More stories

  • in

    Microsoft: We've just disrupted this ransomware-spreading botnet

    Microsoft has carried out another legal-technical takedown against cyber criminals, this time to dismantle the ZLoader botnet’s infrastructure. ZLoader malware has infected thousands of organizations, mostly in the US, Canada and India, and is known to have distributed the Conti ransomware.

    Microsoft has now received a court order from the US District Court for the Northern District of Georgia that allowed it to seize 65 domains the ZLoader gang had been using for command and control (C&C) of its botnet, which was built from malware that infected businesses, hospitals, schools, and homes.

    Those domains now direct to a Microsoft sinkhole, outside of the control of the ZLoader gang. Microsoft also gained control over the domains ZLoader used for its domain generation algorithm (DGA), which automatically creates new domains for the botnet’s C2.

    “Zloader contains a domain generation algorithm (DGA) embedded within the malware that creates additional domains as a fallback or backup communication channel for the botnet. In addition to the hardcoded domains, the court order allows us to take control of an additional 319 currently registered DGA domains. We are also working to block the future registration of DGA domains,” said Amy Hogan-Burney, general manager of Microsoft’s Digital Crimes Unit.

    Microsoft led the action against ZLoader in partnership with researchers from ESET, Lumen’s Black Lotus Labs, and Palo Alto Networks Unit 42. Avast also assisted in Microsoft’s DCU European investigation. According to ESET, Zloader had about 14,000 unique samples and more than 1,300 unique C&C servers.

    Microsoft acknowledges ZLoader is not finished and is also working with ISPs to identify and remediate infections on infected systems. It has also referred the case to law enforcement. Microsoft in 2020 used a similar legal-technical approach to take down the Trickbot botnet.

    Microsoft in its technical analysis of ZLoader notes that the group used Google Ads to distribute Ryuk ransomware, allowing it to bypass email security and have the lure appear in the browser instead. Malicious ads and email were its primary delivery mechanisms. Each campaign impersonated known tech brands, including Java, Zoom, TeamViewer, and Discord.

    “The actors would purchase Google Ads for key terms associated with those products, such as ‘zoom videoconference.’ Users who performed Google searches for those terms during a specific time would be presented with an advertisement that led to the form grabbing malicious domains,” Microsoft explains.

    For email delivery, the group often used Microsoft Office attachments and abused macros to infect machines. The lures to trick victims into opening a document and enabling macros included COVID-19 alerts, overdue invoice payments and fake resumes.

    It is probably not the end of the story yet, though. “Our disruption is intended to disable ZLoader’s infrastructure and make it more difficult for this organized criminal gang to continue their activities. We expect the defendants to make efforts to revive ZLoader’s operations,” Microsoft said.

  • in

    US warning: Hackers have built tools to attack these key industrial control systems

    Hackers have developed custom tools to gain full system access to a number of industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices, according to the US Cybersecurity and Infrastructure Security Agency (CISA). The warning comes in a joint cybersecurity advisory released by the Department of Energy (DOE), CISA, the NSA, and the FBI that urges all critical infrastructure operators to immediately bolster the security of their ICS/SCADA devices and networks. 

    The custom-made tools have been developed for programmable logic controllers (PLCs) from Schneider Electric and OMRON Sysmac NEX, as well as Open Platform Communications Unified Architecture (OPC UA) servers. CISA says the tools allow for “highly automated exploits” against targeted devices.

    ICS security firm Dragos, which has studied the tools, dubs the toolset Pipedream, the seventh known piece of ICS-specific malware following Stuxnet, Havex, BlackEnergy, Crashoverride, and Trisis. It attributes the malware to an advanced persistent threat (APT) actor it calls Chernovite. “Pipedream is a modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on targets and the environment,” Dragos explains. Mandiant calls the malware INCONTROLLER. In early 2022, it worked with Schneider Electric to analyze the malware.

    The APT group can disrupt ICS devices after gaining a foothold in a target’s operational technology (OT) network, which should be isolated from the internet. The attackers can also compromise Windows workstations used by engineers with an exploit for known vulnerabilities in ASRock motherboard drivers, according to CISA. One known ASRock vulnerability is tracked as CVE-2020-15368 and affects the AsrDrv103.sys driver. The exploit for it can be used to execute malicious code in the Windows kernel, which is below the visibility of anti-malware technology.

    The agencies stress that energy sector organizations in particular need to implement the detections and mitigations detailed in the alert. “By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions,” CISA notes.

    Devices known to be targeted by the APT group include:

      • Schneider Electric MODICON and MODICON Nano PLCs, including (but not necessarily limited to) TM251, TM241, M258, M238, LMC058, and LMC078;
      • OMRON Sysmac NJ and NX PLCs, including (but not necessarily limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT; and
      • OPC Unified Architecture (OPC UA) servers.

    Schneider Electric notes in a security bulletin about the malware that it is not aware of any confirmed or potential use of the malware, but adds: “The framework has capabilities related to disruption, sabotage, and potentially physical destruction.”

    The agencies are urging organizations to “isolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters.” They also recommend using multi-factor authentication for remote access to ICS networks and devices, changing all passwords to them regularly, and removing all default passwords.

    The alert for the energy sector follows multiple warnings from the US government for all organizations to bolster cybersecurity amid rising tensions after Russia’s invasion of Ukraine. Satellite operator Viasat recently confirmed wiper malware knocked out thousands of end-user modems in Europe on the day Russia invaded Ukraine.

  • in

    Extended cyber detection and response facing implementation challenges in APAC

    Three out of four government agencies and critical infrastructure entities in the Asia-Pacific region have flagged extended detection and response (EDR-XDR) solutions as being the most difficult to implement for bolstering cyberdefence efforts, according to a Trellix cybersecurity survey.

    The findings arise after cybersecurity firm Trellix surveyed 200 IT security professionals from Indian, Australian, and Japanese government agencies and critical infrastructure providers that have 500 or more employees. The survey comes as government agencies and critical infrastructure entities in the region face increasingly more cyber attacks, Trellix said.

    Last month, IBM said the Asia-Pacific was the most targeted region last year, accounting for one in four cybersecurity attacks launched worldwide. In that region, Australia, India, and Japan experienced the most incidents.

    Among Australian and Indian respondents, 76% and 77% respectively identified EDR-XDR solutions as the most difficult for organisations to implement; 71% of Japanese respondents said the same thing.

    The root of this difficulty differed between the countries, however, with 60% of Indian respondents identifying a lack of implementation expertise as the biggest barrier to implementing new cybersecurity solutions. Almost half of Australian respondents said a lack of in-house staff resources was the biggest barrier. Japanese respondents flagged a lack of implementation expertise and a lack of recognition from leadership of the need to invest as the top barriers.

    Due to the rising number of cyberthreats, organisations also told Trellix that the task of uplifting software supply chain risk management policies and processes was “extremely or highly difficult”. 74% of surveyed Japanese respondents said this was the case, while 65% and 63% of Indian and Australian respondents, respectively, echoed the same sentiment. 79% of Australian respondents, 82% of Indian respondents, and 66% of Japanese respondents also voiced concerns that there has historically been little oversight over how and where cybersecurity products are developed.

    In terms of what the surveyed organisations believed would be most beneficial for upping cybersecurity standards across the Asia-Pacific region, 86% flagged governments prescribing higher cybersecurity standards as one of the core solutions. “The software supply chain attacks on SolarWinds and Microsoft focused global attention on the seriousness of software supply chain cyber threats and how complicated it is to protect against them. They also realise that their governments can play a significant role in improving their cyber defenses,” Trellix said.

    Another new survey, this one performed by BDO, revealed that organisations in Australia and New Zealand are making fewer ransomware payments but have also seen other adverse impacts grow. For instance, the number of security incidents involving data recovery efforts rose by nearly 160%, with a 5% increase in reportable data breaches accompanying this.

    “Respondents are realising it’s important to look at cyber security incidents as more than just ransoms paid. Industry professionals have noticed that although the number of ransoms being paid is decreasing, the targeting of larger organisations or ‘big game hunting’ of ransoms is maturing,” BDO said.

    According to BDO, the increase in data recovery exercises correlates with respondent data that indicated a 175% year-on-year increase in email being the source of respondent data breaches. BDO said this uptick is another instance of remote work introducing a range of new systems and issues, such as document sharing and distribution.

    Cyber attacks are also becoming more advanced, requiring significantly more time to recover from, respondents told BDO. Compared to 2020, the number of cyber attacks in 2021 causing multiple days of system downtime increased by nearly 215%.

    Amidst this growing landscape, the Australian and Japanese governments have added more resources to protect against threats. Last year, Japan’s Ministry of Defense announced plans to bolster its cybersecurity unit by bringing on 800 new cyber staff to help defend against increasingly sophisticated attacks. In Australia, the federal government pledged to create 1,900 new government jobs over the next five years for one of its cyber agencies, although some experts have expressed concern that those jobs may not be filled due to the country’s tech skills shortage.

  • in

    How to locate a password with the macOS Keychain

    I will start this out by reminding everyone that you should be using a password manager to store and protect all of your passwords. We’ve reached a point where password managers should be considered an absolute must to help with privacy and security.

    That being said, if you’re a user of macOS, then there’s a way to manage your passwords with a built-in tool. Said tool is Keychain Access, which is built into macOS and is ready to serve in the traditional user-friendly way of Apple apps. So, if you’re still not ready to jump on board the password manager trend (you should be), at least you have an option that’s ready to serve.

    I’m going to show you how to open the Keychain Access tool and how to use it to locate (and even change) a saved password in macOS, and even create a new Keychain item.

    The only thing you’ll need to follow along is an Apple laptop or desktop. I’ll demonstrate it on a MacBook Pro running macOS Monterey (version 12.2.1). With that said, let’s get to work.

    Opening the Keychain Access tool

    To open the Keychain Access tool, click on the Launchpad located in the Dock. From there, type keychain and then click on the icon for Keychain Access. In the resulting window, click on the Passwords tab to reveal every entry (Figure 1) that’s been saved to macOS.

    Figure 1: The macOS Keychain Access saves passwords, secure notes, certificates, and keys.

    Make sure to click Local items in the left navigation and you’ll see every password entry that’s been saved locally.

    Viewing a password within the Keychain Access tool

    You can either scroll through the listing or use the search tool to locate the entry you want to view. Once you’ve located the entry in question, double-click it, or right-click it and click Get Info from the resulting menu. A new window will appear (Figure 2) containing all of the information for that entry.

    Figure 2: An entry for a server I have on my LAN includes plenty of information.

    As you can see, the password is hidden from sight. To view the password for the entry, click Show password and, when prompted, type the password for your user account. The password will then appear in the field. You can then either copy it to the clipboard and use it or you can change it (if necessary).

    To change the password, simply erase what’s there and type the new entry. After changing the password, make sure to click Save Changes and the password will be updated.

    Creating a password entry

    Creating a new password entry in Keychain Access is just as simple. From the Passwords tab, make sure to click Local Items and then click the New icon at the top (small square with a diagonal line). When the new window appears (Figure 3), type a name (or URL) for the Keychain item, add an account name (a username), and then type the password associated with the item.

    Figure 3: Creating a new password entry to be stored in the Keychain Access tool.

    Make sure to pay attention to the Password Strength indicator. You always want to be using strong passwords. If your password is weak or fair, make it more complicated until you reach an Excellent rating. Click Add to save the new entry.

    And that’s all there is to locating/editing a password entry in macOS and even creating a new entry. If you’re not ready to migrate to a full-blown password manager, you should at least start using the Keychain Access tool until you’re ready to make the jump.

  • in

    Critical vulnerabilities uncovered in hospital robots

    Vendor Aethon has patched five critical vulnerabilities in hospital robots used to deliver medical supplies.

    The world of health-related cybersecurity issues is still relatively untouched. In recent years, we’ve seen the impact of ransomware outbreaks in hospitals, software vulnerabilities including those that could, in theory, stop a pacemaker from working, and countless patient data leaks at providers worldwide.

    However, unless there’s a clear-cut financial benefit, many cyberattackers will ignore medical devices in favor of hitting businesses likely to provide them with illicit revenue. This doesn’t mean that vendors, or defenders, should ignore vulnerabilities and security issues surrounding medicine, especially as digital health, personalized medicine, and remote care continue to develop.

    Medical devices can fall short of adequate security measures, as recently revealed in Cynerio’s public disclosure of Jekyllbot:5 (PDF), five critical vulnerabilities in Aethon TUG robots.

    Aethon’s mobile robots are autonomous devices used by hundreds of hospitals to perform basic, repetitive tasks to augment existing workforces. TUGs run errands including medicine delivery, cleaning, and dropping off linen and other supplies to healthcare professionals. Stanford is a healthcare provider that uses the robots in drug deliveries; the robots can move at 2mph down pre-determined routes.

    According to Cynerio, the five vulnerabilities allow attackers to take over a robot’s activities, including taking photos; snooping on the hospital in real-time via camera feeds; accessing patient records; and disrupting or blocking drug delivery, all of which could impact patient care. In addition, the team says the bugs could be used to hijack user sessions or “take control of the robot’s movement and crash them into people or objects, or use them to harass patients and staff.”

    The vulnerabilities, now assigned CVEs, are below:

      • CVE-2022-1066 (CVSS 8.2): Missing authorization checks, allowing unauthenticated attackers to add or modify existing user accounts
      • CVE-2022-26423 (CVSS 8.2): Missing authorization checks, allowing free access to hashed credentials
      • CVE-2022-1070 (CVSS 9.8): Failure to verify end users, permitting attackers to access the TUG Home Base Server and take control of connected robots
      • CVE-2022-27494 (CVSS 7.6): User-controlled input is not neutralized, allowing attackers to trigger XSS on report pages
      • CVE-2022-1059 (CVSS 7.6): User-controlled input is not neutralized before being shown in a web portal, so Fleet page users may be subject to reflected XSS attacks

    The critical flaws were found during an audit on behalf of a client healthcare provider. While Cynerio’s customer had not connected their robots to the internet (and therefore was safe from active exploitation), the cybersecurity firm said “several” hospitals had internet-connected robots that could be remotely controlled in the Cynerio Live research lab.

    The vendor was notified of the vulnerabilities through the US Cybersecurity and Infrastructure Security Agency (CISA). Cynerio worked with Aethon to develop suitable patches, and the latest version of TUG firmware contains fixes. In addition, Aethon developed firewall updates at customer hospitals to restrict public access.
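    The two XSS entries above (CVE-2022-27494 and CVE-2022-1059) describe one defect class: user-controlled input reflected into a page without being neutralized. The following is an added example, not Aethon’s or Cynerio’s code, showing a vulnerable page renderer beside a hardened one; the report-page layout, the `fleet` query parameter, the security headers and the sample inputs are all constructed for the example.

```python
"""Added example, not Aethon's or Cynerio's code: the reflected-XSS defect
class behind CVE-2022-27494 and CVE-2022-1059, shown as a vulnerable page
renderer next to a hardened one. The page layout, the 'fleet' parameter,
the header policy and all sample inputs are constructed for this example."""
from html import escape
from urllib.parse import parse_qs


def _fleet_param(query_string):
    """Pull the user-controlled 'fleet' filter out of the query string."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("fleet", ["all"])[0]


def render_report_vulnerable(query_string):
    """'Before': the filter is reflected into HTML with no neutralization,
    so any markup in the query string becomes part of the page."""
    fleet = _fleet_param(query_string)
    return f"<h1>Fleet report: {fleet}</h1>"


def render_report_hardened(query_string):
    """'After': the filter is HTML-encoded before it is reflected, so
    '<', '>', '&' and quotes reach the browser as text, not markup."""
    fleet = _fleet_param(query_string)
    return f"<h1>Fleet report: {escape(fleet, quote=True)}</h1>"


def security_headers():
    """Defense-in-depth headers to send with the page (assumed policy for the
    example): a CSP that forbids inline script blunts a reflection that slips
    through, and nosniff stops content-type guessing."""
    return {
        "Content-Security-Policy": "default-src 'self'; script-src 'self'",
        "X-Content-Type-Options": "nosniff",
    }


def reflects_markup(html_fragment):
    """Crude regression check: does the reflected text still carry a script tag?"""
    return "<script" in html_fragment.lower()


if __name__ == "__main__":
    # Constructed test input: a harmless marker payload used to exercise the check.
    probe = "fleet=<script>alert(1)</script>"
    print(render_report_vulnerable(probe))   # markup reflected verbatim
    print(render_report_hardened(probe))     # markup arrives as &lt;script&gt;...
    print(security_headers())
```

    Output encoding at the point of reflection is the fix that closes the bug class; the headers are a second layer that limits damage if some other page forgets to encode. A benign value such as `TUG-7` renders identically in both versions, which is the property a regression test should pin down alongside the encoded case.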

  • in

    Why quickly patching your iPhones and Macs is more important than ever

    Apple products are secure and don’t get malware or hacked. This is a dangerous myth that continues to circulate despite being total garbage.

    In fact, the number of vulnerabilities in Apple’s products is rapidly catching up with companies like Google and Microsoft.

    A report by Atlas VPN (based on data from Telefonica Tech Cybersecurity) shows how vulnerabilities found in Apple products surged by 467% during the second half of 2021 to 380 exploits, a dramatic rise from the 67 uncovered during the first half of 2021. This puts the number of vulnerabilities found in Apple products in the latter six months of 2021 a stone’s throw away from the top generators of vulnerabilities: Google (511 vulnerabilities) and Microsoft (428 vulnerabilities).

    Chart: Companies with the most vulnerabilities in 2021 H1 and H2 (Atlas VPN/Telefonica Tech)

    According to the report, a good chunk of Apple’s vulnerabilities seem to relate to the Safari web browser and its various operating systems, while the majority of Microsoft’s vulnerabilities are associated with Windows OS versions, Office tools, and the Microsoft Edge browser, and Google’s vulnerabilities are mostly focused around the Android operating system and the Chrome browser.

    So, what does this mean for Apple users?

    First, let go of the perilous myth that your Apple gadgets are immune to hacking and malware. They’re not invulnerable.

    Next, get serious about patching your iPhones, Macs, iPads, and other Apple products. Do it quickly, and check often for any updates you might have missed.

    Finally, be aware of when your Apple products stop being supported by security updates. Once this point is reached, your devices can start to collect vulnerabilities at a rapid pace. As painful as it is, having an eye on replacing obsolete devices is essential to securing your digital information.

  • in

    Sideloading iPhone apps creates a security risk says Apple's Tim Cook, so don't force us to support it

    Apple chief Tim Cook has hit out at proposed competition laws that would force it to allow apps to be downloaded from other app stores, something known as ‘sideloading’, which he warned could undermine security.

    Cook on Tuesday used his speech at the International Association of Privacy Professionals (IAPP) summit to express Apple’s alarm about US and European proposals that could force it to let users sideload apps on the iPhone outside of the App Store.

    Two competition proposals that threaten Apple’s services-oriented business are the EU’s Digital Markets Act (DMA) and the US Open App Markets Act. Both target “gatekeepers” such as Apple and Google. The US proposal, which as of February gained broad support from US lawmakers, aims to require sideloading of apps and remove the need for developers to use Apple’s and Google’s in-app payment systems. Meanwhile, members of the European Parliament agreed to support the DMA last month, which would require messaging platforms from Google, Apple, Meta and others to work together, just like SMS works today.

    Apple on multiple occasions has argued against sideloading because it’s a malware risk to iPhones, and it isn’t fond of the DMA either, for security reasons. Google is worried the DMA will “reduce innovation and the choice available to Europeans”.

    Cook said Apple is concerned that these competition regulations put users’ privacy and security at risk. Apple is committed to “protecting people from a data industrial complex built on a foundation of surveillance,” he said, echoing a phrase he used in 2018 when petitioning US federal lawmakers to create a federal privacy law that emulates Europe’s General Data Protection Regulation (GDPR).

    “We have long been supporters of the GDPR … and we continue to call for a strong privacy law in the United States,” said Cook. “We are deeply concerned by regulations that would undermine privacy and security in service of some other aim.”

    “Here in the United States, policy makers are taking steps that would force Apple to let apps on the iPhone that would circumvent the App Store through a process called sideloading. That means data hungry companies would be able to avoid our privacy rules and once again track users against their will.”

    “It would also potentially give bad actors a way around the comprehensive security protections we put in place, putting them in direct contact with our users. And we have already seen the vulnerability that that creates on other companies’ devices.”

    He noted that during the early part of the pandemic, smartphone users were downloading seemingly legitimate COVID-19 tracing apps that turned out to be ransomware.

    “But these victims weren’t iPhone users because the scheme directly targeted those that could install apps from websites that lacked the App Store’s defenses. Proponents of this legislation argue that no harm would be done by simply giving users the choice. But taking away a more secure option will leave users with less choice,” said Cook.

  • in

    Clueless hackers spent months inside a network and nobody noticed. But then a ransomware gang turned up

    Novice hackers who didn’t know what they were doing spent months inside a government agency network without being detected, before higher-skilled attackers came in after them and launched a ransomware attack.

    Analysis of the incident at an unspecified US regional government agency by cybersecurity researchers at Sophos found that the amateur intruders left plenty of indicators they were in the network. Yet despite a lack of subtlety and leaving a trail behind, they weren’t detected, because of what Sophos researchers describe as “strategic choices” made by the IT team that made life easy for them.

    The attackers initially broke into the network using one of the most popular techniques deployed by cyber criminals: breaching the password of internet-facing Windows Remote Desktop Protocol (RDP) on a firewall. It’s uncertain how the password itself was breached, but common methods include brute-force attacks and phishing emails.

    They also got lucky, because the compromised RDP account wasn’t only a local admin on the server, but also had domain administrator permissions, allowing the account to be exploited to create admin accounts on other servers and desktops.

    But despite all this power, the intruders didn’t seem to know what to do once they had access to the network. Analysis of activity logs suggested they used the servers they controlled inside the network to run Google searches to look for hacking tools, then followed pop-up ads to pirated software downloads. Researchers say this left the server riddled with adware, with the hackers unintentionally infecting the servers they controlled with malware. The victim organisation didn’t notice any of this was happening.

    Log data suggests that the attackers were regularly disappearing for days at a time before returning to look around the network, occasionally creating new accounts to gain access to other machines. This continued for months, with the attackers seemingly learning how to hack networks as they went along, as well as installing cryptomining malware on the compromised servers.

    “This was a very messy attack,” says Andrew Brandt, principal security researcher at Sophos. “They then seemed unsure of what to do next.”

    But after four months, the attacks suddenly became more focused and more sophisticated. Following a three-week hiatus with no activity, attackers remotely connected and installed the password-sniffing tool Mimikatz in order to gain access to additional usernames and passwords, storing them all in a text file on the desktop of admin-level accounts they created. These attackers also looked to remove the coinminer which had previously been installed and attempted to uninstall antivirus software on endpoints.

    It’s likely that the higher sophistication of the attacks means new intruders had gained access to the network. “When you see an abrupt change in both goals and skill level in an attack like this, in which the original ingress point is at that point still open as it was in this case, the safe bet is that another attacker has entered the space,” says Brandt.

    It was at this point the IT department noticed something strange was happening, taking servers offline to investigate. But in order to do this, they also disabled some cybersecurity protections, and the attackers took advantage. The intruders repeatedly dumped new account credentials and created new accounts in order to continue their attacks. The logs were also wiped repeatedly, in what could have been an attempt to cover their tracks.

    The new, much more sophisticated attackers also stole a set of sensitive files as they worked towards the apparent end goal of a ransomware attack, which fully encrypted some of the machines on the network with LockBit ransomware. But the attack didn’t affect all the machines, and the IT department, with the aid of Sophos analysts, was able to clean up and restore services.

    However, the whole attack could have been prevented if better cybersecurity strategies had been in place, as attackers were able to freely enter and move around the network without being detected, particularly because measures were implemented to improve efficiency rather than cybersecurity, even when it was clear the organisation was under attack.

    “Disabling features like tamper protection on endpoint security software seemed to be the critical lever the attackers needed to completely remove protection and complete their jobs without hindrance,” researchers said in the blog post.

    Applying multi-factor authentication to user accounts would have helped prevent them from being exploited, and login notifications would have provided a warning that something suspicious was under way. Meanwhile, properly monitoring the network would have indicated something was wrong when the attackers were snooping around, and certainly before another set of hackers broke in and laid the foundation for a ransomware attack.

    “Defenders have to keep watch on their network, whether in-house or through a managed-services partner. Keeping an eye out for smaller oddities or incidents – even something as simple as someone logging into a system at odd hours or from an unusual location – can make the difference,” said Brandt.
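    The “smaller oddities” Brandt names (odd-hour logons, logons from an unusual location, and new accounts being created) are cheap to check for once authentication events are being collected. The following is an added example, not code from the Sophos write-up or from ZDNet: a small detector run over a handful of constructed log lines. The line format, the internal address range, the working-hours policy and every sample line are assumptions made for the example.

```python
"""Added example, not the Sophos write-up's or ZDNet's code: a small detector
for the 'smaller oddities' the article names, namely logons at odd hours,
logons from an unusual location, and new account creation. The log format,
the internal network range, the working-hours policy and every sample line
below are constructed for this example; point the parser at your own
authentication logs and adjust the policy values to your environment."""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample lines (not real log data). 203.0.113.0/24 is a
# documentation range used here to stand in for an outside address.
SAMPLE_LOG = """\
2022-01-10T09:12:04 host=FILESRV01 event=logon user=jdoe src=10.20.1.55 type=rdp
2022-01-10T14:30:11 host=FILESRV01 event=logon user=asmith src=10.20.1.60 type=rdp
2022-01-11T02:47:39 host=FILESRV01 event=logon user=admin src=203.0.113.45 type=rdp
2022-01-11T02:49:02 host=FILESRV01 event=useradd user=svc_backup2 by=admin
2022-01-11T02:51:15 host=DC01 event=logon user=svc_backup2 src=10.20.1.10 type=rdp
2022-01-12T11:05:00 host=DC01 event=logon user=jdoe src=10.20.1.55 type=rdp
"""

# Assumed policy values: addresses that count as 'usual', and the hours that count as normal.
TRUSTED_NETS = [ip_network("10.20.0.0/16")]
WORK_HOURS = range(7, 20)  # 07:00 to 19:59 is normal; anything else is an odd hour

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp key=value ...' line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        rec = {"ts": datetime.fromisoformat(m.group("ts"))}
    except ValueError:
        return None
    for token in m.group("kv").split():
        if "=" in token:
            key, value = token.split("=", 1)
            rec[key] = value
    return rec


def detect_oddities(log_text, trusted_nets=TRUSTED_NETS, work_hours=WORK_HOURS):
    """Return a list of (rule, detail) alerts for the oddities named above."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        user = rec.get("user", "?")
        host = rec.get("host", "?")
        when = rec["ts"].strftime("%Y-%m-%d %H:%M")
        if rec.get("event") == "logon":
            if rec["ts"].hour not in work_hours:
                alerts.append(("odd_hour_logon", f"{user} on {host} at {when}"))
            src = ip_address(rec.get("src", "0.0.0.0"))
            if not any(src in net for net in trusted_nets):
                alerts.append(("unusual_source", f"{user} on {host} from {src} at {when}"))
        elif rec.get("event") == "useradd":
            alerts.append(("account_created",
                           f"{user} created by {rec.get('by', '?')} on {host} at {when}"))
    return alerts


def count_by_rule(alerts):
    """Summarise alerts as {rule: count} so a reviewer sees the pattern at a glance."""
    counts = {}
    for rule, _ in alerts:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for rule, detail in detect_oddities(SAMPLE_LOG):
        print(f"{rule:16} {detail}")
```

    On the constructed sample the detector raises four alerts: an odd-hour logon by `admin`, the same logon coming from outside the trusted range, the creation of `svc_backup2` by that account, and an odd-hour logon by the new account two minutes later. Any one of those is a weak signal; the cluster inside a few minutes is the kind of sequence the article says went unnoticed for months, and it is visible only because the logs were kept and someone looked.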