FBI attributes JBS ransomware attack to REvil

The United States FBI issued a short statement on Wednesday pinning the recent JBS ransomware incident on REvil.

“As the lead federal investigative agency fighting cyber threats, combating cybercrime is one of the FBI’s highest priorities. We have attributed the JBS attack to REvil and Sodinokibi and are working diligently to bring the threat actors to justice,” the agency said. “We continue to focus our efforts on imposing risk and consequences and holding the responsible cyber actors accountable. Our private sector partnerships are essential to responding quickly when a cyber intrusion occurs and providing support to victims affected by our cyber adversaries.

“A cyber attack on one is an attack on us all. We encourage any entity that is the victim of a cyber attack to immediately notify the FBI through one of our 56 field offices.”

REvil has previously hit Acer, Travelex, and UnitingCare Queensland.

Speaking to Australian Senate Estimates on Wednesday, director-general of the Australian Signals Directorate Rachel Noble said the agency has not used its offensive cyber capabilities against the ransomware crew, which at this time is believed to be Russian-based, but that JBS has a private incident response provider. Noble added that ASD is able to use its more secretive powers to warn other organisations if they are on a ransomware attacker’s hit list.

“We were very engaged with [Channel Nine during their March attack] and the technical information that they were able to provide us about what happened on their network helped us, using our more classified capabilities, to warn two other entities that they were about to be victims as well, to prevent them from becoming victims,” the director-general said.

JBS said on Tuesday it has seen “significant progress” in resolving the attack that hit its North American and Australian operations while leaving its Mexican and UK operations unaffected. The company said it has received strong support from governments in Washington, Canberra, and Ottawa, and was having daily calls with officials.

On Wednesday, JBS said its global operations were back to “near full capacity”.

“JBS USA and Pilgrim’s continue to make significant progress in restoring our IT systems and returning to business as usual,” JBS USA CEO Andre Nogueira said. “Today, the vast majority of our facilities resumed operations as we forecast yesterday, including all of our pork, poultry and prepared foods facilities around the world and the majority of our beef facilities in the US and Australia.”

On Tuesday, Fujifilm said it disconnected and partially shut down its network after a ransomware attack.

“Fujifilm Corporation is currently carrying out an investigation into possible unauthorised access to its server from outside of the company. As part of this investigation, the network is partially shut down and disconnected from external correspondence,” the Japanese giant said. “In the late evening of June 1, 2021, we became aware of the possibility of a ransomware attack. As a result, we have taken measures to suspend all affected systems in coordination with our various global entities.

“We are currently working to determine the extent and the scale of the issue. We sincerely apologise to our customers and business partners for the inconvenience this has caused.”

Last week, it was reported that Japanese government data stored in Fujitsu software was accessed and stolen by hackers.

“Fujitsu can confirm unauthorised access to ProjectWEB, a collaboration and project management software, used for Japanese-based projects. Fujitsu is currently conducting a thorough review of this incident, and we are in close consultation with the Japanese authorities,” Fujitsu told ZDNet. “As a precautionary measure, we have suspended use of this tool, and we have informed any potentially impacted customers.”

Minister apologises for myGov breach of Redress Scheme survivor's information

Australian Minister for Families and Social Services Anne Ruston has apologised to a survivor whose personal information was breached when the details of their application to the National Redress Scheme were uploaded directly to another person’s myGov account.

“I regret most sincerely that this error has occurred, and that any trauma or distress that has been caused to the person whose information has been incorrectly uploaded, I believe those sentiments were passed on to the person directly by the officer who contacted her, but yes, I deeply regret what’s happened,” Ruston told Senate Estimates on Thursday morning.

The National Redress Scheme provides support to people who have experienced institutional child sexual abuse. The scheme started on 1 July 2018, and is currently planned to run for 10 years.

As first reported by 10 News Queensland, the survivor’s information was uploaded to the account of another survivor. This comprised 12 pages of highly confidential information, including address, phone number, bank account details, and Centrelink number, as well as their application to the scheme outlining the sexual abuse they had suffered.

Ruston told senators she was made aware of the breach on the weekend. Department of Social Services deputy secretary Liz Hefren-Webb said she was told last Friday. The representatives were asked if they could give an ironclad guarantee that such a breach would not occur again.

“Obviously, when you’re dealing with a situation where you have a lot of people, you can never give an ironclad guarantee, but I can assure you every measure has been taken and will continue to be taken to make sure that the safety around the privacy of the information of these people is our utmost consideration,” Ruston said. “I can only apologise for what’s happened.”

Senators pointed to funding allocated to the National Redress Scheme as part of the federal Budget, with AU$104.8 million allocated last year. Hefren-Webb clarified that the incident occurred in October 2018.

“The incident we’re referring to happened some time ago, before the upgrade of the systems … we are still investigating how it occurred, but it was prior to the funding,” she said. “[A] large part of that funding was for additional redress support services, so non-government support services for survivors, but there was funding for improvements and we are working to improve the system. We are working to improve training.”

Such training, she said, is around privacy. The department has also added further quality checks to the system.

“But this error obviously occurred fairly early in the scheme’s life and we absolutely apologise without reservation to the person who it’s affected,” Hefren-Webb said.

An initial investigation is underway by the department, alongside its legal team.

“We’re currently looking at the systems and what led to that, the issues, so I expect that we’ll have a better understanding during next week,” Ruston said.

When asked if the breach could lead to many survivors not reaching out to the scheme, Ruston said privacy is of the utmost concern to the department.

“We’re always concerned that we put in place the best possible measures to support survivors through what is most often a very traumatic experience. And obviously, this is a situation that we need to investigate and make sure every precaution is put in place, that the protection of the confidentiality, privacy of survivors is always utmost in everything that we do,” she added. “I regret that this has happened, but we will continue to work tirelessly to make sure that we provide a scheme that is, that reflects what survivors need and want.

“I can’t reiterate enough that we take the confidentiality and privacy of individuals who are seeking to gain redress through this scheme very, very seriously.”

If you or anyone you know in Australia needs help, contact one of these services:

Suicide Call Back Service on 1300 659 467
Lifeline on 13 11 14
Kids Helpline on 1800 551 800
MensLine Australia on 1300 789 978
Beyond Blue on 1300 22 46 36
Headspace on 1800 650 890
QLife on 1800 184 527

ASD using classified capabilities to warn local entities of impending ransomware hit

While the Australian Cyber Security Centre (ACSC) is engaged in helping a local organisation remove and recover from a ransomware hit or cyber attack, its overseer, the Australian Signals Directorate (ASD), is able to use its more secretive powers to find out if any other organisations are on the attacker’s hit list.

Speaking about the attack on Channel Nine in March, director-general of the Australian Signals Directorate Rachel Noble told Senate Estimates that pre-warning organisations about any precursor activity on their networks or systems is part of ASD’s “value add”.

“We were very engaged with [Channel Nine] and the technical information that they were able to provide us about what happened on their network helped us, using our more classified capabilities, to warn two other entities that they were about to be victims as well, to prevent them from becoming victims,” Noble said.

A particular focus in the past year for ACSC has been the health sector, which has seen its share of cyber incidents and been the sector with the highest level of ransomware attacks. ACSC head Abigail Bradshaw said that when an incident occurs, ACSC assists organisations with shutting down and confining the ransomware, then provides assurance that the malicious actor is out, and then helps to restore systems.

“And lastly, as quickly as we can … to take whatever indicators of compromise we can for the purpose of pre-warning other entities before they become victims,” Bradshaw said. “We use the full range of ASD capabilities to determine whether or not there might be indicators of future victims. We have done that in a number of cases in the last 12 months … using the full range of ASD capabilities, we have been able to identify precursors going down on other people’s networks, and to pre-warn those entities before they become victims, which [as Noble says] is much more useful.”

The ACSC has been publishing pre-emptive threat advisories for health care over the past 18 months “because they have been so vulnerable and also useful targets for criminals,” Bradshaw said.

“We have direct links into, and in fact officers embedded in, the Department of Health, because of the criticality of the health sector at the moment,” the ACSC chief said. “That means we alert the Department of Health whenever there is an impact to the healthcare sector, but also, in particular, any entity involved in the vaccine rollout, because that is of critical importance.”

Noble confirmed the government has been engaging with global meat producer JBS after ransomware took down its systems earlier this week.

“We have been engaging with the JBS subsidiary here in Australia to provide them with the best advice and assistance that we can,” Noble said. “I think it’s fair to say that they have a private incident response provider, which is terrific, and they know that we’re here for them.”

The director-general said ASD has not used its offensive cyber capabilities against the ransomware crew, at this time believed to be Russian-based.

JBS said on Tuesday it has seen “significant progress” in resolving the attack that hit its North American and Australian operations while leaving its Mexican and UK operations unaffected.

“We have cybersecurity plans in place to address these types of issues and we are successfully executing those plans. Given the progress our IT professionals and plant teams have made in the last 24 hours, the vast majority of our beef, pork, poultry and prepared foods plants will be operational tomorrow,” JBS USA CEO Andre Nogueira said.

The company said it has received strong support from governments in Washington, Canberra, and Ottawa, and was having daily calls with officials.

In April last year, the government announced ASD had used its offensive powers against COVID-19 scammers, and since then, ASD has made sure those crews have not got up off the mat.

“We absolutely have continued quite a range of offensive cyber operations, including ensuring that this particular organised criminal syndicate — watching them and making sure that they are unable to rebuild their infrastructure — do not get back on their feet,” the director-general said.

Bradshaw added that the National Cyber Security Committee has sometimes been meeting daily, in particular when vulnerabilities in Microsoft Exchange and Accellion appear.

FireEye sells FireEye Products unit to STG for $1.2 billion

FireEye said it is selling its FireEye Products business for $1.2 billion to a consortium led by Symphony Technology Group (STG). The all-cash deal is expected to close at the end of the fourth quarter.

FireEye said that the transaction separates the company’s network, email, endpoint and cloud security products from Mandiant’s software and services. FireEye Products and Mandiant Solutions will continue to be one entity until the transaction closes. Symphony Technology Group and FireEye will maintain reselling and collaboration agreements.

FireEye CEO Kevin Mandia said the deal will allow FireEye to scale its software platforms. FireEye projected that its products and related subscriptions and support revenue would fall 10% to 11% in 2021 compared to 2020.

(Chart: how FireEye Products fit into the company’s first quarter billings mix.)

In addition, FireEye said it has authorized a stock repurchase program of $500 million.

Breached companies facing higher interest rates and steeper collateral requirements

Companies are now being penalized financially by banks for data breaches, according to a new study from the American Accounting Association.

In a new report, titled “Do Banks Price Firms’ Data Breaches?”, the organization found that banks are punishing companies that lose customer financial account information or social security numbers through data breaches with substantially higher interest rates and steeper requirements for collateral and covenants.

The researchers behind the report analyzed data on 1,081 bank loans to publicly traded companies from 2003 to 2016. Of the 1,081 bank loans, 587 went to companies that had dealt with a data breach and 494 went to companies that had not.

Henry Huang, co-author of the study and an associate professor of accounting at Yeshiva University, said he wanted to find a way of quantifying the financial consequences of breaches. The researchers matched companies in similar industries to see whether those that had been breached saw differences in how banks dealt with them.

The report showed a clear link between higher interest rates and data breaches, with those that suffered more disastrous breaches facing even tougher treatment from banks. But banks did make a distinction between companies that had been hacked by criminal groups and those that had lost control of customer data through accidents or mistakes.

The financial penalties were harsher for certain industries, like healthcare, business services, computer, electronic equipment, and transportation. Surprisingly, companies that were known for having well-regarded IT departments faced even harsher treatment from banks after breaches because “banks had to make a bigger adjustment to their assessment of the company’s security.”

“We also wanted to learn which variables come into play. For example, we learned there are things companies can do to mitigate damage after a data breach,” Huang said, mentioning actions like hiring security companies to address the attack and building out IT security systems.

“There are also valuable lessons here for accountants and auditors. It highlights the consequence of different types of data breaches in different industries, the importance of safeguarding confidential information, and the value of remedial actions after a breach,” Huang added.

Cybersecurity experts like Lamar Bailey, senior director of security research at Tripwire, explained that insurance rates and loan rates are all based on risk. He compared it to the credit scores and driving records banks use for consumers, noting that the higher interest rates breached companies face are “totally valid.”

“I would love to see a public security risk score so consumers can decide if they want to do business with this company or give them any personal data,” Bailey told ZDNet.

Panorays founder Demi Ben-Ari explained that since companies are being held accountable for data breaches through data privacy regulations, it is not surprising that banks are taking a similar approach by charging risky organizations higher interest rates.

“The message is clear: organizations are responsible for protecting the data of their customers. To prevent cyber incidents, it’s essential for companies to thoroughly assess and continuously monitor their own cyber posture as well as that of the third parties with which they do business,” Ben-Ari said. “Clearly, investing in such processes pays in the long run.”

Most people do not approve of companies profiting from their data

People around the world are getting upset at how their data is being collected and used. Data is often harvested and sold for profit — often without the person’s consent.

The UK government wants to extract the medical history of every patient in England if they do not opt out before July 1, 2021. That is a huge amount of data that potentially can be shared. So, it is not surprising that people are not keen to have their online data shared, often for profit.

People are becoming increasingly concerned with and distrustful of how companies use, manage, and protect their personal data, and a new survey has revealed how much people know about data gathering and what happens to their data.

From April 23 to May 3, 2021, St. Louis-based market research firm Invisibly surveyed 1,320 people to gauge whether they approve of having their data sold for profit. It wanted to find out whether people want to have more control over what happens to their data and if they had any interest in monetizing their data.

The survey showed that four in five (79%) do not approve of companies profiting from their data. Respondents under 25 years of age were less likely to disapprove (74%) compared to older respondents (85% to 87%).

Seven in 10 (71%) were aware that companies profit from selling their data, and 46% felt that they should be able to earn money from their own data instead of companies.

Over three in four (77%) do want to control who has access to their data, yet 81% of consumers will share their personal information for online personalization from a brand. Dr. Don Vaughn, Ph.D., Head of Product at Invisibly, said: “Data consent is a huge industry issue right now and we are on a mission to give people control and consent over the data they share.”

So how can people be made aware of issues around data control? Anyone who understands data collection and online advertising understands just how difficult, if not impossible, it currently is to have total control over your own data. There are several platforms such as SavvyShares, which compensates consumers for access to their data, and Killi Paycheck, which offers direct payments for data use.

It is not surprising that data privacy is a hot topic right now. Most businesses are tracking customers yet don’t tell them. Invisibly is launching a consumer-consented data platform where people can choose what data they share and get compensated for it.

It would be fantastic if all data that is collected by any company had been consented to by the owner of the data, and if people were being compensated for giving companies access to their data. Being able to choose which data can be shared, and being able to completely protect your data, as under the GDPR across Europe, will empower owners of data to choose what happens to their information.

Data protection should not be something offered to the few but the many. But will paying people for their data stop companies also profiting from it? Only time will tell.

Microsoft acquires ReFirm Labs to boost its IoT security offerings

Microsoft has acquired ReFirm Labs, the developer of the open-source Binwalk firmware security-analysis product, for an undisclosed amount. Microsoft officials announced the deal on June 2, saying that the acquisition of ReFirm will “enhance chip-to-cloud protection” capabilities that Microsoft offers on the IoT front.

Fulton, Md.-based ReFirm Labs says that its Binwalk open-source technology has been used by more than 50,000 organizations worldwide. (The ReFirm team introduced Binwalk Open Source in 2010 and founded ReFirm Labs in 2017.) Its tagline for Binwalk Enterprise is “Find the holes in your device security before attackers do.”

Microsoft is touting ReFirm as enabling it to better provide firmware analysis and security on intelligent edge devices, ranging from servers to IoT. “The addition of ReFirm Labs to Microsoft will bring both world-class expertise in firmware security and the Centrifuge firmware platform to enhance our ability to analyze and help protect firmware backed by the power and speed of our cloud,” according to Microsoft’s blog post.

Microsoft already offers Azure Defender for IoT and recently acquired CyberX to help bolster IoT security. Microsoft officials said last June that CyberX’s technology would provide a complement to other Microsoft Azure IoT services, as well as products like Azure Sentinel, in a way that will help identify threats that may span converged IT and operational technology (OT) networks.

This is how attackers bypass Microsoft's AMSI anti-malware scanning protection

Researchers have outlined the most popular tools and techniques used by threat actors to try and bypass Microsoft’s Antimalware Scan Interface (AMSI).

Making its debut in 2015, AMSI is a vendor-agnostic interface designed to integrate anti-malware products on a Windows machine and better protect end users, supporting features including scan request correlation and content source URL/IP reputation checks.

AMSI’s integration with Office 365 was recently upgraded to include Excel 4.0 (XLM) macro scanning, to combat the rise of malicious macros as an infection vector.

Microsoft’s security solution is a barrier that today’s Windows malware developers often try to circumvent, whether through obfuscation or steganography, or by preventing a file from being scanned and detected as malicious in the initial stages of an attack.

In an investigation into techniques used to avoid or disable AMSI, Sophos researchers said on Wednesday that threat actors will try everything from living-off-the-land tactics to fileless attacks.

The opportunities an AMSI bypass represents were perhaps first highlighted in a 2016 tweet by security expert Matt Graeber, in which, Sophos says, a single line of code flipped a PowerShell attribute for AMSI integration and, in theory, may have stopped PowerShell-based processes from requesting scans.

Although that one-liner has now been detected and flagged as malicious for years, malware developers have taken inspiration from it, and obfuscated variations are still in use today in an attempt to dance around signature-based scans.

In detections over 2020 – 2021, the majority appear to be focused on post-exploitation activities, including lateral movement. One method, for example, attempts to retrieve a PowerShell backdoor from a web server within a private IP address space. The same bypass was traced back to a separate incident, linked to ProxyLogon attacks, in which a connection was forged to a remote server in order to grab a PowerShell-based malware downloader.

Another technique used for AMSI bypass involves Seatbelt, an offensive security tool: a PowerShell script was used to create a delegate process that uses reflection to access the .NET interface for AmsiUtils.

However, Sophos says that over 98% of AMSI circumvention attempts are made by tampering with the AMSI library. A variety of malware strains will try to find AmsiScanBuffer, already loaded into memory, and then overwrite its instructions to make sure scan requests fail. Alternative versions may modify the memory storing the code that returns buffer scan results, again prompting failure.

Other tactics include:

• Cobalt Strike: the memory patch technique is included under amsi_disable, and is seen in the Agent Tesla Trojan family, among others.
• Command line remote scripts invoked in PowerShell prior to patch attempts.
• Creating fake DLLs designed to dupe PowerShell into loading a fake version of amsi.dll, an old tactic now made more difficult by improved Microsoft security.
• Downgrading script engines.
• Loading unsupported engines or, in extreme cases, virtual machines (VMs).

“Given how prevalent those tactics have become, particularly in ransomware operator intrusions, AMSI can play a particularly important role in keeping Windows 10 and Windows Server systems from being compromised,” Sophos says. “But AMSI is not a panacea. And while Microsoft’s Windows Defender provides some protection against AMSI bypasses, attackers are continuously finding ways to obfuscate and conceal malicious content from anti-malware signature detections.”
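The tactics listed above all leave traces in PowerShell script block logs, which is where a defender would look for them. The following Python script is an added example, not code from the Sophos report or from ZDNet: it normalises each logged script block (lower-casing, stripping the backtick escape character, and joining the 'Am'+'si'-style string concatenation the article says is used to dodge signature scans) and then checks it for the indicators the article names: reflection on AmsiUtils, references to the AmsiScanBuffer export, an amsi.dll path outside the Windows directory, launch of the PowerShell v2 engine (a downgrade to an engine that predates AMSI), and the Seatbelt tool. The log records, host names, indicator names and the trusted-path allow-list are all constructed or assumed for the example.

```python
"""Flag PowerShell script blocks that show signs of AMSI tampering.

Added example, not code from Sophos or ZDNet. The indicators map to the
tactics described in the article: reflection on AmsiUtils, patching
AmsiScanBuffer, planting a fake amsi.dll, downgrading the script engine,
and use of Seatbelt. The log records below are constructed for illustration.
"""
import re

# Indicator name, regex (run against normalised text), and a human-readable reason.
INDICATORS = [
    ("reflection-amsiutils", re.compile(r"amsiutils"),
     "reflection on the .NET AmsiUtils type"),
    ("memory-patch-amsiscanbuffer", re.compile(r"amsiscanbuffer"),
     "reference to the AmsiScanBuffer export (memory patching)"),
    ("engine-downgrade",
     re.compile(r"powershell(?:\.exe)?\b[^\n]*-v(?:ersion)?\s+2\b"),
     "launch of the PowerShell v2 engine, which predates AMSI"),
    ("offensive-tool-seatbelt", re.compile(r"\bseatbelt\b"),
     "reference to the Seatbelt offensive tool"),
]

# amsi.dll is legitimate under the Windows directory; any other path is suspect
# (assumed allow-list for this example).
AMSI_DLL_PATH = re.compile(r"[a-z]:\\[^\s\"']*?amsi\.dll")
TRUSTED_PREFIX = "c:\\windows\\"


def normalize(script: str) -> str:
    """Undo cheap obfuscation so signatures match: lower-case, strip the
    backtick escape character, and join 'am'+'si'-style string concatenation."""
    text = script.lower().replace("`", "")
    text = re.sub(r"['\"]\s*\+\s*['\"]", "", text)
    return re.sub(r"\s+", " ", text)


def find_indicators(script: str) -> list:
    """Return (indicator, reason) pairs found in one script block."""
    text = normalize(script)
    hits = [(name, why) for name, rx, why in INDICATORS if rx.search(text)]
    for match in AMSI_DLL_PATH.finditer(text):
        path = match.group(0)
        if not path.startswith(TRUSTED_PREFIX):
            hits.append(("fake-amsi-dll",
                         f"amsi.dll referenced outside the Windows directory: {path}"))
    return hits


def scan_log(records: list) -> list:
    """Run the indicator check over script block records; keep only those with hits."""
    return [
        {"id": rec["id"], "host": rec["host"], "hits": hits}
        for rec in records
        if (hits := find_indicators(rec["script"]))
    ]


# Constructed sample records in the shape of PowerShell script block logging output.
SAMPLE_LOG = [
    {"id": 1, "host": "ws01", "script": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
    {"id": 2, "host": "ws02", "script": "$t = 'System.Management.Automation.' + 'Am' + 'si' + 'Ut' + 'ils'"},
    {"id": 3, "host": "ws03", "script": '$export = "Am`si" + "Scan" + "Buffer"'},
    {"id": 4, "host": "ws04", "script": r"Copy-Item .\build\amsi.dll C:\Temp\tool\amsi.dll"},
    {"id": 5, "host": "ws05", "script": r"powershell.exe -Version 2 -File C:\Temp\run.ps1"},
    {"id": 6, "host": "ws06", "script": r"Test-Path C:\Windows\System32\amsi.dll"},
    {"id": 7, "host": "ws07", "script": r".\Seatbelt.exe -group=all"},
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"[{finding['host']}] block {finding['id']}:")
        for name, why in finding["hits"]:
            print(f"    {name}: {why}")
```

Run on the constructed records, blocks 2, 3, 4, 5 and 7 are flagged and blocks 1 and 6 are not; block 6 shows why the allow-list matters, since a reference to the genuine amsi.dll under C:\Windows is routine. These are triage heuristics rather than verdicts: security tooling and some administrative scripts legitimately mention AMSI, so a hit should feed an investigation of the surrounding process tree and network activity, not an automatic block.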
