More stories

  • Tulsa warns residents that police citations and reports leaked to Dark Web after Conti ransomware attack

    The City of Tulsa has notified residents that some of their personal information may be on the dark web thanks to a ransomware attack last month by prolific cybercriminal group Conti. In a statement posted to the city’s website this week, the city said more than 18,000 city files — mostly police citations and internal department files — were shared on the dark web. Names, dates of birth, addresses and license numbers are on all police citations. 


    “No other files are known to have been shared as of today, but out of an abundance of caution, anyone who has filed a police report, received a police citation, made a payment with the City, or interacted with the City in any way where PII was shared, whether online, in-person or on paper, prior to May 2021, is being asked to take monitoring precautions,” the city said in a statement to its 500,000 residents.

    Tulsa’s Incident Response Team is working with federal law enforcement on the breach but is still struggling to restore services and resources that were heavily damaged by the attack. The ransomware attack brought down the city’s public-facing systems, internal communications and network access functions. The city admitted that it prioritized restoring systems over everything else. The city notified residents that on May 6, multiple servers “were actively communicating with a known threat site and a ransomware attack was initiated on several City systems.”

    Tulsa Mayor G.T. Bynum said the city would refuse to pay a ransom and instead shut down all of the city’s systems. The city’s online bill payment systems were shut down along with utility billing and any services through email. All of the websites for the Tulsa City Council, Tulsa Police, the Tulsa 311 and the City of Tulsa were shut down as part of the effort to contain the attack. Tulsa was forced to resort to phone services as a way to make up for the lack of online services. Residents were told to prepare for weeks, if not months, of city websites being down.

    Tulsa suggested concerned residents visit the Oklahoma Department of Consumer Credit website. They also said residents need to monitor all financial accounts and credit reports, change passwords to personal accounts and contact credit or debit card companies about fraudulent charges.

    Cybersecurity experts said the leakage of police citations and reports could provide any malicious actor with enough information to do serious damage. Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said that while the reports did not contain social security numbers, there was still enough information that could be leveraged to create incredibly powerful social engineering lures to fool victims into sending money. “The disclosure of police records can be used to construct convincing stories to trick unsuspecting victims or their families into paying fake fees or fines by claiming to be lawyers or court representatives,” Clements said. “Even normally scam savvy people may be fooled if a fraudster has enough detailed information.”

    Conti has made a name for itself after attacking hundreds of healthcare institutions, most notably bringing down significant parts of Ireland’s healthcare system earlier this year. The FBI said last month that Conti has also gone after first responder networks, law enforcement agencies, emergency medical services, 911 dispatch centers, and multiple municipalities within the last year. “These healthcare and first responder networks are among the more than 400 organizations worldwide victimized by Conti, over 290 of which are located in the US,” the FBI said.

    Erich Kron, security awareness advocate at KnowBe4, said Conti has repeatedly shown “a blatant disregard for the authority of law enforcement as they continue their attacks on these vital services.” “Even after the shutdown of the Darkside gang, the arrests in the takedown of the Clop group, and even in light of the Ziggy ransomware gang providing all of their encryption keys for victims due to the fear of law enforcement actions, Conti continues their attacks without skipping a beat,” Kron said. “Because Conti’s typical attacks begin with email phishing or stolen Remote Desktop Protocol credentials, organizations looking to defend themselves against the threat should concentrate on these attack vectors.” He added that organizations need to review the security related to any RDP instances they have deployed, paying special attention to securing against brute force attacks, spotting unusual login times or attempts from unusual locations and ensuring that unusual behavior through these portals is quickly reported to security.

  • Google warns: Watch out, this security update could break links to your Drive files

    Google has issued an alert for Workspace admins that an upcoming update to improve the security of sharing links from Google Drive will actually break links to some files. This could create headaches for Google Workspace business users who need to access files from Drive. The update involves updating Drive file links and may lead to “some new file access requests”, according to Google.    

    That in turn could lead to problems for Workspace admins who might see a rush on support calls over broken links. Google notes that the security update is being applied to some files in Google Drive to make sharing links more secure. “The update will add a resource key to sharing links. Once the update has been applied to a file, users who haven’t viewed the file before will have to use a URL containing the resource key to gain access, and those who have viewed the file before or have direct access will not need the resource key to access the file,” Google explains. This is the first phase of a staged rollout of resource keys that may break links to Drive files. By the sounds of Google’s description, things could get messy for Drive files, especially in larger organizations with lots of users and files.

    Google’s support page on the issue explains that admins can choose how to apply the update up to July 23. During this phase, once the resource key security update is applied, end users are notified of impacted files. Admins can change the selection after July 23, but users won’t be notified of the changes. In phase 2, between July 26 and August 25, Drive notifies impacted users of the update and any affected items that they own or manage. Admins can also let users decide to remove the update from specific items. “Unless the admin chooses to opt their organization out of the security update, end users who own or manage impacted files will receive an email notification starting July 26, 2021 with their impacted files,” Google notes. “End users will have until September 13 to determine how the update is applied to their files, if permitted by their admin.”

    Google has also released information for developers, since the change may affect various projects that depend on Drive files. It says that end users who own or manage impacted files will receive an email notification from July 26, 2021 that will flag their affected files. Assuming an admin has permitted it, users might have the option to remove the security update from their impacted files.

    Google also flagged an upcoming issue with unlisted videos that were uploaded before January 1, 2017. From July 23, unlisted videos uploaded before that date will move to Private as part of a security update. Private is one of three visibility settings on YouTube, along with Public and Unlisted. “In 2017, we rolled out a security update to the system that generates new Unlisted video links. This update included security enhancements that make the links for your Unlisted videos even harder for someone to discover if you haven’t shared the link with them. We’re now making changes to older Unlisted videos that were uploaded before this update took place,” Google explains. YouTube users can opt out of this change by following the instructions on Google’s support page.

  • Microsoft's security tool can now spot rogue devices on your network

    Microsoft Defender for Endpoint’s new ability to monitor and protect unmanaged devices has now reached general availability. 


    Microsoft Defender for Endpoint (formerly Defender ATP) gives security teams visibility over unmanaged devices running on their networks. It’s a cloud-based security service that gives security teams incident response and investigation tools and lives as an instance in Azure. It’s distinct from the Microsoft Defender antivirus that ships with Windows 10. Microsoft released this unmanaged device capability to public preview in April, as ZDNet reported at the time.

    The feature aims to alleviate post-pandemic hybrid work security risks, where people may be using their own computers and devices from home, then bring them to work and connect to the corporate network. It’s meant to tackle the unknown threats that may arise from devices that have been compromised at home and then brought into work. The new capabilities should make it easier to discover and secure unmanaged PCs, mobile devices, servers, and network devices on a business network.

    The GA release allows security teams to discover devices connected to a corporate network, onboard devices once they’ve been discovered, and then review assessments and address threats and vulnerabilities on newly discovered devices. Defender for Endpoint will let teams discover unmanaged workstations, servers, and mobile endpoints across Windows, Linux, macOS, iOS, and Android platforms that haven’t been onboarded and secured.

    It also covers network devices, such as switches, routers, firewalls, WLAN controllers and VPN gateways. These can also be discovered and added to the device inventory using periodic authenticated scans of preconfigured network devices. Security teams will be able to see the new features for unmanaged devices within the Microsoft 365 Defender user interface in “Device inventory”.

    “Now that these features have reached general availability, you will notice that endpoint discovery is already enabled on your tenant. This is indicated by a banner that appears in the Endpoints > Device inventory section of the Microsoft 365 Defender console,” notes Microsoft’s Chris Hallum. The banner will vanish on July 19, 2021 and the default behavior for discovery will be switched from Basic to Standard. Standard discovery is an active discovery method that relies on already-managed devices to probe the network for unmanaged devices. “At this time, Standard discovery will enable the collection of a broader range of device related properties and it will also perform improved device classification. The switch to Standard mode was verified as having negligible network implications during the public preview,” notes Hallum.

  • The human cost of ransomware: Disruption to Irish health service will continue for months

    Ireland’s health service faces months of disruption as it continues to recover from a ransomware attack, the head of the Health Service Executive (HSE) has warned. HSE, which is responsible for healthcare and social services across Ireland, fell victim to what was described as a “significant” ransomware attack on 14 May. The attack has been attributed to the Conti ransomware gang. The cyber criminals provided HSE with a decryption tool for free but have threatened to publish information stolen in the attack – potentially a violation of patient privacy – if they don’t receive a ransom of a reported $20 million in bitcoin, something that HSE vowed not to pay.

    But even with the correct decryption key, restoring the network has been a slow and arduous task for HSE. Health services across Ireland remain disrupted as hospitals attempt to treat patients, despite limited IT services and no internet access – meaning appointments are still being delayed or cancelled.

    “The restoration process, and the accompanying due diligence exercise, is necessarily taking some time. Although we can effectively decrypt data, that is only one element. The malware must also be eradicated,” HSE CEO Paul Reid told the National Parliament (Oireachtas) Joint Committee on Health. “Decryption takes much longer than the original encryption, and eradication involves additional tasks to ensure that the perpetrators have no access route back into our systems,” he added.

    Reid described how HSE has decrypted 75% of its servers, and 70% of end-user devices are now available to staff. However, disruptions to patient services are expected to continue for some time – despite IT staff, cybersecurity experts and Ireland’s defence forces working seven days a week to restore the network to fully operational status. “There is no underestimating the damage this cyberattack has caused. There are financial costs certainly, but there will unfortunately be human costs as well,” said Reid. “I assure members, and the public, that we are doing everything possible to restore the systems. I must also caution that it will likely take months before systems are fully restored.”

    Due to the ongoing disruptions, HSE warns that emergency departments are very busy due to IT outages and significant delays are to be expected, while many X-ray appointments are being cancelled. Essential and urgent services, including COVID-19 vaccinations, are operating, but patients are warned they could face delays because “systems are not functioning as usual” due to “critical IT systems” still being out of action in the aftermath of the ransomware attack.

    Reid told the Committee that, following the ransomware, “significant learnings about further protections that can be put in place” will be made, and that the fact the ransomware attack happened meant there were “obvious vulnerabilities” in the network. He also warned that ransomware and the “highly skilled criminal organisations” behind ransomware attacks represent a significant risk to organisations across the globe. “The whole world needs to raise its game,” said Reid.

  • BIOSConnect code execution bugs impact millions of Dell devices

    Researchers have discovered a set of vulnerabilities that can be chained together to perform code execution attacks on Dell machines. 

    On Thursday, Eclypsium said the vulnerabilities, which together equate to a critical chain with a cumulative CVSS score of 8.3, were discovered in the BIOSConnect feature within Dell SupportAssist.  Altogether, the security flaws could be exploited to impersonate Dell.com and attack the BIOS/UEFI level in a total of 128 Dell laptops, tablets, and desktop models, including those with Secure Boot enabled and Secured-core PCs, owned by millions of consumers and business users.  According to Eclypsium, “such an attack would enable adversaries to control the device’s boot process and subvert the operating system and higher-layer security controls.”  Dell SupportAssist, often pre-installed on Windows-based Dell machines, is used to manage support functions including troubleshooting and recovery. The BIOSConnect facility can be used to recover an OS in cases of corruption as well as to update firmware.  In order to do so, the feature connects to Dell’s cloud infrastructure to pull requested code to a user’s device.  The researchers discovered four vulnerabilities in this process that would allow “a privileged network attacker to gain arbitrary code execution within the BIOS of vulnerable machines.”

    The first issue is that when BIOSConnect attempts to connect to Dell’s backend HTTP server, any valid wildcard certificate is accepted, “allow[ing] an attacker to impersonate Dell and deliver attacker-controlled content back to the victim device.” Additionally, the team found some HTTPS Boot configurations which use the same underlying verification code, potentially rendering them exploitable. Three independent vulnerabilities, described as overflow bugs, were also uncovered by the researchers. Two impacted the OS recovery process, whereas the other was present in the firmware update mechanism. In each case, an attacker could perform arbitrary code execution in BIOS. However, the technical details of these vulnerabilities will not be disclosed until an upcoming DEFCON presentation in August.

    “An attack scenario would require an attacker to be able to redirect the victim’s traffic, such as via a Machine-in-the-Middle (MITM) attack,” the researchers say. “Successfully compromising the BIOS of a device would give an attacker a high degree of control over a device. The attacker could control the process of loading the host operating system and disable protections in order to remain undetected.”

    Eclypsium completed its investigation into Dell’s software on March 2 and notified Dell PSIRT a day later, which acknowledged the report. The vendor has since issued a security advisory and has scheduled BIOS/UEFI updates for impacted systems. Dell device owners should accept BIOS/UEFI updates as soon as they are available — and patches are due to be released today. The vendor has also provided mitigation options, as detailed in the firm’s advisory. “Dell remediated multiple vulnerabilities for Dell BIOSConnect and HTTPS Boot features available with some Dell Client platforms,” Dell told ZDNet. “The features will be automatically updated if customers have Dell auto-updates turned on. We encourage customers to review the Dell Security Advisory (DSA-2021-106) for more information, and if auto-updates are not enabled, follow the remediation steps at their earliest convenience. Thanks to Eclypsium researchers for working directly with us to resolve the issue.”
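    The certificate defect above is that the client checked only whether the presented certificate was valid, not whether it was issued for the host it meant to reach. The following Python is an added illustration, not Eclypsium's or Dell's code: it contrasts that weak check with hostname matching over the certificate's subjectAltName entries, including the wildcard rules a correct client applies. Host and certificate names are constructed placeholders.

```python
"""Hostname verification for a firmware-update TLS client (illustrative).

A check that stops at "chains to a trusted CA" accepts any CA-signed
certificate, including a wildcard an attacker obtained for a domain they
own, so an attacker who can redirect traffic can impersonate the backend.
The fix is to additionally require that a subjectAltName dNSName matches
the intended host.  All names below are constructed for the example.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class PeerCertificate:
    """Minimal stand-in for a parsed X.509 leaf certificate."""
    san_dns_names: List[str]
    chains_to_trusted_ca: bool = True


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style comparison of one SAN dNSName against a hostname."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Exactly one wildcard, and only as the entire leftmost label
    # (partial forms such as "b*" or "*oo" are refused).
    if pattern.count("*") != 1 or p_labels[0] != "*":
        return False
    # Refuse wildcards that would cover a whole TLD or public suffix
    # such as "*.example": require at least two literal labels after it.
    if len(p_labels) < 3:
        return False
    # "*" matches exactly one label, so label counts must be equal.
    if len(p_labels) != len(h_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def verify_peer(cert: PeerCertificate, expected_host: str) -> Tuple[bool, str]:
    """Correct check: chain validity AND a name match are both required."""
    if not cert.chains_to_trusted_ca:
        return False, "certificate does not chain to a trusted CA"
    if not any(dns_name_matches(n, expected_host) for n in cert.san_dns_names):
        return False, f"no subjectAltName matches {expected_host!r}"
    return True, "ok"


def vulnerable_verify_peer(cert: PeerCertificate) -> bool:
    """The weak check: any CA-signed certificate is accepted, name ignored."""
    return cert.chains_to_trusted_ca
```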


  • One-click account takeover vulnerabilities in Atlassian domains patched

    Vulnerabilities that could allow XSS, CSRF, and one-click account takeovers in Atlassian subdomains have been patched. 

    On Thursday, Check Point Research (CPR) said that the bugs were found in the software solutions provider’s online domains, used by thousands of enterprise clients worldwide. The Australian vendor is the provider of tools including Jira, a project management system, and Confluence, a document collaboration platform for remote teams.  The vulnerabilities in question were found in a number of Atlassian-maintained websites, rather than on-prem or cloud-based Atlassian products.  Subdomains under atlassian.com, including partners, developer, support, Jira, Confluence, and training.atlassian.com were vulnerable to account takeover.  CPR explained that exploit code utilizing the vulnerabilities in the subdomains could be deployed through a victim clicking on a malicious link. A payload would then be sent on behalf of the victim and a user session would be stolen.  The vulnerable domain issues included a poorly-configured Content Security Policy (CSP), parameters vulnerable to XSS, SameSite and HTTPOnly mechanism bypass, and a weak spot that allowed cookie fixation — the option for attackers to force users to use session cookies known to them for authentication purposes. 

    The researchers say that it was possible to take over accounts accessible by these subdomains through cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. In addition, the vulnerable domains also allowed threat actors to compromise sessions between the client and web server once a user logged into their account. “With just one click, an attacker could have used the flaws to take over accounts and control some of Atlassian’s applications, including Jira and Confluence,” the researchers said. The ramifications of these attacks included account hijacking, data theft, actions being performed on behalf of a user, and obtaining access to Jira tickets.

    Atlassian was informed of the team’s findings on January 8, prior to public disclosure. A fix for the impacted domains was deployed on May 18. Atlassian told ZDNet: “Based on our investigation, the vulnerabilities outlined impact a limited set of Atlassian-owned web applications as well as a third-party training platform. Atlassian has shipped patches to address these issues and none of these vulnerabilities affected Atlassian Cloud (like Jira or Confluence Cloud) or on-premise products (like Jira Server or Confluence Server).”

    The research into Atlassian was performed by CPR due to the ongoing issues surrounding supply chain attacks, in which threat actors will target a centralized resource used by other companies. If this element can be compromised — such as by tampering with update code due to be pushed out to clients in the case of Codecov — then a wider pool of potential victims can be reached with little effort. SolarWinds, too, is a prime example of how devastating a supply chain attack can be. Approximately 18,000 SolarWinds clients received a malicious SolarWinds Orion software update that planted a backdoor into their systems; however, the attackers cherry-picked a handful of victims for further compromise, including Microsoft, FireEye, and a number of federal agencies.
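    Cookie fixation, listed among the weaknesses above, works only when a site will honour a session identifier the attacker already knows. The following Python is an added example, not Atlassian's or Check Point's code: a small session store that accepts only identifiers it minted itself (an HMAC tag makes attacker-chosen values unverifiable), rotates the identifier on login so a pre-login cookie cannot be ridden into an authenticated session, and emits the Secure, HttpOnly and SameSite attributes. The cookie name and key are constructed for the example.

```python
"""Session issuance that resists cookie fixation (illustrative).

Two properties close the fixation hole: the server honours only session
ids it minted (verified by an HMAC tag over a random id), and every
successful login discards the pre-login id and issues a fresh one.  The
Set-Cookie attributes keep the cookie out of script reach and off
cross-site requests.  Names and the key are constructed for the example.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


class SessionStore:
    COOKIE_NAME = "session"   # constructed name

    def __init__(self, secret_key: bytes) -> None:
        self._key = secret_key
        self._sessions: Dict[str, dict] = {}   # sid -> session data

    def _tag(self, sid: str) -> str:
        return hmac.new(self._key, sid.encode(), hashlib.sha256).hexdigest()

    def issue(self) -> str:
        """Mint a new anonymous session; returns the cookie value 'sid.tag'."""
        sid = secrets.token_urlsafe(32)   # URL-safe alphabet, never contains '.'
        self._sessions[sid] = {"user": None}
        return f"{sid}.{self._tag(sid)}"

    def lookup(self, cookie_value: Optional[str]) -> Optional[dict]:
        """Resolve a cookie value; None for missing, forged or unknown ids."""
        if not cookie_value or "." not in cookie_value:
            return None
        sid, tag = cookie_value.rsplit(".", 1)
        if not hmac.compare_digest(tag, self._tag(sid)):
            return None   # attacker-chosen value: tag cannot verify
        return self._sessions.get(sid)

    def login(self, presented_cookie: Optional[str], username: str) -> str:
        """Authenticate the user and rotate: the presented id is never upgraded."""
        if self.lookup(presented_cookie) is not None:
            self._sessions.pop(presented_cookie.rsplit(".", 1)[0], None)
        new_cookie = self.issue()
        self._sessions[new_cookie.rsplit(".", 1)[0]]["user"] = username
        return new_cookie

    @classmethod
    def set_cookie_header(cls, value: str) -> str:
        """Set-Cookie line carrying the attributes the flaws above bypassed or lacked."""
        return (f"Set-Cookie: {cls.COOKIE_NAME}={value}; Path=/; Secure; "
                f"HttpOnly; SameSite=Lax")
```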

  • Ransomware: Now gangs are using virtual machines to disguise their attacks

    Cyber criminals are increasingly using virtual machines to compromise networks with ransomware. By using virtual machines as part of the process, ransomware attackers are able to conduct their activity with additional subtlety, because running the payload within a virtual environment reduces the chances of the activity being discovered – until it’s too late and the ransomware has encrypted files on the host machine. During a recent investigation into an attempted ransomware attack, cybersecurity researchers at Symantec found the ransomware operations had been using VirtualBox – a legitimate form of open-source virtual machine software – to run instances of Windows 7 to aid the installation of ransomware.

    “The motivation behind the tactic is stealth. In order to avoid raising suspicions or triggering antivirus software, the ransomware payload will ‘hide’ within a VM while encrypting files on the host computer,” Symantec said.

    While a virtual machine is run separately to the machine it’s hosted on, it can have access to the host machine’s files and directories via shared folders, which cyber criminals can exploit to allow the payload hosted in the virtual machine to encrypt files on the computer itself. While researchers haven’t been able to fully identify the ransomware discovered running in a virtual machine, clues as to how the malware operated provided strong indications that it was Conti – a notorious form of ransomware used by cyber criminals in a number of high profile campaigns, including the ransomware attack against Ireland’s HSE health service.

    However, this wasn’t the only activity that was detected – researchers found evidence that an attacker had attempted to run Mount Locker ransomware on the host computer. Researchers suggest that the attacker attempted to run Conti via the virtual machine but, when that didn’t work, they switched to using Mount Locker instead. This isn’t the first time ransomware gangs have been spotted using virtual machines to deploy ransomware, but researchers warn that this could make attacks much more difficult to detect. “Groups will often mimic others’ tactics if they think they’ve been successful. There may be a belief that some security solutions cannot reliably and consistently detect the ransomware sample executing from inside a virtual machine (VM),” said Dick O’Brien, principal in the Symantec Threat Hunter Team.

    While cyber criminals could target devices that already have virtual machine environments, in this case it appears as if they actively downloaded the tools that enable them to run. One way of countering this is to monitor and control what software is installed on machines, so potentially malicious, yet legitimate, tools can’t be downloaded without approval. “Use software inventory and restriction tools that enable them to control what licensed software may be installed. In addition, organizations already using VM software can use enterprise versions of the software that restrict creation of new unauthorized VMs,” said O’Brien.
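    The two signals the article points at, a hypervisor that the attacker brought onto the machine and a shared folder that exposes the host's files to the guest, can be turned into inventory-driven detection logic. The Python below is an added example, not Symantec's tooling: it scans constructed process-creation events (Sysmon-style fields reduced to host, user, image and command line) for VirtualBox binaries on hosts not approved to run a hypervisor, for hypervisor binaries launched from user-writable paths, and for a `VBoxManage sharedfolder add` that maps a whole host drive into the guest. Host names, users and paths are invented.

```python
"""Detection logic for the VM-hosted ransomware pattern described above.

Constructed process-creation events are scanned for three signals:
  1. VirtualBox binaries on hosts not approved to run a hypervisor
     (software inventory control, as the article recommends),
  2. hypervisor binaries running from a user-writable path, consistent
     with tooling the attacker downloaded rather than an IT install, and
  3. a shared folder mapping a whole host drive into a guest, the path a
     guest-side payload needs to reach the host's files.
Host names, users, paths and the approved-host list are constructed.
"""
import re
import shlex
from typing import Dict, List, Optional, Tuple

APPROVED_VM_HOSTS = {"DEV-WS-07"}   # assumption: developer workstation allowed VirtualBox

VBOX_BINARIES = {"virtualbox.exe", "vboxmanage.exe", "vboxheadless.exe",
                 "vboxsvc.exe", "vboxsdl.exe"}

DRIVE_ROOT = re.compile(r"^[a-z]:\\?$", re.IGNORECASE)        # C:\ or C:
USER_WRITABLE = re.compile(r"\\(AppData|Temp)\\", re.IGNORECASE)

EVENTS: List[Dict[str, str]] = [   # constructed sample telemetry
    {"host": "DEV-WS-07", "user": "alice",
     "image": r"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe",
     "cmdline": r'"C:\Program Files\Oracle\VirtualBox\VirtualBox.exe"'},
    {"host": "FIN-WS-22", "user": "bob",
     "image": r"C:\Users\bob\AppData\Local\Temp\vbox\VBoxManage.exe",
     "cmdline": r'VBoxManage.exe createvm --name "Win7" --register'},
    {"host": "FIN-WS-22", "user": "bob",
     "image": r"C:\Users\bob\AppData\Local\Temp\vbox\VBoxManage.exe",
     "cmdline": r"VBoxManage.exe sharedfolder add Win7 --name hostc --hostpath C:\ --automount"},
    {"host": "FIN-WS-22", "user": "bob",
     "image": r"C:\Users\bob\AppData\Local\Temp\vbox\VBoxHeadless.exe",
     "cmdline": r"VBoxHeadless.exe --startvm Win7"},
    {"host": "HR-WS-03", "user": "carol",
     "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe notes.txt"},
]

Finding = Tuple[str, str, str]   # (host, rule, detail)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def shared_folder_hostpath(cmdline: str) -> Optional[str]:
    """Return the --hostpath of a 'VBoxManage sharedfolder add' command, else None."""
    try:
        # posix=False keeps Windows backslashes literal instead of treating them as escapes
        tokens = shlex.split(cmdline, posix=False)
    except ValueError:
        return None
    lowered = [t.lower() for t in tokens]
    if "sharedfolder" not in lowered or "add" not in lowered:
        return None
    for i, tok in enumerate(lowered):
        if tok == "--hostpath" and i + 1 < len(tokens):
            return tokens[i + 1].strip('"')
    return None


def analyse(events: List[Dict[str, str]]) -> List[Finding]:
    """Apply the three rules to each event; non-VirtualBox processes are ignored."""
    findings: List[Finding] = []
    for ev in events:
        image = basename(ev["image"])
        if image not in VBOX_BINARIES:
            continue
        if ev["host"] not in APPROVED_VM_HOSTS:
            findings.append((ev["host"], "unapproved-hypervisor", image))
        if USER_WRITABLE.search(ev["image"]):
            findings.append((ev["host"], "hypervisor-from-user-writable-path", ev["image"]))
        hostpath = shared_folder_hostpath(ev["cmdline"])
        if hostpath and DRIVE_ROOT.match(hostpath):
            findings.append((ev["host"], "vm-shared-drive-root", hostpath))
    return findings
```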

  • Australian law enforcement found to have issues with data destruction

    The Commonwealth Ombudsman’s Report to the Minister for Home Affairs on agencies’ compliance with the Surveillance Devices Act 2004, for the period 1 July to 31 December 2020 appeared this week, with three of the four law enforcement agencies inspected having issues with destroying data.

    The report [PDF] looked at the Australian Federal Police (AFP), the South Australian Police, the Australian Criminal Intelligence Commission (ACIC), and the Australian Commission for Law Enforcement Integrity (ACLEI). Only the ACLEI law enforcement watchdog passed with flying colours.

    For ACIC, the Ombudsman found three instances where protected information was not destroyed as soon as practicable. It added for each time this occurred, there was a “significant delay” between the authorisation and destruction of data.

    “We identified one instance where protected information was not destroyed within five years,” the report said.

    “The ACIC disclosed seven additional instances it did not destroy protected information within five years.”

    The report also found issues with records kept to detail actions taken under warrant or tracking device authorisations to show agencies are acting lawfully.

    “The computer access warrant action sheets we inspected did not provide sufficient information for us to understand what actions were taken under the warrant, or to confirm that the correct devices were accessed,” the report said.

    “As a result, we could not verify that the computers the ACIC targeted were those it was authorised to access under the warrant.”


    For the AFP, the Ombudsman found four instances where it did not destroy information after authorisation for more than a month, and one instance where it took over five months.

    “Further, the AFP did not destroy protected information or certify it for retention within five years,” the report states.

    “In three instances the AFP did not destroy the records until more than five years after the warrant was issued and could not provide files to demonstrate the protected information was certified for retention within five years.

    “In the remaining instance, the AFP certified the protected information for destruction within five years but did not complete the destruction until after the five year period.”

    The inspection found instances where AFP reported destroying data, but the Ombudsman found the warrant was not executed, or information was not gained from it. The AFP also had issues with its action sheets.

    The report found the AFP was still conducting surveillance in foreign jurisdictions without lawful approval.

    “While the AFP disclosed this instance of non-compliance, it did not quarantine the associated data until prompted to do so during our inspection,” the report said.

    “We suggested the AFP quarantine any unlawfully obtained data as soon as it identifies it.”

    “We identified that, while the surveillance device was first used extraterritorially on 17 December 2019, the AFP did not send written correspondence to the Attorney-General until 19 May 2020.”

    The report said only after the Ombudsman inspection, did it quarantine the data it retrieved.

    The AFP also disclosed two instances where data was collected outside of a warrant. It also disclosed two instances where it failed to inform its overseeing minister of a warrant or authorisation ceasing, with the Ombudsman later finding another two instances.

    With the South Australian Police, the Ombudsman found there was no process to destroy records.

    “SA Police informed us it does not have staff delegated to perform the functions of the chief officer under s 46(1)(b) of the Act,” the report said.

    “SA Police advised it requested internal legal advice about its delegations more than 12 months prior to our inspection and had been told not to proceed with any destructions until that advice was given.”

    The SA force said it was gaining the relevant delegation and would start destruction as soon as the instrument was ratified.
