More stories

  • EU and US confirm new transatlantic data flow agreement on the way

    The European Commission and the United States announced a new Trans-Atlantic Data Privacy Framework over the weekend, signalling clarification may be on the way regarding what data flows are allowed after a European court struck down the EU-US Privacy Shield one and a half years ago. The Privacy Shield agreement had set the terms for transatlantic transfers of personal data. The agreement was struck down, however, after the European Court of Justice found US laws did not offer enough data protection safeguards to meet European standards, leading to legal uncertainty regarding what data flows are allowed.

    The legal uncertainty led to European regulators, in recent months, issuing orders against flows of personal data that passed through products such as Google Analytics. Meta, meanwhile, “threatened” to pull its services out of Europe if governments could not come to an agreement on a new EU-US transatlantic data transfer framework. The company eventually backpedalled from its comments, but it remained staunch in calling for a new framework to be established.

    According to a White House fact sheet, the new Trans-Atlantic Data Privacy Framework will see the US government implement reforms to better protect the personal data of EU citizens, such as allowing these citizens to seek redress at a newly-created, independent Data Protection Review Court that will have “full authority” to adjudicate claims and direct remedial measures as needed. The US government will also ensure signals intelligence collection may only be undertaken where necessary to advance legitimate national security objectives, and must not disproportionately impact the protection of individual privacy and civil liberties under the framework.

    “The new framework marks an unprecedented commitment on the US side to implement reforms that will strengthen the privacy and civil liberties protections applicable to US signals intelligence activities,” the European Commission and US government said in a joint statement. With the US committing to these reforms, among others that have yet to be publicly detailed, citizens and companies on both sides of the Atlantic will be able to continue their existing data flows between the EU and US, which companies like Google have already lauded.

    “We look forward to certifying our processes under the Trans-Atlantic Data Privacy Framework at the first opportunity. For Google, these (and similar) standards serve as a floor, not a ceiling, for the protections we offer our users and customers,” Google VP of public policy Karan Bhatia said.

    Max Schrems, the privacy lawyer who raised the lawsuit that culminated in the Privacy Shield agreement being canned, was sceptical of the new framework, with its details yet to be released. “Seems we do another Privacy Shield especially in one respect: Politics over law and fundamental rights,” Schrems said. “This failed twice before. What we heard is another ‘patchwork’ approach but no substantial reform on the US side. Let’s wait for a text but my [first] bet is it will fail again.”

  • Microsoft is adding a new driver-blocklist feature to Windows Defender on Windows 10 and 11

    Microsoft is adding a new Vulnerable Driver Blocklist feature to Windows Defender on Windows 10, Windows 11, and Windows Server 2016 or newer releases. This feature is aimed at helping IT Pros to protect users against malicious and exploitable drivers.

    Microsoft Vice President of OS Security and Enterprise David Weston tweeted about the new Windows security option on March 27. The feature will be enabled by default on Windows 10 in S Mode, as well as on devices that have the Memory Integrity Core Isolation feature, which relies on virtualization-based security. (This Core Isolation Memory Integrity feature also is known as Hypervisor-protected Code Integrity or HVCI). More details are available in this Microsoft article about recommended driver block rules.

    This blocking feature will rely on a list of blocked drivers maintained by Microsoft in conjunction with OEM partners. As explained on ghacks.net, the reason these drivers may be marked as blocked is they are known security vulnerabilities that can be exploited to elevate Windows kernel privileges; they act as malware or certificates used to sign malware, or they exhibit behaviors that circumvent the Windows Security Model and can be used to elevate Windows kernel privileges.

    I’ve asked Microsoft whether this new driver-blocking feature will be available on all versions of Windows 10 and 11 and when it will be fully deployed. No word back so far.

    In other security-related news, Microsoft announced plans for a new U.S. Government cloud environment — Office 365 Government Secret — on March 28. Currently in government review, this new Secret cloud is designed for the U.S. Federal Civilian, Department of Defense (DoD), Intelligence Community (IC), and U.S. Government partners working within Secret environments with Microsoft’s Software as a Service (SaaS) capabilities for all data classifications. The Office 365 Government Secret cloud environment is built on Microsoft’s Azure Government classified environments.

  • Okta: We made a mistake over Lapsus$ breach notification

    Okta has admitted it “made a mistake” by not telling customers sooner about a security breach in January, in which hackers were able to access the laptop of a third-party customer support engineer.

    The Lapsus$ hacking group published screenshots of Okta’s systems on March 22, taken from the laptop of a Sitel customer support engineer which the hackers had remote access to on January 20.

    “We want to acknowledge that we made a mistake. Sitel is our service provider for which we are ultimately responsible. In January, we did not know the extent of the Sitel issue – only that we detected and prevented an account takeover attempt and that Sitel had retained a third party forensic firm to investigate. At that time, we didn’t recognize that there was a risk to Okta and our customers. We should have more actively and forcefully compelled information from Sitel,” Okta said in an FAQ it published on Friday, under the heading ‘Why didn’t Okta notify customers in January?’.

    On January 20, Okta said, it saw an attempt to directly access the Okta network using a Sitel employee’s Okta account, which was detected and blocked by Okta, which then notified Sitel. Outside of that attempted access, there was no other evidence of suspicious activity in Okta systems, it said.

    Okta is an important enterprise access management software vendor. It said that only 366 customers, about 2.5% of its customers, were affected. However, there have been questions as to why customers did not know about the incident sooner. In its FAQ Okta said: “In light of the evidence that we have gathered in the last week, it is clear that we would have made a different decision if we had been in possession of all of the facts that we have today.”

    The company has provided a detailed timeline of events from January 20 — when it received an alert that a new factor was added to a Sitel employee’s Okta account — to March 22 — the date Lapsus$ published the screenshots it grabbed. Sitel hired an unnamed forensic company to investigate the breach on January 21, which concluded it on February 28. The forensic report to Sitel is dated March 10 and Okta received a summary of that report on March 17, according to Okta’s timeline. After the screenshots were published, Okta’s chief security officer David Bradbury said he was “greatly disappointed by the long period of time that transpired between our notification to Sitel and the issuance of the complete investigation report.”

  • Ransomware payments: Here's how much falling victim will now cost you

    The average ransom demand made following a ransomware attack has risen to $2.2 million as cyber criminals are becoming bolder and have a bigger impact on the businesses they’re targeting. The amount ransomware attackers are demanding has more than doubled since 2020, when the average ransom demand for a decryption key stood at $900,000. The figures come from cybersecurity researchers at Palo Alto Networks, who analyzed ransomware incident response cases they were involved in during 2021.

    While the final ransom payments are often much less than the initial ransom demands, they’ve also risen significantly in recent years. During 2020, the average ransom paid was just over $300,000, which rose to $541,000 in 2021. Analysis of incidents suggests that for those businesses which paid a ransom when the attackers initially demanded over $3 million, the average amount paid was 43% of the ransom demand – but some cyber criminals managed to blackmail victims into paying almost the full amount they first asked for.

    SEE: What is ransomware? Everything you need to know about one of the biggest menaces on the web

    For example, researchers cite an incident by the BlackCat ransomware gang which saw cyber criminals demand a payment of $9 million for a decryption key and walk away with $8.5 million. Sometimes ransomware attackers get much less than they demand; in one case, cyber criminals behind a Suncrypt ransomware attack made a ransom demand of $12 million, only to get paid just $200,000 – 1.67% of their ransom demand.

    The overall trend of the rise in ransom demands and rise in ransom payments shows that ransomware is working, as cyber criminals can make millions of dollars from a single victim who gives in to the extortion demands. Despite warnings not to pay because it only encourages further ransomware attacks, the Unit 42 report suggests that 58% of organisations hit by a ransomware attack opt to pay the ransom. But even if the ransom is paid, that isn’t necessarily the end of their troubles – researchers say 14% of organisations paid cyber criminals more than once.

    The network being down because of encrypted files and servers is disruptive enough, but one of the reasons so many victims are giving in to ransom demands is the rise of double extortion attacks. In order to carry out a ransomware attack, hackers enter the network, providing them with access to sensitive files and data. Many cyber criminals use this as extra leverage, copying the data before it’s encrypted and threatening to publish it if the ransom isn’t paid – and in many cases, it’s working.

    SEE: Cybersecurity: Let’s get tactical (ZDNet special report)

    “Cyber criminals are doubling down by finding additional ways to extort victims in conjunction with ransomware,” said Ryan Olson, VP of threat intelligence at Unit 42 for Palo Alto Networks. “In 2021, ransomware gangs took these tactics to a new level, popularizing multi-extortion techniques designed to heighten the cost and immediacy of the threat,” he added. But this hasn’t just involved threats to publish stolen data – in some cases cyber criminals are adding other extortion tactics including the threat of DDoS attacks, or even harassing employees of the victim organisation over the phone.

    Ransomware continues to be one of the most significant cybersecurity threats facing businesses and the wider world today, but there are ways in which businesses can help protect themselves from falling victim to attacks. Many ransomware attacks begin with hackers exploiting unpatched cybersecurity vulnerabilities or remote desktop protocol (RDP) logins. Information security teams should therefore ensure that security patches for known vulnerabilities are applied as quickly as possible and that login credentials are protected with multi-factor authentication in order to help defend against attacks. Any passwords which are suspected of being leaked or stolen should be changed. It’s also vital for IT departments to understand and monitor the network, as this can help them identify potentially malicious behaviour before cyber criminals trigger a full-blown ransomware attack.

  • Man linked to multi-million dollar ransomware attacks gets 66 months in prison for online fraud

    An Estonian man connected to multimillion dollar ransomware attacks has received a 5-and-a-half-year jail sentence for his involvement in online fraud schemes.

    The US Department of Justice says Maksim Berezan, a 37-year-old from Estonia, took part in at least 13 ransomware attacks, including seven against American businesses, which cost victims over $53 million in losses. Berezan was an active member of an online forum designed for Russian-speaking cybercriminals to gather and exchange their criminal knowledge, tools, and services, the DoJ said.

    Berezan was arrested in Latvia in November 2020 and extradited to the US, where he pleaded guilty in April 2021 to conspiracy to commit wire fraud affecting a financial institution and conspiracy to commit access device fraud and computer intrusions. Following his arrest, police investigated his computers and found evidence of his involvement in ransomware attacks, with $11 million in ransom payments flowing through cryptocurrency wallets he owned.

    SEE: Cybersecurity: Let’s get tactical (ZDNet special report)

    According to court documents, he used the money made from cyber crime to buy two Porsches and a Ducati motorcycle, along with an assortment of jewelry. Authorities confiscated $200,000 in cash from Berezan’s home, along with cryptocurrency wallets holding $1.7 million in Bitcoin. The Eastern District of Virginia sentenced Berezan to 66 months in prison and he’s been ordered to pay $36 million in restitution.

    “Ransomware thieves are not safe in any dark corner of the internet in which they may think they can hide from our highly trained investigators and law enforcement partners worldwide,” said special agent in charge Matthew Stohler of the US Secret Service. “Together with our critical partners we are dedicated to protecting the public and securing every iteration of our money and every part of our national financial infrastructure.”

    The US Department of Justice worked with the Latvian State Police and Estonian Police to help obtain the conviction. “Cybercrime has become increasingly more sophisticated, but so have our methods for combatting it,” said U.S. Attorney Jessica D. Aber for the Eastern District of Virginia. “Ransomware attacks are devastating to people and organizations alike, and we have honed our strategies and techniques to target both the individual actors who perpetrate these attacks and the networks that support them,” she added.

  • Hundreds more packages found in malicious npm 'factory'

    Researchers continue to investigate a wave of malicious npm packages, with the published tally now reaching over 700. Last week, JFrog researchers disclosed the scheme in which an unknown threat actor had published at least 200 malicious Node Package Manager (npm) packages. The team said that the repositories were first detected on March 21 and grew rapidly, with each npm package deliberately named to mimic legitimate software. 

    An automated script targeted scopes used by Microsoft Azure developers, including @azure, @azure-rest, @azure-tests, and more, in the npm software registry. On Monday, Checkmarx researchers Aviad Gershon and Jossef Harush said the Supply Chain Security (SCS) team has also been tracking these activities and has recorded over 600 malicious packages published over five days, bringing the total to over 700.

    To keep the attacks under the radar, the miscreant responsible has been using unique user accounts. “This is uncommon for the automated attacks we see; usually, attackers create a single user and burst their attacks over it,” Checkmarx says. “From this behavior, we can conclude that the attacker built an automation process from end to end, including registering users and passing the OTP challenges.”

    According to Checkmarx, the attacker’s “factory” is developing malicious npm packages that rely on typosquatting and dependency confusion to dupe developers and steal their data. As previously noted by JFrog, the attack method relies on typosquatting and names that mimic trustworthy packages, often removing the “scope” part of a package name to look legitimate. The command-and-control (C2) server used to manage the overall infrastructure of the attack wave, “rt11[.]ml,” is also the recipient address for the stolen information to be sent. The C2 appears to be running Interactsh, an open source tool written in the Go programming language for data extraction.

    Checkmarx set up its own domain and server, complete with an Interactsh client, to better understand the attacker’s method. A script was then written that opens NPM accounts upon request, using the web testing software SeleniumLibrary. The script can randomly generate usernames and email addresses under the test domain and automatically initiates the sign-up process. This is where Interactsh comes in. To bypass the One-Time Password (OTP) verification check used by NPM, Interactsh automatically extracts the OTP and sends it back to the sign-up form, allowing the account creation request to succeed. The team then adhered to the attacker’s method by creating a template npm package and a script able to communicate with NPM utilities in the ‘login’ and ‘publish’ stages.

    “It is worth mentioning that once the user account is open, it is possible to configure it in a way that does not require OTP in order to publish a package,” the researchers said. “This could be done using an authentication token and configuring it to work without 2FA. We presume that this is the way attackers who published bursts of malicious packages were able to automate their process without setting up the described mechanism.”

    Checkmarx, as well as JFrog, have reported the malicious packages to the NPM security team. In addition, the company providing the C2 server has been notified. “By distributing the packages across multiple usernames, the attacker makes it harder for defenders to take them all down with “one stroke,” Checkmarx noted. “By that, of course, making the chances of infection higher. Just to make it clear, the building blocks required for creating single (OTP verified) user[s] per package is no trivial task.”

    In February, JFrog found 25 malicious npm packages containing Discord token stealers. Many of these packages mimicked colors.js, open source software for using colored text on node.js — before its creator sabotaged the package.
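    A defender-side check for the naming trick described above (a lookalike that copies a legitimate scoped package name but drops the `@scope/` part), as an added example that is not from the article or from JFrog or Checkmarx. The allow-list of scoped packages and the package.json document are constructed samples; in practice the allow-list would come from your lockfile or a registry mirror.

```python
"""Added example: flag unscoped npm dependencies whose name matches the
unscoped part of a legitimate scoped package (the "scope removed" lookalike
pattern from the article). Not the article's or the researchers' code."""
import json
from typing import Dict, List

# Constructed sample of scoped packages an organisation legitimately depends
# on (assumption: a real allow-list would be generated from a lockfile).
KNOWN_SCOPED = {
    "@azure/core-tracing",
    "@azure/identity",
    "@azure-rest/core-client",
    "@azure-tests/perf-storage-blob",
}


def unscoped_name(name: str) -> str:
    """Return the package name without its leading '@scope/' prefix."""
    if name.startswith("@") and "/" in name:
        return name.split("/", 1)[1]
    return name


def find_scope_stripped(deps: Dict[str, str], known_scoped=KNOWN_SCOPED) -> List[dict]:
    """Flag unscoped dependencies that equal the unscoped part of a known
    scoped package. A hit is a review signal, not proof of malice."""
    lookup: Dict[str, List[str]] = {}
    for full in known_scoped:
        lookup.setdefault(unscoped_name(full), []).append(full)
    findings = []
    for dep, version in deps.items():
        if dep.startswith("@"):
            continue  # scoped dependency; not the pattern being checked
        if dep in lookup:
            findings.append({"dependency": dep, "version": version,
                             "looks_like": sorted(lookup[dep])})
    return findings


def audit_package_json(text: str) -> List[dict]:
    """Run the check over every dependency section of a package.json."""
    doc = json.loads(text)
    deps: Dict[str, str] = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(doc.get(section, {}))
    return find_scope_stripped(deps)


# Constructed package.json mixing legitimate scoped packages with two
# scope-stripped lookalikes.
SAMPLE_PACKAGE_JSON = """{
  "name": "example-app",
  "dependencies": {
    "@azure/identity": "^2.0.0",
    "core-tracing": "1.0.0",
    "express": "^4.17.0"
  },
  "devDependencies": {
    "core-client": "0.0.1"
  }
}"""

if __name__ == "__main__":
    for finding in audit_package_json(SAMPLE_PACKAGE_JSON):
        print(finding)
```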

  • CISA: Here are 66 more security flaws actively being used by hackers – so get patching

    The US Cybersecurity and Infrastructure Security Agency (CISA) has told federal agencies to patch 66 new security bugs based on evidence of active exploitation. These 66 new bugs join a growing list of bugs in the Known Exploited Vulnerabilities Catalog that covers technology typically used in enterprises, such as network security appliances.


    Federal agencies have been given until April 15, 2022 to apply this batch of patches under the Binding Operational Directive aimed at reducing the significant risk of known exploited vulnerabilities.

    SEE: There’s a critical shortage of women in cybersecurity, and we need to do something about it

    The 66 bugs include recent and older flaws in networking kit and security appliances from D-Link, Cisco, Netgear, Citrix, Kuiper, Palo Alto, Sophos, Zyxel, plus enterprise software from Oracle, OpenBSD, VMware and others, as well as multiple Windows bugs. Among the bugs are one affecting WatchGuard’s Firebox and XTM appliances (CVE-2022-26318), one impacting Mitel’s MiCollab, MiVoice Business Express Access Control Vulnerability (CVE-2022-26143), and the Windows Print Spooler Elevation of Privilege Vulnerability (CVE-2022-21999). The Mitel bug was being exploited for the TP240PhoneHome DDoS attack, which was capable of an amplification ratio of 4,294,967,296 to 1. It was observed being exploited in February and March.

    CISA last month gave agencies two weeks to fix a whopping 95 bugs. Again, some were newly exploited while others have had patches available for several years. So, it looks like admins at federal agencies will have yet another busy few weeks finding and then patching systems. As part of its Shields Up initiative, CISA and the White House are encouraging all US organizations to step up patching and check multi-factor authentication configurations due to an increased threat from cyberattacks being directed at them by Russia.

  • Sophos patches critical remote code execution vulnerability in Firewall

    Sophos has patched a remote code execution (RCE) vulnerability in the Firewall product line. Sophos Firewall is an enterprise cybersecurity solution that can adapt to different networks and environments. Firewall includes TLS and encrypted network traffic inspection, deep packet inspection, sandboxing, intrusion prevention systems (IPSs), and visibility features for detecting suspicious and malicious network activity.

    On March 25, the cybersecurity company disclosed the RCE, which had been privately reported to Sophos via the firm’s bug bounty program by an external cybersecurity researcher. Sophos offers financial rewards of between $100 and $20,000 for reports. Tracked as CVE-2022-1040 and issued a CVSS score of 9.8 by Sophos as a CNA, the vulnerability impacts Sophos Firewall v18.5 MR3 (18.5.3) and older. According to Sophos’ security advisory, the critical vulnerability is an authentication bypass issue found in the User Portal and Webadmin Sophos Firewall access points. While the vulnerability is now patched, Sophos has not provided further technical details.

    Sophos Firewall users will have received a hotfix, in most cases, to tackle the flaw. So if customers have enabled the automatic installation of hotfix updates, they do not need to take further action. However, if customers are still using older software versions, they may have to update their builds to a newer version to stay protected. There is also a general workaround to mitigate the risk of attacks made through the User Portal and Webadmin: users can disable WAN access to these platforms entirely, and Sophos recommends using a virtual private network (VPN) alongside Sophos Central to improve the security of remote connections.

    Earlier this month, Sophos resolved CVE-2022-0386 and CVE-2022-0652, two vulnerabilities in the Sophos UTM threat management appliance. CVE-2022-0386 is a high-severity post-auth SQL injection vulnerability, whereas CVE-2022-0652 is an insecure access permissions bug.