Information Technology

Dell has added new features to its ProSupport Suite for PCs that offer users new endpoint security offerings and enhance their line of commercial PCs. 

The ProSupport Suite for PCs allows IT teams to customize and automate how they manage employee devices, which has become increasingly important as companies continue to invest heavily in remote work.Dell’s updates include new catalog management and deployment capabilities while also giving IT managers the ability to update Dell BIOS, drivers, firmware and applications automatically and remotely. IT teams can also customize how the updates are grouped. The new tools also provide IT teams with a centralized platform to see their entire Dell PC fleet and monitor each device’s health, application experience, and security scores. Dell will also be offering a AI-powered services support software to provide suggestions based on performance trends. The new ProSupport Suite for PCs capabilities will be available to customers by October 19, and the Advanced Secure Component Verification is available now for US customers. The Intel ME Verification and Dell Trusted Device SIEM Integration is also available to all customers in North America, Europe and the Asia-Pacific-Japan region. Doug Schmitt, president of Services at Dell Technologies, said the company prioritised the updates because IT operations have become significantly more complicated, especially with the amount of data and opportunities at the edge. “Our approach to IT services is built on an AI-driven, adaptive, always-on foundation, taking today’s realities and future customer needs into consideration,” Schmitt said. 

“At the end of the day, the new capabilities are about helping IT leaders see ahead and stay ahead while providing workforces around the world the ability to continue collaborating and innovating without disruption.”The company also unveiled the Dell Trusted Devices security portfolio to protect commercial PCs throughout the entire supply chain and device lifecycle. “This comprehensive suite of above- and below- the operating system (OS) security solutions leverage intelligence and help empower businesses to prevent, detect and respond to threats with improved mean-time-to-detect (MTTD) and mean-time-to-resolution (MTTR) of issues,” Dell explained. Dell is adding Advanced Secure Component Verification for PCs that helps customers make sure Dell PCs and key components arrive as they were ordered and built. The Intel Management Engine Verification checks critical system firmware and looks for evidence of tampering, targeting boot processes. IT teams will also have more critical visibility below the OS security events in dashboards offered through the new Dell Trusted Device Security Information and Event Management Integration. More

Researchers have uncovered a new connection between Tomiris and the APT behind the SolarWinds breach, DarkHalo. 

On Wednesday at the Kaspersky Security Analyst Summit (SAS), researchers said that a new campaign revealed similarities between DarkHalo’s Sunshuttle, as well as “target overlaps” with Kazuar.  The SolarWinds incident took place in 2020. FireEye and Microsoft revealed the breach, in which SolarWinds’s Orion network management software was compromised to impact as many as 18,000 customers in a software update-based supply-chain attack.  While many thousands of clients may have received a malicious update, the threat actors appeared to cherry-pick the targets worthy of further compromise — including Microsoft, FireEye, and government agencies.  Microsoft president Brad Smith dubbed the incident as “the largest and most sophisticated attack the world has ever seen.”
Kaspersky
Eventually, the finger was pointed at the advanced persistence threat (APT) group DarkHalo/Nobelium as the party responsible, which managed to deploy the Sunburst/Solorigate backdoor, Sunspot build server monitoring software, and Teardrop/Raindrop dropper, designed to deploy a Cobalt Strike beacon, on target systems.   The Russian, state-backed group’s campaign was tracked as UNC2452, which has also been linked to the Sunshuttle/GoldMax backdoor. 

In June, after roughly six months of inactivity from DarkHalo, Kaspersky uncovered a DNS hijacking campaign against multiple government agencies in an unnamed CIS member state. “These hijacks were for the most part relatively brief and appear to have primarily targeted the mail servers of the affected organizations,” Kaspersky commented. “We do not know how the threat actor was able to achieve this, but we assume they somehow obtained credentials to the control panel of the registrar used by the victims.”The researchers say that the campaign operators redirected victims attempting to access an email service to a fake domain which then prompted them into downloading a malicious software update, made possible by switching legitimate DNS servers for compromised zones to attacker-controlled resolvers. This update contained the Tomiris backdoor.  “Further analysis showed that the main purpose of the backdoor was to establish a foothold in the attacked system and to download other malicious components,” Kaspersky added. “The latter, unfortunately, were not identified during the investigation.” Tomiris, however, did prove to be an interesting discovery. The backdoor is described as “suspiciously similar” to Sunshuttle. Both backdoors are written in the Golang (Go) programming language, the same English language spelling mistakes were in the payloads’ code, and each uses similar encryption and obfuscation setups for configuration and network traffic management purposes.  In addition, both Tomiris and Sunshuttle use scheduled tasks for persistence as well as sleep-based delay mechanisms. The team believes the “general workflow of the two programs” hints at the same development practices.  However, the backdoor has little function beyond the capability to download additional malware, which suggests Tomiris is likely part of a wider operator toolkit.It should also be noted that Tomiris has been found in environments also infected with the Kazuar backdoor, malware that Kaspersky has tentatively linked to Sunburst — while Palo Alto has also connected Kazuar and the Turla APT. Cisco Talos has also recently uncovered a new, simple backdoor now deployed by the Turla APT on victim systems.  Kaspersky also acknowledges this may be a case of a ‘false flag’ designed to mislead researchers and send them down the wrong analysis or attribution paths. Pierre Delcher, senior security researcher at Kaspersky, commented: “None of these items, taken individually, is enough to link Tomiris and Sunshuttle with sufficient confidence. We freely admit that a number of these data points could be accidental, but still feel that taken together they at least suggest the possibility of common authorship or shared development practices.” Previous and related coverage:Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

I’m very excited to share my latest research on best practices for successfully influencing employee cybersecurity behavior. Excited may not be the right word exactly, as this research was born out of the disappointment I started feeling when hearing of security leaders and teams implementing disciplinary sanctions for employees who fail phishing simulations, cybersecurity quizzes, or fall victim to scams such as business email compromise. 

see also

Best VPN services

Virtual private networks are essential to staying safe online — especially for remote workers and businesses. Here are your top choices in VPN service providers and how to get set up fast.

Read More

This punishment ranges from extreme sanctions, such as disciplining or terminating the offenders or victims, to less severe forms, including forcing employees to sit through more training. While the latter may sound okay, employees disagree. The debate raged about the ethics and effectiveness of these practices. And hence it took me a while to put pen to paper, because I get all sides of this dilemma. This is what I decided: Sure, there is a time and place for disciplinary action, but leaders seemed to jump to it too readily. It seemed as though we could not see that some of the interventions we were putting in place reinforced negative perceptions and resentment of security, humiliated employees, caused psychological damage, and encouraged employees to hide failures and mistakes. Education and shame are not synonyms. You may win the battle, but the war is much bigger. As a security leader, your bigger opportunity is to engage, influence, and benefit your employees as well as your organization’s customers, and even society, and to do this, you need to: Be aware of the impact of each security intervention. When weighing consequences for negative security behaviors, security leaders often think of extreme punishments like formal disciplinary action or dismissal as deterrents. However, employees also view many well-meaning interventions as punitive, particularly if they overtax employee time and productivity and seem to lack empathy. Tread that fine line between engagement (e.g., quizzes), empathy (e.g., ask-and-listen hours), and punishment (e.g., dismissals). Start by designing an environment tolerant of human fallibility — this isn’t purely an awareness or training problem. Before proceeding to punishment — or indeed any sort of intervention — you need to be very clear that you’ve done all that you can to support employees who have made a mistake or have become a victim. Your employees fall for scams — real or simulated — for many reasons, including: your test or simulation is too difficult to detect; your security awareness training is dull and tedious; you’re not helping employees avoid errors; or you failed to design security processes and technologies that stop people from making errors. Find positive ways to influence good security behavior and creativity. Instead of scaring employees into complying with your security rules, use empathy and recognition to create engagement. Employees who feel empowered can focus on solutions without fear. Forrester’s Employee Experience Index shows that empowerment is the most significant predictor of engagement. Initiate positive reporting and messaging (e.g., communicate successes such as “X% completed the exercise this month, up from Y%” and “Clicks are down by Z%, and nonreporting is down by X%.”) so employees are encouraged and respond to self-reported mistakes, nudge behaviors toward the correct action, and recognize and reward positive behaviors as they occur. Consider safety culture, where organizations celebrate success and change behavior via initiatives such as incentives, leaderboards, safety moments, and walls of fame. Choose the appropriate behavior modification action. Outside gross negligence, employees should never suffer when their employer falls victim to a data breach, cyberattack, fraud, or scam. Before making the call about what intervention to use, decide whether your employee is a victim or has been blatantly and regularly breaching the rules. Use our severity versus repetition framework to segment offenders and create different interventions for each type of offender. Make the tough calls when necessary, and always do so ethically. Listening, coaching, and changing processes are all well and good, but at some point, you need to face reality and discipline anyone who has been maliciously flouting the rules. To know when you’ve reached the point of making the tough call, consider these questions: Is their intent malicious? Are they bypassing processes repeatedly for inappropriate reasons, such as their seniority in the organization? If the answer to either of these is yes, you have every reason to act with ethics, integrity, empathy, candor, and transparency. My key takeaway? Make empathy your new superpower in all the big and small things that you do. All of this recognition and behavioral change requires you to become a coach — not a boss– not only for your team, but also for all employees and stakeholders within your organization. Level up your leadership skills by eliminating passive management practices and fostering a strong coaching mindset. It is through this mindset that the suggestions above will seem less of a chore or a practical guide and more of a lifestyle that you and your team can implement. As organizations seek to leverage emerging technology and intelligent automation in new ways, employees need to feel they can innovate and experiment consistent with the security and privacy values of the enterprise. But many organizations manage human risk through a model of control, coercion, and punishment — from penalizing users who fail simulations or training to terminating offenders or victims of breaches. Security programs founded in fear not only drive down employee engagement and inspiration, but also stifle creativity. Instead, organizations must learn how to nurture positive behavior to foster a security culture that deals with human fallibility with positivity, instead of distress, reprimand and shame. To learn more, register for Forrester’s virtual events, Technology & Innovation APAC here and Security & Risk event here. This post was written by Principal Analyst Jinan Budge, and it originally appeared here.    More

An Android Trojan has now achieved a victim count of over 10 million in at least 70 countries. 

According to Zimperium zLabs, the new malware has been embedded in at least 200 malicious applications, many of which have managed to circumvent the protections offered by the Google Play Store, the official repository for Android apps.  The researchers say that the operators behind the Trojan have managed to infect so many devices that a stable cash flow of illicit funds, “generating millions in recurring revenue each month,” has been established.  Believed to have been in operation since November 2020, the “GriftHorse” campaign relies on victims being duped into handing over their phone number, which is then used to subscribe them to premium SMS messaging services.  Victims first download Android apps that appear innocent and legitimate. These apps vary from puzzle games and utilities to dating software, food and drink, with the most popular malicious app — a translator — accounting for at least 500,000 downloads. 
zLabs
Upon installation, however, the GriftHorse Trojan, written in Apache Cordova, constantly bombards the user with messages, alerting them to a fake prize they have won and then redirecting them to a website page based on their geolocation, and, therefore, their language.  Mobile users are then asked to submit their phone numbers for verification purposes. If they submit this information, they are then subscribed to premium services “without their knowledge and consent,” zLabs noted.

Some of the charges are upward of €30 ($35) per month, and if a victim does not notice this suspicious transaction, then they could, theoretically, be charged for months on end with little hope of ever clawing back their cash.  In order to avoid discovery, the malware’s operators use changeable URLs rather than hardcoded addresses.  “This method allowed the attackers to target different countries in different ways,” the team says. “This check on the server-side evades dynamic analysis checking for network communication and behaviors.” zLabs reported its findings to Google who promptly removed the Android apps marked as malicious from Google Play. However, these apps are still available on third-party platforms. 
Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Akamai Technologies has acquired Guardicore to enhance the content delivery network (CDN’s) cybersecurity portfolio. 

The deal was announced on Wednesday. Under the terms of the agreement, Akamai will pay roughly $600 million to acquire all outstanding equity.   Tel Aviv, Israel-based Guardicore is a cybersecurity company that offers the enterprise a micro-segmentation solution to reduce the potential attack surface of corporate networks, secure applications, and to meet compliance standards. The firm’s software is based on zero-trust and strict permissions architecture, with process-level rules implemented to bolster secure access across public, private, and hybrid cloud environments.  Akamai says the micro-segmentation solution will be added to the company’s Zero Trust security portfolio, including Web Application Firewall (WAF), Zero Trust Network Access (ZTNA), Domain Name System (DNS) Firewall, and Akamai’s Secure Web Gateway (SWG).  “Their solution enables deep visibility into application flows, across data center and cloud applications, allowing businesses to more granularly understand and protect their infrastructure, from the core of the enterprise to the cloud,” Akamai says. “As a result, breaches can be detected early on so that corrective actions can be taken as quickly as possible.” The acquisition, subject to regulatory approval, is expected to close in Q4 2021. Akamai says that the purchase may generate between $30 and $35 million in revenue over FY2022, with Akamai’s non-GAAP operating margin anticipated to be in the range of 29-30%, returning to a minimum of 30% in 2023.  

“Given the recent surge in ransomware attacks and increasingly stringent compliance regulations, investing in technologies to reduce the spread of malware has become mission-critical,” commented Tom Leighton, CEO of Akamai. “By adding Guardicore’s leading micro-segmentation products to Akamai’s comprehensive portfolio of zero trust solutions, we believe Akamai will be able to provide the most effective way to combat ransomware on the market today.” Guardicore CEO Pavel Gurvich said the team “greatly look forward to joining Akamai to protect the user and the enterprise — no matter what the user is doing or where end-users and workloads are located.” Morgan Stanley & Co. served as Akamai’s financial advisor.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Google has launched a new development program targeting the Tsunami Security Scanner.

On September 28, Guoli Ma, Sebastian Lekies, and Claudio Criscione, members of Google’s vulnerability management team, said in a blog post that the new program is designed to improve Tsunami’s security detection capabilities.The Tsunami Security Scanner, open sourced in July 2020, was originally an internal Google tool and has since been published and made available to the public.  The scanner is designed to check large-scale enterprise networks for open ports and then to cross-check vulnerability exposure based on the initial reconnaissance results. Plugins can be implemented by users to check for specific security flaws. Tsunami can also check for basic security issues including the use of weak enterprise credentials.  Google says that the new, experimental program will give researchers patch rewards for creating plugins and application fingerprints. The former requires contributors to develop plugins that can be used for enhanced vulnerability detection, whereas the latter asks for web application modules that can be used to detect off-the-shelf web apps in an enterprise network.  The company is most interested in high and critical-severity bugs that can have a real-world impact on enterprise security.  “The vulnerability should have a high or critical severity rating if there is already a CVE ID assigned (CVSS score >= 7.0),” Google says. “If there is no severity assigned yet, the Tsunami scanner team will perform the triage and determine the severity. This usually includes vulnerabilities like Remote Code Executions (RCEs), arbitrary file uploading, security misconfigurations that result in the exposure of sensitive admin panels, and so on.”

The tech giant says that Tsunami also needs more fingerprint data for popular web apps which may contain bugs that impact the security of a wider network. If IT teams do not realize they are present, this could mean they are overlooked in patch processes.  Contributions are overseen by Google’s vulnerability management team.  In July, Google announced a new bug bounty platform, https://bughunters.google.com. The resource center brings together all of the firm’s Vulnerability Rewards Programs (VRPs), including Google, Android, Abuse, Chrome and Play to streamline the vulnerability disclosure process.  It is on this platform that those interested in the Tsunami program can find the in-scope lists for contributions to open source tools and Tsunami.  Financial rewards vary. For web application fingerprints, Google is willing to pay a flat fee of $500 for each fingerprint added to Tsunami’s database. When it comes to plugins, up to $3,133 is on offer, depending on the severity of a vulnerability and whether or not it is emergent. .Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Ransomware attacks against hospitals are having direct consequences for patient care as a result of the reduced availability of systems and services when cyber criminals encrypt networks. According to a survey of healthcare organisations, ransomware attacks have resulted in patients being kept in hospital longer, delays in tests and procedures – and, most disturbingly of all, an increase in patient deaths. 

ZDNet Recommends

The research into the impact ransomware has on hospitals and patient care was conducted by The Ponemon Institute think tank and cybersecurity company Censinet. SEE: A winning strategy for cybersecurity (ZDNet special report)  Ransomware is a major cybersecurity issue for all industries, but attacks against healthcare have a huge impact because of the potential consequences for patient care. If a retailer or a supermarket is compromised with ransomware, customers can often go elsewhere for their products – but in the case of hospitals, that’s not really an option. It’s why targeting hospitals has become a lucrative business for criminal ransomware operations – the nature of healthcare and the requirement for constant access to systems means that, in many cases, the victim will give in and pay the ransom demand for a decryption key. The results of the survey, based on answers from 597 IT and IT security professionals working in healthcare, paint a picture of hospitals struggling to protect against and deal with the fallout from ransomware attacks – and all of this at a time when healthcare has been feeling the strain of the coronavirus pandemic. 

Just over a third (36%) of respondents at hospitals affected by a ransomware attack saw an increase in complications for patients following medical procedures, while seven in 10 saw delays in procedures and tests resulting in what’s described as “poor outcomes”. Seven in 10 patients also had a longer stay at the hospital due to the ongoing consequences of a ransomware attack. One in five respondents who worked at a hospital that had been hit by ransomware said the incident lead to an increase in deaths. Official reporting that examines the direct impact of ransomware on patient mortality is opaque at best. In September last year, it was reported that a patient at a German hospital died after the facility was hit by a ransomware attack as they were being transferred to another hospital. Police launched an investigation into the death to determine if the cyber criminals who launched the ransomware attack were responsible for the patient death. However, they came to the conclusion that the patient was in such poor health condition that it was still likely they would have died.

ZDNet Recommends

The best cyber insurance

The cyber insurance industry is likely to go mainstream and is a simple cost of doing business. Here are a few options to consider.

Read More

While healthcare is a tempting target for ransomware because of the critical nature of the industry, funding issues around cybersecurity don’t help. Hospital budgets are often stretched, meaning that investment in IT infrastructure and cybersecurity can end up low down the priority list.  SEE: A cloud company asked security researchers to look over its systems. Here’s what they foundThis can lead to cybersecurity issues like failing to patch known vulnerabilities or updating operating systems to the latest version becoming big problems, both of which can be exploited by cyber criminals to launch ransomware attacks.  Budgets are tight, but if healthcare organisations can invest in the technology and security staff required to help discover and fix vulnerabilities in endpoints and networks, it can go a long way to helping to keep hospitals – and patients – safe from the impact of cyberattacks. “Our findings correlated increasing cyberattacks, especially ransomware, with negative effects on patient care, exacerbated by the impact of COVID on healthcare providers,” said Larry Ponemon, chairman and founder of the Ponemon Institute. MORE ON CYBERSECURITY More

Telegram-powered bots are being utilized to steal the one-time passwords required in two-factor authentication (2FA) security. 

On Wednesday, researchers from Intel 471 said that they have seen an “uptick” in the number of these services provided in the web’s underground, and over the past few months, it appears the variety of 2FA circumvention solutions is expanding — with bots becoming a firm favorite.  Two-factor authentication (2FA) can take the form of one-time password (OTP) tokens, codes, links, biometric markers, or by tapping a physical dongle to confirm an account owner’s identity. Most often, 2FA tokens are sent through a text message to a handset or an email address.  While 2FA can improve upon the use of passwords alone to protect our accounts, threat actors were quick to develop methods to intercept OTP, such as through malware or social engineering.  According to Intel 471, since June, a number of 2FA-circumventing services are abusing the Telegram messaging service. Telegram is either being used to create and manage bots or as a ‘customer support’ channel host for cybercriminals running these types of operations.  “In these support channels, users often share their success while using the bot, often walking away with thousands of dollars from victim accounts,” the researchers say.  The Telegram bots are being used to automatically call would-be victims in phishing attempts, to send messages claiming to be from a bank, and to otherwise try and lure victims into handing over OTP codes. Other bots are targeting social media users in phishing and SIM-swap attack attempts. 

In order to create a bot, there is a basic level of programming required — but nothing in comparison to developing custom malware, for example. What makes matters worse is that in the same way as traditional botnets, the Telegram bots can be leased out — and once the phone number of an intended victim is submitted, attacks can begin with only a few clicks.  The researchers cited two particular bots of interest; SMSRanger and BloodOTPbot.  SMSRanger’s interface and command setup are similar to the Slack collaboration platform and it can be used to target particular services including PayPal, Apple Pay, and Google Play. BloodOTPbot is an SMS-based bot that can also be used to generate automatic calls that impersonate bank staff. 
Intel 471
“The bots show that some forms of two-factor authentication can have their own security risks,” Intel 471 commented. “While SMS- and phone-call-based OTP services are better than nothing, criminals have found ways to socially engineer their way around the safeguards.”In April, Check Point Research disclosed the existence of a Remote Access Trojan (RAT) dubbed ToxicEye that abuses the Telegram platform, leveraging the communications service within its command-and-control (C2) infrastructure.  Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More