More stories


    Don't want to get hacked? Then avoid these three 'exceptionally dangerous' cybersecurity mistakes

    Using unsupported software, allowing the use of default usernames and passwords and using single-factor authentication for remote or administrative access to systems are all dangerous behaviours when it comes to cybersecurity and should be avoided by all organisations – but particularly those supporting critical infrastructure. 


    The warning comes from the US Cybersecurity and Infrastructure Security Agency (CISA), which is developing a catalogue of “exceptionally risky” behaviours that can put critical infrastructure at extra risk of falling victim to cyber attacks. Use of single-factor authentication — where users only need to enter a username and password — is the latest risky behaviour to be added to the list, with CISA warning that single-factor authentication for remote or administrative access to systems supporting the operation of critical infrastructure “is dangerous and significantly elevates risk to national security”.

    Using multi-factor authentication can help disrupt over 99 percent of cyber attacks. For critical infrastructure, it’s therefore particularly important to have it applied in order to help prevent cyber criminals from tampering with cyber-physical systems.

    Alongside single-factor authentication as a bad practice is the use of known, fixed or default passwords, which CISA describes as “dangerous”. Default or simple passwords are good for cyber criminals because there’s a much higher chance of them being able to simply guess passwords to compromise accounts. CISA also warns against the use of passwords which are known to have been breached previously, as they too provide cyber criminals with a simple means of gaining access to networks.

    The third bad practice listed by CISA is the use of unsupported or end-of-life software in critical infrastructure. Software or operating systems which no longer receive security updates are never patched against newly discovered vulnerabilities, so cyber criminals can exploit those flaws indefinitely.

    “The presence of these bad practices in organizations that support critical infrastructure…is exceptionally dangerous and increases risk to our critical infrastructure, on which we rely for national security, economic stability, and life, health, and safety of the public,” CISA said.

    CISA’s list of dangerous bad practices is designed as advice for organisations involved in running or supporting critical infrastructure – but it’s also useful advice for businesses: avoiding single-factor authentication, default passwords and unsupported software will help protect them from falling victim to cyber attacks as well.


    Verizon and Microsoft team up to offer 5G edge cloud computing for businesses

    Verizon announced on Tuesday that it will be partnering with Microsoft to offer an on-premises private edge compute solution for businesses. Leveraging Verizon 5G Edge with Microsoft Azure Stack Edge, the solution “enables the ultra-low latency needed to deploy real-time enterprise applications,” the companies said in a statement.

    Sampath Sowmyanarayan, chief revenue officer of Verizon Business, said it would allow businesses to “bring compute and storage services to the edge of the network at the customer premises, providing increased efficiencies, higher levels of security, and the low lag and high bandwidth needed for applications involving computer vision, augmented and virtual reality, and machine learning.”

    “We’re thrilled to partner with Microsoft to bring 5G Edge to enterprises, dropping latency at the edge, helping critical, performance-impacting applications respond more quickly and efficiently,” Sowmyanarayan said. “5G will usher in next-generation business applications, from core connectivity to real-time edge compute and new applications and solutions that take advantage of AI transforming nearly every industry.”

    Corporate vice president of Azure for Operators at Microsoft Yousef Khalidi added that through the partnership with Verizon, the companies would be able to provide customers with compute and storage service capabilities at the edge of customers’ networks, “enabling robust application experiences with increased security.”

    “Business innovation demands powerful technology solutions and central to this is the intersection between the network and edge,” Khalidi said.

    Verizon said the announcement builds on a collaboration with Microsoft that began in 2020 and has sought to provide retailers with a way to process information in near real time to gain actionable data-driven insights to increase inventory accuracy and power fast and flexible supply chains.

    The companies noted that businesses like Ice Mobility have already used the solution to assist with computer vision-backed product packing as a way to improve on-site quality assurance. Ice Mobility is now looking into other 5G Edge applications that can offer material automation enhancements to its business, like near real-time activity-based costing. “This solution would allow them to assign overhead and indirect costs to specific customer accounts, pick and pack lines, and warehouse activities to enhance efficiencies and improve competitiveness,” the companies explained in a statement.

    The companies believe that the solution can help manufacturers minimize their downtime, gain greater visibility into their business processes and maximize the performance of their assets.

    Ghassan Abdo, Research VP at IDC, said the announcement “aligns with IDC’s view that an on-premise, private 5G edge compute deployment model will spur the growth of compelling 4th generation industrial use cases.” “This partnership is a positive development as it leverages the technology and communications leadership of both companies,” Abdo said.


    Initial Access Broker use, stolen account sales spike in cloud service cyberattacks

    There is rising demand for the services of Initial Access Brokers (IABs) and access credentials in cloud-based cyberattacks. 

    On Tuesday, Lacework published its 2021 Cloud Threat Report vol.2, outlining how today’s cybercriminals are attempting to cut out some of the legwork involved in campaigns against cloud service providers. Over this year, the cloud security firm’s team has observed a number of trends of note in the cloud space, including increased demand for IABs.

    Initial Access Brokers, as documented by KELA, are individuals or groups which have managed to secure access to a target system. Access may have been obtained through weak, broken or stolen credentials, through an insider, or by way of a vulnerability. The average price of network access, as analyzed by the team, is currently $5,400, while the median price is $1,000, depending on the level of access obtained and the target organization.

    Ransomware groups have taken an interest in IABs, and alongside these groups, other threat actors focused on exploiting cloud services are also attempting to recruit IABs for their own ends. Lacework says that over the past few months, administrator credentials obtained by IABs appear to have become a popular resource for attackers. In addition, the scanning and probing of storage buckets, online databases, login platforms, and orchestration systems continue to increase.

    “What started as one-off marketplace postings continues to escalate as criminals begin to understand and operationalize the utility of access to cloud services above and beyond cryptocurrency mining,” the team says.

    The report also explores the latest TeamTNT criminal operation activities against cloud services. The TeamTNT botnet, first spotted back in 2020, is known to install cryptocurrency-mining malware on vulnerable containers. TeamTNT is hunting for exposed Docker APIs to deploy malicious Docker images, and in numerous cases, public Docker repositories are being taken over through compromised accounts to host malware.

    Another tactic of note is the exploitation of canary tokens. The team suspects that the legitimate canarytokens.org service, used to alert users when a resource has been accessed, has also been abused to notify ransomware operators of malware execution on a victim’s system.

    Additional points of interest include honeypot data collected by the firm, which suggests SSH, SQL, Docker, and Redis services are most commonly targeted. Tor is often employed when AWS environments are targeted; the zgrab scanner is employed to probe Docker APIs for weaknesses; and when it comes to Redis, the command line interface INFO command is most commonly used to harvest data concerning target systems.


    Cyberattackers are now quietly selling off their victim's internet bandwidth

    Cyberattackers are now targeting their victim’s internet connection to quietly generate illicit revenue following a malware infection. 

    On Tuesday, researchers from Cisco Talos said “proxyware” is being noticed in the cybercrime ecosystem and, as a result, is being twisted for illegal purposes.

    Proxyware, also known as internet-sharing applications, are legitimate services that allow users to portion out part of their internet connection for other devices, and may also include firewalls and antivirus programs. Other apps will allow users to ‘host’ a hotspot internet connection, providing them with cash every time a user connects to it. It is this format, provided by legitimate services including Honeygain, PacketStream, and Nanowire, which is being used to generate passive income on behalf of cyberattackers and malware developers.

    According to the researchers, proxyware is being abused in the same way as legitimate cryptocurrency mining software: quietly installed — either as a side component or as a main payload — and with efforts taken to try and stop a victim from noticing its presence, such as through resource use control and obfuscation.

    In cases documented by Cisco Talos, proxyware is included in multi-stage attacks. An attack chain begins with a legitimate software program bundled together with a Trojanized installer containing malicious code.

    When the software is installed, the malware is also executed. One campaign has utilized a legitimate, signed Honeygain package which was patched to also drop separate, malicious files containing an XMRig cryptocurrency miner and to redirect the victim to a landing page connected to Honeygain referral codes. Once the victim signs up for an account, this referral earns revenue for an attacker — all the while a cryptocurrency miner is also stealing computer resources.

    However, this isn’t the only method used to generate cash. In a separate campaign, a malware family was identified that tries to install Honeygain on a victim’s PC and registers the software under an attacker’s account, so any earnings are sent to the fraudster.

    “While Honeygain limits the number of devices operating under a single account, there is nothing to stop an attacker from registering multiple Honeygain accounts to scale their operation based on the number of infected systems under their control,” the researchers say.

    Another variant exploited multiple avenues, bundling not only proxyware software, but also a cryptocurrency miner and an information stealer for the theft of credentials and other valuable data.

    “This is a recent trend, but the potential to grow is enormous,” Cisco Talos says. “We are already seeing serious abuse by threat actors that stand to make a significant amount of money off these attacks. These platforms also pose new challenges for researchers, since there is no way to identify a connection through these kinds of networks — the origin IP becomes even less meaningful in an investigation.”


    Texas, California, New York, Louisiana, Missouri lead list of states with most ransomware attacks on schools: report

    Comparitech has released a new study on the number of ransomware attacks affecting schools, colleges and universities since 2018, finding the most attacks in the country’s most populous states like Texas, New York, California and Louisiana. Researchers Rebecca Moody and George Moody found that there have been a total of at least 222 ransomware attacks affecting 3,880 schools and colleges since 2018. They estimated that these attacks cost educational institutions billions in downtime and in ransom payments as ransomware groups targeted bigger school systems throughout the COVID-19 pandemic.

    In 2020 alone, Comparitech researchers tracked 77 individual ransomware attacks that affected more than 1,740 schools and colleges, “potentially impacting 1.36 million students,” according to their data.


    “Schools and colleges have suffered an estimated 1,387 days of downtime due to ransomware attacks with around 9,525 days spent on recovery efforts. 22 schools/colleges revealed the amount involved in their recovery efforts with nearly $19.2 million spent by these entities in total,” the researchers explained. “This is an average of nearly $960,000. Ransom requests varied from $5,000 to $40 million. Hackers have received at least $2.95 million in ransom payments with the average payment being $268,000. Hackers have requested at least $59.1 million in ransom payments with the average request being $2.47 million.”

    According to the data collected by Comparitech, Texas suffered the most attacks with 19 since 2018, affecting 439 schools serving more than 300,000 students. California was second with 18 attacks affecting 288 schools, followed by New York, which saw 16 attacks impacting 138 schools, and North Carolina, which dealt with 10 attacks targeting 87 schools. Louisiana, Connecticut, Illinois, Missouri and Mississippi also saw a high number of ransomware attacks affecting their educational institutions.

    For 2021, Texas has led the way with 4 ransomware attacks, followed by Mississippi, California, Missouri and New York, which all had three from January to June this year. In 2020, the 77 ransomware attacks tracked by Comparitech led to an average of seven days of downtime and more than 55 days recovering from the attack.

    “Nevada had the highest number of impacted students in 2020 with 328,991 students affected by one single breach. Hackers targeted Clark County School District, which is the fifth-largest school district in the US with 374 individual schools. As the county didn’t pay the requested ransom, the hackers (Maze) dumped student records,” the report found. “The data breach report filed says 44,139 students were thought to have been affected by this aspect of the attack. The county and its staff and students also faced ongoing system disruptions in the month that followed. Due to its larger number of attacks, Texas also had a high number of students affected–245,460 in total. This was closely followed by Virginia (195,408) and Maryland (115,038).”

    The report lists dozens of attacks on school districts — Somerset Independent School District, Union Community School District, Athens Independent School District and Affton School District to name a few — as well as attacks on university systems or colleges like The University of California San Francisco, which paid $1.14 million to NetWalker hackers, Imperial Valley College, which paid Sodinokibi hackers $55,068, and The University of Utah, which paid a ransom of $457,000. There have already been at least 39 reported ransomware attacks on educational institutions this year, and these figures do not include the Kaseya attack, which affected a number of universities tangentially.


    This phishing attack is using a sneaky trick to steal your passwords, warns Microsoft

    Microsoft has warned Office 365 customers that they’re being targeted by a widespread phishing campaign aimed at nabbing usernames and passwords. The ongoing phishing campaign is using multiple links; clicking on them results in a series of redirections that lead victims to a Google reCAPTCHA page that leads to a bogus login page where Office 365 credentials are stolen.  


    This particular attack relies on a feature of email sales and marketing tools called ‘open redirects’, which has been abused in the past to send a visitor from a trustworthy destination on to a malicious site. Google doesn’t rate open redirects for Google URLs as a security vulnerability, but it does display a ‘redirect notice’ in the browser.

    Microsoft warns this feature is being used by the phishing attackers. “However, attackers could abuse open redirects to link to a URL in a trusted domain and embed the eventual final malicious URL as a parameter. Such abuse may prevent users and security solutions from quickly recognizing possible malicious intent,” the Microsoft 365 Defender Threat Intelligence Team warns. The attack’s trick turns the standard advice to hover over a link in an email and check the destination before clicking against the user.

    “Once recipients hover their cursor over the link or button in the email, they are shown the full URL. However, since the actors set up open redirect links using a legitimate service, users see a legitimate domain name that is likely associated with a company they know and trust. We believe that attackers abuse this open and reputable platform to attempt evading detection while redirecting potential victims to phishing sites,” Microsoft warns. “Users trained to hover on links and inspect for malicious artifacts in emails may still see a domain they trust and thus click it,” it said.

    Microsoft has found over 350 unique phishing domains used in this campaign, including free email domains, compromised domains, and domains automatically created by the attacker’s domain generation algorithm. The email subject headers were tailored to the tool the attacker was impersonating, such as a calendar alert for a Zoom meeting, an Office 365 spam notification, or a notice about the widely used but ill-advised password expiry policy. While open redirects aren’t new, Microsoft hopped on the issue after noticing a phishing campaign in August that relied on spoofed Microsoft URLs.
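    The hover check Microsoft describes fails because the tooltip only shows the trusted host, while the real destination sits in a query parameter. The following added example (not code from the article, Microsoft or Google) does the check a mail filter or a trained reviewer would want: it parses each link and flags any query parameter whose value is itself an absolute URL on a different host. All hostnames in the sample links are constructed placeholders.

```python
"""Flag email links that carry a second, external URL in their query string.

Added example for the open-redirect phishing pattern described above. The
trusted host in the link is what a hover tooltip displays; the hidden
target in a parameter is where an open redirector would actually send the
user. Only the shape of the URL is inspected, nothing is fetched.
"""
from urllib.parse import parse_qsl, unquote, urlparse

# Constructed sample links (placeholder hosts), not taken from the campaign.
SAMPLE_LINKS = [
    "https://trusted-marketing.example/track?u=abc&url=https://accounts-verify.example/auth",
    "https://trusted-marketing.example/track?id=12345",
    "https://trusted-marketing.example/go?target=%2Fdocs%2Fpage",
    "https://trusted-marketing.example/go?next=//hidden-site.example/login",
]


def _fully_unquote(value: str, rounds: int = 3) -> str:
    """Undo up to a few layers of percent-encoding (links are sometimes nested)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def embedded_redirect_target(link: str):
    """Return an external absolute URL hidden in a query parameter, or None.

    Relative paths (e.g. /docs/page) are normal for redirect parameters and
    are not flagged; only http(s) URLs pointing at another host are.
    """
    outer = urlparse(link)
    for _key, raw_value in parse_qsl(outer.query, keep_blank_values=True):
        candidate = _fully_unquote(raw_value)
        # Protocol-relative values (//host/path) inherit the outer scheme.
        if candidate.startswith("//"):
            candidate = f"{outer.scheme}:{candidate}"
        inner = urlparse(candidate)
        if inner.scheme in ("http", "https") and inner.netloc:
            if inner.netloc.lower() != outer.netloc.lower():
                return candidate
    return None


def triage(link: str) -> dict:
    """Compare what the tooltip shows against where the link really leads."""
    hidden = embedded_redirect_target(link)
    return {
        "displayed_host": urlparse(link).netloc,
        "hidden_target": hidden,
        "suspicious": hidden is not None,
    }


if __name__ == "__main__":
    for sample in SAMPLE_LINKS:
        print(triage(sample))
```

For the first and last sample links the displayed host stays trusted-marketing.example while the hidden target points elsewhere, which is exactly the mismatch a hover check cannot reveal.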


    The Google reCAPTCHA verification adds to the apparent legitimacy of the site, since it is generally used by websites to confirm the user is not a bot. However, in this case the user has been redirected to a page that looks like a classic Microsoft login page and eventually leads to a legitimate page from Sophos, which does provide a service to detect this style of phishing attack.

    “If the user enters their password, the page refreshes and displays an error message stating that the page timed out or the password was incorrect and that they must enter their password again. This is likely done to get the user to enter their password twice, allowing attackers to ensure they obtain the correct password,” Microsoft says. “Once the user enters their password a second time, the page directs to a legitimate Sophos website that claims the email message has been released. This adds another layer of false legitimacy to the phishing campaign.”

    Google’s word on the matter of open redirects is that this is not a security vulnerability, though it admits it can be used to trigger other vulnerabilities. However, Google disputes the idea that hovering over a link in an app to see a destination URL is a useful phishing awareness tip.

    “Open redirectors take you from a Google URL to another website chosen by whoever constructed the link. Some members of the security community argue that the redirectors aid phishing, because users may be inclined to trust the mouse hover tooltip on a link and then fail to examine the address bar once the navigation takes place,” Google says. “Our take on this is that tooltips are not a reliable security indicator, and can be tampered with in many ways; so, we invest in technologies to detect and alert users about phishing and abuse, but we generally hold that a small number of properly monitored redirectors offers fairly clear benefits and poses very little practical risk.”


    Singapore government expands bug hunt with hacker rewards scheme

    Singapore is offering payouts of up to $5,000 for white hat hackers to uncover security vulnerabilities in systems used by the public sector. The new scheme is the latest in the government’s efforts to involve the community in assessing its ICT infrastructure.

    The Government Technology Agency (GovTech) said its new Vulnerability Rewards Programme was the third crowdsourced initiative it has adopted to enhance the security of its ICT systems. It also runs bug bounty and vulnerability disclosure programmes, the latter of which is available to the public to report potential security holes. “The three crowdsourced vulnerability discovery programmes offer a blend of continuous reporting and seasonal in-depth testing capabilities that taps the larger community, in addition to routine penetration testing conducted by the government,” GovTech said in a statement Tuesday.

    The government CIO office said the bug bounty programmes were “seasonal”, focusing on five to 10 critical and “high-profile” systems during each run. The new rewards scheme, though, would be ongoing and “continuously test” a wider range of critical ICT systems needed to deliver essential digital services, it said.

    Depending on the severity of vulnerabilities uncovered, between $250 and $5,000 would be offered to hackers that are approved to participate in the rewards programme. In addition, a special bounty of up to $150,000 could be awarded for vulnerabilities identified to potentially cause “exceptional impact” on selected systems and data. Details outlining such vulnerabilities would be provided to registered hackers and would apply only to selected government systems. According to GovTech, the special bounty would be measured against global crowdsourced vulnerability programmes, such as those run by technology vendors such as Google and Microsoft.

    The new rewards scheme would initially encompass three public-sector systems, namely SingPass and CorpPass; member e-services under the Manpower Ministry and Central Provident Fund Board; and WorkPass Integrated System 2, which is operated by the Manpower Ministry. The programme will also be extended to include more critical ICT systems progressively, GovTech said.

    Only hackers who meet a set of criteria will be permitted to participate in the rewards scheme, with checks to be conducted by bug bounty operator HackerOne. Once approved, participants would have to conduct security assessments through a designated virtual private network gateway provided by HackerOne, and their access would be withdrawn if they breached the permitted rules of engagement.

    GovTech’s assistant chief executive for governance and cybersecurity, Lim Bee Kwan, said the government agency first adopted crowdsourced vulnerability discovery programmes in 2018. Since then, it had worked with more than 1,000 hackers to identify 500 valid vulnerabilities. “The new Vulnerability Rewards Programme will allow the government to further tap the global pool of cybersecurity talents to put our critical systems to the test, keeping citizens’ data secured to build a safe and secure smart nation,” Lim said.

    As of August 2021, the Singapore government had run four bug bounties–each lasting two to three weeks–covering 33 systems. More than $100,000 had been dished out to participants. The public vulnerability disclosure programme was launched in October 2019 and has led to more than 900 reported vulnerabilities, as of March 2021, involving 59 government agencies. Of those, at least 400 were valid bugs that have since been plugged. A report last month revealed that half of vulnerabilities uncovered in 2020 via the Singapore government’s bug bounty and public disclosure programmes were valid.

    The public sector recorded a 44% increase in data incidents over the past year, though none were assessed to be of “high severity”, according to the report by the Smart Nation and Digital Government Office. Some 1,560 SingPass accounts, needed to access e-government services, were involved in a 2014 security breach where users received notifications that their passwords had been reset, despite not requesting to do so. The government then blamed the incident on the likely use of weak passwords or malware that could have been installed on the affected users’ personal devices. Two-factor authentication (2FA) was introduced the following year as part of efforts to strengthen security on the e-government platform.


    Chinese state media says online gaming for minors now limited to three hours per week

    People aged under 18 living in China will now only be allowed to play online games for three hours per week. The new mandate will see minors only be allowed to play one hour of online games on Fridays, Saturdays, Sundays, and on official holidays, according to state media outlet Xinhua. The one hour of online game time for these days will also only be allowed from 8pm to 9pm.

    The ban, issued by China’s National Press and Publication Administration (NAAP) on Monday evening, is aimed at preventing minors from becoming addicted to online gaming, the report said. In issuing the ban, the gaming regulator reportedly called for online game providers to implement real-name registration and logins, saying online game providers should not allow minors to play online games if they fail to register and log in using their real identifications. The NAAP also reportedly told Xinhua it would increase the frequency of its inspections on online gaming companies to ensure they implement time limit and anti-addiction systems.

    Prior to the latest measures, Tencent at the start of the month had already announced further restrictions for how much minors could play its flagship game Honour of Kings as part of efforts to appease government concerns. In that restriction, Honour of Kings gamers under the age of 18 had their playing time limited to one hour on regular days and two hours on public holidays.

    The expanded gaming ban is the latest among a flurry of moves China has made as part of its local crackdown on tech. In the area of online child protection alone, Beijing prosecutors have launched a civil public lawsuit against WeChat, accusing the company of not complying with laws focused on protecting minors, while the Cyberspace Administration of China passed a special action last month banning people under the age of 16 from appearing in content within online live-streaming and video platforms.

    Beyond online child protection, the Chinese government has pushed through new personal data protection laws, punished 43 apps for illegally transferring user data, and ordered local food delivery platforms to provide riders with minimum wages. It has also removed Didi from Chinese app stores and placed it under cybersecurity review, slapped Alibaba with a record 18.2 billion yuan fine, and put Tencent on notice for collecting more user data than deemed necessary when offering services.