More stories


    AFP using a squad of good boys to detect devices such as USBs and SIM cards

    A screenshot of AFP Technology Detection Dog Georgia finding a phone hidden in a vacuum cleaner.
    Image: AFP
    The Australian Federal Police (AFP) this week revealed that some of its canine squad have been trained to sniff out devices, such as USBs and SIM cards, at crime scenes or during the execution of search warrants.

    In a Facebook post showing a video of one dog, Georgia, finding a phone hidden in a vacuum cleaner, the AFP said that since 2019 its three technology detection dogs have located more than 120 devices in support of investigations ranging from child protection to counter-terrorism operations. It said that over the next three years at least 12 more labradors will be trained and deployed across the country.

    “A single USB can hold hundreds of thousands of child exploitation images, or documents of crucial evidence for a police investigation,” an AFP spokesperson told ZDNet. “However, with the Technology Detection Dogs, we are able to detect their presence, even when concealed.”

    The AFP said the government is boosting funding by AU$35.4 million over four years to combat child sexual abuse and exploitation, which includes AU$5.7 million to expand the team of technology detection dogs.

    “The increased funding for the tech dogs capability will greatly enhance the ability of the AFP to collect vital digital evidence, bringing to justice not only online child sex offenders, but also violent extremists and those involved in organised crime,” the spokesperson said.

    According to the AFP, initial training of the dog squad takes at least three months of intensive work, followed by ongoing dedicated work between the handler and the dog once they are teamed.

    “These dogs are the very top tier among detection dogs, requiring specific traits such as a high drive, a high level of intelligence, endurance, and the ability to learn how to detect these devices in repetitive learning,” the spokesperson said. “The other critical element to this capability is, of course, the handler selection to pair with the dogs. This is a highly technical capability and requires an experienced handler to work with the dogs and use them effectively.”

    Each dog can expect to work for around six years in the field before enjoying a well-deserved retirement with their handler or a volunteer family.

    Palo Alto Networks unveils new innovations for Zero Trust architecture

    Palo Alto Networks announced a slate of new features on Wednesday designed to help customers introduce Zero Trust across their network security stack.

    Anand Oswal, a senior vice president at Palo Alto Networks, said in a statement that the company was trying to simplify the process of adopting complete Zero Trust Network Security by adding SaaS Security, Advanced URL Filtering, DNS Security, Cloud Identity Engine, and new ML-Powered Firewalls.

    “The productivity of a hybrid workforce lies in the ability for users to move freely on and off the campus network and still securely access any applications or data from any device in any location. Enabling this seamless experience securely is one of the many promises of a Zero Trust architecture,” Oswal said.

    The company statement explained that the new tools will introduce Cloud Access Security Brokers, which enable secure access to SaaS applications, as well as a Cloud Identity Engine that authenticates and authorizes the network’s users. URL Filtering, beefed-up DNS Security, an ML-powered firewall and more round out the list of tools being incorporated across an organization’s hardware, software and cloud.

    Multiple customers shared their experience with the product, including representatives from Caesars Entertainment Corporation, Takeda Pharmaceutical North America, CDW and World Wide Technology. Bobby Wilkins, vice president of cybersecurity at Caesars, said they were using the SaaS Security solution to protect data across all of their corporate SaaS applications, and CDW vice president Tom Cahill added that the ML-driven firewall would help innovate the company’s cybersecurity solutions.


    More than 290 enterprises hit by 6 ransomware groups in 2021

    Every week there is a new organization facing a ransomware attack, but a new report from eSentire’s security research team and Dark Web researcher Mike Mayes says the incidents we see in the news are just a small slice of the true number of victims.

    The eSentire Ransomware Report says that in 2021 alone, six ransomware groups compromised 292 organizations between Jan. 1 and April 31. The report estimates that the groups managed to bring in at least $45 million from these attacks, and it details multiple incidents that were never reported.

    The eSentire team and Mayes focused exclusively on the Ryuk/Conti, Sodin/REvil, CLOP, and DoppelPaymer ransomware groups, as well as two emerging but notable gangs, DarkSide and Avaddon. Each gang focuses on particular industries and regions of the world, according to the report.

    The Ryuk/Conti gang has attacked 352 organizations since 2018 and 63 this year, focusing mostly on manufacturing, construction and transportation companies. Dozens of their victims have never been publicized, but the most notable organizations attacked include the Broward County School District and French cup company CEE Schisler, both of which did not pay the exorbitant ransoms, the report said. In addition to manufacturing, the group made waves in 2020 for attacking the IT systems of small governments across the United States like Jackson County, Georgia, Riviera Beach, Florida, and LaPorte County, Indiana. All three local governments paid the ransoms, which ranged from $130,000 to nearly $600,000. The group also spent much of 2020 attacking local hospitals.

    Like the Ryuk/Conti gang, the people behind the Sodin/REvil ransomware focus on healthcare organizations while also devoting their efforts to attacking laptop manufacturers. Of their 161 victims, 52 were hit in 2021, and they made international news with attacks on Acer and Quanta, two of the world’s biggest technology manufacturers. Quanta, which produces Apple’s notebooks, was hit with a $50 million ransom demand. The company refused, and the Sodin/REvil gang leaked detailed designs of an Apple product in response. The gang threatened to leak more documents but pulled the photos and any other reference to the attack by May, according to the report, which noted that Apple has not spoken about the intrusion since.

    The DoppelPaymer/BitPaymer gang has made a name for itself by targeting government institutions and schools. The FBI released a notice in December specifically about the ransomware, noting that it was being used to attack critical infrastructure like hospitals and emergency services. The report adds that most of the group’s 59 victims this year have not been publicly identified, other than the Illinois attorney general’s office, which was attacked on April 29.

    The Clop gang has focused its efforts on abusing the widely covered vulnerability in Accellion’s file transfer system. The eSentire team and Mayes explain that the group used the vulnerability profusely, hitting the University of California, US bank Flagstar, global law firm Jones Day, Canadian jet manufacturer Bombardier, Stanford University, Dutch oil giant Royal Shell, the University of Colorado, the University of Miami, gas station company RaceTrac and many more. The report notes that the Clop gang became infamous for allegedly combing through an organization’s files and contacting customers or partners to demand that they pressure the victim into paying a ransom.

    The DarkSide gang has been in the news of late for its attack on Colonial Pipeline, which set off a political firestorm in the United States and a run on gas stations in certain towns along the East Coast. The group is one of the newest of the leading ransomware groups, emerging in late 2020, according to the report. But it has wasted little time, racking up 59 victims since November and 37 this year. The report notes that the DarkSide group is one of the few that operates as a ransomware-as-a-service operation, offloading responsibility onto contractors who attack targets and split the ransoms. eSentire said its research indicated that the people behind DarkSide were unaware of the Colonial attack before it happened and only found out from the news. They made waves last week when they allegedly shut down all of their operations due to increased law enforcement scrutiny. The ransomware has been implicated in multiple attacks on energy producers, like one of Brazil’s largest electric utility companies, Companhia Paranaense de Energia, which they hit in February.

    The final group studied is the Avaddon gang, which was in the news this week for its attack on major European insurance company AXA. The attack was notable because AXA provides dozens of companies with cyberinsurance and pledged to stop reimbursing its customers in France for paid ransoms. In addition to AXA, the group has attacked 46 organizations this year and operates as a ransomware-as-a-service operation like DarkSide. The report explains that the gang is notable for including a countdown clock on its Dark Web site and for the added threat of a DDoS attack if the ransom is not paid. The list of its victims includes healthcare organizations like Capital Medical Center in Olympia, Washington and Bridgeway Senior Healthcare in New Jersey.

    The eSentire team and Mayes added that the vast number of unreported attacks indicates that these gangs are “wreaking havoc against many more entities than the public realizes.”

    “Another sobering realization is that no single industry is immune from this ransomware scourge,” the report said. “These debilitating attacks are happening across all regions and all sectors, and it is imperative that all companies and private-sector organizations implement security protections to mitigate the damages stemming from a ransomware attack.”


    InfoSec partners with Coursera for cybersecurity training

    Coursera and InfoSec are joining forces on a new slate of cybersecurity-focused courses, giving the site’s estimated 82 million users access to classes on cybersecurity management, digital forensics, secure coding and incident response. 

    The InfoSec courses are available now and include Cyber Incident Response; Credential Access, Discovery, Lateral Movement, and Collection; Python for Command-And-Control, Exfiltration, and Impact; and more. In a statement, InfoSec said it would be rolling out more specialized classes over the next few months.

    Jack Koziol, Infosec CEO and founder, said it was imperative for the cybersecurity industry to constantly offer new courses and educational opportunities as the threat landscape evolves.

    “We partnered with Coursera to expand our reach and help individuals, businesses and governments stay ahead of cyber threats,” Koziol said. “We’re excited to help even more professionals develop the knowledge and skills critical to success in any cyber role, while accelerating job-readiness for aspiring cybersecurity professionals.”

    InfoSec currently has its own platform for technical skills development with more than 1,200 resources covering “hands-on cyber ranges, projects and courses mapped to the NICE Workforce Framework for Cybersecurity and MITRE ATT&CK Framework,” the company said in a release. In addition, the site offers boot camps and certifications for those looking to improve or expand their skills.

    Coursera chief content officer Betty Vandenbosch said cybersecurity has become an issue that affects everyone, adding that consumers are now demanding better protection of their data from the organizations they frequent. But that demand for more stringent data protection comes at a time when the cybersecurity industry is facing a severe shortage of talent. Vandenbosch said providing flexible online learning programs from InfoSec would help those looking to break into the industry or stay up to date with the latest cyber threats, technologies and best practices.


    This is how long hackers will hide in your network before deploying ransomware or being spotted

    Cyberattackers have on average 11 days after breaching a target network before they are detected, according to UK security firm Sophos, and often when they are spotted it is because they have deployed ransomware.

    As Sophos researchers note in a new report, that is more than enough time for an attacker to get a thorough overview of what a target network looks like and where its weaknesses lie, and for ransomware attackers to wreck it.

    Sophos’ data, based on its responses to customer incidents, suggests a much shorter “dwell time” for attackers than the figures FireEye’s incident response team, Mandiant, recently reported. Mandiant said the median time-to-detection was 24 days, which was an improvement on previous years.

    Sophos explains that the relatively short dwell time in its incident response data is because a whopping 81% of the incidents it helped customers with involved ransomware, a noisy attack that immediately triggers alarms for tech departments. So while shorter dwell times might indicate an improvement in so-called security posture, they might also simply reflect that file-encrypting ransomware is a disruptive attack compared to data theft.

    “To put this in context, 11 days potentially provide attackers with approximately 264 hours for malicious activity, such as lateral movement, reconnaissance, credential dumping, data exfiltration, and more. Considering that some of these activities can take just minutes or a few hours to implement, 11 days provide attackers with plenty of time to do damage,” notes Sophos in its Active Adversary Playbook 2021 report.

    The vast majority of incidents Sophos responded to were ransomware attacks, suggesting the scale of the problem. Other attacks included stealing data, cryptominers, banking trojans, data wipers, and the use of penetration testing tools like Cobalt Strike.

    Another notable point is the widespread use by attackers of Remote Desktop Protocol (RDP), with about 30% of attacks starting with RDP and 69% of subsequent activity being conducted with RDP. Phishing, on the other hand, was the entry point for just 12% of attacks, while 10% of attacks involved exploiting an unpatched system.

    Attacks on RDP endpoints have long been used to initiate ransomware attacks and are far more common than exploits against VPNs. Several security firms ranked RDP as the top intrusion vector for ransomware incidents in 2020. Security firm ESET reported that remote working had seen a nearly 800% spike in RDP attacks in 2020.

    “RDP played a part in 90% of attacks. However, the way in which attackers used RDP is worth noting. In incidents that involved RDP, it was used for external access only in just 4% of cases. Around a quarter (28%) of attacks showed attackers using RDP for both external access and internal movement, while in 41% of cases, RDP was used only for internal lateral movement within the network,” Sophos threat researchers note.

    Sophos also compiled a list of the most widely observed ransomware groups. DarkSide, a newish but professional ransomware service provider that started activity in mid-2020, accounted for only 3% of the cases Sophos investigated through 2020. It is in the spotlight because of the attack on Colonial Pipeline, which reportedly paid $5 million to the group. DarkSide offers its ransomware as a service to other criminal groups who distribute it, much as the REvil ransomware gang does. REvil was in the spotlight last year because of attacks on government and healthcare targets and for its high ransom demands, which averaged about $260,000.

    According to Sophos, REvil (aka Sodinokibi) was the most active ransomware threat in 2020 along with Ryuk, which, according to some estimates, has earned $150 million through ransomware. Other significant ransomware players include Dharma, Maze (defunct), Ragnarok, and Netwalker (defunct).

    US president Joe Biden last week said he had discussed the Colonial ransomware attack with Moscow, and suggested Russia should take “decisive action” against these attackers. The US believes DarkSide is based in Russia but not connected to the Russian government.

    “We have been in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks,” said Biden on May 13.
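The three-way split Sophos describes (RDP used for external access only, for both external access and internal movement, or for internal lateral movement only) is something an incident responder can compute from Windows Security logon events. The script below is an added example, not code from Sophos or ZDNet: it classifies constructed event 4624 records (logon type 10 is RemoteInteractive, i.e. RDP) per incident; the internal address ranges and the event tuple layout are assumptions.

```python
"""Classify how RDP was used in each incident: external access only,
internal lateral movement only, both, or not at all.

Added example, not from the Sophos report. Input is a constructed list of
Windows Security logon events; a real pipeline would pull event 4624 with
LogonType 10 (RemoteInteractive, i.e. RDP) from the hosts' event logs.
"""
import ipaddress
from collections import defaultdict

# Assumption: these are the organisation's internal ranges (RFC 1918 + loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
RDP_LOGON_TYPE = 10   # event 4624, LogonType 10 = RemoteInteractive

# Constructed sample events: (incident, event_id, logon_type, source_ip, target_host)
SAMPLE_EVENTS = [
    ("INC-1", 4624, 10, "203.0.113.7",  "WKS-01"),    # RDP in from the internet
    ("INC-1", 4624, 10, "10.0.5.21",    "SRV-FILE"),  # then an RDP hop inside
    ("INC-1", 4624, 3,  "10.0.5.21",    "SRV-FILE"),  # network logon, not RDP
    ("INC-2", 4624, 10, "10.0.8.4",     "SRV-DB"),    # internal RDP only
    ("INC-2", 4624, 10, "10.0.8.4",     "SRV-AD"),
    ("INC-3", 4624, 10, "198.51.100.9", "JUMP-01"),   # external RDP only
    ("INC-4", 4624, 2,  "127.0.0.1",    "WKS-02"),    # no RDP at all
]


def is_internal(ip: str) -> bool:
    """True if the source address falls inside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify_incident(events) -> str:
    """Return 'external_only', 'internal_only', 'both' or 'none' for one incident."""
    external = internal = False
    for _inc, event_id, logon_type, src, _host in events:
        if event_id != 4624 or logon_type != RDP_LOGON_TYPE:
            continue                      # only RDP logons count
        if is_internal(src):
            internal = True
        else:
            external = True
    if external and internal:
        return "both"
    if external:
        return "external_only"
    if internal:
        return "internal_only"
    return "none"


def rdp_breakdown(events) -> dict:
    """Count incidents per RDP-usage category, as in the Sophos figures."""
    by_incident = defaultdict(list)
    for ev in events:
        by_incident[ev[0]].append(ev)
    counts = {"external_only": 0, "internal_only": 0, "both": 0, "none": 0}
    for evs in by_incident.values():
        counts[classify_incident(evs)] += 1
    return counts


def as_percentages(counts: dict) -> dict:
    """Express the breakdown as whole-number percentages of all incidents."""
    total = sum(counts.values()) or 1
    return {k: round(100 * v / total) for k, v in counts.items()}


if __name__ == "__main__":
    breakdown = rdp_breakdown(SAMPLE_EVENTS)
    print(breakdown)
    print(as_percentages(breakdown))
```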


    Top 10 threat detections seen across Microsoft Azure AD and Office 365

    A new report from cybersecurity company Vectra highlights the top 10 threats customers face when using Microsoft Azure AD and Office 365. 

    The list in the “2021 Q2 Spotlight Report: Top 10 Threat Detections for Microsoft Azure AD and Office 365” is topped by O365 risky Exchange operations, Azure AD suspicious operations, and O365 suspicious download activity.

    Between January and March, Vectra saw a startling increase in detections centered on attackers trying to manipulate Exchange in order to gain access to specific data or to further their attack. More than 70% of Vectra’s customers triggered that detection in a given week, according to its data. More than 60% of Vectra customers also triggered weekly detections of abnormal Azure AD operations, meaning cyberattackers may be escalating privileges and performing admin-level operations after a regular account takeover.

    O365 accounts downloading unusual numbers of objects was also high on the list of detections caught weekly, followed by other O365 issues related to suspicious sharing activity and external team access. Other commonly seen detections include administrative privileges being assigned to redundant accounts and suspicious mail forwarding.

    The study notes that many of the functions being targeted are used to share files and access with other users within a company, making them difficult to defend as more people work from home and have no choice but to share files digitally.

    There were some differences in the detection trends noticed at small, medium, and large companies. While smaller organizations dealt with more O365 risky Exchange operations, Azure AD suspicious operations, and O365 suspicious download activity, larger entities faced more O365 suspicious Power Automate flow creation detections, as well as more suspicious mail forwarding and external team activity in O365.

    Overall, larger companies generally triggered fewer detections, and researchers with Vectra surmised that users and administrators from larger companies may “perform Office 365 and Azure AD activity more consistently compared to smaller organizations.” But larger companies also had to face more Office 365 DLL hijacking, Office 365 unusual scripting engine attacks, and Office 365 suspicious eDiscovery exfils, the report notes. The study also includes a detailed breakdown of how the SolarWinds backdoor was being leveraged by attackers.

    Cybersecurity experts have attributed much of the report’s findings to the massive shift to remote work that took place in 2020 due to the pandemic. There are over 250 million active Microsoft Office 365 users, and AppOmni CEO Brendan O’Connor said the pandemic exposed how seriously undermanned teams are when it comes to cybersecurity.

    “When enterprises shifted to a virtual and remote workforce, organizations had to quickly shift business applications and data to the cloud. IT staff can no longer gain the little benefit they had from network segmentation afforded by traditional office networks,” he said. “With traditional security measures completely removed from the equation, IT staff struggled to implement necessary measures to ensure the safety of data in the cloud. The rapid adoption of SaaS exposed not only the lack of general cybersecurity expertise but also the lack of expertise in SaaS to leverage the built-in security measures effectively.”
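Of the detections Vectra lists, suspicious mail forwarding is one a defender can hunt for directly in the Office 365 unified audit log, because a mailbox that starts forwarding to an outside domain shows up as an inbox-rule or mailbox-setting change. The script below is an added example, not code from Vectra or ZDNet: it flags such changes in constructed audit records; the record layout (an Operation name plus a Parameters list of Name/Value pairs) is assumed to follow the Exchange Online audit export, and the internal domain list is an assumption.

```python
"""Flag Office 365 audit records that set up forwarding to an external domain.

Added example, not from the Vectra report. The records below are constructed
in the shape of Exchange Online unified audit log entries (Operation plus a
Parameters list of Name/Value pairs); field names are assumed, so check them
against your tenant's own export before relying on this.
"""
import json

INTERNAL_DOMAINS = {"example.com"}   # assumption: the organisation's own domains

# Cmdlets that can create or change mail forwarding.
FORWARDING_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
# Parameters that carry a forwarding destination.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                     "ForwardingSmtpAddress", "ForwardingAddress"}

# Constructed sample export, one JSON record per line.
SAMPLE_AUDIT_LOG = """\
{"CreationTime":"2021-05-10T08:12:00","UserId":"alice@example.com","Operation":"New-InboxRule","ClientIP":"10.0.1.5","Parameters":[{"Name":"Name","Value":"Invoices"},{"Name":"ForwardTo","Value":"finance.archive@external-mail.example"}]}
{"CreationTime":"2021-05-10T08:30:00","UserId":"bob@example.com","Operation":"Set-Mailbox","ClientIP":"198.51.100.20","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:bob.backup@external-mail.example"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2021-05-10T09:01:00","UserId":"carol@example.com","Operation":"New-InboxRule","ClientIP":"10.0.1.9","Parameters":[{"Name":"Name","Value":"Team"},{"Name":"MoveToFolder","Value":"Team"}]}
{"CreationTime":"2021-05-10T09:15:00","UserId":"dave@example.com","Operation":"Set-InboxRule","ClientIP":"10.0.1.12","Parameters":[{"Name":"RedirectTo","Value":"helpdesk@example.com"}]}
{"CreationTime":"2021-05-10T09:20:00","UserId":"erin@example.com","Operation":"MailItemsAccessed","ClientIP":"10.0.1.14","Parameters":[]}
"""


def destination_domain(value: str) -> str:
    """Extract the domain from a forwarding value such as 'smtp:user@host'."""
    addr = value.strip().strip('[]"')
    if ":" in addr:                       # drop an 'smtp:' style prefix
        addr = addr.split(":", 1)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def find_external_forwarding(audit_lines: str) -> list:
    """Return one finding per record that forwards mail outside INTERNAL_DOMAINS."""
    findings = []
    for line in audit_lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("Operation") not in FORWARDING_OPERATIONS:
            continue                      # not a cmdlet that can set forwarding
        for param in rec.get("Parameters", []):
            if param.get("Name") not in FORWARDING_PARAMS:
                continue
            domain = destination_domain(str(param.get("Value", "")))
            if domain and domain not in INTERNAL_DOMAINS:
                findings.append({
                    "user": rec.get("UserId"),
                    "operation": rec["Operation"],
                    "parameter": param["Name"],
                    "destination": domain,
                    "client_ip": rec.get("ClientIP"),
                })
    return findings


if __name__ == "__main__":
    for finding in find_external_forwarding(SAMPLE_AUDIT_LOG):
        print(finding)
```

Internal redirects (dave's rule) and non-forwarding changes (carol's rule) are left alone, so the output is the two mailboxes that now forward outside the tenant.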