we’ve got to balance that – there are definitely some folks on the team who do handle it well, but even they need to remember to take a break and to deal with their stress,” he said.

    In order to help this process along, human resources teams or senior managers need to get involved to encourage people to take breaks and make sure that they’re not working overly long hours. “If you have a people or human resources team, it’s really important to take in the human element, not just for cybersecurity training and awareness, but making sure that people are taking care of their mental health, making sure that people do take time off, and when you take time off, to actually really take time off,” said Donovan.

    Small tweaks can help. For staff working remotely, for example, it could be useful to mark holidays, breaks and lunchtime in the calendar, so there’s actually an alert reminding them that they should step away from the screen for a bit. Doing this can help staff better divide up their work time and their personal time. Not only is this good for the mental wellbeing of people in cybersecurity; being well rested and in a good place will also help if they do need to react to a cybersecurity incident. “It’s important to make sure that you figure out how to have that work/life balance, because you’re not going to be any good if you’re stressed out when that big incident happens. You need to be ready and prepared to take it on,” said Donovan.

    Apple slams the brakes on plans to scan user images for child abuse content

    Apple has paused plans to scan devices for child abuse and exploitation material after the tool prompted concern among users and privacy groups.  

    Announced last month, the new safety features were intended for inclusion in iOS 15, iPadOS 15, watchOS 8, and macOS Monterey. The first was a feature for monitoring the Messages application, with client-side machine learning implemented to scan and alert when sexually explicit images are sent, asking the user whether or not they want to view the material. “As an additional precaution, the child can also be told that, to make sure they are safe, their parents will get a message if they do view it,” the company explained. The second batch of changes impacted Siri and Search, with updates included to provide additional information for parents and children to warn them when they stumbled into “unsafe” situations, as well as to “intervene” if a search for Child Sexual Abuse Material (CSAM) was performed by a user. The third was a CSAM-scanning tool, touted as a means to “protect children from predators who use communication tools to recruit and exploit them.”

    According to the iPhone and iPad maker, the tool would use cryptography “to help limit the spread of CSAM online” while also catering to user privacy. Images would not be scanned in the cloud; rather, on-device matching would be performed in which images would be compared against hashes linked to known CSAM images. “CSAM detection will help Apple provide valuable information to law enforcement on collections of CSAM in iCloud Photos,” the company said. “This program is ambitious, and protecting children is an important responsibility. These efforts will evolve and expand over time.”

    In a technical paper (.PDF) describing the tool, Apple said: “CSAM Detection enables Apple to accurately identify and report iCloud users who store known CSAM in their iCloud Photos accounts. Apple servers flag accounts exceeding a threshold number of images that match a known database of CSAM image hashes so that Apple can provide relevant information to the National Center for Missing and Exploited Children (NCMEC). This process is secure, and is expressly designed to preserve user privacy.”

    However, the scanner proved controversial online, prompting criticism from privacy advocates and cryptography experts. Matthew Green, associate professor at the Johns Hopkins Information Security Institute and a cryptography expert, said the implementation of cryptography to scan for images containing specific hashes could become “a key ingredient in adding surveillance to encrypted messaging systems.” While created with good intentions, such a tool could become a powerful weapon in the wrong hands, such as those of authoritarian governments and dictatorships.

    The Electronic Frontier Foundation also slammed the plans and launched a petition to put pressure on Apple to backtrack. At the time of writing, the plea has over 27,000 signatures. Fight for the Future and OpenMedia also launched similar petitions.

    On September 3, Apple said the rollout has been halted in order to take “additional time” to analyze the tools and their potential future impact. “Previously we announced plans for features intended to help protect children from predators who use communication tools to recruit and exploit them and to help limit the spread of Child Sexual Abuse Material,” Apple said. “Based on feedback from customers, advocacy groups, researchers, and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features.”

    Green said it was a positive move on Apple’s part to take the time to consider the rollout. The EFF said it was “pleased” with Apple’s decision, but added that listening is not enough — the tech giant should “drop its plans to put a backdoor into its encryption entirely.” “The features Apple announced a month ago, intending to help protect children, would create an infrastructure that is all too easy to redirect to greater surveillance and censorship,” the digital rights group says. “These features would create an enormous danger to iPhone users’ privacy and security, offering authoritarian governments a new mass surveillance system to spy on citizens.”