More stories

  • Cybersecurity: Why a culture of silence and driving mistakes underground is bad for everyone

    Cybersecurity works best when people know that their corporate information security team will be sympathetic to mistakes. That’s because, if someone suspects they may have clicked a phishing link or fallen victim to a cyber attack, they’re much more likely to be open about it – and that helps the whole organisation stay secure against malicious hackers.

    Organisations face potential cyber threats on a daily basis as criminals attempt to breach networks using various methods, including phishing in an effort to gain usernames and passwords, or even to lay the foundations for a malware or ransomware attack.

    The nature of cyber defence means that an attacker only needs to be successful once in order to find an opening. Often, that opening comes in the form of an employee unintentionally falling victim to a phishing email, an incident which, if left undetected and unchecked, could have significant consequences for the organisation as a whole.

    Organisations should therefore be understanding with employees and encourage them to contact their information security team if they suspect they may have fallen victim to a phishing attack or any other potentially malicious activity.

    “The last thing I think we want to do is – whether people are at home or in the office – to create a sort of culture where you drive incidents or mistakes underground,” David Emm, principal security researcher at Kaspersky, told ZDNet Security Update.

    “Because actually as an IT department, you want to know if somebody clicked a link and they shouldn’t, you want them to ring you up and say ‘I think I’ve done something silly, I didn’t realize I clicked on a link’ – great, okay, we can manage that now we know about it.”

    There’s a risk that if people are worried they’ll be punished for making a cybersecurity mistake, they won’t come forward to talk about it in the first place – and that’s only going to cause more serious issues, especially if cyber criminals have managed to infiltrate the network.

    “If people don’t want to tell you, because they think they’re going to get into serious trouble, it just goes underground and you have no visibility of that,” said Emm.

    And if organisations don’t have any indication that there could be malicious activity within their network, they can’t look for it, meaning a malicious hacker could be inside the network for a long time, laying the groundwork for a significant cyber attack.

    So making sure employees feel comfortable coming forward about potential incidents, and that the information security team is going to be sympathetic – rather than punishing them – is key to helping the whole organisation stay safe from cyber attacks.

    “Trying to encourage a feeling whereby people feel enabled or empowered to say things is really important, because that way, if you have visibility into it, you can manage it,” said Emm.

  • XSS vulnerability found in popular WYSIWYG website editor

    A cross-site scripting (XSS) vulnerability has been found in a WYSIWYG editor used by at least 30,000 websites.

    Discovered by Bishop Fox security consultant Chris Davis and publicly disclosed on Wednesday, the bug, tracked as CVE-2021-28114, impacts Froala version 3.2.6 and earlier. Froala is a lightweight What-You-See-Is-What-You-Get (WYSIWYG) HTML rich text editor for developers and content creators. Wappalyzer estimates that Froala is in use by approximately 30,000 web domains.

    According to Bishop Fox, the WYSIWYG editor contains a security flaw in its HTML sanitization parsing protocol, allowing attackers to bypass existing XSS protections. The vulnerability can be triggered by inserting a JavaScript payload in an HTML event handler within specific HTML and MathML tags, which will cause the parser to mutate the payload into JavaScript commands.

    “The XSS is caused by a confusion during the HTML parsing sequence,” Davis said. “The <math> tag causes the parser to switch its namespace context from HTML to MathML, which does not parse in the same manner as HTML. The <iframe> and embedded HTML comment <!-- cause the parser to switch context during the tokenization phase of HTML parsing and read the strings that follow as user data (RCDATA) rather than computer instructions.”

    As a result, XSS can be triggered. Cross-site scripting attacks often allow attackers to act as a victim user when they interact with a vulnerable application, and consequences can range from privilege escalation to data leaks or, in the worst scenarios, actions such as forcing an unauthorized fund transfer.

    “In Froala’s case the vulnerability may reflect itself as either stored or reflected depending on the application that uses it and therefore the impact will vary,” the researcher says. “The context of the application leveraging Froala will also dictate the impact of the vulnerability.”

    CVE-2021-28114 was first discovered on February 26 and Froala was contacted on March 4. The vendor developed and released a patch in version 3.2.7 on May 18; however, Bishop Fox retested the software and found that the bug, in some configurations, had not been fully resolved. While a public disclosure timeline extension was offered, no adjustments were made. When contacted, the vendor pointed us to the changelog. XSS bugs were previously patched in versions 3.2.2 and 3.2.3.

    To mitigate the risk of this vulnerability, users should upgrade to at least version 3.2.7. The latest version available, v4.0, was released on June 1.

  • Russian underground forums launch competitions for cryptocurrency, NFT hacks

    Cybercriminals in underground forums have been soliciting techniques for compromising cryptocurrency services.

    Capture the Flag competitions, conference calls for papers, and gamification in cybersecurity courses designed to equip learners with hands-on skills are all common in the white hat realm, but in opposition, contests are also being launched by cybercriminals to create new offensive techniques.

    Over the past month, according to Intel 471, operators of Russian underground forums have been running a competition asking for papers that examine “how to target cryptocurrency-related technology.” Starting April 20, the contest requests unorthodox methods covering everything from the theft of private keys and wallets used to store cryptocurrency, including Bitcoin (BTC) and Ethereum (ETH), to submissions for “unusual” cryptocurrency mining software, as well as proposals relating to smart contracts and non-fungible tokens (NFTs).

    According to the team, proposals were accepted over 30 days, with the forum administrator claiming that $100,000 in prizes would be awarded to the ‘best’ research — and a further $15,000 was shortly added to the pool. Some papers were posted for the wider forum to appraise, including ways to manipulate APIs used by cryptocurrency platforms, the use of phishing websites to harvest keys and seed phrases, and more.

    Underground forum contests are nothing new, and similar forums have launched their own versions in the past asking for everything from software vulnerabilities to ATM and point-of-sale (PoS) exploits.

    However, the cryptocurrency-focused contest does highlight how the virtual alternative to fiat currency is lucrative — despite, or perhaps because of, the volatility of some coins — and not just because of how cryptocurrency is abused by ransomware operators.

    A security researcher kept a major Bitcoin Core vulnerability secret for two years that could be used to crash the main BTC blockchain alongside Bcoin, Btcd, and similar blockchains. This vulnerability was quietly patched before another researcher stumbled across the same issue and its existence was made public.

    Other cryptocurrency and blockchain-related security problems of note this year are Akamai’s discovery of a botnet using BTC mining activities and the blockchain at large as a method of obfuscation, and the use of March’s Microsoft Exchange Server zero-days to install cryptocurrency mining software on vulnerable machines.

  • US schools land IBM grants to protect themselves against ransomware

    IBM has awarded a total of $3 million in grants to US school districts to bolster their defenses against ransomware operators.

    All United States public K-12 school districts were eligible to apply for the grants, designed to help school officials “proactively prepare for and respond to cyberattacks.” The grants, worth $500,000 each, have been awarded to school districts in Florida (Brevard Public Schools), New York (Poughkeepsie City School District), Georgia (KIPP Metro Atlanta Schools), Texas (Sheldon Independent School District), California (Newhall School District), and Colorado (Denver Public Schools).

    IBM says that applicants were judged on their “cybersecurity needs and experiences, community resources and potential risks.” The IBM Education Security Preparedness Grant will sponsor IBM Service Corps, a group established in 2008, to visit districts and review their current cybersecurity postures, as well as to create assessments that identify “pain points” that need to be addressed to deal with ransomware.

    Ransomware is a form of malware that in recent years has proved to be an extremely lucrative avenue for cyberattackers. If an intrusion and infection occur, victims will find themselves locked out of their systems and faced with a blackmail demand, usually in cryptocurrency and reaching millions of dollars, in return for a decryption key. This key may or may not work, and if victims refuse to pay, they may also be faced with a double-extortion tactic — in which any confidential data stolen during the initial stages of a ransomware attack will be leaked online or sold unless they bow to the cybercriminals’ demands.

    We’ve seen just how disruptive these attacks can be through the global WannaCry outbreak and, more recently, a ransomware outbreak on Colonial Pipeline’s networks that caused fuel shortages, as well as the impact on patients of Ireland’s health service, which has also been targeted by ransomware operators.

    When it comes to schools, 2020 was a “record-breaking” year for cyberattacks, according to the K-12 Security Information Exchange. In the organization’s latest report on K-12 security, the group says that attacks have highlighted “significant gaps and critical failures in the resiliency and security of the K-12 educational technology ecosystem.”

    IBM says that the applications received revealed a massive disparity in cybersecurity budgets, with half of school districts able to raise less than $100,000 for cybersecurity spending — an especially problematic fact for smaller districts, which face the same cybersecurity challenges as larger districts able to raise millions of dollars.

    Over 7,800 US schools and over 4 million students were represented in the applications. In total, over 40% of districts said they had already suffered a ransomware attack, and over 55% of school districts have no security training programs in place. The grant recipients will begin working with IBM this summer.

    “It’s extremely encouraging to see how many school districts are taking an active role in trying to better their cybersecurity,” said Christopher Scott, Director of Security Innovation, Office of the CISO at IBM. “This is not only an important decision as schools continue to operate remotely, but also as students look to get back to the classroom.”

  • RBA to step up cyber resilience with new identity and access management system

    The Reserve Bank of Australia (RBA) said it is looking to modernise its identity and access management (IDAM) capabilities by introducing more automated controls to its existing platform. The RBA explained it currently relies heavily on a mix of manual and automated processes to enforce bank controls, but believes a new IDAM environment would help “futureproof” the bank, reduce the risk of unauthorised data access, and support staff with the delivery of normal operational activities.

    “Whilst these processes are acceptable in the current landscape, additional capabilities have been identified to implement more robust controls so as to future proof and make these fully effective in their intended undertakings,” the RBA said in its tender request. “In order to realise this initiative, the IDAM project has been initiated, where the bank is seeking the supply of one or more products and related services to uplift this technology area.”

    Under the IDAM project, the RBA wants to see the delivery of identity governance and administration, hybrid identity infrastructure, password-less multi-factor authentication capabilities, a privileged access management system, and customer identity and access management integration.

    According to the request for tender, the RBA wants the solutions to have a minimal on-premises footprint, but it did not specify whether the solution needed to be completely in the cloud, despite the fact that the bank is currently implementing a cloud-focused strategy.

    The successful vendor will enter an 18-month contract, with a possible three-year contract for ongoing support. The planned start date for the project is November 2021, with an expected completion date of April 2023.

    During a round of audits last year, the Australian National Audit Office found the RBA was effective in managing cybersecurity risks and had implemented controls in line with the requirements of the Information Security Manual, including the Top Four and other mitigation strategies in the Essential Eight.

    The bank’s assistant governor of corporate services, Susan Woods, detailed that the bank also relies on other arrangements to remain cyber resilient, including formal and not so formal training, team-bonding exercises, and holding “FedEx days” for security specialists.

    “We use many different tactics from formal training to email campaigns and events like our FedEx days to try and educate and make people more aware,” she told the Joint Committee on Public Accounts and Audit last May. “We call them FedEx days because we take a particular security challenge and within a day they have to identify, design, and implement a solution to the challenge, so they tend to be small problems but nevertheless meaningful ones, and we get people talking and thinking about the problems that we might face from a cyber perspective, and how they could deal with those.”

  • Justice Department seizes domains used in Nobelium-USAID phishing campaign

    The US Justice Department announced on Tuesday that it has seized two command-and-control and malware distribution domains that were used as part of a recent phishing attack identified by Microsoft last week. Nobelium, a group Microsoft and CISA believe was behind the massive SolarWinds attack, was found operating a widespread malicious email campaign that used the account of the U.S. Agency for International Development (USAID) on mass-mailing service Constant Contact to send infected emails to thousands of recipients.

    Both Microsoft and CISA released alerts about the attack, and the Washington Post as well as the New York Times reported that few, if any, of the malicious emails were opened. But the Justice Department said on Tuesday that its seizure of the two domains “was aimed at disrupting the malicious actors’ follow-on exploitation of victims, as well as identifying compromised victims.”

    “The actors may have deployed additional backdoor accesses between the time of the initial compromises and last week’s seizures,” the government statement said. The initial attack was believed to have originated from the Russian Foreign Intelligence Service and targeted governmental as well as non-profit organizations focused on European politics.

    Acting U.S. Attorney Raj Parekh said the spear-phishing attack could have caused “widespread damage throughout affected computer networks, and can result in significant harm to unsuspecting individual victims, government agencies, NGOs, and private businesses.” Bryan Vorndran, assistant director of the FBI’s Cyber Division, added that they were committed to working with domestic and international partners to disrupt attacks directed toward government agencies.

    “We will continue to use all of the tools in our toolbelt and leverage our domestic and international partnerships to not only disrupt this type of hacking activity but to impose risk and consequences upon our adversaries to combat these threats,” Vorndran said.

    More than 3,000 people were targeted using the compromised USAID account, and the emails sent included “special alerts” and other efforts to get people to open them or download what was inside. Some of those targeted in the attacks have been critical of the Russian government, while others are involved in international development, humanitarian and human rights work across Europe and the United States.

    The emails had a hyperlink that downloaded malware from a sub-domain of theyardservice[.]com, and from there the people behind the attack could download “the Cobalt Strike tool to maintain persistent presence and possibly deploy additional tools or malware to the victim’s network,” according to the Justice Department. “The actors’ instance of the Cobalt Strike tool received C2 communications via other subdomains of theyardservice[.]com, as well as the domain worldhomeoutlet[.]com. It was those two domains that the Department seized pursuant to the court’s seizure order,” the statement said.

    Cybersecurity experts like Netenrich threat intelligence advisor John Bambenek said that what is novel about the Justice Department’s actions is that it used the legal process to relatively quickly seize domains and protect its own interests in a straightforward way. “If governments can start doing this quickly, not just on APT threats but conventional cybercrime, we can have a greater disruptive effect on cybercrime,” Bambenek said.

    Hank Schless, senior manager of security solutions at Lookout, said that by seizing domains and command and control servers used in phishing campaigns, researchers can be given leads as to who is running the campaign and where else they might be carrying out nefarious activity.

    “Most threat actors likely have backups of their malicious campaigns and can spin out new versions of the same activity on different domains and servers. However, reusing the same campaign means that it will likely possess identifiable heuristics or characteristics in the future,” Schless explained to ZDNet.

    He noted that the seizure of recently used domains and command and control servers helps enable proactive threat research and helps to mitigate the risk of similar attacks happening in the future. By amassing a sizable batch of threat intelligence, datasets can grow and more threats can be identified, allowing for the creation of machine learning tools that help enable automatic discovery and conviction of malicious phishing campaigns and actors, Schless said.

    “Since attackers often reuse bits and pieces of previous malware or even naming tactics in their campaigns, a large enough dataset will be able to identify and protect against both known and unknown threats before they reach any sort of sizable scale,” he told ZDNet. “It’s encouraging to see the Justice Department take steps that could deter threat actors from targeting US Federal agencies in particular.”
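    The Justice Department statement names the two seized domains in defanged form, and notes that the malware download and the C2 traffic ran over subdomains of one of them. The following is an added example (not code from ZDNet, the Justice Department or any vendor) of how a defender would sweep DNS query logs for those indicators: it refangs the indicators as written above and matches on label boundaries so that subdomains are caught while look-alike hosts are not. The log format and every log line are constructed for illustration.

```python
"""Sweep DNS query logs for the two C2 domains named in the DOJ seizure
statement (theyardservice[.]com and worldhomeoutlet[.]com, defanged as
on the page). Added example; the log format and lines are constructed."""
import re

# Indicators exactly as quoted (defanged) in the article.
DEFANGED_IOCS = ["theyardservice[.]com", "worldhomeoutlet[.]com"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://...') into a matchable domain."""
    ind = indicator.strip().lower()
    for bracketed in ("[.]", "(.)", "{.}"):
        ind = ind.replace(bracketed, ".")
    ind = re.sub(r"^hxxps?://", "", ind)
    return ind.rstrip(".")


def matches_ioc(hostname: str, ioc_domain: str) -> bool:
    """True if hostname equals the indicator or is a subdomain of it.

    The statement says the malware came from a sub-domain of
    theyardservice[.]com and C2 used other subdomains, so subdomains must
    match. A naive substring test would also flag unrelated hosts such as
    'nottheyardservice.com' or 'theyardservice.com.evil.example', so the
    comparison is anchored on DNS label boundaries."""
    host = hostname.strip().lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


# Constructed log lines (not a real capture) in a simple
# "<timestamp> <client ip> <queried name>" format.
SAMPLE_DNS_LOG = """\
2021-05-28T09:12:01Z 10.1.4.22 cdn.example.org
2021-05-28T09:12:07Z 10.1.4.22 sub1.theyardservice.com
2021-05-28T09:12:09Z 10.1.4.31 nottheyardservice.com
2021-05-28T09:13:44Z 10.1.4.22 worldhomeoutlet.com
2021-05-28T09:15:02Z 10.1.4.40 static.sub2.theyardservice.com.
2021-05-28T09:15:30Z 10.1.4.52 theyardservice.com.evil.example
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<query>\S+)$")


def scan_dns_log(log_text: str, defanged_iocs=DEFANGED_IOCS):
    """Return a list of (timestamp, client, query, matched_ioc) for every hit."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        for ioc in iocs:
            if matches_ioc(m["query"], ioc):
                hits.append((m["ts"], m["client"], m["query"], ioc))
                break
    return hits


if __name__ == "__main__":
    for ts, client, query, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} queried {query} (matches seized domain {ioc})")
```

On the constructed log the scan reports three hits (the two subdomain queries and the bare worldhomeoutlet.com lookup) and ignores the two look-alike names.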


  • USDA delays release of wholesale prices for beef and pork after ransomware attack on JBS confirmed by White House

    The fallout from the cyberattack on global meat producer JBS continued on Tuesday as the White House officially identified it as a ransomware attack and reports emerged of other downstream effects from the shutdown of the company’s IT systems. JBS released a statement on Monday admitting that “some of the servers supporting its North American and Australian IT systems” were brought down by an “organized cybersecurity attack” on Sunday. The company is the second largest meat and poultry processor in the United States and accounts for nearly one quarter of all the beef produced in the country as well as one fifth of all pork.

    JBS has shut down all of the affected systems and contacted the White House on Tuesday, according to a statement from deputy press secretary Karine Jean-Pierre. While the initial JBS statement did not say it was a ransomware attack, Jean-Pierre confirmed that it was and told reporters on Tuesday the company had already received a ransom demand from an organization “likely based in Russia.” She did not say whether JBS plans to pay the ransom or not.

    “The White House is engaging directly with the Russian government on this matter and delivering the message that responsible states do not harbor ransomware criminals,” Jean-Pierre said during a briefing on Air Force One. She added that the White House is working with the Department of Agriculture, the FBI and CISA on helping JBS while also coordinating with meat suppliers across the country in case supply is affected by the attack. Government officials in Australia are also working with the company to remedy the problem.

    Bloomberg News and The Counter reported that the attack was already so damaging that the Department of Agriculture was unable to release the wholesale prices for beef and pork, affecting thousands involved in the agriculture market. “Packer submission issues” was cited as the main reason for the delay in releasing the report. In the data that was released, daily cattle slaughter estimates showed a drop of 27,000 head of cattle compared to last week. JBS alone handles about 22,500 cattle each day, according to Bloomberg.

    The JBS statement said the company’s backup servers were not affected and that at the moment there is no evidence “that any customer, supplier or employee data has been compromised or misused as a result of the situation.” The company admitted that there may be delays of “certain transactions with customers and suppliers.”

    The Counter reported that JBS, which is based in Brazil but operates in more than 20 countries, was forced to shut down shifts at multiple processing plants across the United States and Australia, where it is also one of the biggest suppliers of pork and beef. In multiple Facebook posts, JBS said it was shutting down plants in Iowa, Utah, Colorado, Minnesota, Texas, and Nebraska. Many online noted that the company has digitized significant parts of its operations, from its IT systems down to some factory tools used for the processing of meat. The U.S. Cattlemen’s Association took to Twitter to provide updates, explaining that there were reports of “livestock haulers in line, at plants, waiting to unload and being redirected to nearby yards.”

    The situation began to draw political condemnation as many noted how dangerous it was for the country to have nearly 25% of its meat production coming from one company relying on one software platform. Powerful Iowa Senator Chuck Grassley wrote on Twitter that he was demanding updates from JBS about the situation and that the company “needs to normalize operations as soon as possible for farmers and consumers.”

    Cybersecurity analysts drew parallels to the recent ransomware attack on Colonial Pipeline that left much of the East Coast scrambling for gas for days. But many said this attack was worse because, unlike gas, food will spoil, and many ransomware attacks take weeks to recover from.

    “The recent JBS cyberattack — along with the Colonial Pipeline and Apple/Quanta cyber attacks that preceded it — demonstrate that your organization needs to make cybersecurity a boardroom priority, if you haven’t done so already,” said Neil Jones, a cybersecurity evangelist with Egnyte. “For years, cybercriminals have attacked targets for financial gain, but now we’re seeing an alarming pattern of debilitating attacks on our food, critical infrastructure, and IP supply chain, which can have a crippling impact across the US economy,” Jones added.

    BitSight CTO Stephen Boyer said in an email that 40% of food production companies face an increased risk of a ransomware incident due to poor patching practices. Food companies are also reportedly taking longer to patch vulnerabilities than the recommended industry standard, leaving them at higher risk, Boyer wrote. Over 70% of food production companies are at an increased risk of ransomware due to their overall security performance, according to BitSight’s analysis. The Associated Press noted that the Campari Group was hit with a ransomware attack last year, while Molson Coors also announced that it was attacked in March.

    Purandar Das, co-founder of cybersecurity firm Sotero, explained that this is the second attack in a row on a critical industry and shows how vulnerable infrastructure and supply chain systems are. “What used to be isolated attacks on siloed systems has now escalated into broad attacks that are rendering systems useless,” Das said. He added that the big concern now is that these attacks will become more targeted in order to leave certain industries inoperable for large periods of time.

    “The private sector needs to reevaluate their cybersecurity approach and invest in long-term programs and technology,” Das told ZDNet. “It needs to be a long-term investment with the understanding that not doing so will impact their operations and eventually their revenue streams. Cybersecurity can no longer be an afterthought.”

  • This Android trojan malware is using fake apps to infect smartphones, steal bank details

    Cyber criminals are now using fake versions of popular Android applications in order to infect victims with trojan malware – which is only installed after the user downloads a fake ad blocker. TeaBot – also known as Anatsa – is able to take full remote control of Android devices, allowing cyber criminals to steal bank details and other sensitive information with the aid of keylogging and stealing authentication codes. The malware first emerged in December last year and the campaign remains active.

    The authors of TeaBot attempt to trick victims into downloading the malware by disguising it as fake versions of popular apps, the real versions of which have often been downloaded millions of times. As detailed by cybersecurity researchers at Bitdefender, these include phoney versions of Android apps including antivirus apps, the VLC open source media player, audiobook players and more. The malicious versions of the apps use slightly different names and logos to the real ones.

    The malicious apps aren’t being distributed by the official Google Play Store, but are hosted on third-party websites – although many of the ways people are directed to them still remain a mystery to researchers. One of the ways the victims are driven towards the malicious apps is via a fake ad blocker app which acts as a dropper – although it’s unknown how victims are directed towards the ad blocker in the first place.

    The fake ad blocker doesn’t have any real functionality, but asks for permissions to display over other applications, show notifications and install apps from outside Google Play – the fake apps which are hidden after they’re installed. However, these hidden apps will repeatedly show phoney adverts – ironically, often claiming that the smartphone has been damaged by a malicious app – encouraging the user to click a link for the solution. It’s this which downloads TeaBot onto the device. The method of infection might appear convoluted, but dividing it over a number of steps makes it less likely that the malware will be detected.

    TeaBot appears to concentrate much of its targeting on Western Europe, with Spain and Italy the current hotspots for infections – although users in the UK, France, Belgium, the Netherlands and Austria are also frequent targets. The campaign remains active and, while many of the methods of distribution outside the fake ad blocker remain unknown, there are precautions which users can take to avoid becoming a victim.

    “Never install apps outside the official store. Also, never tap on links in messages and always be mindful of your Android apps’ permissions,” Bitdefender researchers advised in the blog post.