Information Technology

Japanese conglomerate Fujifilm announced that it is suffering from a ransomware attack, becoming the latest victim of cyberattackers who in the last week alone have crippled everything from the largest meat processor in the US to the ferry system serving Martha’s Vineyard.In a statement, the company said it was investigating unauthorized access to its servers and had no choice but to shut down its network. On Tuesday evening, the company said it became aware that it was being hit with ransomware and spent the last two days trying to “determine the extent and the scale of the issue.”The photography and medical imaging giant said the attack had affected all of its external communications, including email and phone services. BleepingComputer spoke with Advanced Intel CEO Vitali Kremez, who said Fujifilm had been hit with the Qbot trojan in May and added that the people behind Qbot have been working with the REvil ransomware gang as of late.REvil caused outrage again this weekend after they were implicated in a ransomware attack on JBS, one of the world’s largest meat processors and a company providing about one fourth of the beef and pork in the US. They previously shut down Colonial Pipeline, causing gas shortages on the East Coast and national outrage that sparked more stringent cybersecurity guidelines for pipelines.Due to the increasing number of attacks, The White House released an open letter on Thursday titled, “What We Urge You To Do To Protect Against The Threat of Ransomware” from Anne Neuberger, deputy assistant to the President and Deputy National Security Advisor for Cyber and Emerging Technology. Despite the startling increase in ransomware attacks in the last few months, Neuberger touted the White House’s efforts to deal with the crisis, noting that the US government is currently “disrupting ransomware networks, working with international partners to hold countries that harbor ransomware actors accountable, developing cohesive and consistent policies towards ransom payments and enabling rapid tracing and interdiction of virtual currency proceeds.”But she added that it was important for the private sector to do its part in addressing the cybersecurity posture of their organizations. 

“All organizations must recognize that no company is safe from being targeted by ransomware, regardless of size or location,” Neuberger said. She urged business leaders to “immediately convene their leadership teams to discuss the ransomware threat” and enhance security measures as well as continuity plans in case they are attacked. Neuberger included a list of best practices and suggestions that ranged from the creation of data backups to prompt system patches, third party cybersecurity reviews, and segmented networks. “Ransomware attacks have disrupted organizations around the world, from hospitals across Ireland, Germany and France, to pipelines in the United States and banks in the UK,” Neuberger wrote. “The US Government is working with countries around the world to hold ransomware actors and the countries who harbor them accountable, but we cannot fight the threat posed by ransomware alone. The private sector has a distinct and key responsibility.”Setu Kulkarni, vice president of strategy at WhiteHat Security, said the two pieces of advice that stood out from the letter are the incident response testing and pen testing. Kulkarni explained that often organizations treat incident response plans like business continuity plans, only creating them for compliance. “We need to make a change here to treat the incident response plan much like a fire drill or an earthquake drill so that when the inevitable breach happens, the entire organization is clear on the first few steps and that will give them the time they need to counter the threat effectively rather than scrambling at the nth minute,” Kulkarni said. “The memo should be updated to further emphasize penetration testing of production systems in a continuous manner — this is important because while the production systems may not change that often, the adversary and the threat landscape are fast evolving in an attempt to breach these production systems.” Focusing on continuous production security testing of web, mobile and API applications, Kulkarni added, should be non-negotiable. But Kulkarni said the memo fell short because it does not create an environment of incentives and disincentives for organizations to double down on these security fundamentals. Tony Cole, CTO of Attivo Networks and a former executive at FireEye, McAfee, and Symantec, told ZDNet that there were a variety of reasons behind the recent spate of ransomware attacks. Enterprises have an over reliance on vendors and in general, organizations continue to add digital tools to their operations which increase the complexity of work for cybersecurity officials.   Cole, who previously worked as a cyber operator for the US Army, added that there is a general lack of cyber defenders with the needed skill sets to keep organizations safe as well as systems that prevent privilege escalation. “No solution is perfect, and attackers will get into the enterprise if they are determined enough with the resources to back their efforts,” Cole said. “Organizations must understand that they can’t prevent all attacks.” Dozens of cybersecurity experts told ZDNet that the letter was an appropriate move considering the current landscape of cyberthreats. Many, like Egnyte cybersecurity evangelist Neil Jones, said there has been a marked shift from simple data theft and cyber-espionage to attacks specifically designed to cripple critical services and business productivity. Others echoed Neuberger’s letter in saying that companies now need to prepare for when, not if, they are hit with ransomware. Tom Garrubba, CISO of Shared Assessments, questioned why critical infrastructure organizations are not being held more accountable and said it was time for certain enterprises to be held to a higher level of legislative scrutiny, like financial institutions and even retail enterprises.”Perhaps it’s time to bring in the executives and board members of these breached organizations to publicly explain these breaches and how their organizations are addressing the IT risks in the current environment,” Garrubba explained. “Every C-Suite and BoD needs to be similarly prepared to answer these questions.”Sophos senior security advisor John Shier noted that the financial incentives of ransomware attacks need to be removed in order to address the problem. Shier said attackers want to hit where it hurts the most to increase their likelihood of a large payout, but most ransomware attacks aren’t targeted scenarios, as seen with the Colonial Pipeline attack. “Attackers are opportunistic. Once they realize they’ve secured a potentially lucrative victim, they go all in — that’s when they become targeted attacks,” he added, explaining that while no defense can be bulletproof, putting up tougher barriers will force cybercriminals to move on to easier targets.  While many experts said it was important to have plans in place for how to recover from an attack, Gurucul CEO Saryu Nayyar said organizations had to implement defenses that could reduce their attack surface and detect ransomware attacks in real-time. “The technology is available. It’s just a matter of putting it in place and working diligently to identify and derail cybercriminals and malicious insiders before they derail you,” Nayyar told ZDNet.But even with a slate of cybersecurity tools available, many IT teams and CISOs do not have the full buy-in from the leaders of their organization. The letter may help justify requests for bigger cybersecurity budgets and more help, according to Digital Shadows CISO Rick Holland. “One comment that stands out to me from Neuberger’s memo is the need for a ‘skilled, empowered security team.’ We so often focus on technology to solve our problems,” Holland said. “Focus on your teams first; have dedicated training and development programs.” Doug Britton, CEO of Haystack Solutions, said that while the recommendations from the White House were accurate and worthwhile, the biggest problem is finding a team able to implement the measures. “Unfortunately, with hundreds of thousands of cyber positions unfilled in the US alone, the million-pound gorilla in the room is, ‘where are the qualified cyber practitioners that can expertly implement the recommendations?'” Britton said.  “Ideally, the national strategy will also rethink the underlying economics of identifying the potential talent, decreasing the cost of training the talent, and retaining that talent in industry.”Kulkarni echoed those remarks, noting that the need for a skilled security team was one area where the gap is the largest between aspiration and reality.”There are just not enough security personnel in the world to staff security teams in organizations today,” Kulkarni said. “What is needed is a combinatorial approach: accelerated and scaled-up security training in the country for security professionals plus training the general population about avoiding risky online behavior.” More

When things take longer than they should, it takes up time that can be much more enjoyably spent elsewhere. There’s no reason for that, when the problem may be that you just don’t have the right software. And if that’s the case, then all you need in order to boost your productivity is The All-Star Mac Bundle Featuring Parallels Pro. Fortunately, it’s being offered at a 30% discount for a very limited time, when you use the code ALLSTARMAC.

For instance, you can streamline your operating systems usage by running macOS and Windows at the same time using the Parallels Pro: 1-Yr Subscription included in this bundle. Buyers really love this service, they gave it a remarkable 4.7 out of 5 stars rating on Trustpilot. Then you can protect your privacy forever, not only on your Mac but also on up to 5 other devices, with a lifetime subscription to FastestVPN. Since you don’t have to sacrifice speed for security, this is a critic’s choice. According to TenBestVPNs:”FastestVPN is one of the most promising VPN services in the market.”Once you’ve got your operations rolling along, you can really begin to turbocharge your productivity in perpetuity with what is arguably the most powerful contact manager you can use on a Mac, because a perpetual license to Busy Contacts is also part of this bundle. The Smart Filter and Tags features allow you to organize your contacts, plus you can sync with all the common cloud services and even integrate it with your social media accounts. While the Activity List keeps track of all your communications and other events with each contact.You will also get a lifetime license for both Macs and Windows to PDFChef, which lets you do everything you need to with pdf files, as well as a perpetual license for Moho Debut. That’s a fun 2D animation program you can use to make cartoons, videos, and more, even if you are a complete novice.Don’t miss this chance to get a 30% discount off The All-Star Mac Bundle Featuring Parallels Pro during the short time it’s available. Use the code ALLSTARMAC today and pay only $35.Prices subject to change.

ZDNet Recommends More

A recent Necro Python bot campaign has shown that the developer behind the malware is hard at work ramping up its capabilities.

On Thursday, researchers from Cisco Talos published a report on Necro Python, a bot that has been in development since 2015. The botnet’s development progress was documented in January 2021 by both Check Point Research (CPR) and Netlab 360, tracked separately as FreakOut and Necro. The developer behind the Necro Python bot has made a number of changes to increase the power and versatility of the bot, including exploits for over 10 different web applications and the SMB protocol that are being weaponized in the bot’s recent campaigns. Exploits are included for vulnerabilities in software such as VMWare vSphere, SCO OpenServer, and the Vesta Control Panel.  A version of the botnet, released on May 18, also includes exploits for EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0147).  The bot will first attempt to exploit these vulnerabilities on both Linux and Windows-based operating systems. If successful, the malware uses a JavaScript downloader, Python interpreter and scripts, and executables created with pyinstaller to begin roping the compromised system into the botnet as a slave machine.  Necro Python will then establish a connection to a command-and-control (C2) server to maintain contact with its operator, receive commands, to exfiltrate data, or to deploy additional malware payloads.  A new addition to the bot is a cryptocurrency miner, XMRig, which is used to generate Monero (XMR) by stealing the compromised machine’s computing resources. 

“The bot also injects the code to download and execute a JavaScript-based miner from an attacker-controlled server into HTML and PHP files on infected systems,” the researchers say. “If the user opens the infected application, a JavaScript-based Monero miner will run within their browser’s process space.” Other features include the ability to launch distributed denial-of-service (DDoS) attacks, data exfiltration, and network sniffing.  A user-mode rootkit is also installed to establish persistence by ensuring the malware launches whenever a user logs in, and to hide its presence by burying malicious processes and registry entries.  Another upgrade of note is Necro Python’s polymorphic abilities. According to the researchers, the bot has a module to allow developers to view code as it would be seen by an interpreter before being compiled to bytecode, and this module has been integrated into an engine that could allow runtime modifications. The engine runs every time the bot is started and it will read its own file before morphing the code, a technique that can make bot detection more difficult.  “Necro Python bot shows an actor that follows the latest development in remote command execution exploits on various web applications and includes the new exploits into the bot,” Talos says. “This increases its chances of spreading and infecting systems. Users need to make sure to regularly apply the latest security updates to all of the applications, not just operating systems.” Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

In a few days, Amazon will begin enrolling Echo devices, Ring Floodlights, and Spotlight Cams into its Amazon Sidewalk network, a plan to create a huge shared network that will allow other Amazon devices that are experiencing network downtime to automatically connect to a nearby device to get a connection.

ZDNet Recommends

The best smart speakers

Want a speaker for your office that pumps out premium sound and offers Bluetooth streaming or voice control? Here are your best options from all the big players, including Sonos, Bose, Google, Apple, and Amazon.

Read More

Here’s how Amazon describes Sidewalk: “Sidewalk can also extend the working range for your Sidewalk-enabled devices, such as Ring smart lights, pet locators, or smart locks, so they can stay connected and continue to work over longer distances. Amazon does not charge any fees to join Sidewalk.” Your contribution to Sidewalk is a small portion of your internet bandwidth — 80Kbps, capped to a maximum of 500MB a month. In return, you get access to Sidewalk, and if your internet goes down, or you have a device that’s in a location where it has a poor connection, your devices get to tap into that shared bandwidth in order that your devices can continue to send you notifications. Must read: Why is iOS 14 so bad? “By sharing a small portion of their home network bandwidth, neighbors give a little—but get a lot in return,” is how Amazon puts it in its privacy and security whitepaper.

I agree. I’ve come across a lot of commentary related to Amazon Sidewalk. Some sensible, some losing their minds over it. And privacy and security concerns are at the top of people’s worries.

Would I allow Amazon Sidewalk to share my network connection? Having read Amazon’s privacy and security whitepaper, and looking at Amazon’s track record over the years, I’d have no problems using Amazon Sidewalk. Amazon has put a great deal of effort and engineering into this, and it’s a clever solution to a problem that affects more and more people who have an ever-expanding ecosystem of IoT hardware in their homes. If you’re concerned about Amazon’s privacy and security credentials, then I’d question why you have Amazon hardware connected to your network in the first place. I mean, these devices have deep hooks into your life, home, and surroundings, and this hardware is bristling with microphones and cameras that are always ready to start listening and watching. Worrying that someone could do something nefarious with that 80Kbps of bandwidth that you’re making available should be the least of your worries. Also, given the state of home network hardware and how poorly they are patched for knows security issues, that will offer a far bigger and better attack surface than Sidewalk ever will. And Amazon is pretty much on the ball when it comes to patching its hardware, so if bugs do surface — more of a when than an if — patches will be forthcoming and installed in the background. That’s a lot more than your typical home router sees. The fact that Tile users will be able to use this network to find lost items is innovative, and offers real competition to Apple’s AirTags. Amazon Sidewalk is a superb idea. More

A new backdoor used in ongoing cyberespionage campaigns has been connected to Chinese threat actors.  On Thursday, Check Point Research (CPR) said that the backdoor has been designed, developed, tested, and deployed over the past three years in order to compromise the systems of a Southeast Asian government’s Ministry of Foreign Affairs.  The Windows-based malware’s infection chain began with spear phishing messages, impersonating other departments in the same government, in which members of staff were targeted with weaponized, official-looking documents sent via email.  If victims open the files, remote .RTF templates are pulled and a version of Royal Road, an RTF weaponizer, is deployed.  The tool works by exploiting a set of vulnerabilities in Microsoft Word’s Equation Editor (CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802).  CPR says that Royal Road is “especially popular with Chinese [advanced persistent threat] APT groups.” The RTF document contains shellcode and an encrypted payload designed to create a scheduled task and to launch time-scanning anti-sandboxing techniques, as well as a downloader for the final backdoor. 

Dubbed “VictoryDll_x86.dll,” the backdoor has been developed to contain a number of functions suitable for spying and the exfiltration of data to a command-and-control server (C2). 

These include the read/write and deletion of files; harvesting OS, process, registry key and services information, the ability to run commands through cmd.exe, screen grabbing, creating or terminating processes, obtaining the titles of top-level windows, and the option to close down PCs.  The backdoor connects to a C2 to pass along stolen data and this server may also be used to grab and execute additional malware payloads. First stage C2s are hosted in Hong Kong and Malaysia, while the backdoor C2 server is hosted by a US provider.  CPR believes it is likely that the backdoor is the work of Chinese threat actors due to its limited operational schedule — 1.00 am — 8.00 am UTC — the use of Royal Road, and due to test versions of the backdoor, uploaded to VirusTotal in 2018, which contained connectivity checks with Baidu’s web address.  “We learned that the attackers are not only interested in cold data, but also what is happening on a target’s personal computer at any moment, resulting in live espionage,” commented Lotem Finkelsteen, head of threat intelligence at CPR. “Although we were able to block the surveillance operation for the Southeast Asian government described, it’s possible that the threat group is using its new cyberespionage weapon on other targets around the world.”

Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

NortonLifeLock has launched a dedicated cryptocurrency mining setup for users of the Norton 360 antivirus platform.Announced on Wednesday, NortonLifeLock says that the new feature, Norton Crypto, will be rolled out today for users signed up to Norton’s early adopter program. Norton Crypto has been designed to allow users to “safely and easily mine cryptocurrency.” In the initial stages, users will be able to mine for Ethereum (ETH).  Mining software leverages a PC’s CPU and graphics capabilities to obtain cryptocurrencies ranging from ETH to Monero (XMR). However, in order to do so, NortonLifeLock says users may have to disable their antivirus solutions — potentially Norton 360 included — and this could allow “unvetted code” to compromise their systems.  The vendor added that cryptocurrency miners taking this risk could lead to the theft of their hard-won coins, or loss if coins are kept in cold storage on user hard drives. To promote the new feature, NortonLifeLock claims that Norton Crypto will protect against these pitfalls by storing coins in a cloud-based wallet, Norton Crypto Wallet.  A company spokesperson told The Verge that once cryptocurrency has been earned, it will be possible to “pull money into Coinbase,” which suggests that Norton Crypto users may also need to sign up for an account with the trading platform — unless other alternative exchanges or means of transfer are also offered. 

“We are proud to be the first consumer Cyber Safety company to offer coin miners the ability to safely and easily turn the idle time on their PCs into an opportunity to earn digital currency,” commented Gagan Singh, NortonLifeLock chief product officer. Users in the US should be aware that cryptocurrency is considered a taxable asset and so earnings may have to be declared.  The timing of the announcement, however, is while the cryptocurrency market is far from flourishing.  The prices of popular coins, including Bitcoin (BTC), ETH, and Dogecoin (DOGE) appear to be on a slow recovery trajectory after cryptocurrencies at large suffered a crash in May, prompted by increasing regulatory scrutiny in China and the US, as well as Elon Musk’s announcement that Tesla would no longer accept BTC as payment.  Norton Crypto will be rolled out and made available to all Norton 360 customers in the coming weeks.  ZDNet has reached out to the vendor with additional queries and we will update when we hear back.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Ransomware is one of the most dangerous cybersecurity threats facing organisations today, yet many are still under prepared when it comes to protecting networks from attacks, and about what to do if ransomware causes disruption.High-profile and highly disruptive ransomware attacks have recently hit Colonial Pipeline, Ireland’s HSE health service and global food producer JBS. In the case of Colonial Pipeline, the organisation paid a ransom of over $4 million in Bitcoin for the key required to restore the affected IT network.

ZDNet Recommends

A ransomware attack can, therefore, be highly damaging when it comes to providing services, it can damage the reputation of the organisation and it can cost a lot of money, both in terms of paying the ransom – if the victim chooses to pay, despite warnings it just funds and encourages criminality – and for restoring and securing the network after an incident.It’s vital that the CEO and the rest of the board are fully equipped with the knowledge to deal with the prospect of a ransomware attack hitting their organisation and are doing as much as possible to ensure this doesn’t happen. And in the unwanted event of an incident, they need to be ready with a plan to restore the network, preferably without paying a ransom.In an effort to provide guidance to CEOs, the UK’s National Cyber Security Centre (NCSC) has detailed five key questions for board members to ask about ransomware. 1. As an organisation and as board members, how would we know when an incident occurred?One of the reasons why ransomware attacks have become so successful is because the attackers are able to lurk within the network for a long time without being discovered.

Organisations should, therefore, know what their IT infrastructure looks like, what monitoring is in place on their network – especially with regards to critical assets – and be able to identify when something is potentially suspicious, as well as having mechanisms for reporting and investigating that malicious activity. By identifying potentially suspicious activity on the network, organisations can go a long way to cutting off ransomware attacks before an intruder has had the time to move around the network.2. As an organisation, what measures do we take to minimise the damage an attacker could do inside our network?One of the key aims of a ransomware attack is to encrypt as much of the network as possible, so organisations should examine what they can do to slow down or stop ransomware from spreading through systems.In order to help make it more difficult for malicious intruders to move around the network, organisations can segment networks, preventing the whole network from being compromised by an attacker gaining access to just one device. SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)  Organisations should also look to implement two-factor authentication across the network as an additional line of defence that makes it harder for malicious intruders to move around the network.3. As an organisation, do we have an incident management plan for cyber incidents and how do we ensure it is effective?”Organisations should think in terms of ‘when’ rather than ‘if’ they experience a significant cyber incident,” warned the NCSC blog post, so it’s essential to plan incident response carefully and to practice for it. SEE: This company was hit by ransomware. Here’s what they did next, and why they didn’t pay upThe NCSC’s recommendations for an incident management plan include identifying the key contacts who need to know about it, clear allocation of responsibility, a conference number for emergency incident calls, as well as contingency measures for critical functions.4.  Does our incident management plan meet the particular challenges of ransomware attacks?Some ransomware attacks simply encrypt data and demand a ransom in return for the key. But increasingly, ransomware gangs are engaging in double extortion techniques where they’ll steal sensitive data and threaten to release it if they’re not paid.Situations like this might not be in the incident response plan, so it’s recommended that plans are made for what would happen in the event that data is stolen – and what a recovery looks like when stolen information, potentially including sensitive data about customers, is published online.5. How is data backed up, and are we confident that backups would remain unaffected by a ransomware infection?One of the key things an organisation can do to help protect against the impact of a ransomware attack is to store backups and to regularly update them, as this provides a method of restoring the network relatively quickly without giving into the ransom demand.However, the board should also seek assurances over what data is deemed critical, how frequently it’s backed up and how the backups are stored. Some ransomware attacks will target backups, so it’s important to make sure the backups are stored offline and on a separate network to the rest of the organisation. By asking questions like the above, the boardroom can help make sure that the organisation is as resilient against the growing threat of ransomware attacks as possible.”Cybersecurity is a board-level responsibility, and board members should be specifically asking about ransomware as these attacks are becoming both more frequent and more sophisticated,” said the NCSC guide.MORE ON CYBERSECURITY More

WhatsApp has reversed course on its decision to limit app functionality for users who do not agree with policy changes that have caused controversy in recent months. 

The new terms were first due to roll out in February and were then pushed back to a May 15 deadline amidst concerns that Facebook would be given access to user data and potentially chat content, and thereby erode the privacy that WhatsApp was originally created for. WhatsApp, acquired by Facebook in 2014, said the new privacy policy will change how the Facebook and WhatsApp applications function, and “integrations” would be offered for businesses that want to manage WhatsApp chats with customers via the Facebook platform.  However, the changes did not prove popular — nor WhatsApp’s ‘take it or leave it’ approach to users, who were told to expect limited app functionality if they did not agree to the new terms.  Originally, WhatsApp said that users who refused would encounter persistent reminders for a few weeks and gradual, dialed-back functions, such as being unable to access chat lists.  “After a few weeks of limited functionality, you won’t be able to receive incoming calls or notifications and WhatsApp will stop sending messages and calls to your phone,” the company said in its FAQ.  While chats and user contacts wouldn’t be shared with Facebook, user profile data would be shared once that user communicated with a business on WhatsApp. 

However, this assurance wasn’t enough to placate some of WhatsApp’s two billion users, millions of which have since turned to encrypted chat alternatives including Signal and Telegram.  WhatsApp has since attempted to explain what the privacy changes mean for users, but as the controversial changes prompted German regulators to file an emergency three-month ban prohibiting Facebook from processing personal data from WhatsApp “for its own purposes,” it seems the company has finally dialed back its heavy-handed approach.  The privacy term updates have gone ahead, but users that refuse can carry on using WhatsApp as normal.  “No one will have their accounts deleted or lose functionality of WhatsApp on May 15th because of this update,” the company says.  “Considering the majority of users who have seen the update have accepted, we’ll continue to display a notification in WhatsApp providing more information about the update and reminding those who haven’t had a chance to do so to review and accept. We currently have no plans for these reminders to become persistent and to limit the functionality of the app.” Accounts that do not accept the privacy terms will not be deleted. However, WhatsApp added that there will be “opportunities” for those who have not accepted the changes to do so directly in the app, such as when users reregister or “if someone wants to use a feature that’s related to this update for the first time.” In related Facebook news, at the F8 developer conference, Facebook announced a swathe of changes to the WhatsApp Business API to improve uptake, API onboarding, and overall speed; as well as new messaging features to bolster integration of business chatbots on the platform.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More