More stories

  • Ransomware is now a giant black hole that is sucking in all other forms of cybercrime

    Ransomware is so lucrative for the gangs involved that other parts of the cybercrime ecosystem are being repurposed into a system for delivering potential victims.


    “The gravitational force of ransomware’s black hole is pulling in other cyberthreats to form one massive, interconnected ransomware delivery system — with significant implications for IT security,” said security company Sophos in a report. Ransomware is considered by many experts to be the most pressing security risk facing businesses, and it’s extremely lucrative for the gangs involved, with ransom payouts increasing significantly.

    Sophos said that ransomware is becoming more modular, with different groups specialising in particular elements of an attack. It also pointed to the linked rise of ‘ransomware-as-a-service’, where criminal gangs can purchase access to tools to run their own ransomware attacks when they lack the technical ability to create those tools themselves.

    These so-called ransomware ‘affiliates’ don’t even have to find their own potential victims: the ransomware ecosystem has developed so that they can go to other groups who specialise in gaining access to corporate networks and who will sell that backdoor on to them.

    As well as doing business with these ‘initial access brokers’, would-be ransomware attackers can turn to botnet operators and malware delivery platforms to find and target potential victims. And because of the potential profit to be made, these groups are increasingly focusing on serving ransomware gangs rather than concentrating on less lucrative forms of online crime, Sophos said.

    “Established cyberthreats will continue to adapt to distribute and deliver ransomware. These include loaders, droppers and other commodity malware; increasingly advanced, human-operated Initial Access Brokers; spam; and adware,” said the security company.

    The idea of ransomware-as-a-service has been around for a while, and has often been a way for lower-skilled or less well-funded attackers to get started. But what has changed now, said Chester Wisniewski, principal research scientist at Sophos, is that ransomware developers are using this as-a-service model to optimise their code and get the biggest payouts, offloading to others the tasks of finding victims, installing and executing the malware, and laundering the cryptocurrency.

    Separate research has even suggested that ransomware gangs are now rich enough to start buying their own zero-day flaws, something that was previously only available to state-backed hackers.

    “This is distorting the cyberthreat landscape,” Wisniewski said, as common threats such as loaders, droppers, and Initial Access Brokers — which were around and causing disruption well before the ascendancy of ransomware — are now servicing the demands of ransomware gangs.

  • Palo Alto Networks raises FY22 revenue guidance

    Palo Alto Networks on Thursday published solid first-quarter financial results and raised its FY 2022 revenue guidance. Non-GAAP net income for the first quarter was $170.3 million, or $1.64 per diluted share. First-quarter revenue grew 32% year-over-year to $1.2 billion. Analysts were expecting earnings of $1.57 per share on revenue of $1.2 billion.

    “Q1 was a strong start to fiscal year 2022, driven by strength in both our product and Next-Generation Security businesses, giving us confidence to raise our revenue and billings guidance for the year,” chairman and CEO Nikesh Arora said in a statement. “We continue to see strong customer demand and have continued to release key innovations which give us confidence in the durable growth we presented at our September Analyst Day.”

    First-quarter billings grew 28% year-over-year to $1.4 billion. Remaining performance obligation (RPO) grew 37% to $6 billion.

    The company highlighted the performance of Prisma SASE, noting rapid adoption of the secure access service edge (SASE) service. Prisma SASE saw 100% year-over-year ARR growth. Meanwhile, more than 25% of new Prisma SASE customers over the last 12 months are new to Palo Alto Networks. The company now has 1,756 SASE customers, up 61% year-over-year.

    In the area of cloud-native security, Palo Alto reported that it now has 1,676 Prisma Cloud customers, up 26% year-over-year.

    For Q2 2022, Palo Alto expects revenue in the range of $1.265 billion to $1.285 billion. Analysts are expecting revenue of $1.27 billion. For the full fiscal year 2022, the company expects total revenue in the range of $5.35 billion to $5.40 billion, representing year-over-year growth of between 26% and 27%. Last quarter, the company forecast FY2022 revenue in the range of $5.275 billion to $5.325 billion.


  • Cloud security firm Lacework secures $1.3 billion in new funding round

    Lacework has raised $1.3 billion in a new funding round to bolster its position in the cloud security market. 

    Announced on Thursday, the Series D funding round was led by existing investors Sutter Hill Ventures, Altimeter Capital, D1 Capital Partners, and Tiger Global Management. New investors have joined, including Liberty Global, General Catalyst, Snowflake Ventures, and Morgan Stanley Investment Management.

    Founded in 2015, Lacework develops security solutions for cloud environments, containers, and DevOps teams. The Lacework Cloud Security Platform collects, analyzes, and compiles security and threat data for anomaly detection, event and alert visualization, and compliance. The San Jose, Calif.-based company counts Cloudera, VMware, Nextdoor, and Snowflake among its customers.

    Lacework says the cash injection will be used to expand go-to-market strategies in the cloud security sector and to fund product development and innovation. In addition, the security firm says that some of the funding will be used to “pursue additional strategic acquisitions,” building upon the recent purchase of Soluble.

    Soluble, a cloud infrastructure management company, was acquired earlier this month. The purchase price was not disclosed. Lacework previously closed a $525 million funding round and has now completed five separate funding rounds since 2015.

    “Lacework’s Cloud Security Platform was built in the cloud, for the cloud. It’s a fundamentally different — and better — approach to security that is already dramatically reshaping the security market,” commented Mike Speiser, Managing Director of Sutter Hill Ventures. “With an outstanding platform and an exceptional team, Lacework has repeatedly exceeded every goal over the last 18 months. We continue to believe this is one of our most promising portfolio companies.”

  • Dark web crooks are now teaching courses on how to build botnets

    Botnets are one of the key drivers of cyberattacks, used to distribute malware, ransomware and other malicious payloads – and dark web forums are now offering lessons on how to make money from them, a move that is likely to increase the threat over time.

    Infected computers and devices in a cyber criminal-controlled botnet can be used to send phishing emails or malware to even more devices. It’s common for botnet operators to lease out their collection of unwittingly controlled machines – which can number in the thousands – to other cyber criminals.


    For example, TrickBot malware ropes machines into a botnet, providing the attacker with a backdoor into them. That access is often sold to cyber criminals who then use it to deploy ransomware, encrypting files and demanding a significant ransom payment. Many botnets are used to steal usernames and passwords, while others take the processing power of the machines they control and lease it out to launch DDoS attacks that flood websites with traffic and take them down.

    Botnet operators can, therefore, make significant sums of money, and now there are dark web operators who are offering online courses to train others on using botnets – and they operate much like their legitimate counterparts teaching cybersecurity and other skills in online courses.

    Cybersecurity researchers at Recorded Future analysed advertising and activity in a botnet school on a prominent underground forum and found that these courses are in demand – something that could be a potential issue for organisations that might be targeted by cyber criminals learning these skills.

    “It’s essentially like as if you’re in college,” Danny Panton, cybercrime intelligence analyst at Recorded Future, told ZDNet. “You’ll have a director and they’ll be virtually teaching you – I don’t believe cameras are going to be on the person – but they have access to a platform and are taught insights into what you need to do to leverage botnets against potential victims.”

    Those teaching the courses include individuals who run large botnets themselves. The courses aren’t cheap – they cost over $1,400 – but promise to provide even novice cyber criminals with knowledge on how to build, maintain and monetise botnets.

    “It really is a range of cybercrime experience and levels. You might have people who are seasoned cybercrime fraudsters, but aren’t really familiar with using botnets,” Panton explained. “Then there are people who are just completely new to cybercrime as a whole and just are curious and want to become better seasoned and increase their skills,” he added.

    Given the nature of the cybercrime world, some might be suspicious that if they hand over money to take part in the course, they’ll be scammed and get nothing in return. But it seems to be a legitimate service, and the course is subject to reviews, which suggest that the botnet school really offers what it says it does. If it was a scam, it wouldn’t have lasted so long.

    Researchers don’t have the data to detail how many wannabe cyber criminals have taken the course in total, but during the time spent analysing this activity, the number of people taking the classes at any one time varied: sometimes as few as five people, sometimes as many as 100.

    The course covers subjects including how to run a botnet in a way designed to avoid law enforcement attention – because, as demonstrated by the Emotet takedown, the authorities will clamp down hard on botnets when they can. And researchers warn that the existence of these courses likely leads to an increase in the threat of botnets – although by how much is hard to quantify without being able to track the activity of individual users.

    “It is highly likely that, as a result of these courses, more threat actors become proficient in botnet-oriented attacks,” said Panton.

    Botnets remain a significant threat to computer networks, but there are measures that can be taken to avoid becoming a victim. These include ensuring networks are updated with the latest security patches, making sure that default manufacturer passwords aren’t in use, and ensuring that internet-facing ports that aren’t necessary for the function of devices are closed.

  • US, UK, and Australia pin Iran for exploiting Fortinet and Exchange holes
    Cyber authorities across the US, UK, and Australia have called for administrators to immediately patch a quartet of vulnerabilities — CVE-2021-34473, CVE-2020-12812, CVE-2019-5591, and CVE-2018-13379 — after attributing some attacks that used them to attackers backed by Iran.

    “FBI and CISA have observed this Iranian government-sponsored APT group exploit Fortinet vulnerabilities since at least March 2021, and a Microsoft Exchange ProxyShell vulnerability since at least October 2021 to gain initial access to systems in advance of follow-on operations, which include deploying ransomware,” a joint release stated. “ACSC is also aware this APT group has used the same Microsoft Exchange vulnerability in Australia.”

    Rather than going after a certain sector of the economy, the authorities said the attackers were simply focused on exploiting the vulnerabilities wherever possible; once in, they then tried to turn that initial access into data exfiltration, a ransomware attack, or extortion. Using the Fortinet and Exchange holes for access, the attackers would then add tasks to the Windows Task Scheduler and create new accounts on domain controllers and other systems, named to look like existing accounts, to maintain access. The next step was to turn on BitLocker, leave a ransom note, and get the data out via FTP.

    In April, the FBI and CISA issued warnings of the vulnerabilities in Fortinet gear being actively exploited, and the full quartet of authorities placed Fortinet on the top 30 exploited vulnerabilities in July. Separately on Wednesday, Microsoft issued its own warning of six Iranian groups using vulnerabilities in the same pair of products to drop ransomware.

    The Exchange vulnerabilities cited, known as ProxyShell, were initially exploited by Beijing-backed hackers.

    ASD is confident it can remain on top of technology

    Speaking in Canberra on Thursday, the director-general of the Australian Signals Directorate, of which the Australian Cyber Security Centre (ACSC) is a part, Rachel Noble, said the Five Eyes were ready to handle new technology such as quantum cryptography.

    “A lot of planning is going ahead now among the Five Eyes for quantum-resistant cryptography, so we’ll be ready when quantum computing is out there [and] encryption keys that protect our military and government secrets will be resistant to that,” she said. “We’ve always sort of stayed on top of technology in that regard, and we love to be first to have that and I’m sure we’ll continue to do that in the future. I think quantum computing has an enormous ability to assist us with our signals intelligence and cyber defensive missions.

    “So of course, we’re investing in making sure we’re ready to go when the world delivers it to us.”

    The director-general said there were times previously when the ASD believed intelligence-gathering avenues could go dark, but that has not come to pass.

    “I recall at the time the conversations in ASD about how difficult this would be for us. The irony now is that we feared the lack of communications on the airways and yet now most of us will connect to the Internet by Wi-Fi,” Noble said. “That’s not to say that the change didn’t bring huge challenges for us. Through a mastery of our business and innovation — the people of ASD prevailed.”

    Noble said efforts last year to take down COVID-19 scammers saw ASD resort to offensive cyber operations because trying to get local telcos to block each IP was not working and became a game of whack-a-mole.

    “We used our covert online operations and computer network attack capabilities to infiltrate the syndicate and tear it down from the inside. I am proud to say that to this day, that syndicate has not been able to restart their vile business and we’ll be there if they try,” she said. “In cyberspace, ASD is increasingly becoming the first and last line of digital defence that protects our country from cyber attacks, and thwarts those who seek to attack Australia by launching offensive cyber operations of our own. And we are right now fighting that battle with criminals — state actors and serious and organised crime.”

    Earlier this year, Noble revealed a nationally known company resisted approaches from the ASD after being hacked, and called in the lawyers. Speaking on Thursday, Noble said ASD could bring signals intelligence expertise to bear in such situations.

    “It is this intelligence, the decades of investment in capabilities, and the expertise of our people that give us a cutting edge as cybersecurity experts over and above any private company and any other governments in the world,” she said. “So when we ring you and tell you we think you’ve got a problem, and give you some advice about what you might want to do about that, I implore you to take that advice and understand that it might be coming from some of the most top secret and sensitive insights in the world.

    “We might not be able to tell you the details of what those insights are and in the end you can take your own chances for not listening.

    “But in the national interest, we would prefer that you didn’t take that chance.”

  • Singapore delays satellite road toll system due to global chip shortage

    Singapore has again pushed back the deployment of its next-generation electronic road pricing (ERP) system, this time due to the global chip shortage. The satellite-based network is now expected to be rolled out in the second half of 2023, instead of end-2021. It was originally slated to be implemented from 2020, but this was delayed to early this year, with completion set for mid-2023. The government then had pointed to the impact of COVID-19 on global supply chains as the reason for the revised timeline.

    With the Global Navigation Satellite System (GNSS) ERP network now anticipated to be rolled out only from the second half of 2023, it would mean a delay of almost two years before implementation works, spanning 18 months, would be completed. These will include the installation of a new on-board unit to replace current in-vehicle units, which are mandatory for all registered vehicles in Singapore, with few exceptions that include vehicles that do not use public roads on the mainland or are subject to usage restrictions, such as tractors and construction equipment.

    The on-board unit is described as “central” to the new ERP system, providing various services to motorists such as alerts on electric charging locations and real-time traffic data. The supply of critical microchips needed for these units, however, had been affected by the “worsening” global shortage, which also had impacted other industries, said the Land Transport Authority (LTA) in a statement Wednesday.

    The industry regulator noted that, amidst accelerated global demand during the pandemic, the suspension of operations in major semiconductor foundries across multiple countries had affected production. This, in turn, severely impacted the production of electronic devices in multiple sectors including consumer electronics, industrial machines, and automotive. According to LTA, parts required for the on-board units had to be sourced from different suppliers, some of which had indicated their inability to meet the required delivery schedules for critical components. This shortage was expected to continue throughout 2022, with chip production projected to ramp up gradually from end-2022 to mid-2023.

    Due to the uncertainty in the supply chain, implementation of the on-board units should only commence when production was “stable and sufficient”, it said. “To ensure a smooth and uninterrupted installation exercise for all motorists, the installation of on-board units is now planned to commence in the second half of 2023, instead of end-2021,” LTA said. It added that it would work with local systems integrator NCS and Mitsubishi Heavy Industries (MHI) Engine System Asia on the production and installation of the on-board units. MHI Machinery Systems’ president Naoaki Ikeda said the company was “working closely” with its supply chain partners to source the affected components and “safeguard their availability” for the installation.

    Singapore’s current ERP system, launched in 1998, uses a combination of smart card and RFID (radio frequency identification) technology to collect toll charges as vehicles, including motorbikes, drive through gantries. These typically are located along highways and roads that are frequently congested during peak hours. Smart cards carrying stored cash value, also dubbed CashCards, are inserted into the in-vehicle units and funds are deducted each time the vehicle passes through an ERP gantry that is in operation. According to LTA, the current system is increasingly expensive to maintain and the new GNSS infrastructure will do away with the need for bulky gantries, which will be replaced with slimmer ones.

    As of October 2021, Singapore has a vehicle population of 987,450, comprising cars, taxis, buses, and motorcycles.

  • Now Iran's state-backed hackers are turning to ransomware

    Microsoft has detailed the activities of six Iranian hacker groups that are behind waves of ransomware attacks that have arrived every six to eight weeks since September 2020. Russia is often seen as the home of the biggest cyber-criminal ransomware threats, but state-sponsored attackers from North Korea and Iran have also shown a growing interest in ransomware. 


    Microsoft said Iranian hacking groups are using ransomware to either collect funds or disrupt their targets, and are “patient and persistent” while engaging with their targets – although they will use aggressive brute-force attacks.

    The most consistent of the six Iranian threat groups is one Microsoft tracks as Phosphorus (others call it APT35). Microsoft has been playing cat and mouse with the group for the past two years. While the group was initially known for cyber espionage, Microsoft details its strategies for deploying ransomware on targeted networks, often using Microsoft’s Windows disk-encryption tool BitLocker to encrypt victim files.

    Other cybersecurity firms last year detected a rise in ransomware from Iranian state-backed hackers using known Microsoft Exchange vulnerabilities to install persistent web shells on email servers and deploy Thanos ransomware. According to Microsoft, Phosphorus was also targeting unpatched on-premises Exchange servers and Fortinet’s FortiOS SSL VPN in order to deploy ransomware.

    In the second half of 2021, the group started scanning for the four Exchange flaws known as ProxyShell that were initially exploited as zero days by Beijing-backed hackers. Microsoft released patches for CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 in April. ProxyLogon was one of several exploits that made up ProxyShell.

    An account by security specialist DFIR Report notes Phosphorus used BitLocker on servers and DiskCryptor on PCs. Their activity stood out because it didn’t rely on ransomware-as-a-service offerings that are popular among cyber criminals and didn’t create custom encryptors.

    “After compromising the initial server (through vulnerable VPN or Exchange Server), the actors moved laterally to a different system on the victim network to gain access to higher value resources,” the Microsoft Threat Intelligence Center (MSTIC) notes in a blogpost. “From there, they deployed a script to encrypt the drives on multiple systems. Victims were instructed to reach out to a specific Telegram page to pay for the decryption key.”

    The group also tries to steal credentials by sending “interview requests” to targeted individuals through emails that contain tracking links to confirm whether the user has opened the file. Once a response is received from the target user, the attackers send a link to a list of interview questions and then a link to a fake Google Meeting, which would steal login details.

    Other groups mentioned in Microsoft’s report included an emerging Iranian hacking group that recently targeted Israeli and US organizations in the Persian Gulf with password-spraying attacks. Microsoft highlights that the adoption of ransomware aided the Iranian hackers’ efforts in espionage, disruption and destruction, and in supporting physical operations. Their arsenal of attacks included ransomware, disk wipers, mobile malware, phishing, password-spray attacks, mass exploitation of vulnerabilities, and supply chain attacks.

  • The ransomware threat is getting worse. But businesses still aren't taking it seriously

    Ransomware is the most significant cybersecurity threat facing the country today, but many businesses still aren’t taking the threat as seriously as they should be, the National Cyber Security Centre (NCSC) has warned. In its newly published annual review, the NCSC – the cybersecurity arm of intelligence agency GCHQ – details the incidents and threats the UK has faced during the past 12 months, including cyberattacks against the health service and vaccine developers during the coronavirus pandemic, state-sponsored cyber-espionage campaigns, phishing scams and more.  

    But, because of the likely impact a successful attack could have on essential services or critical national infrastructure, it’s ransomware that is viewed as the most dangerous cyber threat – and one that more leadership teams need to think about.

    “One of the trends that the NCSC has seen over the last year was a worrying growth in criminal groups using ransomware to extort organisations. In my view it is now the most immediate cybersecurity threat to UK businesses and one that I think should be higher on the boardroom agenda,” said Lindy Cameron, CEO of the NCSC.

    The number of ransomware attacks has grown significantly during the past year, with the NCSC handling as many incidents by April 2021 as it had in all of 2020. “In the first four months of 2021, the NCSC handled the same number of ransomware incidents as for the whole of 2020 – which was itself a number more than three times greater than in 2019,” said the NCSC report.

    The severity of some ransomware attacks means organisations can take a long time to recover. The NCSC paper notes that Hackney London Borough Council suffered significant disruption to services when a cyberattack resulted in IT systems being down for months, affecting the availability of local services, and requiring a recovery that cost millions of pounds.

    Alongside local governments, universities have been a common victim of ransomware attacks, to the extent the NCSC has issued specific advice on how these institutions can protect themselves against attacks.

    “In the UK there was an increase in the scale and severity of ransomware attacks, targeting all sectors from businesses to public services. In response, the NCSC has identified and mitigated numerous threats, whether committed by sophisticated state actors, organised criminal groups or lone offenders,” said Sir Jeremy Fleming, director of GCHQ.

    In total, including ransomware attacks, the NCSC has helped handle 777 incidents during the past year, up from 723 the previous year and an average of 643 a year since the NCSC launched in 2016.

    But while ransomware is a significant and ever-evolving threat, there are measures that organisations can take to help avoid falling victim to an attack, or lessen the impact should the network be compromised by file-encrypting malware.

    As detailed by the paper, the most common entry point for ransomware attacks is remote desktop protocol (RDP), where hackers take advantage of insecure RDP configurations to gain access to the network. Organisations can counter this by encouraging users to use unique, difficult-to-guess passwords – the NCSC recommends using three memorable words for accounts – and by introducing multi-factor authentication as an extra barrier to attacks.

    The shift towards remote working has led to a big rise in the use of Virtual Private Networks (VPNs) which, if not managed properly, can provide a gateway for outside attackers to enter the network. The paper also notes how ransomware gangs take advantage of unpatched devices and advises organisations to ensure security updates are rolled out in a timely fashion to help protect the network from cyber criminals exploiting known vulnerabilities.

    The NCSC regularly publishes advice on threats and how to protect networks from attacks – and one of the key aims of the organisation is to make sure the message gets heard by those who need to hear it.

    “Ransomware, mostly, doesn’t need a specific response, it needs the things we’ve been telling people to do for a long time. Part of our challenge is helping people do that or understanding what they need to do to apply it as much as possible,” said Cameron.