More stories

  • New iPhone 13? Don't forget to update!

    Just got a new iPhone 13 and that new iPhone smell is still on it? Well, it might be new, but that doesn’t mean that you don’t need to update it. Yes, it’s running iOS 15, but not the latest iOS 15. Yes, the update treadmill starts on day one. According to Apple, “[t]his update provides important security updates and fixes an issue where widgets may revert to their default settings after restoring from a backup.” It’s already time to update your brand new iPhone 13! Given that this is not only a bug fix, but the update also contains security updates, I’d recommend downloading this update as soon as possible.

  • FBI decision to withhold Kaseya ransomware decryption keys stirs debate

    This week, the Washington Post reported that the FBI had the decryption keys for victims of the widespread Kaseya ransomware attack that took place in July yet did not share them for three weeks. Hundreds of organizations were affected by the Kaseya attack, including dozens of hospitals, schools, businesses and even a supermarket chain in Sweden. Washington Post reporters Ellen Nakashima and Rachel Lerman wrote this week that the FBI managed to obtain the decryption keys because they accessed the servers of REvil, the Russia-based criminal gang that was behind the massive attack.


    REvil demanded a $70 million ransom from Kaseya and thousands from individual victims before going dark and shutting down significant parts of its infrastructure shortly after the attack. The group has since returned, but many organizations are still recovering from the wide-ranging July 4 attack. Despite the large number of victims of the attack, the FBI did not share the decryption keys, deciding to hold on to them as they prepared to launch an attack on REvil’s infrastructure. According to The Washington Post, the FBI did not want to tip off REvil operators by handing out the decryption keys. The FBI also claimed “the harm was not as severe as initially feared” according to The Washington Post. The FBI attack on REvil never happened because of REvil’s disappearance, officials told the newspaper. The FBI eventually shared the decryption keys with Kaseya on July 21, weeks after the attack occurred. Multiple victims spoke to The Washington Post about the millions that were lost and the significant damage done by the attacks.

    Another law enforcement source eventually shared the decryption keys with Bitdefender, which released a universal decryptor earlier this month for all victims infected before July 13, 2021. More than 265 REvil victims have used the decryptor, a Bitdefender representative told The Washington Post. During his testimony in front of Congress on Tuesday, FBI Director Christopher Wray laid blame for the delay on other law enforcement agencies and allies who they said asked them not to disseminate the keys. He said he was limited in what he could share about the situation because they are still investigating what happened. “We make the decisions as a group, not unilaterally. These are complex…decisions, designed to create maximum impact, and that takes time in going against adversaries where we have to marshal resources not just around the country but all over the world. There’s a lot of engineering that’s required to develop a tool,” Wray told Congress. The revelation caused considerable debate among security experts, many of whom defended the FBI’s decision to leave victims struggling to recover from the attack for weeks. Critical Insight CISO Mike Hamilton — who dealt with a particularly thorny situation where a Kaseya victim was left in the lurch after paying a ransom right before REvil disappeared — said being careful about disclosing methods is a staple of the law enforcement and intelligence communities. “There is a ‘tell’ though, that we’ve confirmed ourselves. The FBI is quoted as saying that the damage wasn’t as bad as they thought and that provided some time to work with. This is because the event wasn’t a typical stealth infiltration, followed by pivoting through the network to find the key resources and backups. From all indications the only servers that were encrypted by the ransomware were the ones with the Kaseya agent installed; this was a smash-and-grab attack,” Hamilton said. “If you had it deployed on a single server used to display the cafeteria menu, you could rebuild quickly and forget the whole thing happened. The fact that the world wasn’t really on fire, again, created time to dig further into the organization, likely for the ultimate purpose of identifying individual criminals. Those organizations that WERE hit hard had the agent deployed on on-premises domain controllers, Exchange servers, customer billing systems, etc.”

    Sean Nikkel, senior threat intel analyst at Digital Shadows, said the FBI may have seen the need to prevent or shut down REvil’s operations as outweighing the need to save a smaller group of companies struggling in just one attack. Because of REvil’s increasing scale of attacks and extortion demands, a quickly-developing situation requiring an equally fast response likely preempted a more measured response to the Kaseya victims, Nikkel explained, adding that it is easy to judge the decision now that we have more information but that it must have been a tough call at the time. “Quietly reaching out directly to victims may have been a prudent step, but attackers seeing victims decrypting files or dropping out of negotiations en masse may have revealed the FBI’s ploy for countermeasures,” Nikkel told ZDNet. “Attackers then may have taken down infrastructure or otherwise changed tactics. There’s also the problem of the anonymous soundbite about decryption making its way into public media, which could also tip off attackers. Criminal groups pay attention to security news as much as researchers do, often with their own social media presence.” Nikkel suggested that a better approach may have been to open backchannel communications with incident response firms involved to better coordinate resources and response, but he noted that the FBI may have already done this.

    BreachQuest CTO Jake Williams called the situation a classic case of an intelligence gain/loss assessment. Like Nikkel, he said it’s easy for people to play “Monday morning quarterback” and blame the FBI for not releasing the keys after the fact. But Williams did note that the direct financial damage was almost certainly more widespread than the FBI believed as it withheld the key to protect its operation. “On the other hand, releasing the key solves an immediate need without addressing the larger issue of disrupting future ransomware operations. On balance, I do think the FBI made the wrong decision in withholding the key,” Williams said. “However, I also have the convenience of saying this now, after the situation played itself out. Given a similar situation again, I believe the FBI will release the keys unless a disruption operation is imminent (hours to days away). Because organizations aren’t required to report ransomware attacks, the FBI lacked the full context required to make the best decision in this case. I expect this will be used as a case study to justify reporting requirements.”

    John Bambenek, principal threat hunter at Netenrich, said critics need to remember that first and foremost, the FBI is a law enforcement agency that will always act in a way that optimizes law enforcement outcomes. “While it may be frustrating for businesses that could have been helped sooner, law enforcement takes time and sometimes things don’t work out as planned,” Bambenek said. “The long term benefit of successful law enforcement operations is more important than individual ransomware victims.”

  • We're still making terrible choices with passwords, even though we know better

    Most people are still picking bad passwords, and it’s probably because people are even more reliant on web services than ever. LastPass, a password management software vendor, found that many people still re-use passwords across accounts in a study looking at the psychology of password behavior. That’s bad because if a hacker breaches credentials on one account they can break into any other account with a common password. And that’s just one of the many risks that come with poor password choices for online accounts.


    LastPass found that while 92% of 3,750 people surveyed know that using the same password is a risk, 65% re-use passwords across accounts. It also found that 45% of respondents didn’t change their passwords in the last year — even after they were affected by a data breach. And attitudes towards passwords vary by application; while 68% of respondents would create stronger passwords for financial accounts, only 32% said they would create strong passwords for work-related accounts. Most users are creating passwords that leverage personal information that has ties to possible public data, like a birthday or home address, the company said, and noted that only 8% of respondents said a strong password “should not have ties to personal information.” With so many accounts to remember, it’s perhaps no surprise that too many people pick one password and use it for every online account. Most people also don’t know about password spraying, where attackers try common dictionary words against many online accounts and eventually crack a few of them. Cybercriminals use password spraying, as do state-sponsored hackers, because it works and it’s cheap. The company advises that people should use “nonsensical phrases peppered with numbers and symbols as opposed to individual words to make your passwords longer, stronger, and easier to remember while also making them more difficult for hackers to crack.”

    This advice lines up with the UK’s National Cyber Security Centre’s (NCSC) recommendation that people choose three random words to create a password. The agency also reckons people who don’t want to use password manager software can safely write a password down on paper because it’s offline. Microsoft is trying to make the world passwordless by giving users the option to remove passwords as a login tool using standards like FIDO2 and hardware tied to Windows Hello biometric authentication. Two-factor authentication can also help boost protection so that attackers need more than just a password to access a service. But even with steps forward like that there are still an awful lot of services out there, simply secured by passwords — which means choosing wisely is still very important.


  • This ransomware-dropping malware has swapped phishing for a sneaky new attack route

    Zloader malware, a tool often used to deliver ransomware, is now being spread through malicious Google ads, according to Microsoft. The malware is a key part of the cybercrime industry and recently popped up on the radar of Microsoft and the US Cybersecurity and Infrastructure Security Agency (CISA).


    CISA yesterday warned that ZLoader was being used to distribute the Conti ransomware service, which pays ransomware distributors a wage rather than a commission for new infections. ZLoader is a banking trojan which uses web injection to steal cookies, passwords and any sensitive information. But it is also used to deliver ransomware and provides attackers with backdoor capabilities and the ability to install other forms of malware, according to security company SentinelOne. According to Microsoft, ZLoader operators are buying Google keyword ads to distribute various malware strains, including the Ryuk ransomware. The techniques aren’t new, but using Google to distribute links to malicious domains is notable because billions of people use Google.

    “While analyzing ZLoader campaigns in early September, we observed a notable shift in delivery method: from the traditional email campaigns to the abuse of online ad platforms. Attackers purchased ads pointing to websites that host malware posing as legitimate installers,” Microsoft said. “The campaign abused Google Ads. While Microsoft 365 Defender protects customers by blocking malicious sites, behavior, payloads, we responsibly reported findings to Google. Activity related to this threat reduced in the last few days, but we continue to monitor as it evolves,” it added. The attackers also registered a fraudulent company in order to cryptographically sign the malicious files, which claim to install a legitimate Java-based app but instead deliver ZLoader, giving the attackers access to affected devices. Signing the apps helps avoid detection by anti-malware systems. Microsoft highlights the maturity of the business ecosystem ZLoader operates within. “The operators of this campaign can then sell this access to other attackers, who can use it for their own objectives, such as deploying Cobalt Strike or even ransomware,” it notes. According to security firm SentinelOne, this malware campaign primarily targets customers of Australian and German banks. The malware has the capability to disable all Windows 10 Defender anti-malware modules.


    Microsoft says the attackers use Google search keywords to target online ads, which redirect victims to a compromised domain and then bump them across to a domain owned by the attacker for the download. The malware uses PowerShell to disable security settings and products like Windows Defender. On some machines, the Cobalt Strike penetration testing kit is downloaded. “The operators of this campaign can then sell this access to other attackers, who can use it for their own objectives, such as deploying Cobalt Strike or even ransomware,” Microsoft warned.

  • FBI arrests 75-year-old for allegedly placing pipe bombs outside phone, carrier stores

    A 75-year-old has been arrested by the Federal Bureau of Investigation (FBI) for allegedly placing pipe bombs outside mobile phone and carrier stores. 

    According to the US Department of Justice (DoJ), a resident of Whittemore, Michigan, named as John Douglas Allen, was arrested on Wednesday in connection to homemade bombs being left outside stores in Cheboygan and Sault Ste Marie. The affidavit claims that on September 15, Allen placed a USPS box outside of an AT&T store, before moving on to place another USPS box outside of a Verizon outlet. The boxes, taped up and with wires coming out of them, were seized and checked out by the FBI’s laboratory Explosive Unit, which determined they were pipe bombs. “Based on video footage taken from the cell phone stores and other nearby businesses, as well as an exhaustive investigation by law enforcement, agents were able to determine that Allen was the person who allegedly left the packages outside of the stores,” the DoJ claims. Together with the explosives, letters were also left at cell towers — described by prosecutors as being contained within “polka dot envelopes” — that allegedly contained threats against telecommunications firms. As reported by the Washington Post, court documents claim the letters were addressed as from the “Coalition for Moral Telecommunication” and were aimed toward “AT&T, Verizon and all other Carriers.”

    The letter, which allegedly reveals the reason behind the packages and mail, read: “All telecommunication containing immoral content must be stopped. This includes cursing, the transmission of pornography, and all manner of indecent communication.” In addition, the letters reportedly contained demands for $5 million. According to the affidavit, Allen allegedly admitted responsibility for the scheme, claiming there was no coalition and he was “dissatisfied” with “immoral content” being spread. Allen faces charges of extortion and attempted damage or destruction of buildings used in interstate commerce. If convicted, the 75-year-old faces up to 20 years behind bars for the extortion claim, and at least five years — and up to 20 years — for the destruction charge.

  • Taiwan's bid to enter CPTPP meets firm opposition from China

    Taiwan has applied to join the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), a week after China submitted its own application. The CPTPP currently has 11 members that represent about $13.5 trillion in GDP, or 13.4% of global GDP, making it one of the largest trade pacts in the world. Japan, a CPTPP member, has been in close communication with Taiwan and welcomed its application into the trade pact, Taiwan’s Ministry of Foreign Affairs said in a statement. In a separate statement, Taiwan reiterated its stance of being a separate government to the People’s Republic of China. It also accused China of bullying Taiwan in the international community, saying that China’s bid to join the CPTPP is aimed at blocking Taiwan from entering international trade blocs. In response, China’s foreign ministry spokesperson said his country was firmly opposed to Taiwan’s accession bid for the CPTPP. “There is only one China in the world and Taiwan is an inalienable part of China’s territory. With regard to the CPTPP, we firmly oppose Taiwan’s accession to any agreement or organisation of official nature,” China’s Ministry of Foreign Affairs spokesperson Lijian Zhao said. China also sent 19 aircraft into Taiwan’s air defence zone following the news, Taiwan’s Ministry of Foreign Affairs said.

    For a government to join the CPTPP, all CPTPP members must unanimously approve the government’s application. Earlier in the week, Australia’s Trade Minister Dan Tehan said China would need to reopen dialogue with Australia “on a minister-to-minister level” if Australia were to consider allowing China to join the trade pact. “All parties will want to be confident that any new member will meet, implement, and adhere to the high standards of the agreement as well as to their WTO commitments and their existing trade agreements, because it’s in everyone’s interests that everyone plays by the rules,” Tehan said. The CPTPP applications follow Australia, alongside the UK and US, announcing a trilateral security pact aimed at addressing the defence and security concerns posed by China within the Indo-Pacific region. Although China was not mentioned when announcing AUKUS, Australian Prime Minister Scott Morrison said the Indo-Pacific region was increasingly becoming “more complex”. AUKUS will see the three countries create initiatives that increase cyber capabilities, artificial intelligence, quantum technologies, and undersea capabilities. The three countries will also promote deeper information and technology sharing between themselves. Alongside China and Taiwan, the United Kingdom also submitted a formal request to join the CPTPP earlier this year, and a working group for its accession has been established. Current members of the CPTPP include Australia, Brunei, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singapore, and Vietnam.

  • Education sector has improving window of exposure despite lower remediation rates and higher than average time to fix: report

    A new report from NTT Application Security has found that applications used by organizations in the education sector have an improving window of exposure despite having lower remediation rates and a higher than average time to fix. This month, the NTT Application Security research team focused on cyberthreats targeting education applications as security concerns in that sector continue to grow with the school year starting. Accelerated online learning environments due to the pandemic and considerable rates of ransomware and phishing attacks against K-12 schools have increased focus on the unique cybersecurity challenges these organizations face. According to the report, although the education sector’s breach exposure has remained relatively consistent this year, it’s taking longer to fix high severity vulnerabilities compared to other industries (206 days vs 201 days). Additionally, applications within the education sector show an increased Window of Exposure (WoE) rate, rising to 57% in August from 53% last month. Setu Kulkarni, vice president of strategy at NTT Application Security, told ZDNet the education sector showed a positive trend as far as WoE is concerned. “As we completed the research, it was surprising to see that less than 50%, actually only 46% of the critical vulnerabilities are ever fixed. That’s a shockingly low remediation rate, but that’s only half of the story. For those 46% of the vulnerabilities that get remediated, on average it takes over 200 days to fix a critical vulnerability once an organization decides to address the vulnerability,” Kulkarni explained.

    “Those two factors are majority contributors to the high breach exposure for applications — that is, applications have an unacceptable WoE to attacks. Moreover, the mix of serious vulnerabilities has remained constant over time and that means, the attackers do not have to try too hard.” Despite the issues, the data indicates that organizations in the education sector are hyper-focused on fixing critical vulnerabilities within some of their web applications and Kulkarni said this approach seems to be working, as the sector’s otherwise stable Window of Exposure metrics are now improving. The education sector has one of the best Window of Exposure metrics (less than one month) across all sectors, according to the report. The researchers found that 53% of applications in the education sector have at least one critical vulnerability exploitable throughout the year, yet 34% of these applications have a Window of Exposure of less than one month. This means that serious vulnerabilities in 34% of applications in the sector get addressed within one month. Kulkarni said that moving forward, there needs to be a focus on reducing the average time to fix critical and high severity vulnerabilities, which are critical to improving the WoE and consequently the overall security posture of applications. “The application security statistics for the education sector indicate a hyper focus among organizations in this sector on a handful of critical web applications and fixing a handful of critical vulnerabilities in those applications,” Kulkarni added. “To accelerate the improvement in the Education sector’s overall application security posture, organizations in the sector should expand their approach to identify their overall attack surface and put in place a systematic program that progressively covers all applications.” Kulkarni also suggested educational organizations provide security training to students and demand that the SaaS and non-SaaS products are thoroughly checked for vulnerabilities.

  • Apple releases patches for Catalina and iOS 12.5.5 vulnerabilities

    Apple released security updates for three vulnerabilities in both macOS Catalina and iOS 12.5.5 that are currently being exploited in the wild. CVE-2021-30869 is an XNU vulnerability found in macOS, iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch that allows malicious applications to execute arbitrary code with kernel privileges. Apple said there are reports that an exploit for the vulnerability exists and said it was addressed “with improved state handling,” noting that it was discovered by Google Threat Analysis Group members Erye Hernandez and Clément Lecigne as well as Ian Beer of Google Project Zero. CVE-2021-30860 was discovered by Citizen Lab and may be connected to the NSO Pegasus spyware that was used to break into Apple devices. The vulnerability affects iPhone 5s, iPhone 6, iPhone 6 Plus, iPad Air, iPad mini 2, iPad mini 3, and iPod touch (6th generation). There was significant outrage when Citizen Lab released multiple reports this year showing how NSO Pegasus spyware gave certain nation-states and criminal actors full access to Apple devices. CVE-2021-30860, as Citizen Lab described in their latest report, relates to how threat actors could use the processing of a maliciously crafted PDF to execute arbitrary code. Apple admitted in the release that it has been actively exploited and said it was addressed “with improved input validation.” The third vulnerability — CVE-2021-30858 — affects the same devices as the first two and was submitted anonymously. Apple explained that the vulnerability relates to how processing maliciously crafted web content can lead to arbitrary code execution. Like the others, Apple said it was aware that it may have been actively exploited.

    Apple said they solved the issue with “improved memory management.”