More stories


    Google Cloud rolls out new security tools as threat landscape heats up

    Google Cloud on Tuesday is introducing a range of new security products, for both its private and public sector customers, as they look to respond to the quickly evolving threat landscape. The new public sector tools will help agencies comply with President Joe Biden’s cybersecurity executive order. Meanwhile, other Google Cloud customers will have access to more automated security operations, as well as new threat detection capabilities powered by Palo Alto Networks technology.

    The new products follow a series of dramatic cybersecurity incidents, including the Colonial Pipeline ransomware attack that shut down fuel deliveries across the US southeast, the SolarWinds software supply chain attack and the mass exploitation of Microsoft Exchange servers. For CSOs, however, there’s no room to breathe easy. “If anything, the attack surface is going to get worse,” Sunil Potti, Google Cloud VP and GM of cloud security, told reporters last week.

    Rather than “build products that fix problems with other products,” he said, Google has focused on building “invisible security” into the cloud. “Invisible security is about making security simple,” Potti said. “When you embrace GCP security, you’re not just getting a safer environment, but you’re simplifying your overall operations.”

    To that end, Google Cloud is introducing Autonomic Security Operations, a turnkey offering that the company is bringing to the managed security services market in partnership with BT. The service provides access to products, integrations, blueprints, technical content and an accelerator program to help customers emulate a best-in-class Security Operations Center (SOC).
    Google is also introducing Cloud IDS, a cloud-native, managed intrusion detection system that uses Palo Alto Networks threat detection technology to help customers detect malware, spyware, command-and-control traffic and other network-based threats. Cloud IDS should be particularly relevant for industries whose compliance requirements mandate an IDS, such as financial services, retail and healthcare.

    The new offering makes it easier to deploy and manage network threat detection, and it provides visibility into traffic entering the cloud environment as well as east-west traffic between workloads. To respond to threats detected by Cloud IDS, customers can create custom remediation workflows within Google Cloud, and the alerts Cloud IDS generates can be fed into SIEM (security information and event management) and SOAR (security orchestration, automation and response) tools. At public preview, Cloud IDS integrates with Splunk Cloud Platform, Splunk Enterprise, Exabeam Advanced Analytics, the Devo Platform and Palo Alto Networks Cortex XSOAR; integration with Google Cloud’s own Chronicle and Security Command Center is expected to follow.

    Meanwhile, Google is stepping up the capabilities of Chronicle, its cloud-native security analytics platform, by integrating it with Google’s analytics products Looker and BigQuery. Among other things, this gives customers embedded, Looker-driven dashboards in five content categories: Chronicle security overview, data ingestion and health, IOC matches, rule detections and user sign-in data.

    Google is also expanding the availability of its Risk Protection Program to all Google Cloud customers in public preview. The program connects customers with Google’s insurer partners, Allianz Global Corporate & Specialty (AGCS) and Munich Re, which designed a specialized cyber insurance policy for Google Cloud customers.

    For the public sector, Google has a series of new services that will help organizations maintain compliance with the cybersecurity executive order President Biden signed in early May. The executive order comes down to a few simple goals, Mike Daniels, Google Cloud’s public sector VP, said: “accelerating the journey to a zero-trust architecture, solid cyber analytics along with diagnosis, and an ability to rapidly recover.”

    To aid in that effort, Google is introducing a new Zero Trust Assessment and Planning offering, delivered via Google Cloud’s professional services organization (PSO). Google’s PSO team will help organizations assess their most pressing threats based on their IT landscape and create a roadmap to zero-trust security that accounts for factors like budget limitations and legacy technology. “Most of the time, zero trust is something that everyone wants to get to, but no one knows where to begin,” Daniels said.

    Next, Google Cloud is introducing Secure Application Access Anywhere, a new container-based service for secure application access and monitoring, which Google’s PSO team provides in partnership with Palo Alto Networks. It uses Google Cloud’s Anthos to deploy and manage containers that provide secure access and monitoring for applications in cloud or on-premises environments.

    Lastly, the new Active Cyber Threat Detection service helps government organizations determine quickly whether they have been compromised by attacks they have not yet detected, by analyzing historical and current log data with capabilities from Google’s Chronicle. It will be delivered via Google Cloud partner Fishtech CYDERES.


    IBM FlashSystem gets safeguarded data copies to speed up cyberattack recovery


    IBM said it is adding tools to its FlashSystem portfolio of all-flash arrays to speed recovery from ransomware and other cyberattacks. Ransomware remains a major problem for organizations of every size, and to that end IBM launched IBM Safeguarded Copy for FlashSystem storage systems. Safeguarded Copy automatically creates copies of data that are isolated within the storage system and cannot be accessed or altered through normal operations, so that the snapshots remain available if a breach or cyberattack disrupts operations. In theory, the approach can help companies and understaffed government groups recover faster.

    Key points about IBM Safeguarded Copy, which is based on technology from IBM’s DS8000 storage portfolio: storage admins can schedule automatic snapshots; snapshots are placed in safeguarded pools on the storage system; data in a safeguarded pool is only usable after it has been recovered; Safeguarded Copy can also be used to extract and restore data to diagnose production issues and to validate copies; and it can be integrated with the IBM Security QRadar platform for security monitoring, so that QRadar can detect an attack in progress and proactively trigger Safeguarded Copy to create a backup.

    In addition, IBM said it will launch IBM Storage as a Service for hybrid cloud storage in September, with availability in North America and Europe. Customers will be able to scale storage capacity up with variable pricing. IBM Storage as a Service is part of Big Blue’s Flexible Infrastructure offerings.


    NordVPN deal: Save over 65% on a two-year subscription and get a $10 credit

    With so many people working remotely these days, it’s more important than ever to have a powerful VPN installed on all of their devices, even on their home network. Lucky for you, not only is a 2-year subscription to the bulletproof NordVPN currently available at a 68% discount, but it also comes with a $10 credit off your next store purchase.

    There are plenty of VPNs out there, but they are not all created equal and few come close to the level of protection NordVPN offers. You get unrestricted, private access to the internet whether you are on a cellular network, on public WiFi or anywhere else. All of your traffic travels through encrypted tunnels (with double encryption on NordVPN’s Double VPN servers), so the sites you visit see the VPN server’s address rather than yours and your traffic is hidden from whoever operates the local network.

    For maximum security, a kill switch automatically cuts your internet connection as soon as the connection to NordVPN’s servers drops, so no traffic leaks outside the tunnel. NordVPN says it keeps a strict no-logging policy, so none of your online activity is recorded.

    The platform offers almost 5,400 servers in almost 60 countries, which also lets you bypass geographical restrictions on content and watch what you like wherever you happen to be. Best of all, you do not have to sacrifice speed for security: server connections are fast enough for video without buffering.

    NordVPN has received impressive ratings from a wide range of sources. TechRadar gave it 4.5 out of 5 stars, while CNET, TrustPilot and PCMag all gave it a perfect 5 out of 5.

    Don’t miss this chance to get two full years of powerful protection while it’s heavily discounted. Get your 2-year subscription to NordVPN and $10 store credit today for just $89, instead of the usual MSRP of $286.



    Google is using machine learning to stop DDoS attacks

    Google Cloud has unveiled a public preview of Cloud Armor’s Adaptive Protection, a machine learning-powered method of detecting and protecting enterprise applications and services from Layer 7 (application-layer) DDoS attacks. It’s the same technology Google uses for Project Shield, a free service from Google parent Alphabet that protects human rights, government and media organizations against DDoS attacks.

    Google has in the past absorbed enormous DDoS attacks, including one in 2017 that peaked at 2.56 Tbps and is attributed to a Beijing-backed attacker.

    In November, Google unveiled Cloud Armor Adaptive Protection as part of its DDoS defense and web application firewall (WAF) service, which gives customers the same technology Google uses to protect itself. Adaptive Protection uses machine-learning models to analyze signals across web services to detect potential attacks. It can detect high-volume application-layer DDoS attacks against web apps and services and accelerates mitigation by spotting abnormal traffic. The move to public preview means that all Google Cloud customers can test the functionality.

    “We have been building and maturing this technology with internal and external design partners and testers over the last few years. All Cloud Armor customers can try it at no extra charge during the preview period,” said Emil Kiner, a product manager for Google’s Cloud Armor. Google Cloud also released new preconfigured WAF rules and a reference architecture to help customers mitigate the OWASP web-application vulnerability classes.

    “Adaptive Protection quickly identifies and analyzes suspicious traffic patterns and provides customized, narrowly tailored rules that mitigate ongoing attacks in near-real-time,” Kiner explained. He noted that while Layer 3 and Layer 4 attacks can be halted on Google’s edge network, Layer 7 attacks rely on “well-formed” and legitimate-looking web requests. These requests are generated automatically by compromised Windows, Mac and Linux devices that make up a botnet and produce junk traffic in volumes most websites can’t withstand.

    “Since attacks can come from millions of individual IPs, manual triage and analysis to generate and enforce blocking rules becomes time and resource-intensive, ultimately allowing high-volume attacks to impact applications,” Google noted. The Adaptive Protection service, aimed at security operations teams, provides early alerts about anomalous requests based on three things: the load on backend services, constantly updated signatures describing the suspected attack, and recommended custom WAF rules to block the attack traffic.
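    The volume-baseline, signature and rule steps described above, as an added example (the author’s own sketch, not Google’s Cloud Armor code): it profiles one minute of constructed access-log traffic against a baseline minute, flags a path whose request volume spikes, and proposes the narrowest rule that covers the excess. The log format, the thresholds and the rule expressions (written in what the author takes to be Cloud Armor’s custom-rule syntax) are assumptions, not taken from the article.

```python
"""Baseline-versus-window anomaly detection for application-layer (L7) floods.

Added example for this page, not Google's Cloud Armor code. It imitates the
three signals the article lists (a jump in backend request volume, a
signature describing the suspect traffic, and a narrowly tailored block rule)
over constructed access-log lines. The emitted rule strings follow Cloud
Armor's custom-rules expression language as understood by the author
(an assumption; the article does not show rule syntax).
"""
from collections import Counter
from typing import Dict, List, NamedTuple, Optional


class Request(NamedTuple):
    ip: str
    path: str
    user_agent: str


class Finding(NamedTuple):
    path: str
    baseline_count: int
    observed_count: int
    distinct_ips: int
    rule: Optional[str]  # None: spike seen, but no narrow signature found


def parse_line(line: str) -> Request:
    """Parse the constructed format: '<ip> <method> <path> <status> "<user-agent>"'."""
    head, _, agent = line.partition('"')
    ip, _method, path, _status = head.split()
    return Request(ip, path, agent.rstrip('"'))


BROWSERS = ["Mozilla/5.0 (Windows NT 10.0) Chrome/91.0", "Mozilla/5.0 (Macintosh) Safari/14.1"]
PATHS = ["/", "/login", "/api/search", "/static/app.js"]


def make_baseline() -> List[str]:
    """Constructed 'normal' minute: 60 requests from 20 client IPs with browser agents."""
    return [f'10.0.{i % 20}.7 GET {PATHS[i % 4]} 200 "{BROWSERS[i % 2]}"' for i in range(60)]


def make_botnet_flood() -> List[str]:
    """Constructed attack minute: baseline traffic plus 600 well-formed POSTs to
    /login from 600 distinct IPs that share one automation user-agent."""
    return make_baseline() + [
        f'198.51.{i // 256}.{i % 256} POST /login 200 "python-requests/2.25.1"' for i in range(600)
    ]


def make_single_source_flood() -> List[str]:
    """Constructed attack minute: baseline traffic plus 300 GETs from one IP with a
    browser user-agent, so only the source address distinguishes the flood."""
    return make_baseline() + [f'203.0.113.9 GET /api/search 200 "{BROWSERS[0]}"' for _ in range(300)]


def by_path(lines: List[str]) -> Dict[str, List[Request]]:
    groups: Dict[str, List[Request]] = {}
    for line in lines:
        req = parse_line(line)
        groups.setdefault(req.path, []).append(req)
    return groups


def suggest_rule(path: str, baseline: List[Request], window: List[Request],
                 share: float = 0.8) -> Optional[str]:
    """Prefer the narrowest rule that still covers most of the excess traffic."""
    top_ip, ip_hits = Counter(r.ip for r in window).most_common(1)[0]
    if ip_hits / len(window) >= share:
        # One source dominates: a /32 block is as narrow as it gets.
        return f"request.path == '{path}' && inIpRange(origin.ip, '{top_ip}/32')"
    top_ua, ua_hits = Counter(r.user_agent for r in window).most_common(1)[0]
    baseline_ua_share = sum(r.user_agent == top_ua for r in baseline) / max(len(baseline), 1)
    if ua_hits / len(window) >= share and baseline_ua_share < 0.2:
        # Many sources, one signature that legitimate traffic rarely carries.
        token = top_ua.split("/")[0]
        return f"request.path == '{path}' && request.headers['user-agent'].contains('{token}')"
    return None


def detect(baseline_lines: List[str], window_lines: List[str],
           spike_factor: float = 5.0, min_requests: int = 100) -> List[Finding]:
    """Flag paths whose request volume jumps well above the baseline minute."""
    base, win = by_path(baseline_lines), by_path(window_lines)
    findings = []
    for path, reqs in win.items():
        expected = len(base.get(path, []))
        if len(reqs) < min_requests or len(reqs) < spike_factor * max(expected, 1):
            continue
        rule = suggest_rule(path, base.get(path, []), reqs)
        findings.append(Finding(path, expected, len(reqs), len({r.ip for r in reqs}), rule))
    return findings


if __name__ == "__main__":
    for name, window in (("botnet", make_botnet_flood()), ("single source", make_single_source_flood())):
        for f in detect(make_baseline(), window):
            print(f"{name}: {f.path} {f.baseline_count}->{f.observed_count} req/min, "
                  f"{f.distinct_ips} IPs, rule: {f.rule}")
```

    The two constructed windows show why the point about millions of source IPs matters: the single-source flood gets a /32 block, while the botnet flood from 600 addresses only yields a rule once a shared request signature (here the automation user-agent) is found. When neither signal is present the finding is reported with no rule, which is the case that still needs the triage the article describes.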


    Hundreds of touchscreen ticket machines are offline after a ransomware attack

    An apparent ransomware attack has resulted in hundreds of self-service ticket machines across the north of England being taken offline. Customers of Northern, the rail company that serves towns and cities across northern England, are urged to use the mobile app, website or ticket offices while the ticket machines remain disrupted. The attack comes just two months after 600 Northern-operated touchscreen ticket machines were installed at 420 stations across the region. “Last week we experienced technical difficulties with our self-service ticket machines, which meant all have had to be taken offline,” a spokesperson for Northern told ZDNet.


    “This is the subject of an ongoing investigation with our supplier, but indications are that the ticket machine service has been subject to a ransomware cyberattack.”

    It hasn’t been detailed what form of ransomware Northern, which is government run, might have fallen victim to, or how the attackers compromised the network, but the company says that “swift action” taken alongside payment and ticketing systems supplier Flowbird means the incident has only affected the servers that operate the ticket machines. “The issue was first identified through cyber-monitoring systems and our initial investigations indicated that the service may have been subject to a cyberattack,” a Flowbird spokesperson told ZDNet.

    Both Northern and Flowbird say no customer information or payment data has been compromised by the attack. “We are working to restore normal operation to our ticket machines as soon as possible. We are sorry for any inconvenience this incident causes,” said the Northern spokesperson.

    There’s currently no indication of when the self-service ticket machines will be restored, whether Northern or Flowbird have been contacted by the criminals behind the attack, or whether a ransom demand has been made. Ransomware attacks, in which criminals break into networks, encrypt data and demand payment in exchange for the decryption key, have been a major cybersecurity problem during 2021. Such is the extent of the issue that world leaders discussed ransomware at last month’s G7 summit.


    HP patches vulnerable driver lurking in printers for 16 years

    HP has patched a severe vulnerability that has been hidden in a printer driver for 16 years. 

    On Tuesday, SentinelLabs published an analysis of the vulnerability, tracked as CVE-2021-3438 and assigned a CVSS score of 8.8. The issue is described as a “potential buffer overflow in the software drivers for certain HP LaserJet products and Samsung product printers could lead to an escalation of privilege.” According to the researchers, some HP, Xerox and Samsung printer models shipped with the vulnerable driver software, sold worldwide since 2005.

    The driver in question, SSPORT.SYS, is installed and activated automatically with the printer software, whether the model is wireless or cabled, and Windows loads it automatically at boot. “This makes the driver a perfect candidate to target since it will always be loaded on the machine even if there is no printer connected,” the researchers say. The flaw is that the driver accepts input without validating its size, so an attacker can, in theory, overrun the driver’s buffer.

    Local attackers could exploit the bug to escalate their privileges to SYSTEM and run code in kernel mode, which would allow actions such as tampering with the target machine. However, SentinelLabs says it did not invest the time to weaponize the bug on its own, and a working exploit may require chaining it with other vulnerabilities. SentinelLabs researcher Kasif Dekel reported the vulnerability to HP on February 18, and the vendor issued a patch on May 19. No exploitation in the wild has been detected.

    In a security advisory, HP said impacted models include the HP LaserJet, Samsung CLP, Samsung MultiXpress and Samsung Xpress series. The vendor has provided a patch and is asking customers to update their software: visit the HP software portal, select the printer model and apply the update. Xerox has published a separate security advisory (.PDF) naming Xerox B205/B210/B215, Phaser and WorkCentre models as affected.




    Microsoft heads to court to take on imposter, homoglyph domains

    Microsoft has turned to the court system to take down domains designed to impersonate the firm in phishing attacks.

    On Monday, Microsoft’s Digital Crimes Unit (DCU) said a judge in the Eastern District of Virginia issued a court order that requires domain registrars to disable websites “used to impersonate Microsoft customers and commit fraud.” The complaint (.PDF), filed to pursue a preliminary injunction and restraining order, names “John Does” as defendants, the term used for unidentified parties facing legal action. According to the DCU, Microsoft filed the case to clamp down on imposter domains, also known as homoglyph-based web addresses.

    In homoglyph attacks, fraudsters use similar-looking words, phrases, letters, numbers or symbols to masquerade as a legitimate organization, whether that is Microsoft, Google, Facebook, PayPal or another well-known brand. Attackers may send phishing emails, SMS messages or social media posts containing links to an imposter domain that asks for account credentials or serves an exploit kit. If visitors fail to notice the small differences in the domain that reveal it is not a trusted source, they are more likely to become victims. In Microsoft’s case, homoglyph domain examples include swapping “o” for a zero, as in “micr0soft.com,” or using a lowercase “l” instead of an “i,” as in “mlcrosoft.com.”

    “We continue to see this technique used in business email compromise (BEC), nation-state activity, malware, and ransomware distribution, often combined with credential phishing and account compromise to deceive victims and infiltrate customer networks,” the company said.

    The court case stemmed from a customer complaint about a Microsoft-related BEC scam, which led to the discovery of at least 17 imposter domains being used to siphon account credentials. In this case, the attackers leveraged a legitimate email sent from a compromised Office 365 customer account asking a business for advice on processing payments. The group then sent a malicious email containing a link to a homoglyph domain and urged that payment be made as quickly as possible; the account details given for a “subsidiary account” belonged, of course, to the criminals.

    Microsoft says the attackers behind the BEC scam, who appear to operate from Africa, tend to target small businesses across the US. After using a malicious domain to harvest employee credentials, the scammers may infiltrate networks and then impersonate vendors, other members of staff or customers to dupe the victim company into approving fraudulent payments and fake invoices. Microsoft hopes the court order will further disrupt the owners of the malicious domains and prevent them from easily shifting their infrastructure to other third-party services. The complaint follows 23 similar cases brought by the Redmond giant since 2010, including complaints against malware operators and state-sponsored hacking groups.
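    The confusable-character substitutions above, as an added example (the author’s own, not Microsoft DCU code): it folds a domain’s registrable label to a skeleton in which the 0-for-o and l-for-i swaps named in the article collide with the brand name, and it generalises a little beyond the article to other confusables, including Cyrillic letters hidden in punycode-encoded (xn--) labels. The brand allowlist, the tiny stand-in for the Public Suffix List and the sample domains are assumptions constructed for the example.

```python
"""Look-alike (homoglyph) domain classification.

Added example for this page, not Microsoft DCU code. It folds confusable
characters to a canonical skeleton (the 0-for-o and l-for-i swaps named in
the article, plus a few more the author adds, including Cyrillic letters in
punycode-encoded labels) and compares the registrable label with a brand list.
The brand list, allowlist and sample domains are constructed for the example.
"""
import unicodedata
from typing import Dict, NamedTuple, Optional, Set, Tuple

# Single characters folded to the Latin letter they are read as.
SINGLE = {
    "0": "o", "1": "l", "i": "l", "|": "l", "!": "l",
    "3": "e", "4": "a", "5": "s", "8": "b",
    "\u043e": "o", "\u0430": "a", "\u0435": "e", "\u0441": "c", "\u0440": "p", "\u0443": "y",
}
# Character pairs that render like a single letter.
PAIRS = {"rn": "m", "vv": "w", "cl": "d"}

# Brand -> registrable domains the brand legitimately uses (constructed allowlist).
BRANDS: Dict[str, Set[str]] = {
    "microsoft": {"microsoft.com", "microsoft.net"},
    "paypal": {"paypal.com"},
}

# Stand-in for the Public Suffix List (assumption: good enough for the sample).
SECOND_LEVEL_SUFFIXES = {"co", "com", "org", "net", "ac", "gov"}


class Verdict(NamedTuple):
    domain: str
    registrable: str
    brand: Optional[str]
    kind: str  # legitimate | homoglyph | other-suffix | brand-embedded | unrelated


def skeleton(text: str) -> str:
    """Canonical form in which confusable spellings collide."""
    folded = unicodedata.normalize("NFKD", text.lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))  # drop accents
    folded = "".join(SINGLE.get(ch, ch) for ch in folded)
    for pair, letter in PAIRS.items():
        folded = folded.replace(pair, letter)
    return folded


def split_registrable(host: str) -> Tuple[str, str]:
    """Return (registrable label, registrable domain), decoding punycode labels."""
    labels = host.lower().rstrip(".").split(".")
    labels = [lab.encode("ascii").decode("idna") if lab.startswith("xn--") else lab
              for lab in labels]
    suffix_len = 2 if len(labels) >= 3 and labels[-2] in SECOND_LEVEL_SUFFIXES else 1
    label = labels[-suffix_len - 1] if len(labels) > suffix_len else labels[0]
    return label, ".".join(labels[-suffix_len - 1:])


def classify(host: str) -> Verdict:
    """Compare the registrable label of host with every brand, narrowest verdict first."""
    label, registrable = split_registrable(host)
    label_sk = skeleton(label)
    for brand, allowed in BRANDS.items():
        brand_sk = skeleton(brand)
        if registrable in allowed:
            return Verdict(host, registrable, brand, "legitimate")
        if label == brand:
            # Exact brand label under a suffix the brand does not use.
            return Verdict(host, registrable, brand, "other-suffix")
        if label_sk == brand_sk:
            # Same skeleton, different spelling: the homoglyph case.
            return Verdict(host, registrable, brand, "homoglyph")
        if brand_sk in label_sk:
            # Brand name (possibly disguised) embedded in a longer label.
            return Verdict(host, registrable, brand, "brand-embedded")
    return Verdict(host, registrable, None, "unrelated")


if __name__ == "__main__":
    for host in ("microsoft.com", "micr0soft.com", "mlcrosoft.com", "rnicrosoft.com",
                 "microsoft-account-verify.com", "example.org"):
        print(classify(host))
```

    A skeleton match is only a lead: the allowlist has to contain every registrable domain the brand legitimately uses, or a genuine regional domain will be reported as “other-suffix”. In practice that list comes from the brand owner, and hits are triaged against WHOIS and certificate-transparency data rather than blocked outright.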


    Cybersecurity company warns of American Rescue Plan Act scams as first IRS child tax credit payments released

    Cybercriminals are taking advantage of the latest round of IRS payments being sent to families across the US by launching dozens of credential harvesting sites masquerading as American Rescue Plan Act signup sites, according to a new report from DomainTools.

    Last week, the IRS began sending the first round of child tax credit payments that were part of the larger American Rescue Plan Act passed earlier this year. The payments are sent automatically by the IRS and require no sign-up, but cybercriminals have created a maze of associated websites that aim to trick people into entering their personal information by pretending to be associated with the child tax credit payments, DomainTools’ Chad Anderson explained.

    Anderson said that by analyzing historical WHOIS information and using OSINT techniques, the company was able to tie this credential harvesting scam to GoldenWaves Innovations, a web development firm based in Nigeria. ZDNet called and emailed GoldenWaves for comment but received no response.

    The fake sites look exactly like government websites, explain the payments in detail and ask users to “apply now.” One site, “reliefcarefunds[.]com,” asks for names, addresses, Social Security numbers, photos of driver’s licenses and even the visitor’s mother’s maiden name.
    That site was connected to “americaforgivenrelieffund[.]com” and both were registered and hosted through NameCheap. DomainTools was able to tie those two sites and 39 other domains to an email address: goldenwaves247@gmail[.]com.

    Anderson said researchers found that many of the links associated with the email were also being distributed through Bitly shortened links, which allowed the people behind the scam to title the link “Unemployment Insurance Relief During COVID-19 Outbreak | American Rescue Plan Act.” These links led the researchers to other sites hosted on Garanntor and OVH, providing even more information about the creator and tying all of the sites to an email address registered in Ibadan, Nigeria.

    “The city of Ibadan is a small, rural town which makes the registration information stand out as almost always technical contacts for Nigerian domains are located in Lagos, the capital city and technology center,” Anderson wrote. “Additional searches reveal the same username participating in sales on cybercrime forums, Steam gaming, and other social media sites.”

    Anderson added that DomainTools’ researchers believe with “medium confidence” that GoldenWaves Innovations, which is also registered in Ibadan, was a “legitimate web design firm in front of the identity document harvesting sites.” GoldenWaves Innovations has a working website with a CEO who has a full profile on LinkedIn.

    “Additionally, the historical WHOIS record unearths an address in New York, New York of 120 E 87th Street. This is an apartment building with condos ranging from $900,000 to $13,000,000 in the heart of Manhattan. While at first that seems strange for a company based in Nigeria, we can see from LinkedIn that one of the company’s developers claims to live in New York City,” Anderson said. “Looking at the CEO’s current contact information on LinkedIn we can see that GoldenWaves Innovations has a new website in goldenwaves[.]com[.]ng which is also tied to the same email address and registration information. This gives DomainTools researchers high confidence that all of these credential harvesting sites are linked to GoldenWaves Innovations in Nigeria. These sites along with any new ones that have cropped up were reported to Google Safe Browsing for blocking.”

    Anderson included a list of the domain names being used in the scam and told ZDNet that US law enforcement was informed about the sites. When asked why a seemingly legitimate business would tie itself to credential harvesting sites, Anderson said “it’s certainly sloppy” but added that this proved the usefulness of historical WHOIS data.

    Other cybersecurity experts, such as Digital Shadows cyber threat intelligence analyst Stefano De Blasi, said that along with harvesting credentials, impersonating domains are frequently used to extract financial information, deploy malware on a victim’s machine and distribute disinformation.
    “Additionally, users may be tricked into opening these malicious pages via spear-phishing emails or SMS, as well as being redirected there from other illegitimate websites. In both cases, if an attacker knows enough of social engineering techniques to pressure a victim into opening the URL and inserting their credentials,” De Blasi told ZDNet. “Social engineering attacks remain a predominant initial attack vector for threat actors, thus certifying that they keep working on many people despite its rather simplistic approach. Registering these domains is a trivial task for most attackers, thanks to prepared phishing kits and tutorials that attackers can easily find in cybercriminal forums. However, when registering hundreds of malicious domains, a careless attacker may well leave some crucial pieces of evidence behind that can then be gathered and analyzed by security researchers to assess attribution.”
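    The registrant-email pivot that tied the sites together above, as an added example (the author’s own, not DomainTools’ tooling): it generalises the pivot to any strong registrant selector shared between two WHOIS records, builds clusters as connected components of those links, and uses infrastructure fields (name servers, hosting ASN) only to corroborate a cluster, since those are shared by thousands of unrelated customers. Every record, name and contact value is constructed for the example on reserved .example names; none is real registrant data.

```python
"""Pivoting on WHOIS registration fields to cluster related domains.

Added example for this page, not DomainTools' tooling. Any strong selector
shared by two records (registrant email or phone) links them, connected
components of those links form clusters, and weak selectors (name servers,
hosting ASN) only corroborate a cluster. Every record is constructed and uses
reserved .example names; no real registrant data appears.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple

Selector = Tuple[str, str]  # (field, value)


class WhoisRecord(NamedTuple):
    domain: str
    registrant_email: str
    registrant_phone: str
    name_servers: Tuple[str, ...]
    hosting_asn: str


class Cluster(NamedTuple):
    domains: Tuple[str, ...]
    strong_links: Tuple[Selector, ...]   # selectors that joined two or more members
    corroboration: Tuple[Selector, ...]  # weak selectors shared by every member


# Constructed sample. The bakery shares a bulk DNS provider and hosting ASN
# with the scam sites, which is why weak selectors must not link on their own.
RECORDS: List[WhoisRecord] = [
    WhoisRecord("reliefcarefunds.example", "ops247@mail.example", "+1.5550100",
                ("ns1.cheapdns.example",), "AS64500"),
    WhoisRecord("forgivenrelief.example", "ops247@mail.example", "",
                ("ns1.cheapdns.example",), "AS64500"),
    WhoisRecord("childcredit-apply.example", "REDACTED FOR PRIVACY", "+1.5550100",
                ("ns2.otherdns.example",), "AS64500"),
    WhoisRecord("webdesign-agency.example", "ceo@agency.example", "",
                ("ns2.otherdns.example",), "AS64501"),
    WhoisRecord("unrelated-bakery.example", "REDACTED FOR PRIVACY", "",
                ("ns1.cheapdns.example",), "AS64500"),
]

# Placeholder values registrars substitute for withheld data; never pivot on these.
REDACTED = {"", "redacted", "redacted for privacy", "please query the rdds service of the registrar"}


def strong_selectors(rec: WhoisRecord) -> Set[Selector]:
    """Registrant identity fields: a shared value usually means the same operator."""
    out: Set[Selector] = set()
    if rec.registrant_email.lower() not in REDACTED:
        out.add(("email", rec.registrant_email.lower()))
    if rec.registrant_phone.lower() not in REDACTED:
        out.add(("phone", rec.registrant_phone))
    return out


def weak_selectors(rec: WhoisRecord) -> Set[Selector]:
    """Infrastructure fields: shared by many unrelated customers, so corroborate only."""
    return {("ns", ns.lower()) for ns in rec.name_servers} | {("asn", rec.hosting_asn)}


def cluster(records: List[WhoisRecord]) -> List[Cluster]:
    """Union-find over strong selectors; weak selectors only corroborate."""
    parent = {r.domain: r.domain for r in records}

    def find(d: str) -> str:
        while parent[d] != d:
            parent[d] = parent[parent[d]]  # path halving
            d = parent[d]
        return d

    holders: Dict[Selector, List[str]] = defaultdict(list)
    for rec in records:
        for sel in strong_selectors(rec):
            holders[sel].append(rec.domain)
    for domains in holders.values():
        for other in domains[1:]:
            parent[find(other)] = find(domains[0])

    members: Dict[str, List[WhoisRecord]] = defaultdict(list)
    for rec in records:
        members[find(rec.domain)].append(rec)

    clusters = []
    for recs in members.values():
        names = {r.domain for r in recs}
        links = tuple(sorted(sel for sel, doms in holders.items() if len(set(doms) & names) > 1))
        shared_weak = set.intersection(*(weak_selectors(r) for r in recs))
        clusters.append(Cluster(tuple(sorted(names)), links, tuple(sorted(shared_weak))))
    return sorted(clusters, key=lambda c: (-len(c.domains), c.domains))


if __name__ == "__main__":
    for c in cluster(RECORDS):
        print(", ".join(c.domains))
        print("  linked by:", c.strong_links or "nothing (singleton)")
        print("  corroborated by:", c.corroboration)
```

    The phone number bridges a privacy-redacted record into the email cluster, which is the kind of transitive link historical WHOIS makes possible; the bakery, despite sharing DNS and hosting with the scam sites, stays separate because it shares no identity selector. Real pivots also need the records as they were at registration time, since current WHOIS is usually redacted, which is the point Anderson makes about historical data.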