More stories

  • Google: This major privacy change is coming to billions of Android devices soon

    Android apps that haven’t been used for a while will soon begin to automatically lose their permission to access sensitive device features, such as sensors, SMS messages, and contact lists. Come December, Google plans to ramp up the availability of “permissions auto-reset”, an Android privacy feature that automatically winds back an app’s previously-granted permissions to access a device’s location, camera, microphone and so on.  Google released the feature for Android 11 last year, but in December it will expand it to “billions more devices” via Google Play services on devices running Android 6.0 (API level 23) from 2015 and newer.   

    “The feature will be enabled by default for apps targeting Android 11 (API level 30) or higher. However, users can enable permission auto-reset manually for apps targeting API levels 23 to 29,” Google explains in an Android developer blogpost.

    The feature aims to help Android users control privacy-sensitive app permissions in the context of users having dozens of apps on a device, many of which don’t get used that often or for long periods of time. It targets an app’s “runtime permissions”, or “dangerous permissions”, for accessing location, contact information, messages and other private user data. Around Q2 2022, if an app targets Android 6 or higher and isn’t used for a few months, Android will automatically reset the sensitive runtime permissions that the user had granted to an app.

    “This action has the same effect as if the user viewed a permission in system settings and changed your app’s access level to Deny,” Google explains in developer notes. The change will affect all Android apps on consumer devices. However, Google has made an exception for enterprise-managed apps and apps with permissions that have been fixed by enterprise policy.

    Google also has a way for developers to ask a user to disable auto-reset for their app. This could be suitable for apps that are expected to work in the background, such as apps that provide family safety, apps for syncing data, apps for controlling smart devices or pairing with other devices.

    The rollout of the auto-reset feature will gradually take place after kicking off in December, but it won’t reach all devices between Android 6 and Android 10 until Q1 2022, Google notes. However, users with Android 6 to 10 can go to an auto-reset settings page and enable or disable auto-reset for specific apps. “The system will start to automatically reset the permissions of unused apps a few weeks after the feature launches on a device,” Google notes.

  • Facebook rebukes WSJ over investigation on the platform's ability to harm, 'toxic' impact

    Facebook has criticized a series of investigations published by the Wall Street Journal as containing “deliberate mischaracterizations” which “confer egregiously false motives to Facebook’s leadership and employees.”

    Recently, the WSJ has published “The Facebook Files,” a set of articles based on a review of the social media giant’s internal documents, research, draft presentations, and online employee discussions. Among the reports is an allegation made by the news outlet that the company knows its platforms — including Facebook and Instagram — are “riddled” with flaws that “cause harm, often in ways only the company fully understands” and that these alleged issues are known all the way up to the chief executive, Mark Zuckerberg.

    Among its reports, the WSJ says that changes made by Facebook to its algorithms three years ago to improve user connectivity and well-being made the platform “angrier” instead, with staff members warning of the potential damage being done. Changes were then allegedly resisted due to concerns surrounding declining user engagement. In addition, the publication says that researchers inside Instagram have found that the app is “harmful” and “toxic” for some younger users, in particular teenage girls. “In response, Facebook says the negative effects aren’t widespread, that the mental-health research is valuable and that some of the harmful aspects aren’t easy to address,” the WSJ says.

    Furthermore, an alleged internal platform known as cross check/XCheck exempts some high-profile users from the rules applied to typical users, which shields these individuals from sanctions normally applied when material is posted that may break Facebook terms of service, such as posts inciting violence.

    In response, former UK politician and now Facebook Vice President of Global Affairs Nick Clegg said in a blog post on Saturday that the series “contained deliberate mischaracterizations of what we are trying to do, and conferred egregiously false motives to Facebook’s leadership and employees.” Clegg also says that the accusation at the core of the reports, that Facebook conducts research and dismisses anything that is not of benefit to the company, “is plain false” and is based on the “cherry-picked” selection of leaked documents.

    “With any research, there will be ideas for improvement that are effective to pursue and ideas where the tradeoffs against other important considerations are worse than the proposed fix,” the executive says. “The fact that not every idea that a researcher raises is acted upon doesn’t mean Facebook teams are not continually considering a range of different improvements.”

    Clegg also referenced one of the WSJ’s reports on how COVID-19 misinformation and “barrier to vaccination” content has been handled over the course of the pandemic. The publication writes that anti-vaxxers have been able to abuse Facebook’s own tools to sow doubt, flooding the platform with negative comments and potentially undermining initiatives to drive up vaccine acceptance rates. The executive says that health organizations continue to post because despite negative commentary, by their own measurements, promotion is still effective.

    “Facebook understands the significant responsibility that comes with operating a global platform,” Clegg says. “We take it seriously, and we don’t shy away from scrutiny and criticism. But we fundamentally reject this mischaracterization of our work and impugning of the company’s motives.”

  • Victoria launches five-year, AU$50 million cyber strategy

    Image: Victorian Government
    The Victorian government has launched a new five-year cyber strategy that will see over AU$50 million be allocated towards bolstering the state’s cybersecurity resilience. The cyber strategy [PDF] will focus on three core missions that government has described as providing safe and reliable delivery of government services, creating a cyber safe place, and creating a “vibrant” cyber economy.

    The strategy will be implemented through the state’s chief information security officer (CISO) releasing annual mission delivery plans that outline specific activities associated with the three core missions. The CISO will develop this plan in consultation with relevant stakeholders across government, industry, and the community. The CISO will also publish an annual statement on the progress of activities against each of the three core missions.

    While the first annual mission delivery plan is yet to be released, Minister for Government Services Danny Pearson said the first year of the cyber strategy will see government specifically focus on strengthening security for government online services and communications. It will also provide more opportunities to grow the state’s local cybersecurity talent, Pearson said.

    As part of the mission of improving the delivery of government services, the actions to be rolled out by government will entail creating an IT asset management guideline that is in line with Victorian Protective Data Security Framework requirements; decommissioning unused services currently active on vic.gov.au domains; and establishing a whole-of-government third-party risk program.

    It also includes deploying a status monitoring program and simple procurement process that both follow Essential Eight guidelines; working with the National Cyber Security Committee to standardise government third-party supplier security frameworks; and building various guidelines and cyber education programs aimed at improving the resilience of government’s critical services.

    For the mission of making Victoria more cyber safe, the state government will establish a Victoria Police Cybercrime Strategy to boost Victoria Police capability and a new expert advisory panel focused on understanding cybercrime risks. The advisory panel will report to government on opportunities to enhance cybercrime messaging and education programs as well as potential legislative reform for helping police combat cybercrime, the strategy outlines. Government will also develop an annual cyber exercise program in partnership with Victoria’s critical infrastructure owners and operators as part of the strategy’s second mission.

    The third mission, creating a “vibrant” cyber economy, will see the Victorian government allocate investment towards growing local cyber capability, create internship and training programs in the cyber sector, and establish an expert advisory panel to provide insight on cyber capability uplift opportunities and digital economic growth.

    The new cyber strategy builds on Victoria’s AU$196 million plan, announced late last year, to centralise and simplify the state’s IT services.

  • Get two extra displays for your laptop plus a lifetime of powerful VPN protection

    There are few things cooler than multiple displays that make multi-tasking a breeze. However, while that’s not an uncommon setup at home, it hasn’t been easy to take on the road — until now. The Mobile Pixels TRIO gives you not one, but two extra displays for your laptop. It has a light, compact design that makes it easy to take anywhere, and conveniently has just one cable that can be used for both data and power. The TRIO has a full 270° rotation and the brightness can be adjusted to your liking. Amazon buyers rate it 4.2 out of 5 stars and it’s been featured on WIRED, Buzzfeed, and more. Students, working professionals, programmers, gamers, and more will love the Mobile Pixels TRIO. If you’re a digital nomad, you can learn a new language on one screen with your work on a second and email on the third.

    Of course, if you’re using mobile accessories, it’s a good indication that you’ll be on public wifi at least now and then. So you need powerful VPN protection, which is exactly what VPN Unlimited: Lifetime Subscription offers. Your security and privacy are ensured by military-grade encryption and a zero-log policy. A kill-switch is included to disconnect you from the internet if your connection to a KeepSolid VPN server drops. If you happen to be traveling abroad, you’ll appreciate that KeepSolid has more than 400 servers placed around the globe, because that means no geo-restrictions when it comes to watching your favorite content. The service also includes unlimited speed and bandwidth, so there is no lagging or buffering while you’re streaming. You get 24/7 support, but KeepSolid is very user-friendly. It also has additional convenient features such as Trusted Networks, Favorite Servers, Ping Tests, and a lot more. KeepSolid VPN is the best-selling VPN of all time, with over ten million users worldwide. A VPN Special review illustrates KeepSolid VPN’s advantages quite nicely: “KeepSolid VPN Unlimited offers amazing services and its advanced features make it a solid VPN service provider.”

    Don’t miss this chance to get a lifetime of powerful VPN protection and two portable displays for your laptop. Grab The VPN Unlimited Lifetime Subscription + Mobile Pixels TRIO Bundle today while you can use Coupon SCREEN285 to get a 25% discount off the $699 retail price and pay only $519.

  • TTEC hit with ransomware attack, hampering work for major clients

    US customer experience technology giant TTEC has announced a “cybersecurity incident” but confirmed to employees that it was hit with ransomware. The company, with nearly 61,000 employees and billions in annual revenue, sent a message to employees this week warning them not to click on a link titled “!RA!G!N!A!R!” according to KrebsonSecurity. The message indicates the attack may have been launched by the prolific Ragnar Locker ransomware group or someone trying to impersonate them. TTEC told employees that it was having system outages and was working to remove the malicious “!RA!G!N!A!R!” file from its system.

    In a statement to ZDNet, TTEC corporate communications vice president Tim Blair would not confirm that it was a ransomware incident but said some of the company’s data was encrypted and “business activities at several facilities have been temporarily disrupted.”

    “TTEC immediately activated its information security incident response business continuity protocols, isolated the systems involved, and took other appropriate measures to contain the incident,” Blair said. “We are now in the process of carefully and deliberately restoring the systems that have been involved. We also launched an investigation, typical under the circumstances, to determine the potential impacts. In serving our clients TTEC generally does not maintain our clients’ data, and the investigation to date has not identified compromise to clients’ data. That investigation is on-going and we will take additional action, as appropriate, based on the investigation’s results.”

    TTEC works with some of the biggest companies in the world, including Verizon, Best Buy, Dish Network, Bank of America and Kaiser Permanente.

    KrebsonSecurity was able to obtain the internal message from a reader, who told the blog that the “widespread” system outage began on Sunday, September 12. The source told KrebsonSecurity that thousands of TTEC employees working on accounts for Verizon, Kaiser Permanente and Bank of America were unable to do any tasks because of the attack while many other customer support teams reported being unable to work.

    Ransomware groups typically target organizations with large customer bases that rely on services or a product, knowing it hinders business and creates a trickle-down impact on all customers, KnowBe4 security advocate James McQuiggan said. “Ransomware attacks have been known to hinder the business and steal intellectual property, client information and employee information. The cyber criminals then use this information to extort the employees or customers for additional money or be in fear of their data being released publicly,” McQuiggan said.

    The Ragnar Locker ransomware group has been in the news as of late for their comments about victims who contact the police or professional negotiators. On their darknet leaksite, the group said it would destroy decryption keys and publish all sensitive data that was stolen if victims dared to contact cybersecurity companies or law enforcement. “So from this moment we warn all our clients, if you will hire any recovery company for negotiations or if you will send requests to the police/FBI/investigators, we will consider this as a hostile intent and we will initiate the publication of whole compromised data immediately,” the group said, according to a note seen by BleepingComputer.

    The group has previously attacked major companies like Capcom, Campari, energy company EDP, game studio CD Projekt Red and a number of shipping giants in China.

  • Best VPN for iPhone and iPad 2021

    Image: Daniel Romero via Unsplash
    My iPhone offers pretty good connectivity, but tends to be hamstrung by the limits imposed by my cellular carrier. Even though I have an unlimited data plan, using my phone as a hotspot is limited to a very short amount of time before I start to rack up extra fees. When traveling, and working for a few hours every night in a hotel lobby or coffee shop, my so-called unlimited hotspot service just won’t cut it. That means I’ve had to rely on local Wi-Fi for both my iPhone and iPad. Let me put it bluntly: using a local hotel, airport, school, or coffee shop Wi-Fi is terrifying. There’s no telling what’s monitoring traffic, and even if the hotel has encrypted Wi-Fi, you never know what’s running on that network. That’s why running a VPN is essential, and I’ve long recommended having a VPN service that works with both your iPhone and iPad — I tend to use both extensively while on the road. In this article, we’re looking at four VPN services we’ve come to know over the years, who offer solid iPhone and iPad clients and good performance. Let’s take a look at each.

    NordVPN

    4.6 App Store average, 219K ratings

    Simultaneous Connections: 6
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, Android TV, Chrome, Firefox
    Logging: None, except billing data
    Countries: 59
    Servers: 5517
    Trial/MBG: 30 days

    NordVPN is one of the more popular VPN offerings on the iPhone App Store. Installation on the iPhone is simple and painless, and performance is predictable across regions.

    In our review, we liked that it offered capabilities beyond basic VPN, including support for P2P sharing, a service it calls Double VPN that adds a second layer of encryption, Onion over VPN which allows for Tor capabilities over its VPN, and even a dedicated IP if you’re trying to run a VPN that also doubles as a server. It supports all the usual platforms and a bunch of home network platforms as well. The company also offers NordVPN Teams, which provides centralized management and billing for a mobile workforce.

    Performance testing was adequate, although ping speeds were slow enough that I wouldn’t want to play a twitch video game over the VPN. To be fair, most VPNs have pretty terrible ping speeds, so this isn’t a weakness unique to Nord. Overall, a solid choice, and with a 30-day money-back guarantee, worth a try.

    ExpressVPN

    4.6 App Store average, 142.2K ratings

    Simultaneous Connections: 5, or unlimited with the router app
    Kill Switch: Yes
    Platforms: A whole lot (see the full list here)
    Logging: No browsing logs, some connection logs
    Countries: 94
    Locations: 160
    Trial/MBG: 30 days

    ExpressVPN supports iOS back to iOS 12. Phones supported include iPhone 12, iPhone 12 Mini, iPhone 12 Pro, iPhone 12 Pro Max, iPhone 11, iPhone 11 Pro, iPhone 11 Pro Max, iPhone SE (2nd generation), iPhone XS, iPhone XS Max, iPhone XR, iPhone X, iPhone 8, iPhone 8 Plus, iPhone 7, iPhone 7 Plus, iPhone SE, iPhone 6, iPhone 6S, iPhone 6S Plus. iPads supported include iPad, iPad Pro, iPad Air, iPad Air 2, iPad Mini, iPad Mini 2, iPad Mini 3, iPad Mini 4.

    ExpressVPN is one of the most popular VPN providers out there, offering a wide range of platforms and protocols. In addition to iOS, platforms include Windows, Mac, Linux, routers, Android, Chromebook, Kindle Fire, and even the Nook device. There are also browser extensions for Chrome and Firefox. Plus, ExpressVPN works with PlayStation, Apple TV, Xbox, Amazon Fire TV, and the Nintendo Switch. There’s even a manual setup option for Chromecast, Roku, and Nvidia Switch.

    With 160 server locations in 94 countries, ExpressVPN has a considerable VPN network across the internet. In CNET’s review of the service, staff writer Rae Hodge reported that ExpressVPN lost less than 2% of performance with the VPN enabled and using the OpenVPN protocol vs. a direct connection.

    While the company does not log browsing history or traffic destinations, it does log dates connected to the VPN service, amount transferred, and VPN server location. We do want to give ExpressVPN kudos for making this information very clear and easily accessible.

    IPVanish

    4.5 App Store average, 77.2K ratings

    Simultaneous Connections: Unlimited
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, Chrome, plus routers, Fire Stick, and Kodi
    Logging: None, except billing data
    Servers: 1,500
    Locations: 75
    Trial/MBG: 30 days

    IPVanish is a deep and highly configurable product that presents itself as a click-and-go solution. I think the company is selling itself short doing this. A quick visit to its website shows a relatively generic VPN service, but that’s not the whole truth.

    Its UI provides a wide range of server selection options, including some great performance graphics. It also has a wide variety of protocols, so no matter what you’re connecting to, you can know what to expect. The company also provides an excellent server list with good current status information. There’s also a raft of configuration options for the app itself.

    IPVanish provides even more iOS support than ExpressVPN, supporting devices back to iOS 11. That provides support for iPhones back to the iPhone 5s, the iPad mini 2, and the original iPad Air.

    In terms of performance, connection speed was crazy fast. Overall transfer performance was good. However, from a security perspective, it wasn’t able to hide that I was connecting via a VPN — although the data transferred was secure. Overall, a solid product with a good user experience that’s fine for home connections as long as you’re not trying to hide the fact that you’re on a VPN.

    The company also has a partnership with SugarSync and provides 250GB of encrypted cloud storage with each plan.

    Surfshark

    4.4 App Store average, only 4.3K ratings

    Simultaneous Connections: Unlimited
    Kill Switch: Yes
    Platforms: Windows, Mac, Linux, iOS, Android, Fire TV, Firefox, Chrome
    Logging: None, except billing data
    Trial/MBG: 30 days

    At two bucks a month for a two-year plan (billed in one chunk), Surfshark offers a good price for a solid offering. In CNET’s testing, no leaks were found (and given that much bigger names leaked connection information, that’s a big win). The company seems to have a very strong security focus, offering AES-256-GCM, RSA-2048, and Perfect Forward Secrecy encryption. Surfshark also offers iOS support for phones going back as far as the iPhone 5s.

    Surfshark’s performance was higher than NordVPN and Norton Secure VPN, but lower than ExpressVPN and IPVanish. That said, Surfshark also offers a multihop option that allows you to route connections through two VPN servers across the Surfshark private network. We also like that the company offers some inexpensive add-on features, including ad-blocking, anti-tracking, access to a non-logging search engine, and a tool that tracks your email address against data breach lists.

    Isn’t iCloud+ Private Relay a VPN? Why do I need another VPN?

    So let’s be clear. iCloud+ Private Relay is a feature of iCloud+, coming sometime in late 2021. If you buy any iCloud storage, you’ll get the iCloud+ features. But while Private Relay can hide your email address and location, it only does it when you’re using Safari. If you’re using Chrome (or any application that uses the Internet directly), you’re out of luck. It also shows up as a proxy server, so if you don’t want anyone to know you’re using a VPN, you’re out of luck. You also can’t change or hide your location, as you can with a full VPN. Private Relay is a feature of iCloud+. A VPN is a full security solution.

    Do I need a VPN if I just use my carrier’s data?

    Maybe. That depends on how much you trust your carrier — and wireless signals have been intercepted. You’re better off encrypting your data when it’s in motion, whether you use Wi-Fi or a carrier connection.

    Doesn’t iOS include VPN services in the OS?

    Yes, if you’re connecting to a corporate VPN server, as detailed here. But if you’re connecting to other destinations on the internet, you’re probably going to want to use a commercial VPN service.

    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.

  • $133 million lost in online romance scams in 2021: FBI

    The FBI said this week that thousands of people had filed complaints about online romance scams that resulted in losses totaling about $133 million. In a release, the FBI explained that from January 1 to July 31, the FBI Internet Crime Complaint Center received more than 1,800 complaints about romance scams where victims were coerced into sending money digitally or trading cryptocurrency for another person.

    “The scammer’s initial contact is typically made via dating apps and other social media sites. The scammer gains the confidence and trust of the victim — through establishing an online relationship — and then claims to have knowledge of cryptocurrency investment or trading opportunities that will result in substantial profits,” the FBI said in a statement. “The scammer directs the victim to a fraudulent website or application for an investment opportunity. After the victim has invested an initial amount on the platform and sees an alleged profit, the scammers allow the victim to withdraw a small amount of money, further gaining the victim’s trust. After the successful withdrawal, the scammer instructs the victim to invest larger amounts of money and often expresses the need to ‘act fast.’ When the victim is ready to withdraw funds again, the scammers create reasons why this cannot happen.”

    Even more funds are extracted from victims when cybercriminals say there are additional taxes or fees that need to be paid. Some scammers include a “customer service group” to siphon more funds from a victim and generally stop answering messages once there is no money left to steal.

    The FBI said earlier this year that they had received a record number of complaints about online scams and fraud. Interpol released a similar warning in January. In July, a resident of Houston, Texas was sentenced to over seven years in jail for his role in romance and business scams that netted over $2.2 million in illicit proceeds. Last week, a former US Army reservist was sentenced to over three-and-a-half years in prison for conducting both romance and Business Email Compromise (BEC) scams.

    Paul Bischoff, privacy advocate at Comparitech, told ZDNet that in 2020 alone, reported losses to romance scams reached a record $304 million, about a 50% increase on 2019’s $201 million, according to the FTC. The FBI reported $475 million in losses in the same year, Bischoff added. He noted that the FBI’s numbers are often at odds with those presented by the FTC.
    Image: FTC
    Romance scams accounted for larger losses than any other type of scam, according to the FTC. “The majority of romance scam victims are women over the age of 50, according to the FBI. Given that elder fraud is hugely underreported, the real figures are likely much higher. The scam starts on dating apps or social media, where the scammer approaches the victim and begins a grooming process,” Bischoff explained. “This often involves love bombing, or showering the victim with affection to make them feel infatuated. The next step might involve the victim sending something that the scammer can use against them, such as compromising photos. Scammers often try to trick victims into sending money, but victims can also be used as mules for money laundering or smuggling illegal goods.”

    The elderly are often the prime targets for these kinds of scams — particularly during the COVID-19 pandemic — because they are often socially isolated and in need of personal connection. Bischoff noted that romance scams often go on for a long time, with victims continuing to send money even after they realize they’re being scammed, either due to romantic feelings for the scammer or because they’re being blackmailed.

    Romance scams have long been a go-to method for cybercriminals to steal money and valuable personal information from people. From 2017 to 2021, romance scams were one of the top five most lucrative scams perpetrated against military personnel, according to the Federal Trade Commission. US military members lost $92 million through romance scams between 2017 and 2021, with the median loss hovering around $2,500.

  • CISA warns of APT actors exploiting newly identified vulnerability in ManageEngine ADSelfService Plus

    CISA is urging users of Zoho’s ManageEngine ADSelfService Plus to update their tools, noting that APT actors are actively exploiting a recently discovered vulnerability. Zoho ManageEngine ADSelfService Plus build 6114, which Zoho released on September 6, 2021, fixes the vulnerability. ManageEngine ADSelfService Plus is a widely used self-service password management and single sign-on solution. The critical authentication bypass vulnerability affects representational state transfer (REST) application programming interface (API) URLs that could enable remote code execution.


    In a joint advisory sent out this week, CISA, the FBI and the US Coast Guard Cyber Command said APT actors have already targeted “academic institutions, defense contractors and critical infrastructure entities in multiple industry sectors — including transportation, IT, manufacturing, communications, logistics, and finance.”

    According to CISA, cybercriminals and nation-states exploiting the vulnerability are able to upload a .zip file containing a JavaServer Pages (JSP) web shell masquerading as an x509 certificate: service.cer. From there, more requests are made to different API endpoints to further exploit the victim’s system, according to the advisory.

    “After the initial exploitation, the JSP web shell is accessible at /help/admin-guide/Reports/ReportGenerate.jsp. The attacker then attempts to move laterally using Windows Management Instrumentation (WMI), gain access to a domain controller, dump NTDS.dit and SECURITY/SYSTEM registry hives, and then, from there, continues the compromised access. Confirming a successful compromise of ManageEngine ADSelfService Plus may be difficult — the attackers run clean-up scripts designed to remove traces of the initial point of compromise and hide any relationship between the exploitation of the vulnerability and the web shell,” CISA explained. “Illicitly obtained access and information may disrupt company operations and subvert US research in multiple sectors. Successful exploitation of the vulnerability allows an attacker to place web shells, which enable the adversary to conduct post-exploitation activities, such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.”

    CISA added that organizations need to ensure that ADSelfService is not directly accessible from the internet and recommended “domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets if any indication is found that the NTDS.dit file was compromised.”

    Threat actors have been exploiting the vulnerability since August, and CISA said they had seen a variety of tactics used to take advantage of the flaw, including frequently writing web shells to disk for initial persistence, obfuscating files or information, conducting further operations to dump user credentials and more. Others have used it to add or delete user accounts, steal copies of the Active Directory database, delete files to remove indicators from the host and use Windows utilities to collect and archive files for exfiltration.

    The situation is so serious that the FBI said it is “leveraging specially trained cyber squads in each of its 56 field offices and CyWatch, the FBI’s 24/7 operations center and watch floor, which provides around-the-clock support to track incidents and communicate with field offices across the country and partner agencies.” CISA is also offering affected organizations help, and the US Coast Guard Cyber Command said it is providing specific cyber coverage for marine transportation system critical infrastructure.

    Oliver Tavakoli, CTO at Vectra, told ZDNet that finding a critical vulnerability in the system intended to help employees manage and reset their passwords “is exactly as bad as it sounds.” Even if the ADSelfService Plus server were not accessible from the internet, it would be accessible from any compromised laptop, Tavakoli noted. He added that recovering from an attack will be expensive because “domain-wide password resets and double Kerberos Ticket Granting Ticket (TGT) password resets” are disruptive by themselves. The APT groups may have established other means of persistence in the intervening time, he noted.
    BreachQuest CTO Jake Williams said it was important that organizations note the frequent use of web shells as a post-exploitation payload. “In this case, threat actors have been observed using web shells that were disguised as certificates. This sort of activity should stand out in web server logs – but only if organizations have a plan for detection,” Williams said. “Given that this will certainly not be the last vulnerability that results in web shell deployment, organizations are advised to baseline normal behavior in their web server logs so they can quickly discover when a web shell has been deployed.”

    Digital Shadows senior cyber threat intel analyst Sean Nikkel and other experts explained that this issue is the fifth instance of similar, critical vulnerabilities from ManageEngine this year. These vulnerabilities are severe in that they allow either remote code execution or the ability to bypass security controls, Nikkel told ZDNet. “Since the service interacts with Active Directory, giving attackers access can only lead to bad things, such as controlling domain controllers or other services. Attackers can then take advantage of ‘blending in with the noise’ of everyday system activity. It’s reasonable to assume that there will be more widespread exploitation of this and previous vulnerabilities given the interactivity with Microsoft system processes,” he said. “The observation that APT groups are actively exploiting CVE-2021-40539 should highlight the potential exposure it might cause. If trends are consistent, extortion groups will likely seek exploitation for ransomware activity in the not-so-distant future. Users of Zoho’s software should apply patches immediately to avoid the types of compromise described in the CISA bulletin.”

    The vulnerability is part of a larger trend of issues being found with systems management software tools. Vulcan Cyber CEO Yaniv Bar-Dayan compared it to recent issues with SolarWinds, Open Management Infrastructure (OMI), Salt and more. “Considering the amount of access and control these tools have, it is critical IT security teams take immediate steps to remediate fully. Zoho has a patch, but it is just a patch for one vulnerable component of what is a multi-layered, advanced persistent threat,” Bar-Dayan added. “Apply the patch, but also make sure to eliminate direct access to ManageEngine software from the Internet where possible. If APT groups get access to systems management tools, they get the keys to the kingdom. Move quickly.”
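    Williams’s advice above, to baseline normal web server behaviour so that a newly dropped web shell stands out, is something a short script can do against an access log. The following Python is an added example, not code from ZDNet, CISA or Zoho: it builds a baseline of method-plus-path pairs from access-log lines believed to predate the compromise, then flags later lines whose path was never seen in the baseline, that match the web-shell path quoted from the CISA advisory, or that POST to a .jsp resource. The log lines are constructed for the example, and the combined-log regex and the three flag rules are assumptions about a workable starting point rather than anything the advisory prescribes.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Regex for the "combined" access-log layout used by Apache httpd and nginx.
# Assumption: adjust the pattern to whatever format the front-end web server
# or reverse proxy in front of ADSelfService Plus actually writes.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# Web-shell location quoted from the CISA advisory on the page.
KNOWN_WEBSHELL_PATH = "/help/admin-guide/Reports/ReportGenerate.jsp"

# Constructed sample lines: a window believed to predate the compromise ...
BASELINE_LINES = [
    '10.0.0.5 - - [01/Sep/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Sep/2021:10:00:02 +0000] "GET /static/app.css HTTP/1.1" 200 2048',
    '10.0.0.7 - - [01/Sep/2021:10:05:00 +0000] "POST /login HTTP/1.1" 302 0',
]
# ... and a later window to scan (also constructed, not real traffic).
SUSPECT_LINES = [
    '10.0.0.5 - - [12/Sep/2021:09:00:01 +0000] "GET / HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Sep/2021:09:01:10 +0000] '
    '"POST /help/admin-guide/Reports/ReportGenerate.jsp HTTP/1.1" 200 77',
    '10.0.0.7 - - [12/Sep/2021:09:02:00 +0000] "POST /login HTTP/1.1" 302 0',
    '10.0.0.8 - - [12/Sep/2021:09:03:00 +0000] "GET /static/logo.png HTTP/1.1" 200 4096',
]


@dataclass
class Hit:
    line: str
    reasons: list = field(default_factory=list)


def parse(line):
    """Return the request fields of one access-log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore query strings when baselining
    return rec


def build_baseline(lines):
    """Count (method, path) pairs seen during the period believed to be clean."""
    seen = Counter()
    for ln in lines:
        rec = parse(ln)
        if rec:
            seen[(rec["method"], rec["path"])] += 1
    return seen


def scan(lines, baseline):
    """Flag lines that match the known indicator or deviate from the baseline."""
    hits = []
    for ln in lines:
        rec = parse(ln)
        if not rec:
            continue
        reasons = []
        if rec["path"].lower() == KNOWN_WEBSHELL_PATH.lower():
            reasons.append("known web-shell path from CISA advisory")
        if (rec["method"], rec["path"]) not in baseline:
            reasons.append("method+path never seen in baseline")
        if rec["method"] == "POST" and rec["path"].lower().endswith(".jsp"):
            reasons.append("POST to a .jsp resource")
        if reasons:
            hits.append(Hit(ln, reasons))
    return hits


def run_demo():
    """Scan the constructed suspect window against the constructed baseline."""
    return scan(SUSPECT_LINES, build_baseline(BASELINE_LINES))


if __name__ == "__main__":
    for hit in run_demo():
        print(hit.line)
        for reason in hit.reasons:
            print("   ->", reason)
```

    Because the advisory says the attackers run clean-up scripts on the host, both the baseline and the window being scanned should come from a copy of the logs shipped off the ADSelfService Plus server (a log collector or SIEM) rather than from the server’s own disk. The “never seen in baseline” rule also fires on legitimate changes such as a new static asset, so treat it as a triage signal to review alongside the stronger indicators rather than as an alert on its own.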