More stories

  • This ransomware has returned with new techniques to make attacks more effective

    There’s been a rise in cyber attacks using a form of ransomware that first appeared almost two years ago. But despite being relatively old, it’s still proving successful for cyber criminals. Cybersecurity researchers at Trend Micro have detailed an increase in LockBit ransomware campaigns since the start of July. This ransomware-as-a-service first appeared in September 2019 and has been relatively successful, but has seen a surge in activity this summer.  

    In adverts on underground forums, LockBit’s authors claim that LockBit 2.0 is one of the fastest file-encrypting ransomware variants in the market today. And those claims have proven interesting to cyber criminals seeking to make money from ransomware. Trend Micro researchers have seen a number of LockBit ransomware campaigns in recent weeks, predominantly targeting organisations in Chile, but also the UK, Italy and Taiwan. While LockBit has remained under the radar for much of this year, it hit the headlines with an attack against professional services firm Accenture. LockBit also appears to have benefited from the apparent disappearance of ransomware gangs including REvil and Darkside, with a significant number of affiliates of those operators turning towards LockBit as their new means of performing ransomware attacks. The attackers often gain entry to networks using compromised Remote Desktop Protocol (RDP) or VPN accounts which have been leaked or stolen; alternatively, LockBit attacks sometimes attempt to recruit insiders to help gain access through legitimate login credentials.

    LockBit has also gained success by following in the footsteps of prominent ransomware groups, using certain tactics, techniques and procedures (TTPs) during attacks. For example, LockBit now uses Ryuk’s Wake-on-LAN feature, sending packets to wake offline devices in order to help move laterally around networks and compromise as many machines as possible. LockBit also uses a tool previously deployed by Egregor ransomware, using printers on the network to print out ransom notes. “They were heavily influenced by the Maze ransomware gang and when they shut down, they appear to have shifted their focus to Ryuk and Egregor ransomware gangs’ TTPs,” Jon Clay, VP of threat intelligence at Trend Micro, told ZDNet. “What we can take away from this is many malicious actor gangs likely follow the news of how successful other gangs are and look to model their TTPs themselves. Ransomware has evolved over time in order to continue to be successful for its creators,” he added. Like many of the most disruptive ransomware variants, LockBit also adds a double extortion element to attacks, stealing data from the victim and threatening to leak it if the ransom isn’t paid within a set period. “The LockBit gang has been around for a while now and continues to update their TTPs in order to have successful attack campaigns,” said Clay. It’s expected that LockBit ransomware attacks will continue to be a cybersecurity threat for some time, particularly given that the group is actively advertising for additional affiliates. But while ransomware groups are aggressively persistent, there are actions which information security teams can take to help protect networks from attack. This includes applying the latest security patches and updates to operating systems and software, so cyber criminals can’t exploit known vulnerabilities to help launch attacks.

    Organisations should also apply multi-factor authentication across the network, making it harder for cyber criminals to use stolen credentials to help facilitate attacks.

  • GitHub pushes users to enable 2FA following end of password authentication for Git operations

    GitHub is urging its base of users to enable two-factor authentication as the platform shakes up how it protects accounts from compromise. 


    In a blog post this week, GitHub’s Mike Hanley explained that beginning on August 13, GitHub stopped accepting account passwords when authenticating Git operations. The platform now requires people to use stronger authentication factors like personal access tokens, SSH keys, or OAuth or GitHub App installation tokens for all authenticated Git operations on GitHub.com. Hanley added that in addition to ditching passwords, GitHub has taken other measures like investing in verified devices, preventing the use of compromised passwords, supporting WebAuthn and more. GitHub announced the move in December. “If you have not done so already, please take this moment to enable 2FA for your GitHub account. The benefits of multifactor authentication are widely documented and protect against a wide range of attacks, such as phishing,” Hanley said. “There are a number of options available for using 2FA on GitHub, including: physical security keys, such as YubiKeys; virtual security keys built in to your personal devices, such as laptops and phones that support WebAuthn-enabled technologies, like Windows Hello or Face ID/Touch ID; Time-based One-Time Password (TOTP) authenticator apps; Short Message Service (SMS).” Hanley added that GitHub was pushing users to take advantage of security keys or TOTPs instead of SMS, noting that it “does not provide the same level of protection and it is no longer recommended under NIST 800-63B.” According to Hanley, the strongest methods involve the WebAuthn secure authentication standard, some of which may even include physical security keys.

    “We are excited and optimistic about WebAuthn, which is why we have invested early and will continue to invest in it at GitHub,” Hanley said. Hanley went on to explain that once a user secures their account, they can also use a GPG key stored on their security key to digitally sign their git commits. Mark Risher, senior director of product management for Google’s Identity and Security Platforms, told ZDNet that they were excited to see GitHub move beyond passwords and instead opt for strong authentication for secure sign-in. Google has been one of the leading companies behind the effort to make passwords a thing of the past. “Passwords alone are simply no longer enough for sensitive and high-risk activities; they’re too difficult to manage and too easy to steal,” Risher said. “Strong authentication has become not just important but essential to better protecting our accounts, so GitHub’s move is a huge step in the right direction, especially as we look toward a future without passwords.”

  • T-Mobile says information of more than 48 million customers leaked in breach

    T-Mobile has released an update on the recent claims that a hacker gained access to the names, addresses, PIN numbers, social security numbers and more of millions of T-Mobile customers. While initially denying the hacker’s claims that they had the information of 100 million T-Mobile customers, the telecom giant admitted that more than eight million customers had their information lost in the cyberattack. “Our preliminary analysis is that approximately 7.8 million current T-Mobile postpaid customer accounts’ information appears to be contained in the stolen files, as well as just over 40 million records of former or prospective customers who had previously applied for credit with T-Mobile. Importantly, no phone numbers, account numbers, PINs, passwords, or financial information were compromised in any of these files of customers or prospective customers,” T-Mobile’s public relations team said in a statement. “At this time, we have also been able to confirm approximately 850,000 active T-Mobile prepaid customer names, phone numbers and account PINs were also exposed.” The company said it will be sending out letters to victims and is offering affected customers two years of free identity protection services with McAfee’s ID Theft Protection Service. They also urged all T-Mobile postpaid customers to change their PIN numbers through their T-Mobile account online or by contacting the Customer Care team by dialing 611. T-Mobile reiterated that their investigation did not uncover evidence that any postpaid account PINs were compromised. The company will additionally be offering an “extra step” to protect the accounts of postpaid customers.

    There will also be a webpage designed to help victims understand what happened and what they should do. “We have already proactively reset ALL of the PINs on these accounts to help protect these customers, and we will be notifying accordingly right away. No Metro by T-Mobile, former Sprint prepaid, or Boost customers had their names or PINs exposed,” a T-Mobile spokesperson said, admitting that social security numbers, names, dates of birth, and driver’s license information had been accessed. “We have also confirmed that there was some additional information from inactive prepaid accounts accessed through prepaid billing files. No customer financial information, credit card information, debit or other payment information or SSN was in this inactive file.” T-Mobile called the attack “highly sophisticated” and said the investigation has been “exhaustive,” adding that law enforcement was contacted. They confirmed what the hacker said earlier this week — that the access point used to gain entry to T-Mobile’s systems had been closed. “We take our customers’ protection very seriously and we will continue to work around the clock on this forensic investigation to ensure we are taking care of our customers in light of this malicious attack,” T-Mobile explained. The company has been under fire since an unknown cyberattacker boasted about stealing 106GB of data. They offered a sample of the stolen data on an underground forum allegedly containing 30 million social security numbers and driver’s licenses for the price of six Bitcoin. The unnamed hacker later spoke to Bleeping Computer and shared a screenshot of their SSH connection to a production server running Oracle.

    They did not try to ransom T-Mobile because they already had buyers online, according to their interview with the news outlet. The hackers also told another security researcher that they carried out the attack in retaliation for the treatment of John Erin Binns, a cybercriminal implicated by US law enforcement in the Satori botnet conspiracy. “The breach was done to retaliate against the US for the kidnapping and torture of John Erin Binns (CIA Raven-1) in Germany by CIA and Turkish intelligence agents in 2019,” the hacker allegedly told Alon Gal, co-founder of cybercrime intelligence firm Hudson Rock. “We did it to harm US infrastructure.”

  • Twitter to allow users in US, South Korea, and Australia to report misleading tweets

    Twitter said on Wednesday it was conducting a test that would allow users in the United States, South Korea, and Australia to report misleading tweets. The option will appear to users after clicking on the button to report a tweet. “We’re assessing if this is an effective approach so we’re starting small,” Twitter’s safety account said. “We may not take action on and cannot respond to each report in the experiment, but your input will help us identify trends so that we can improve the speed and scale of our broader misinformation work.” In February, Twitter was joined by Facebook, Google, Microsoft, Redbubble, and TikTok in signing up to the Australian Code of Practice on Disinformation and Misinformation. Political advertising is not misinformation or disinformation for the purposes of the code. In its first transparency report under the code, released in May, Twitter said it had taken action against 3.5 million accounts globally for violation of rules, including suspending 1 million accounts and removing 4.5 million pieces of content. For 3,400 accounts globally, it was in relation to misleading information about COVID-19.

    In Australia specifically, 37,000 Australian Twitter accounts were actioned for violating Twitter rules, resulting in 7,200 accounts being suspended and 47,000 pieces of content authored by an Australian account being removed. Twitter began automatically labelling tweets it regarded as having misleading information about COVID-19 and its vaccines, and introduced a strike system that includes temporary account locks and can lead to permanent suspension. While the system has led to the repeated suspension of misinformation peddlers such as US congresswoman Marjorie Taylor Greene, the system cannot handle sarcasm from users attempting humour on the topics of COVID-19 and 5G. In April, the Australian Department of Health published a page attempting to dispel any link between vaccines and internet connectivity. “COVID-19 vaccines do not — and cannot — connect you to the internet,” it stated. “Some people believe that hydrogels are needed for electronic implants, which can connect to the internet. The Pfizer mRNA vaccine does not use hydrogels as a component.”

  • CISA releases alert on BadAlloc vulnerability in BlackBerry products

    CISA has released an alert about a slate of BlackBerry products affected by the BadAlloc vulnerability, which was spotlighted by Microsoft researchers earlier this year. On Tuesday, BlackBerry released an advisory explaining that its QNX Real Time Operating System — which is used in medical devices, cars, factories and even the International Space Station — can be affected by BadAlloc, which is a collection of vulnerabilities affecting multiple RTOSs and supporting libraries. BlackBerry recently boasted that the QNX Real Time Operating System is used in 200 million cars. CISA added that IoT devices, operational technology and some industrial control systems have incorporated QNX Real Time Operating System, making it urgent for measures to be taken to protect systems. BlackBerry released a full list of the affected products. “A remote attacker could exploit CVE-2021-22156 to cause a denial-of-service condition or execute arbitrary code on affected devices. BlackBerry QNX RTOS is used in a wide range of products whose compromise could result in a malicious actor gaining control of highly sensitive systems, increasing risk to the Nation’s critical functions,” CISA’s alert said. “At this time, CISA is not aware of active exploitation of this vulnerability. CISA strongly encourages critical infrastructure organizations and other organizations developing, maintaining, supporting, or using affected QNX-based systems, to patch affected products as quickly as possible.” The alert goes on to explain that the vulnerability involves an “integer overflow vulnerability affecting the calloc() function in the C runtime library of multiple BlackBerry QNX products.” For threat actors to take advantage of the vulnerability, they need to already have “control over the parameters to a calloc() function call and the ability to control what memory is accessed after the allocation.”
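    As an added illustration (not code from BlackBerry, CISA or the QNX runtime), the following C shows the size arithmetic that an unchecked calloc() gets wrong in the BadAlloc bug class, beside the overflow check a hardened allocator applies; the function names and the request sizes are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Unchecked size arithmetic, as in the BadAlloc bug class: the product
 * nmemb * size silently wraps around when it exceeds SIZE_MAX, so an
 * allocator using it hands back a buffer far smaller than the caller
 * asked for. (Illustrative only; not taken from any vendor's runtime.) */
size_t naive_total_size(size_t nmemb, size_t size) {
    return nmemb * size;
}

/* Hardened arithmetic: refuse the request instead of wrapping.
 * Returns true and stores the product only when it fits in size_t. */
bool checked_total_size(size_t nmemb, size_t size, size_t *total) {
    if (nmemb != 0 && size > SIZE_MAX / nmemb) {
        return false;                 /* nmemb * size would overflow */
    }
    *total = nmemb * size;
    return true;
}

/* calloc-style allocator built on the checked arithmetic (hypothetical
 * name for this example). Returns NULL on overflow or allocation failure;
 * like calloc, it zeroes the memory it returns. */
void *safe_calloc(size_t nmemb, size_t size) {
    size_t total;
    if (!checked_total_size(nmemb, size, &total)) {
        return NULL;
    }
    void *p = malloc(total ? total : 1);
    if (p != NULL) {
        memset(p, 0, total);
    }
    return p;
}

int main(void) {
    /* Constructed request: (SIZE_MAX/2 + 2) elements of 2 bytes each.
     * The true total is SIZE_MAX + 3, which wraps to 2 in size_t. */
    size_t nmemb = SIZE_MAX / 2 + 2, size = 2, total;
    printf("naive total   : %zu bytes for %zu elements\n",
           naive_total_size(nmemb, size), nmemb);
    printf("checked total : %s\n",
           checked_total_size(nmemb, size, &total) ? "ok" : "overflow, request refused");
    printf("safe_calloc   : %s\n",
           safe_calloc(nmemb, size) == NULL ? "NULL (refused)" : "allocated");

    /* A normal request still succeeds and comes back zeroed. */
    uint32_t *ok = safe_calloc(4, sizeof *ok);
    printf("safe_calloc(4, 4): %s, first element %u\n",
           ok ? "allocated" : "failed", ok ? ok[0] : 0u);
    free(ok);
    return 0;
}
```

    Standard-conforming calloc() implementations perform this check themselves; the block isolates the arithmetic so the wraparound that the alert describes is visible on its own.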

    Network access would allow an attacker to remotely exploit this vulnerability if the vulnerable product is running and the affected device is exposed to the internet, CISA added. The vulnerability affects every BlackBerry program with a dependency on the C runtime library. CISA warned that since many of the devices affected by the vulnerability are “safety-critical,” the potential for exploitation could risk giving cyberattackers control of systems that manage infrastructure or other critical platforms. “CISA strongly encourages critical infrastructure organizations and other organizations developing, maintaining, supporting, or using affected QNX-based systems to patch affected products as quickly as possible,” the alert said. “Manufacturers of products that incorporate vulnerable versions should contact BlackBerry to obtain the patch. Manufacturers of products who develop unique versions of RTOS software should contact BlackBerry to obtain the patch code,” CISA explained, adding that some organizations may have to create their own software patches. Some software updates for RTOS require removing devices or taking them to an off-site location for physical replacement of integrated memory, according to CISA. BlackBerry said in its own release that they had not yet seen the vulnerability used. The company suggested users of the product ensure that “only ports and protocols used by the application using the RTOS are accessible, blocking all others.” “Follow network segmentation, vulnerability scanning, and intrusion detection best practices appropriate for use of the QNX product in your cybersecurity environment to prevent malicious or unauthorized access to vulnerable devices,” BlackBerry’s notice said.

    There are no workarounds for the vulnerability, according to BlackBerry, but they noted that users can reduce the possibility of an attack “by enabling the capability for ASLR to randomize process segment addresses.” The notice includes a number of updates BlackBerry has released to address the vulnerability. Microsoft said in April that BadAlloc covers more than 25 CVEs and potentially affects a wide range of domains, from consumer and medical IoT to Industrial IoT. On Tuesday, Politico reported on the behind-the-scenes dispute between BlackBerry and US government officials since the BadAlloc vulnerability was disclosed in April. BlackBerry allegedly denied that the vulnerability affected their products and resisted government attempts to release public notices about the problem. BlackBerry didn’t even know how many organizations were using the QNX Real Time Operating System when asked by government officials, forcing them to go along with government efforts to publicize the vulnerability. CISA officials coordinated with affected industries and even the Defense Department on the security notice about the QNX system, according to Politico, which noted that CISA will also brief foreign officials on the vulnerability. BlackBerry said in June that the QNX royalty revenue backlog had increased to $490 million at the end of its first quarter of fiscal year 2022. The company boasted that it is used in millions of cars made by Aptiv, BMW, Bosch, Ford, GM, Honda, Mercedes-Benz, Toyota and Volkswagen.

  • Patch released for Fortinet command injection vulnerability

    Fortinet has patched a vulnerability that attackers could have leveraged to take complete control of a device with the highest possible privileges, according to a report from cybersecurity company Rapid7.

    Rapid7 researcher William Vu was credited with discovering the issue, which centers around an OS command injection vulnerability in FortiWeb’s management interface, particularly in version 6.3.11 and prior. The vulnerability allows a remote, authenticated attacker “to execute arbitrary commands on the system, via the SAML server configuration page.” “This is an instance of CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’), and has a CVSSv3 base score of 8.7,” the report said. Vu added that the vulnerability appeared to be tied to CVE-2021-22123 and was patched by Fortinet in June. Fortinet FortiWeb is a web application firewall that is built to identify both known and unknown exploits targeting protected web applications before they have a chance to execute, according to Rapid7. Vu discovered the vulnerability in June and Fortinet quickly acknowledged the disclosure and patched the issue.

    Rapid7 released a detailed report about how the attack works, noting that a hacker who has already been authenticated to the management interface of the FortiWeb device could then “smuggle commands using backticks in the ‘Name’ field of the SAML Server configuration page.” “An attacker can leverage this vulnerability to take complete control of the affected device, with the highest possible privileges. They might install a persistent shell, crypto mining software, or use the compromised platform to reach into the affected network beyond the DMZ,” the report said. “Note that while authentication is a prerequisite for this exploit, this vulnerability could be combined with another authentication bypass issue, such as CVE-2020-29015.” If users are not able to patch their devices, Rapid7 suggests disabling the FortiWeb device’s management interface from untrusted networks, which they said “includes the internet.” “Generally speaking, management interfaces for devices like FortiWeb should not be exposed directly to the internet anyway — instead, they should be reachable only via trusted, internal networks, or over a secure VPN connection,” the Rapid7 report explained. Fortinet has invested heavily in security features over the last year, but that has done little to stop widespread concern about multiple vulnerabilities found in its products over the last six months. The FBI and CISA have released multiple alerts warning Fortinet users about insecure products being exploited by hackers. The FBI issued a flash alert in May after a local government office was attacked through Fortinet vulnerabilities. That alert came just weeks after another report was released by US agencies warning that advanced persistent threat groups are exploiting Fortinet FortiOS vulnerabilities to compromise systems belonging to government and commercial entities.

  • How does ExpressVPN work? Plus how to set it up and use it

    The acronym VPN stands for virtual private network. Those three words tell a lot about how a VPN works. Let’s start with network. VPNs provide network connections, meaning they move data to and from your device. Private means they make that movement private, helping prevent hackers from seeing what you’re sending. And virtual means that you’re doing it all in software. You’re not running a new set of wires. Instead, you’re creating a software-based network connection that then moves data over the physical connection (whether that’s wireless or wired). What a VPN actually does is take data that you’re sending out over the internet and encrypt it before it leaves your machine. That encrypted data is sent to the VPN provider’s servers, where it’s decrypted, and then sent on to, say, Google or Netflix. ExpressVPN, which is the service we’re talking about in this guide, has more than 3,000 servers in 160 locations. On the flip side, a VPN takes data from a server on the internet, encrypts it on one of ExpressVPN’s servers, and sends that encrypted data to your computer, which decrypts it when it arrives. This is what provides protection against, in particular, Wi-Fi snoops at airports, hotels, and schools. Because your data leaves from the VPN provider’s server (which, for ExpressVPN, can be in your choice of 94 countries), your actual location can be hidden, and the final server sees as your location what’s actually the location of your provider’s server.

    That’s how VPNs obfuscate your location. Although it’s sometimes illegal, many people use this capability to change their apparent region to watch blacked-out sports or region-locked TV. Far more important is that activists and those concerned about stalkers use it to hide their location for their personal security. OK, so with that introduction to how VPNs, and specifically ExpressVPN, work, let’s look at how to set up and install ExpressVPN. We’re going to do this on a Windows machine, but the practice is very similar for Macs, Linux, and mobile devices.

    Locations: 160
    Countries: 94
    Simultaneous connections: 5
    Kill switch: yes
    Logging: no
    Price: $12.95 per month, or 12 months for $99.95
    Trial: 30-day refund guarantee
    Supported platforms: iOS, Android, MacOS, Windows, Linux, game consoles, smart TVs, routers

    Installing ExpressVPN

    The first thing you’re going to want to do is point your browser at ExpressVPN’s website and click the Get ExpressVPN button. You’ll want to pick a plan that suits your budget, buy it, and set up an account. Once you have an ExpressVPN account, we’ll move on. Log into your account dashboard. Generally, you’ll want to hit the Download button. If your platform isn’t correct, click Setup Other Devices. Here, you’ll want to do two things. First, make a note of your activation code and click the Open file link. Next, give Windows permission to do its thing. I went ahead and closed my browser window. ExpressVPN will take a minute to install.

    Starting ExpressVPN

    Now that you’ve installed ExpressVPN, it’s time to log in. This is the same account you used to create your account, get your activation code, and download ExpressVPN. Once again, you’ll need to let Windows know you approve of this install. Next, enter the activation code you saved off from before. If you misplaced it, just open a browser tab, go to ExpressVPN.com, click the Account button, and copy it again. Go ahead and set things up to launch ExpressVPN on login. You don’t have to initiate a VPN connection when you log in, but it will be nice to have the software ready when you are. And, if you are traveling, you’ll want the VPN to come on immediately on login to protect your data. The next option is entirely your choice. I tend to hover between “Hell, no!” and “Why not?” depending on my mood. And there you are.

    Checking ExpressVPN’s settings

    Here’s the main screen for ExpressVPN. Before hitting connect, click the hamburger menu on the upper left. Next, choose Options. This is one of the most important tweaks you’ll make. We’re not going to dig into a lot of settings options, but it’s very important you make sure “Stop all internet traffic if the VPN disconnects unexpectedly” is checked. This is what VPNs call a kill switch. It means that, if the VPN disconnects, you won’t be sending traffic unprotected. You should also check “Allow access to devices on the local network (such as printers or file servers)” so you can connect to local devices. Hit OK and you’re all set up.

    Using ExpressVPN

    If you hit the big power button now, you’ll connect to the nearest server. I live in the US Pacific Northwest, so that’s why Seattle is displayed. But, if you want to connect to another country, click the three little dots. I went ahead and chose the UK. Once I hit the big power button, I was connected. In fact, to servers on the internet, I no longer appear to be in the US Pacific Northwest; I appear to be in Blackwall in East London. To disconnect, hit the big power button again. If you can’t find that window because you minimized it or it’s obscured behind your browser, go down to your system tray. There, you’ll find a small menu that launches and operates ExpressVPN.

    ExpressVPN’s cool speed test

    ExpressVPN has a very cool speed test feature. It will, in one shot, allow you to test all of the company’s servers and see how they all perform. Launch it from the hamburger menu. Just hit the Run Test button. Give it a few minutes and you’ll get the results of the entire ExpressVPN network. So, there you go. That’s how to use ExpressVPN. Let us know what you think in the comments below. You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.


  • Securing Microsoft Edge: Switch off JIT compilers or sandbox?

    Google and Microsoft, which now both contribute to the Chromium project, apparently share concerns about the Just-In-Time (JIT) compiler in Chrome’s V8 JavaScript engine.  Microsoft’s Edge Vulnerability Research (VR) team last week announced the start of testing Microsoft’s Super Duper Secure Mode (SDSM) for Edge, which works by removing Just-In-Time (JIT) compilation from the V8 processing pipeline. 


    Google’s V8 JavaScript engine for Chrome was a key turning point for web applications in the history of browsers, Microsoft’s creator of TypeScript (a superset of JavaScript) acknowledged in an interview with ZDNet last year. Per MS Poweruser and Reddit users, unstable Edge Canary now includes a flag that enables SDSM in Edge. That is, JIT compilation in V8 in Edge is disabled by going to edge://flags/#edge-enable-super-duper-secure-mode. Microsoft is not alone in taking new approaches to the V8 engine’s JIT compilers. Google Project Zero is also exploring how to tackle vulnerabilities surrounding JIT compilation in V8, but with a different solution — namely, creating a custom sandbox for V8. As Microsoft’s browser vulnerability researchers noted, JITs exist to optimise JavaScript performance. Disabling JIT would remove about half of the V8 bugs that must be fixed, they argue, and they go on to note that Microsoft’s tests found that disabling JIT results in virtually no changes to browser performance across memory, page load and startup times, and power consumption. Since Microsoft Edge is based on Chromium and Google Chrome is the most widely used browser on Windows, there is a mutual area of concern for both firms.

    With V8’s JIT compilation turned off, Microsoft could enable Edge memory and hardware-based protections — such as the hardware-based Control-flow Enforcement Technology (CET) from Intel, and Windows’ Arbitrary Code Guard (ACG) and Control Flow Guard (CFG) — that were previously incompatible with JIT. Google is not unaware of this, but some within Google believe that the benefits of these hardware-based protections might not be as effective as believed. Interestingly, in May, Google’s Chrome team opted to enable Intel’s CET mitigations for Chrome on Windows 10 to mitigate return-oriented programming (ROP) attacks. Earlier this month, Google Project Zero researcher Samuel Groß outlined a sandbox approach to tackle JITs within the context of V8. He warned that his proposal had many hurdles to cross. Those hurdles could come from other teams within Google, such as the Chrome team, from Microsoft, or from other interested parties. Groß explained that the problem with V8 stems from JIT compilers that can be used to trick a machine into emitting machine code that corrupts memory at runtime. “Many V8 vulnerabilities exploited by real-world attackers are effectively 2nd order vulnerabilities: the root-cause is often a logic issue in one of the JIT compilers, which can then be exploited to generate vulnerable machine code (e.g. code that is missing a runtime safety check). The generated code can then in turn be exploited to cause memory corruption at runtime,” Groß said. “This appears to be a somewhat natural problem of JIT compilers for dynamic languages, as one of their major purposes is to remove (redundant) runtime checks that would otherwise be performed by the interpreter.” He’s less confident in the technologies that Microsoft researchers highlight would be enabled by switching JIT compilers off — and hence why the better approach may be to create a custom sandbox for V8. 
    As Groß also noted, CPU side-channel vulnerabilities, and the potency of V8 vulnerabilities, mean that “upcoming hardware security features such as memory tagging will likely be bypassable most of the time.”