More stories

  • Home alone after school: A safety guide for kids

    For some families, there’s no way around older kids being home alone after school. This isn’t a new phenomenon, but what is new is a host of new technology and devices that make it easier for parents to keep track of and increase the safety of their children in the hours between school and when parents get home from work. And it goes way beyond just having a home security system.

    While there is no set or agreed-upon age for when it is appropriate to leave kids home alone, the U.S. Children’s Bureau does offer some guidelines with regard to evaluating maturity levels in children. Most parents can’t even rely on the law to determine when it’s OK to leave kids home alone, as according to the Children’s Bureau, only three states (Illinois, Maryland, and Oregon) have such laws on the books.

    Here are some tips, technologies, and hacks to help parents keep kids safe when they’re home alone after school.

    Prepare Before Your Child Needs to be Home Alone

    Is Your Child Ready?

    Before you decide to leave your kids at home, consider their level of maturity. While some kids may do well being left alone, not everyone would be comfortable in this type of setting. Ask yourself these questions to determine if perhaps you need to make alternate plans:

    • Timing: Is this recurring time home alone or one-time? Will your child be home alone in the morning, afternoon or evening?
    • Comfort level: Is your child scared of being home alone? If they need help, are they comfortable talking to adults such as neighbors or emergency responders?
    • Compliance: Do your children typically follow rules that you set? Do your children avoid telling you when something has gone wrong and they need help?
    • Responsibility: Are older children responsible for taking care of younger children – and if so, are they mature enough to take on this responsibility? Can your child accurately judge what is and isn’t an emergency and choose to call 9-1-1?

    An Emergency Plan Ahead of Time

    One of the best ways to prep your child to stay home alone is to have an open and honest discussion with them. Before the big day comes, sit down with your child and go over what to do in an emergency. Even better, have them write down the answers to these questions themselves, so they’re sure to remember:

    • Information that 9-1-1 would need to know
    • Child’s name and nearest cross streets
    • Trusted neighbors and friends to reach out to in an emergency

    Child Safety Technologies

    Smart Home Camera

    A smart home camera is one way to help keep your kids safe and give parents some extra peace of mind. “Parents today are living in an interesting time: teeter-tottering with how and when to use tech to keep tabs on their children,” says Ben Nader, general manager of video solutions at Ooma, which makes smart cameras. With DIY home security cameras increasingly making their way into homes, Nader says parents can use these cameras to keep tabs on their kids’ whereabouts. Certain cameras, such as Google Nest cameras, are even rolling out features that allow cameras to detect familiar faces, technology that can give parents additional insight into the comings and goings at home while they’re away.

    Smart Doorbell Camera

    A doorbell camera is another option. “Parents tell their kids not to answer the door, but kids tend to ignore this rule when the uninvited guest might be a friend,” warns Justin Lavelle, chief communications officer with BeenVerified, an online background check platform. “While peepholes are a safety precaution, they do not prevent strangers from seeing your child through adjacent windows, nor can some children reach the peepholes.”

    He recommends a smart doorbell camera or video doorbell that detects movement approaching your front door or someone ringing the doorbell and sends a notification to you. This allows parents to stay on top of visitors to the front door while they’re away and kids are home alone. “Nest, Ring, Swann, and Arlo are just a few of the many brands offering such surveillance devices that connect to your smartphone via Wi-Fi and app,” he says. “Some smart doorbells even have a feature that allows homeowners to communicate with their surprise house guest from a remote location.”

    GPS Watch for Kids

    While a smart camera is great when kids come home from school, it doesn’t offer much for the time between a kid leaving school and getting home. A GPS watch for kids gives parents additional visibility into a kid’s journey home. These watches have GPS capability that allows parents to look up the exact location of the watch, so as long as a kid is wearing the watch, the parent can make sure they’re where they need to be. Another common feature for these watches allows parents to program a set number of phone numbers the child can communicate with by phone call or text. Sten Kirkbak, the co-founder of XPLORA, a European maker of GPS watches for kids, points out certain watches can also specify geolocated safety zones. “If the child enters or leaves the area, the parent will be notified,” Kirkbak says.

    Tracking Apps

    In lieu of getting a GPS watch, Lavelle recommends downloading a tracking app. “Having a tracking app installed on a smartphone will let you know your kids’ exact location; thus, if there is any trouble (like taking the wrong turn home), you can give them the help they need.” If your kids are old enough to have smartphones and they’re responsible enough to keep up with them, this is one of the most inexpensive ways to monitor their location. A few such kid-tracking apps include Footprints, AngelSense, and Life360.

    Computer Monitoring Software

    Kids often come home from school and jump on the computer — and the Internet — to start doing homework. However, the Internet can also pose risks if kids are unsupervised when using it. “With no one there to monitor what websites they’re accessing, kids may come across inappropriate content that is not healthy for young eyes to see,” warns Lavelle.

    Also, you don’t know who they may be interacting with online. “Children are susceptible to trusting strangers they meet online and giving out personal information,” he says. “Such software as K9 Web Protection, Norton Family Online, and Net Nanny allows parents to control what their children have access to on the internet.” Lavelle also recommends parents set timers for how long kids can play games on the computer, to limit eye strain and balance online time with more active time.

    “With the number of children and teens online growing year after year, instances of cyberbullying, sexting and online threats continue to flourish just as quickly,” says Titania Jordan, chief parenting officer at Bark, a parental internet monitoring company.

    Smart Locks and Home Security Systems

    A home security system can help protect kids from intruders and also detects smoke and carbon monoxide leaks. However, kids who are home alone will need to know how to disarm the system to reduce false alarms and also communicate verbal passwords to the alarm company. If law enforcement is routinely dispatched to a home for no reason, it could result in penalties and fines depending on local ordinances.

    Tips and Tricks To Prepare for Being Home Alone

    Daily Chats

    While technology can help keep kids safe when they’re home alone after school, communication is also crucial. For example, Kirkbak recommends quick morning chats before school. “These chats are a great way to ensure your kids know where they need to go when the bell rings,” he says. “These briefs help reinforce the message that good communication between kids and parents regarding each other’s whereabouts is important.” These kinds of conversations can help kids understand they shouldn’t make spontaneous decisions to stop off at a friend’s house without asking for permission or communicating their plans.

    Baby Steps

    Also, if this is the first time your kids are staying home alone, you may need to ease them into the process. “Since processes like deactivating the internal alarm might be too stressful to begin with, maybe consider turning that off for the first couple of days until they have built up more confidence,” Kirkbak says. “You might also consider small things, like keeping some lights on in the hallway to avoid a completely dark house on return, or perhaps leaving on the radio and leaving out a little surprise, to help create a more welcoming and homely atmosphere for a child to come home to.”

    Have a Backup Plan

    In addition, it’s a good idea to have a backup plan. For example, even if you use smartphones or smartwatches, consider what would happen if your kids lost their devices. One way to address this is to print physical copies of phone numbers that can be posted on the fridge or put in your kids’ backpacks, so they will always have a way to contact someone in the event of an emergency.

    Know Your Neighbors

    It could also be a good idea to make sure your kid knows to go to a trusted neighbor who can provide assistance when circumstances merit.


  • Get a lifetime of easy, automatic encryption for all of the files on your computer for just $30

    With the frequency and severity of malware attacks growing practically every day, the files and folders on our computers have never been more at risk. Sure, there have been solutions for strong protection available, but they tend to be so cumbersome and inconvenient to use that few of us would bother. Fortunately, a lifetime subscription to the powerful yet easy-to-use GhostVolt Encryption Software is currently very affordable.

    GhostVolt will automatically add enterprise-level 256-bit AES encryption to your data and permanently maintains it on your computer or home network. For added security, the program will automatically log you out after a period of inactivity. It will even check your passwords against over 600 million exposed ones.

    File management couldn’t be easier since the app is designed just like your regular file explorer, so there’s no learning curve. You can just add your files and folders as you normally would, and they will also be automatically re-encrypted after any editing. You can both preview and share files securely.

    Many convenience features are built in, including integration with Microsoft OneDrive, light and dark modes, backup encryption keys, and more. The program is multilingual, as well, for English, Spanish, French, German, Italian, and Portuguese. Users are really satisfied with GhostVolt, rating it 4.3 out of 5 stars on TrustPilot and 4.7 out of 5 stars on Softpedia.

    If you tend to use a laptop more often than a desktop and spend any time at all on public Wi-Fi networks, and want to take even further precautions, you might like this powerful VPN bundled with two extra displays. But GhostVolt will offer you the ultimate in privacy and protection against data or identity theft, because the encryption will completely obscure all of your personal information, so it will be unreadable to criminals even if it is stolen, hacked, or breached.

    You really don’t want to pass up this opportunity to protect all of your most sensitive files when it is so easy and affordable to do; get GhostVolt Encryption Software: Lifetime Subscription while it is on sale for only $29.99.

  • VoIP company battles massive ransom DDoS attack

    Canada-based VoIP provider VoIP.ms is still battling a week-long, massive ransom distributed denial-of-service (DDoS) attack.


    The company, which provides internet telephony services to businesses across the US and Canada, was hit by a DDoS attack on September 16, with the company confirming via Twitter: “At the moment we carry on with the labor of alleviating the effects caused by the massive DDoS directed at our infrastructure. We continue to work full-on re-establishing all of our services so we can have you connected.”

    As reported by BleepingComputer earlier this week, the attack also affected its domain name service (DNS) infrastructure. Its website remains hard to access some days after the attacks were first acknowledged. In an update on Wednesday, VoIP.ms apologized to customers and confirmed it was still being targeted by what it described as a ‘ransom DDoS attack’. VoIP.ms says it has over 80,000 customers in 125 countries.

    All our resources are still working at stabilizing our website and voice servers due to the ongoing DDoS attacks. We understand the significance of the impact on our clients’ operations and want to reassure you that all of our efforts are being put into recovering our service.— VoIP.ms (@voipms) September 22, 2021

    DDoS attacks are becoming more frequent, more disruptive and increasingly include ransom demands, according to recent research. VoIP.ms’s website currently indicates it is using CDN provider Cloudflare “to protect itself from online attacks”.

    Cloudflare in August helped block what it claimed was the largest DDoS attack on record, which emanated from about 20,000 compromised internet-connected devices in 125 countries. Variants of the Mirai botnet still plague the internet, some five years after the original Mirai source code was released publicly following a massive attack on the blog Krebs on Security in 2016.

    According to Ars Technica, VoIP.ms is requiring visitors to solve captchas before allowing them to access the site. After completing the captcha challenge, the VoIP.ms website currently displays the message: “A Distributed Denial of Service (DDoS) attack continues to be targeted at our Websites and POP servers. Our team is deploying continuous efforts to stop this however the service is being intermittently affected.”

    In a Facebook post on Wednesday, the company said: “We have not stopped on all duties required to have our website and voice servers safe from the attack that has been directed to us, we have all the team, plus professional help working minute by minute on controlling the issues and having all crucial services going as expected, Please stay tuned, thanks.”

    BleepingComputer reported that the attackers have asked for one bitcoin, worth around $45,000 today, to stop the DDoS attacks.

    Two UK VoIP companies suffered DDoS attacks earlier this month, as reported by The Register: UK-based Voip Unlimited said it was hit with a “colossal ransom demand” after the DDoS attack. Mark Pillow, MD of Voip Unlimited, told The Register that industry body UK Comms Council had reported that other companies had also been affected by DDoS attacks and ransoms from ‘REvil’. However, there is no way of knowing whether this is related to the prolific ransomware attack group of the same name.

  • Ransomware attackers targeted this company. Then defenders discovered something curious

    Cybersecurity researchers have detailed a ransomware campaign that clearly borrows attack techniques used by nation-state-backed hacking and cyber-espionage operations.  The campaign came to light when cyber criminals attempted to launch a ransomware attack against an unspecified product safety testing organisation. The attack was detected and stopped before it was successful, but provided cybersecurity researchers at eSentire with enough information to analyse the tactics, techniques and procedures being used.


    As eSentire’s security research team began to investigate the incident, they said they “discovered some very curious findings, relating to both the threat group behind the attack, as well as the tools and techniques used in the attack”.

    The attack methods used in the attempted ransomware campaign resembled techniques previously attributed to state-backed Chinese hacking operations including APT27 – also known as Emissary Panda. eSentire said the low quality of the ransomware and the lack of any known ransomware breaches by this ‘Hello Ransomware’, along with the attackers’ use of intrusion and reconnaissance methods that are typically associated with sophisticated groups, raise the question of whether the ransomware is the primary goal of the operators. “Or are the cyber criminals dropping ransomware into their target victims’ IT environment to simply distract from their real motive – cyber espionage?” eSentire said.

    While all of this doesn’t necessarily mean that those behind the ransomware are working out of or on behalf of China, it demonstrates how cyber criminals can mimic the tactics used by advanced government-backed hacking groups in an effort to deliver malware.

    Techniques deployed in the attempted attack in July include the use of SharePoint exploits and China Chopper, a stealthy remote access tool that provides a backdoor onto compromised systems, often distributed onto web servers. While commonly used by Chinese APT groups, the China Chopper web shell is widely available and is popular with a variety of attackers, both state-backed and cyber criminal.

    But the use of these exploits and China Chopper aren’t the only techniques the attackers behind the ransomware share with APT groups: they also used Mimikatz for password scraping and privilege escalation, attempted to disable security monitoring, and dropped PowerShell command executions while masquerading as a legitimate anti-virus provider – in this case, mimicking Kaspersky.

    There are also time delays between different steps of the attack in an effort to avoid detection. These time delays also suggest a hands-on human touch when carrying out the attacks, something that’s common with APT groups.

    While the methodology is the same as that used by nation-state hacking groups, it would be unusual for a state-sponsored group to directly engage in ransomware attacks. WannaCry ransomware, deployed by North Korea, is an infamous example of an attempted ransomware attack by a state, but on the whole, ransomware is the domain of cyber criminals.

    There’s the possibility that those behind the ransomware are performing a false flag operation, deploying tactics known to be used by a particular operation because it leads any investigation away from them. It’s also well-known that the tactics are an effective means of compromising networks – meaning they’re perfect for ransomware attacks.

    Like other forms of ransomware, Hello encrypts files – in this case with a .hello extension – and demands a ransom from victims in exchange for the decryption key. The ransom note is fairly basic, using Notepad to present a note telling the victim to email the attackers to negotiate a deal.

    Hello ransomware is also quite basic by the standards of top ransomware in 2021 because there’s no threat to leak stolen data and no leak site for publishing stolen data on. It also isn’t run on a ransomware-as-a-service model, like many of the most prolific ransomware variants today, meaning that it stands out.

    Despite all this, the hands-on nature of the attacks indicates that whoever is behind Hello ransomware knows what they’re doing. “Hello ransomware is an exception of ransomware evolution. There’s nothing particularly sophisticated about the ransomware itself, or even the initial access vector, a two-year-old SharePoint vulnerability,” Keegan Keplinger, research and reporting lead at eSentire, told ZDNet. “It is the post-compromise actions which can really be considered sophisticated,” he added.

    Researchers even suggest the possibility that the ransomware could be laid down as a distraction while laying the foundations for something else.

    “There is a stark difference between the sophisticated intrusion capabilities, used in conjunction with the seemingly simplistic Hello Ransomware. This, in addition to the little-publicised success of the Hello ransomware campaigns, also bring the actors’ motivations into question,” said Keplinger.

    The campaign remains mysterious, but while the attack targeting the safety testing organisation was stopped before it was able to encrypt the network, others might not be so lucky.

    Steps that businesses can take to help avoid falling victim to ransomware – and many other forms of cyberattacks – include applying security patches for known vulnerabilities in a timely manner and using multi-factor authentication across the network to make it more difficult for intruders to move around networks.

  • New advanced hacking group targets governments, engineers worldwide

    A new hacking group targeting entities worldwide to spy on them has been unmasked by researchers. Dubbed FamousSparrow by ESET, the advanced persistent threat (APT) group (many such groups are state-sponsored) is a new entry to the cyberespionage space, the team said on Thursday. Believed to have been active since at least 2019, the APT has been linked to attacks against governments, international organizations, engineering firms, legal companies, and the hospitality sector. Victims are located in Europe, the United Kingdom, Israel, Saudi Arabia, Taiwan, Burkina Faso in West Africa, and the Americas — including Brazil, Canada, and Guatemala.

    ESET says that current threat data indicates that FamousSparrow is a separate group independent from other active APTs; however, there do appear to be several overlaps. In one case, exploit tools used by the threat actors were set up with a command-and-control (C2) server linked to the DRBControl APT, and in another, a variant of a loader employed by SparklingGoblin appears to have been in use.

    What makes this new APT interesting is that the group joined at least 10 other APT groups that exploited ProxyLogon, a chain of zero-day vulnerabilities disclosed in March which was used to compromise Microsoft Exchange servers worldwide.  The researchers say that ProxyLogon was first exploited by the group on March 3, before Microsoft released emergency patches to the public, which indicates “it is yet another APT group that had access to the details of the ProxyLogon vulnerability chain in March 2021.”

    The APT tends to compromise internet-facing applications as its initial attack vector, and this does not only include Microsoft Exchange servers — Microsoft SharePoint and Oracle Opera are in the line of fire, too.

    FamousSparrow is the only known APT to make use of a custom backdoor, dubbed SparrowDoor by the team. The backdoor is deployed via a loader and DLL search order hijacking, and once established, a link to the attacker’s C2 is created for the exfiltration of data.

    In addition, FamousSparrow accounts for two customized versions of the open source, post-exploit password tool Mimikatz, a legitimate penetration testing kit that has been widely abused by cybercriminals. A version of this tool is dropped upon initial infection, as well as the NetBIOS scanner Nbtscan and a utility for gathering in-memory data, such as credentials.

    “This is another reminder that it is critical to patch internet-facing applications quickly, or, if quick patching is not possible, to not expose them to the internet at all,” the researchers commented. “The targeting, which includes governments worldwide, suggests that FamousSparrow’s intent is espionage.”

  • ANZ reports a 73% year-on-year increase in scams for the first eight months of 2021

    Australia and New Zealand Group (ANZ) chief executive Shayne Elliot has encouraged the Standing Committee of Economics to prioritise the need to raise further awareness, as well as recommend additional steps industry and government could take, to address the rising number of scams.

    In fronting the committee, which is currently undertaking a review of the four major banks and other financial institutions, Elliot highlighted that for the first eight months of 2021, ANZ had seen a 73% increase in scams being detected or reported by customers, compared to the same time last year. Over the same period, ANZ retail customers sent AU$77 million to scammers, of which the bank was able to claw back almost AU$19 million, Elliot said.

    He also noted that ANZ has blocked over 15 million malicious emails every month, and has blocked between 15 and 20 million attacks on its website, including DDoS attacks, during the period.

    “The most prevalent and successful scam involves criminals gaining remote access to consumer customer computers and the devices. We’ve also seen a year-on-year increase in investment scams of around 53% and a high proportion of these involve cryptocurrency,” Elliot continued.

    “There’s good work going on within the industry and government to tackle the problem. For example, the Australian Banking Association launched a scams awareness campaign yesterday. However, more needs to be done.

    “This committee could help by inquiring into the problem, raising further awareness of the dangers, and recommending additional steps industry and government could take.”

    Elliot detailed that for “serious attacks” and when the bank can identify the perpetrator, it works with the likes of Austrac, national security teams, and the police to deal with these attacks, but urged more needs to be done to help customers who cannot protect themselves.

    The average age of scam victims is 59 and 44% are over the age of 65, Elliot reported. “Thankfully, the Australian banking system and it’s not just an entity that is investing heavily in the area … our concern is more to do with our customers who either don’t have the resources or don’t see the need to do this, so it’s a growing issue.”

    On the topic of cryptocurrency, Elliot admits it is an area the bank “struggles” to understand in terms of how to service it while remaining compliant with obligations, such as money laundering sanctions and anti-terrorism financing. “That’s not to say that that’s a forever policy, but right now that’s difficult,” he said.

    “Just to give you an example, at the moment, we understand if you’re a crypto exchange you may apply for an Austrac licence but that’s not transparent to me. I have no way of knowing or getting access to whether that licence has been granted or not, so it’s quite a difficult area.

    “For now, we have a policy of not providing banking to the crypto exchange world, in particular. But as I said, it’s not a forever policy, it will depend on how things emerge in that space and how we can do so safely.”

    A similar view was shared by Commonwealth Bank of Australia chief Matt Comyn, who faced the committee on Thursday morning.

    “We have very specific requirements when we bank someone, we need to understand the remitter and beneficiary. We have certain obligations. Some elements — and there’s a large dispersion of different types of players in the crypto space — is unquestionably fraud and scam. There are also some reputable players. It is by definition a higher risk industry and category,” he said.

    Such discussions coincide with the release of a whitepaper, Cyber Threats and Data Recovery Challenges for FMIs, developed by the Working Group on Cyber Resilience, an industry working group that includes representatives from the Reserve Bank of Australia and the Federal Reserve Bank of New York. The paper highlights the need for greater industry collaboration around:

    • the creation of design principles for housing critical data sets in data bunkers and third-party sites;
    • the need for further guidelines for minimising contagion;
    • the adoption of common standards for assessing third-party risks to the ecosystem;
    • the delivery of industry-wide cyber exercises by an independent party; and
    • a common, yet flexible, definition of service criticality and its prioritisation around resumption.

    On Thursday, the Australian Securities and Investments Commission (ASIC) also noted it was concerned that social media posts were being used to coordinate pump and dump activity in listed stocks, which could potentially result in market manipulation and therefore be in breach of the Corporations Act 2001.

    As ASIC puts it, pump and dump activity can occur when a person buys shares in a company and starts an organised program to seek to increase the share price using social media and online forums to create a sense of excitement in a stock or spread false news about the company’s prospects. They then sell their shares and take a profit, leaving other shareholders to suffer as share prices fall. ASIC said that it has recently observed “blatant attempts” at such activities, using its real-time surveillance system and by integrating trade data from third parties to identify networks of connected parties and to analyse trading patterns.

    “Market participants, as gatekeepers, should take active steps to identify and stop potential market misconduct. They should consider the circumstances of all orders that enter a market through their systems, and be aware of indicators of manipulative trading,” ASIC commissioner Cathie Armour said.

  • LG acquires Israeli automotive cybersecurity startup Cybellum

    LG Electronics said on Thursday it has acquired Israeli automotive cybersecurity startup Cybellum.

    Tel Aviv-based Cybellum was founded in 2016 and offers risk assessment software that can scan software on vehicle components for vulnerabilities and risks.

    The South Korean electronics maker signed a deal with the startup to acquire 63.9% of its shares. LG will also acquire additional shares of Cybellum by the year’s end, with the amount to be finalised then.

    LG has also signed an additional contract, worth $20 million, with the startup for future equity that will see the funds be converted to more shares from the end of 2022 to the first half of 2023.

    Cybellum’s current management team will continue to run the company independently and work with its existing automobile and component partners, LG said.

    According to the South Korean company, security in the automotive industry has become more important as more vehicles connect to networks. Due to this, cybersecurity has become an important barometer for the quality of a vehicle’s life cycle, along with design, development and driving capabilities, the company said.

    Through Cybellum’s solutions, LG will look to beef up the security systems on its automotive offerings in the areas of infotainment and telematics, the company said, to preempt security regulations in various countries and become a reliable partner to automobile manufacturers.

    LG currently offers various software and components for vehicles. Its affiliate LG Display also supplies display panels to automobile companies.

    In July, its joint venture with Magna International was formed, which aims to offer electric powertrain components and systems for cars.

    In March, LG launched a joint venture called Alluto with Luxoft, a subsidiary of DXC Technology that offers connected car solutions based on the webOS Auto platform.

  • CISA releases advisory on Conti ransomware, notes increase in attacks after more than 400 incidents

CISA sent out an advisory on Wednesday centered around the Conti ransomware, providing detailed information for the cybersecurity community about the ransomware group and its affiliates.

Both CISA and the FBI said they have seen more than 400 attacks involving Conti’s ransomware targeting US organizations as well as international enterprises. The FBI has previously implicated Conti in attacks on at least 290 organizations in the US.

CISA offered a technical breakdown of how the ransomware group’s operators typically function and what steps organizations can take to mitigate potential attacks. CISA noted that while Conti operates a ransomware-as-a-service model, it does so a bit differently than others. Instead of paying affiliates a cut of the earnings from ransoms, the group pays the deployers of the ransomware a wage, according to CISA.

Rob Joyce, director of cybersecurity at NSA, said the cybercriminals now running the Conti ransomware-as-a-service have historically targeted critical infrastructure, such as the Defense Industrial Base (DIB). He added that the advisory highlights actions organizations can take right now to counter the threat.

“NSA works closely with our partners, providing critical intelligence and enabling operations to counter ransomware activities. We highly recommend using the mitigations outlined in this advisory to protect against Conti malware and mitigate your risk against any ransomware attack,” Joyce said.

On Twitter, Joyce said Conti attacks are increasing and urged organizations to use MFA, segment their networks and explore using a patch management system to keep networks updated.

CISA explained that Conti actors typically use a variety of methods and tools to infiltrate systems, including spearphishing campaigns, remote monitoring and management software and remote desktop software.

The spearphishing campaigns seen by CISA used tailored emails that contain malicious attachments or links. Stolen or weak Remote Desktop Protocol (RDP) credentials, phone calls, fake software promoted via search engine optimization, other malware distribution networks like ZLoader and common vulnerabilities in external assets were all cited as tools Conti actors have used during ransomware attacks.

“Malicious Word attachments often contain embedded scripts that can be used to download or drop other malware — such as TrickBot and IcedID, and/or Cobalt Strike — to assist with lateral movement and later stages of the attack life cycle with the eventual goal of deploying Conti ransomware,” CISA explained. “In the execution phase, actors run a getuid payload before using a more aggressive payload to reduce the risk of triggering antivirus engines. CISA and FBI have observed Conti actors using Router Scan, a penetration testing tool, to maliciously scan for and brute force routers, cameras, and network-attached storage devices with web interfaces. Additionally, actors use Kerberos attacks to attempt to get the Admin hash to conduct brute force attacks.”

The operators of Conti’s ransomware have also been seen using remote monitoring and management software as well as remote desktop software as backdoors to maintain persistence in a victim’s network.

CISA explained that sometimes the ransomware group and its affiliates use tools that are already on a victim’s network, or add tools like Windows Sysinternals and Mimikatz, to “obtain users’ hashes and clear-text credentials, which enable the actors to escalate privileges within a domain and perform other post-exploitation and lateral movement tasks.” The TrickBot malware is also used in some cases to carry out other post-exploitation tasks.

The advisory noted that “artifacts from a recently leaked threat actor ‘playbook,’ identify IP addresses Conti actors have used for their malicious activity.” The playbook also shows that Conti operators aim to exploit vulnerabilities in unpatched assets, such as the 2017 Microsoft Windows Server Message Block 1.0 server vulnerabilities, the “PrintNightmare” vulnerability and the “Zerologon” vulnerability.

“CISA and FBI have observed Conti actors using different Cobalt Strike server IP addresses unique to different victims. Conti actors often use the open-source Rclone command line program for data exfiltration,” the advisory said. “After the actors steal and encrypt the victim’s sensitive data, they employ a double extortion technique in which they demand the victim pay a ransom for the release of the encrypted data and threaten the victim with public release of the data if the ransom is not paid.”

As Joyce said, CISA, the FBI and NSA suggested organizations segment their networks, filter traffic, scan for vulnerabilities and stay up to date with all patches. They added that unnecessary applications should be removed and application controls applied, endpoint detection and response tools should be implemented, and access should be limited across networks.

Conti made a name for itself after attacking hundreds of healthcare institutions — including a debilitating ransomware attack on Ireland’s Health Service Executive on May 14 — as well as schools like the University of Utah and other government organizations like the city government of Tulsa, Oklahoma and the Scottish Environment Protection Agency.

Allan Liska, ransomware expert and member of the computer security incident response team at Recorded Future, said much of what was in the advisory was well-known in the information security community. But he noted that experts are not the target audience of the advisory.

“There are a lot of security people who will find this very useful because the tools used by Conti are used by other ransomware groups. For example, rclone is mentioned in the report. I see rclone used by many ransomware groups but rarely by legitimate employees of an organization, so looking for rclone hashes on endpoints could be useful,” Liska said. “I also think a lot of people didn’t know that Conti has infected organizations through phone calls. That may be a new threat model for a lot of organizations and one that they have to consider how to defend against. Overall, while it is not a groundbreaking report, it is nice to have so many of Conti’s TTP in a single location rather than combing through 15 different ZDNet articles to find them.”
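Liska’s point that rclone is rarely run by legitimate employees suggests a simple endpoint check. The following is an added example, not code from CISA, the FBI or the article: it scans constructed Sysmon-style process-creation events for rclone both by name and by a hash set (so a renamed binary is still caught), skipping hosts where rclone is an approved backup tool. The event format, the hash values and the host names are assumptions.

```python
"""Flag rclone executions in endpoint process-creation telemetry.

Added example, not part of the advisory or the article. The event format,
hash values and host names are constructed placeholders.
"""
import re

# Placeholders standing in for SHA-256 hashes of rclone builds an analyst has
# collected; real values would come from your own hash inventory.
RCLONE_HASHES = {"placeholder-rclone-sha256-a", "placeholder-rclone-sha256-b"}
# Hosts where rclone is an approved backup tool (constructed example).
APPROVED_HOSTS = {"backup01"}
# rclone subcommands that push data to a remote, the exfiltration pattern
# the advisory describes.
TRANSFER_VERBS = re.compile(r"\brclone(?:\.exe)?\b.*\b(copy|sync|move)\b", re.I)


def parse_event(line):
    """Constructed format: host|user|image path|sha256|command line."""
    host, user, image, sha256, cmd = line.split("|", 4)
    return host, user, image, sha256.lower(), cmd


def detect_rclone(events):
    """Return (host, user, reason, command line) for each rclone-like event.

    A hash match catches a renamed binary; a name match catches a build whose
    hash is not yet in the inventory.
    """
    findings = []
    for line in events:
        host, user, image, sha256, cmd = parse_event(line)
        if host in APPROVED_HOSTS:
            continue  # sanctioned use; keep this list short and reviewed
        if sha256 in RCLONE_HASHES:
            findings.append((host, user, "known rclone hash", cmd))
        elif image.lower().endswith("rclone.exe") or TRANSFER_VERBS.search(cmd):
            findings.append((host, user, "rclone invoked by name", cmd))
    return findings


SAMPLE_EVENTS = [  # constructed telemetry, not real data
    r"ws-042|jdoe|C:\Users\jdoe\AppData\Local\Temp\rclone.exe|unknown-build|rclone.exe copy C:\Finance remote:share -q",
    r"ws-042|jdoe|C:\Windows\System32\cmd.exe|cmd-hash|cmd.exe /c dir",
    r"ws-017|svc|C:\ProgramData\svchost.exe|placeholder-rclone-sha256-b|svchost.exe sync D:\Data mega:backup",
    r"backup01|backupsvc|C:\Tools\rclone.exe|placeholder-rclone-sha256-a|rclone.exe sync E:\Backups s3:corp",
]

for host, user, reason, cmd in detect_rclone(SAMPLE_EVENTS):
    print(f"{host} {user}: {reason} -> {cmd}")
```

Hash matching only works for builds already in the inventory, so a name or command-line match is the fallback that catches the rest.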