More stories

  •

    IT, healthcare and manufacturing facing most phishing attacks: report

    A new report from cybersecurity firm Avanan found that their customers in the IT, healthcare and manufacturing industries were facing the highest number of phishing emails. The company’s researchers examined more than 905 million emails for the 1H 2021 Global Phish Cyber Attack Report, finding that the IT industry specifically saw 9,000 phishing emails in a one month span out of almost 400,000 total emails. Their healthcare industry customers saw more than 6,000 phishing emails in one month out of an average of over 450,000 emails and manufacturing saw a bit less than 6,000 phishing emails out of about 330,000 total emails. 

    Avanan researchers said these industries are ripe targets because of the massive amount of personal data they collect and because they are often stocked with outdated technology that can be easily attacked. Gil Friedrich, CEO of Avanan, said the report highlighted the perilous situation facing thousands of hospitals around the world. “The Avanan research shows that hackers are using one of the most basic tactics to get in – phishing attacks,” Friedrich said.

    About 5% of all emails are phishing, according to the report, and many hackers are now targeting “low-hanging fruit” rather than higher-value C-level executive accounts. Most phishing attacks involve either impersonation or credential harvesting, the researchers found. More than half of all phishing attacks involve credential harvesting, a figure that has grown by almost 15% since 2019. About 20% of all phishing attacks are related to Business Email Compromise.

    Non-executive accounts are targeted 77% more than other accounts, the report said, and nearly 52% of all impersonation emails pretend to be from a non-executive account at an enterprise. “There are a few reasons behind this. One, security admins might be spending a lot of time providing extra attention to the C-Suite and hackers have adjusted. Two, non-executives still hold sensitive information and have access to financial data. There is no need to go all the way up the food chain,” Avanan researchers said.

    Avanan works as a second layer of defense behind Microsoft’s EOP, ATP/Defender, Google Workspace and other tools. The report said more than 8% of all phishing emails got past the first layers of defense and into people’s inboxes “because of an allow or block list misconfiguration, a 5% increase from last year, and 15.4% of email attacks are on an Allow List.” It added: “The most commonly used tactic is using non-standard characters and limited sender reputation. Non-standard characters are used in 50.6% of phishing links and 84.3% of phishing emails do not have a significant historical reputation with the victim.”

    Avanan researchers also noted that the Junk Email folder has become a haven for phishing emails, confusing users who look through their Junk folders for marketing emails and subscriptions. The report said messages with Spam Confidence Level (SCL) scores of 5, 6 and 9 are sent to a Microsoft user’s Junk folder, where they sit alongside legitimate emails offering deals and other things. “You now have monthly subscriptions, newsletters, and targeted phishing attacks in your spam folder, and you have to leave it up to the end-user to decide which ones are safe to open,” one unnamed CIO told Avanan researchers. The same happens for Google users, but Microsoft users see 89% more emails in Junk than Google users do, according to the report.

    “An easy way to determine if an email is suspicious is by looking at sender reputation. It’s no wonder, then, that 84.3% of all phishing emails do not have a significant historical reputation with the victim. Further, 43.35% of all phishing emails come from domains with very low traffic,” the report said.
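    The three signals the report leans on (non-standard characters in links, no sender history with the recipient, and the SCL value that decides Junk routing) can be scored mechanically at the mailbox or SIEM layer before a user ever opens the Junk folder. The following is an added example, not Avanan’s code or any tool from the report: the two messages and the recipient’s sender-history table are constructed, and the X-MS-Exchange-Organization-SCL header, which Exchange Online Protection stamps on filtered mail, is read as a plain integer.

```python
"""Phishing triage over raw messages (added example, not Avanan's code).

Scores a message on three signals from the report: non-standard characters in
links, no prior sender history with the recipient, and a Microsoft SCL value
that Exchange Online Protection routes to the Junk folder.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# SCL values EOP sends to Junk by default: 5-6 = spam, 9 = high-confidence spam.
JUNK_SCL = {5, 6, 9}


def link_has_non_standard_chars(url: str) -> bool:
    """True if the link's host is non-ASCII or carries a punycode (xn--) label."""
    host = urlsplit(url).hostname or ""
    if not host.isascii():
        return True
    return any(label.startswith("xn--") for label in host.split("."))


def sender_domain(msg) -> str:
    """Domain of the header From address, lower-cased."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def parse_scl(msg):
    """Integer SCL from the EOP header, or None if absent or malformed."""
    raw = (msg.get("X-MS-Exchange-Organization-SCL") or "").strip()
    return int(raw) if raw.lstrip("-").isdigit() else None


def triage(raw_message: str, history: dict) -> dict:
    """Evaluate one message; history maps recipient -> set of sender domains seen before."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, recipient = parseaddr(msg.get("To", ""))
    sender = sender_domain(msg)
    reasons = []

    # Signal 1: no historical relationship between this sender domain and the recipient.
    if sender not in history.get(recipient.lower(), set()):
        reasons.append(f"first-contact sender domain {sender}")

    # Signal 2: links whose host uses non-ASCII or IDNA-encoded labels.
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body else ""
    bad = [u for u in URL_RE.findall(text) if link_has_non_standard_chars(u)]
    if bad:
        reasons.append("non-standard characters in link(s): " + ", ".join(bad))

    # Signal 3: the filter already judged it spam, but Junk is still user-readable.
    scl = parse_scl(msg)
    if scl in JUNK_SCL:
        reasons.append(f"SCL {scl} lands in Junk, which users still read")

    return {"sender": sender, "scl": scl, "reasons": reasons, "score": len(reasons)}


# Constructed samples (not real mail): one prior relationship and two messages.
HISTORY = {"alice@example.com": {"example.com", "newsletter.example.net"}}

PHISH = """\
From: Payroll <hr@payroll-example.com>
To: alice@example.com
Subject: Updated pay stub
X-MS-Exchange-Organization-SCL: 5
Content-Type: text/plain; charset=utf-8

Review your stub at https://xn--exmple-cua.com/login before Friday.
"""

LEGIT = """\
From: Bob <bob@example.com>
To: alice@example.com
Subject: Lunch
X-MS-Exchange-Organization-SCL: 1
Content-Type: text/plain; charset=utf-8

Menu is at https://example.com/menu
"""

if __name__ == "__main__":
    for name, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, triage(sample, HISTORY))
```

    The punycode check matters because a mail client renders xn--exmple-cua.com as an accented look-alike of example.com while the raw link, which is what a filter sees, stays ASCII; checking the hostname rather than the displayed text catches both spellings. A first-contact sender is not proof of phishing on its own, which is why the signals are counted rather than treated as a verdict.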

  •

    This VPN service used by ransomware gangs was just taken down by police

    An underground virtual private network (VPN) service used by cyber criminals to hide their activities while conducting ransomware attacks, phishing campaigns and other malicious hacking operations has been taken down in a major international law enforcement operation. DoubleVPN offered users the ability to mask their locations and identities, allowing cyber criminals to carry out activities anonymously, according to police.

    Now its servers and web domains have been seized in a coordinated law enforcement takedown led by the Dutch National Police (Politie) and involving agencies including Europol’s European Cybercrime Centre (EC3), Eurojust, the FBI, and the UK National Crime Agency. DoubleVPN was heavily advertised across Russian- and English-speaking dark web cybercrime forums as a means for criminals, including ransomware gangs and phishing operations, to hide their activities, according to Europol. The cheapest VPN connection on offer cost just $25, while more expensive tiers offered what were described as double, triple and even quadruple VPN connections to criminal clients.

    Servers hosting DoubleVPN around the world have been seized and web domains relating to the service have been replaced with a takedown notice, reading: “On 29th of June 2021, law enforcement took down DoubleVPN. Law enforcement gained access to the servers of DoubleVPN and seized personal information, logs and statistics kept by DoubleVPN about all of its customers. Double VPN’s owners failed to provide the services they promised.”

    Dutch public prosecutor Wieteke Koorn said: “This criminal investigation concerns perpetrators who think they can remain anonymous, while facilitating large-scale cybercrime operations.

    “By taking legal action, including the special investigatory power for digital intrusion, we want to make it very clear there cannot be any safe havens for these kinds of criminals. Their criminal acts damage the digitalised society and erode the trust of citizens and companies in digital technologies, therefore their behaviour has to be stopped,” she added.

    The joint operation involved more than 30 coordination meetings and four workshops to prepare for the final stage of the takedown, which was coordinated on the day via a virtual command post set up by Europol. “Law enforcement is most effective when working together and today’s announcement sends a strong message to the criminals using such services: the golden age of criminal VPNs is over. Together with our international partners, we are committed to getting this message across loud and clear,” said Edvardas Šileris, head of Europol’s EC3. Law enforcement agencies from Germany, Canada, Sweden, Italy, Bulgaria and Switzerland also participated in the takedown, which was carried out within the framework of the European Multidisciplinary Platform Against Criminal Threats (EMPACT).

  •

    Singapore startup touts need to mitigate risks, automate cloud security

    Every business, large or small, is a target of cybercriminals and should look at minimising security risks, not simply preventing them. This is essential as more businesses move to the cloud, and organisations in Asia largely still lack urgency in addressing security. Unlike their peers in the US, where enterprises across most sectors consider security part of their business process, Asia-Pacific companies had yet to do so, said Paul Hadjy, CEO and co-founder of Horangi. The Singapore-based security startup’s flagship product, Warden, is cloud security posture management (CSPM) software touted to safeguard against misconfigurations and compliance breaches. Hadjy noted that Asia-Pacific organisations, likely distracted by keeping the business running and by day-to-day management, generally did not regard security as topmost on their agenda, whereas in the US it was commonly discussed at every board meeting and amongst C-level executives.

    This was changing, though, he said, adding that focus on security would intensify as more regulations were introduced around the use of cloud and businesses became concerned about staying in compliance. And they would have reasons to be anxious. By 2023, at least 99% of cloud security failures were projected to be the customer’s fault, according to Gartner. The research firm also predicted that half of enterprises this year would unknowingly and erroneously expose some cloud services or applications to the public internet, including storage, APIs (application programming interfaces), and network segments.

    Hadjy noted that most customers Horangi worked with had no prior cloud security framework in place. “If you’re not using a cloud security platform, you’re going to have issues because you don’t have visibility across the cloud architecture,” he said. “You can use tools to do so manually, but you’ll need to repeatedly follow [the steps] to do so when you use different cloud platforms.” He stressed the need for proper security and processes, such as patch management, to be in place to address any potential misconfigurations.

    He warned that no business today was too small to be a target and all were at risk of cyberattacks. Hackers would also target organisations that did not take security seriously. Technology, too, was no different from any other business, with opportunities for mistakes to be made, he said, especially if there was no automation involved. IT environments could also become challenging to manage over time, with organisations having to run systems and software that were more than a decade old alongside modern applications running on cloud. Hadjy added that the move to remote work further complicated IT infrastructures, as traditional methods of ring-fencing corporate networks were no longer effective with more employees working from home. Noting that no security solution was perfect, he said organisations needed to focus on mitigating risks and on their ability to react quickly to limit the damage should they suffer a security breach.

    Founded in 2016, Horangi last month was added to Amazon Web Services’ (AWS) ISV Accelerate programme, having obtained the cloud vendor’s security competency status. The Singapore startup last year secured $20 million in Series B funding, adding to its $3.1 million Series A haul, and might embark on another fund-raising round this year or next, Hadjy told ZDNet. Horangi’s Warden is pitched as a multi-cloud security platform designed to automatically safeguard against misconfigurations and compliance violations. It identifies “critical cloud resource configurations that may become entry points for attackers”, according to the startup.
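    The exposures Gartner and Hadjy describe (storage, APIs and network segments unintentionally open to the internet) are what a CSPM check catches by evaluating the resource configuration itself rather than probing from outside. The following is an added example and not Horangi Warden’s code: the inventory records and their field names are simplified assumptions loosely modelled on AWS S3 buckets, security groups and API Gateway endpoints, constructed here so the checks run offline.

```python
"""CSPM-style misconfiguration checks (added example, not Horangi Warden's code).

Evaluates a constructed cloud inventory for the exposures named in the article:
public storage, admin/database ports open to the internet, and unauthenticated
public APIs. Record shapes and field names are simplified assumptions loosely
modelled on AWS S3, security groups and API Gateway.
"""
import ipaddress
from collections import namedtuple

Finding = namedtuple("Finding", "resource severity detail")

# Ports whose internet exposure is almost never intentional.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   6379: "redis", 27017: "mongodb"}


def world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0 in any spelling (prefix length zero)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def check_bucket(b: dict) -> list:
    """Public ACL grants or a wildcard-principal policy on a bucket that is not
    covered by a public access block."""
    if b.get("block_public_access"):
        return []  # the block overrides any public grant below
    out = []
    for g in b.get("acl_grants", []):
        if g.get("grantee") in ("AllUsers", "AuthenticatedUsers"):
            out.append(Finding(b["id"], "HIGH", f"ACL grants {g['permission']} to {g['grantee']}"))
    for s in b.get("policy", {}).get("Statement", []):
        wildcard = s.get("Principal") in ("*", {"AWS": "*"})
        if s.get("Effect") == "Allow" and wildcard and not s.get("Condition"):
            out.append(Finding(b["id"], "HIGH", "policy allows Principal * with no Condition"))
    return out


def check_security_group(sg: dict) -> list:
    """Ingress from the whole internet to a sensitive port (port ranges included)."""
    out = []
    for r in sg.get("ingress", []):
        if not world_open(r["cidr"]):
            continue
        hit = [f"{p}/{n}" for p, n in sorted(SENSITIVE_PORTS.items())
               if r["from_port"] <= p <= r["to_port"]]
        if hit:
            out.append(Finding(sg["id"], "CRITICAL", f"{r['cidr']} reaches {', '.join(hit)}"))
    return out


def check_api(api: dict) -> list:
    """Public endpoint with no authorizer configured."""
    if api.get("endpoint_type") == "PUBLIC" and api.get("authorization") == "NONE":
        return [Finding(api["id"], "MEDIUM", "public API endpoint with no authorizer")]
    return []


CHECKS = {"bucket": check_bucket, "security_group": check_security_group, "api": check_api}


def evaluate(inventory: list) -> list:
    """Run every applicable check; unknown resource types are skipped."""
    findings = []
    for res in inventory:
        findings.extend(CHECKS.get(res["type"], lambda _: [])(res))
    return findings


# Constructed inventory (not real resources): two buckets, two security groups, one API.
INVENTORY = [
    {"type": "bucket", "id": "backups-prod", "block_public_access": False,
     "acl_grants": [{"grantee": "AllUsers", "permission": "READ"}],
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject"}]}},
    {"type": "bucket", "id": "logs-prod", "block_public_access": True,
     "acl_grants": [{"grantee": "AllUsers", "permission": "READ"}]},
    {"type": "security_group", "id": "sg-db", "ingress": [
        {"cidr": "0.0.0.0/0", "from_port": 0, "to_port": 65535},
        {"cidr": "10.0.0.0/8", "from_port": 22, "to_port": 22}]},
    {"type": "security_group", "id": "sg-web", "ingress": [
        {"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
    {"type": "api", "id": "orders-api", "endpoint_type": "PUBLIC", "authorization": "NONE"},
]

if __name__ == "__main__":
    for f in evaluate(INVENTORY):
        print(f"{f.severity:8} {f.resource:14} {f.detail}")
```

    Two design points carry over to a real CSPM rule set: the security-group check has to expand port ranges rather than match exact ports, since an all-ports rule is the common way a database ends up reachable, and the bucket check has to model precedence, because an account-level public access block makes an otherwise public ACL harmless while its absence makes the same ACL a finding.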

  •

    JFrog acquires Vdoo to provide security from development to device

    DevOps platform maker JFrog, the first company to develop a binary code management repository for developers, said June 29 that it is acquiring Tel Aviv-based Vdoo in a cash- and stock-based deal valued at about $300 million. Vdoo makes an integrated security platform for connected, IoT, and embedded devices.

    JFrog founder and CEO Shlomi Ben Haim told ZDNet that adding Vdoo’s intellectual property was important to his company’s efforts to develop a next-generation security offering for DevOps users as they respond to a disruption in the market for continuous software delivery. Both companies focus on protecting binary code in enterprise IT systems, a central target for hackers, Ben Haim said.

    Sunnyvale, Calif.-based JFrog is expanding its end-to-end DevOps platform, which it says provides holistic security ranging from the development environment all the way to edge systems, IoT, and other devices. DevOps is a set of practices that combines software development and IT operations, with the purpose of shortening a system’s development life cycle and providing continuous delivery with high software quality. Affiliated with DevOps is a relatively new segment called “liquid software,” which describes the flow of software packages from the moment they are created all the way to deployment. Whereas software companies years ago used to publish one or two updates per year, they now often produce updates and patches whenever they are needed, sometimes multiple times per day. Because of these developments, namely all this new software filling the internet traffic lanes every second, new security processes are required, Ben Haim said.

    Most current DevOps and liquid software solutions lack proper security capabilities that are fully integrated into the software lifecycle, Ben Haim said. These security tools are point products with their own data sets, which creates friction between development and security teams and slows the release of software updates. This problem is especially acute when updates are continuously delivered to the edge or across a large fleet of devices. As a result, many of these security tools are not delivering on the promise of fast, automated, and secure releases, Ben Haim said. “The main motivation behind this is that we want to provide the world with a real DevSecOps solution, all the way from the DevOps pipeline, to the edge, to whatever destination,” Ben Haim said. “What we built during the past four years is technology – and better software security – around focusing on binary. We identify binary as the highest priority.”

    Vdoo’s product security platform automates software security tasks throughout the entire product lifecycle, ensuring that all findings are prioritized, communicated, and mitigated. The company’s security experts and vulnerability researchers will join the JFrog team to develop advanced security solutions for developers and security engineers, CEO and co-founder Nati Davidi told ZDNet. JFrog said it will expand its JFrog Xray vulnerability detection product to include Vdoo’s data and improved scanning across multiple dimensions, including configuration and applicability scanning, by the end of this year. In addition, JFrog expects to fully integrate Vdoo’s technology into its DevOps platform to provide an all-in-one secured platform in 2022, Ben Haim said.

  •

    Google outlines new security practices for Nest devices

    Google is outlining new security standards for its Nest smart home devices and updating its privacy commitments as part of an effort to make its positions on both privacy and security more straightforward for Nest users. 

    Google said its new Nest security practices include adopting standards Google has long held as well as implementing new updates specific to Nest’s connected home devices and services. Specifically, Google will begin certifying Nest devices sold in 2019 or later against independent security standards, including those developed by the Internet of Secure Things Alliance (ioXt). The company will also publish the validation results that explain how its products hold up to those standards, and will assess new products against the standards prior to launch. Meanwhile, Google said Nest will now participate in the Google vulnerability rewards program, which pays outside security researchers for finding vulnerabilities and reporting them to the Nest Security team. Google has also committed to patching critical issues known to Google Nest, promising automatic bug and security fix support for a minimum of five years.

    Nest devices will also be added to the Google device activity page to give users visibility into which devices are connected to their account. It’s worth noting that Nest users have already had access to these security protections, provided they coupled their devices with an active Google account. In terms of privacy, Google said it has updated a section in its privacy commitments to better reflect its focus on openness. Nest product manager Ryan Campbell said in a blog post: “Two years ago Nest shared our commitments to privacy to give you a better understanding of how our products work in your home. Today, we’re publishing new security commitments and putting it all in one place: Nest’s new Safety Center. The Safety Center is meant to give you a clear picture of the work we do each day to build trustworthy products and create a safer and more helpful home. Finally, we want to acknowledge the way this technology is evolving — for example, our recent announcements on Matter and our work on Project Connected Home over IP. That’s why we’ve updated a small section in our privacy commitments to better reflect our focus on openness.”

    Google’s latest security updates to the Nest product family build on earlier changes Google made to bolster the security posture of its products. In February 2020, Google rolled out two-factor authentication (2FA) to Nest devices, and prior to that, reCAPTCHA Enterprise was integrated with Nest accounts to mitigate the risk of credential stuffing attacks.

  •

    Survey finds massive gap in awareness of cyberattacks

    A new survey from cybersecurity company Armis found that awareness of major cybersecurity incidents in the US is lacking. Last month, the company surveyed more than 2,000 professionals, discovering that almost 25% had never heard about the ransomware attack on Colonial Pipeline that caused gas shortages along the East Coast. More than 23% said the attack would not have any long-standing effects on the fuel industry in the US, despite the highly publicized cybersecurity changes oil and gas companies were required to make by the Biden Administration following the attack. Nearly half of respondents had not heard about the malicious takeover of the water treatment plant in Oldsmar, Florida.

    More than half of all respondents said their devices did not pose a cybersecurity risk when it came to personal cybersecurity. Over 70% said they expected to bring their devices from home into the office once COVID-19 restrictions were lifted. Curtis Simpson, CISO at Armis, said the responses showed that organizations have to prioritize cybersecurity on their own because employees have little awareness of the cyber threat landscape. “The attacks on our critical infrastructure are clear evidence of the need for cybersecurity and assurance to all our utility providers and players. Organizations must be able to know what they have, track behavior, identify threats, and immediately take action to protect the safety and security of their operation,” Simpson said.

    “This data shows that there is less consumer attention on these attacks than we might expect, and so that responsibility falls to businesses to shore up their defenses.”

    A bipartisan group of US House of Representatives members introduced the American Cybersecurity Literacy Act last week in an effort to improve the country’s understanding of cybersecurity and kickstart public awareness campaigns. Rep. Adam Kinzinger, one of the leading voices behind the bill, noted on Twitter that a cyberattack occurs every 39 seconds and that cybercrime has increased drastically since the pandemic started. “We must protect ourselves and our interests — and it starts with cyber education. As technological advancements increase and become more complex, it is critical that everyone is aware of the risks posed by cyberattacks and how to mitigate those risks for personal security,” Kinzinger said. “In order to prevent these attacks going forward, we must combine public awareness with targeted cyber education.”

    Rep. Gus Bilirakis, the Congressman for Oldsmar, Florida, added that the bill would help “develop a national education campaign to raise awareness of attacks and the practical steps that can be taken to thwart future bad actors.” “In my district, a hacker was recently able to penetrate a local government’s security measures and temporarily change the chemical settings of the city’s water supply to a potentially dangerous level,” Bilirakis said. “This is a matter of national security, and we must do everything we can to protect all Americans from those who wish to do us harm.”

  •

    IBM Kestrel threat hunting language granted to Open Cybersecurity Alliance

    IBM has contributed the Kestrel threat analysis language to the Open Cybersecurity Alliance (OCA). 

    On Tuesday, the tech giant said that Kestrel helps Security Operations Center (SOC) analysts and other professionals in the industry “streamline threat discovery,” allowing experts to more quickly tackle cyberforensics investigations, breaches, and other incidents. Kestrel made its debut this year at the RSA Conference. The open source language, developed jointly by IBM Research and IBM Security, is based on experiments performed under DARPA’s Transparent Computing initiative. Kestrel is used to compose threat ‘hunt flows’ that combine known patterns, data sources, analytics and detection logic, so that repetitive work can be left to automation while cybersecurity professionals focus on tasks that require human intuition and skill. Proactive threat hunting to protect an organization’s networks normally takes many human hours and considerable skill, and because it requires hypotheses and likely attack sources to be developed alongside detection procedures, the vendor believes that cybersecurity staff often end up “rewriting the same programs following each attack.” This is where Kestrel comes in.

    “Kestrel threat hunting language provides an abstraction for threat hunters to focus on what to hunt instead of how to hunt,” IBM says. “The composable hunting flows enable the reuse of best practices and help reduce the time to create new hunts.”

    The project is open source and has now been accepted by the OCA, whose members include Cybereason, McAfee, IBM Security, and Tenable; the hope is that the language will further the alliance’s promotion of interoperable cybersecurity products. “Instead of dissecting indicators of compromise we will be dissecting playbooks of entire hunt logic and across data sources,” commented Sheldon Shaw, VP of Innovation & Infrastructure at CyberNB. “As adoption of the language continues to roll out, our collective hunt teams will be able to collaborate and approach cyber investigations differently.”

  •

    Ransomware: Paying up won't stop you from getting hit again, says cybersecurity chief

    Ireland’s Health Service Executive (HSE) has been praised for its response after falling victim to a major ransomware attack and for not giving into cyber criminals and paying a ransom. HSE was hit with Conti ransomware in May, significantly impacting frontline health services. The attackers initially demanded a ransom of $20 million in bitcoin for the decryption key to restore the network.

    While the gang eventually handed over a decryption key without receiving a ransom, it still published stolen patient data – a common technique by ransomware attackers, designed to pressure victims into paying. HSE’s decision not to pay the ransom has been praised by the head of the UK’s National Cyber Security Centre (NCSC), Lindy Cameron, especially as the attack had “crossed a line” by disrupting hospital appointments and health services across Ireland. “I would like to praise the Irish response not to pay the ransom. Cyber criminals are out to make money – the more times a method is successful, the more times it will be used,” she said in a speech to the Institute of International and European Affairs (IIEA), an Irish think tank. The HSE ransomware attack happened around the same time as two other high-profile incidents – the Colonial Pipeline ransomware attack and the JBS ransomware attack. Unlike HSE, both of those organisations paid cyber criminals millions of dollars in bitcoin in exchange for the decryption key.

    Colonial and JBS are far from alone in paying ransoms. But many in law enforcement argue that paying the ransom perpetuates the problem, and provides gangs with resources to launch even more ambitious attacks against other targets. There’s also no certainty that paying the ransom will even solve the problem, because it involves trusting that criminals will hold up their end of the bargain – they could easily just take the money and run, or return with an additional ransomware attack. “Payment of ransoms is no guarantee that you will get your data back – and certainly no guarantee you won’t be attacked again – in fact, advertising a willingness to pay makes someone a more interesting prospect,” said Cameron.

    “So it’s important that we do all we can to ensure this is not a criminal model that yields returns. The government’s strong action of refusing to pay will likely deter ransomware operators from further attacks on health sector organisations – in Ireland or elsewhere,” she added.

    Despite receiving the decryption key, restoring the network has been a long and arduous process for HSE, and disruption to health services across Ireland is expected for months to come. The NCSC has been helping Ireland’s defence forces in the aftermath of the incident, using experience from the WannaCry ransomware attack, which disrupted NHS networks across England. “As you would expect from a close partner, we did all we could to support our partners in Ireland when the HSE attack took place. This included sharing as much relevant information as we could – both from a cybercrime and a law enforcement perspective,” said Cameron. “The global nature of the cyber threat means that our international partnerships are critical to countering and deterring malicious cyber actors who want to cause harm to the UK,” she added.
