More stories


    Phishing, ransomware, Web app attacks dominate data breaches in 2021, says Verizon Business DBIR


    Web applications represented 39% of all data breaches in the last year, with phishing attacks up 11% and ransomware up 6% from a year ago, according to the Verizon Business Data Breach Investigations Report (DBIR). The report, based on 5,358 breaches from 83 contributors around the world, highlights how the COVID-19 pandemic move to the cloud and remote work opened up a few avenues for cybercrime. Verizon Business found that 61% of all breaches involved credential data. Consistent with previous years, human negligence was the biggest threat to security.

    Each industry in the DBIR had its own security nuances. For instance, 83% of data compromised in the financial and insurance industry was personal data, said Verizon Business. Healthcare was plagued by misdelivery of electronic or paper documents. In the public sector, social engineering was the technique of choice. By region, Asia Pacific breaches were typically driven by financial motivations and phishing. In EMEA, Web application attacks, system intrusion and social engineering were the norm.

    Here are some more figures to ponder in the Verizon Business DBIR:

    • 85% of breaches involved a human element.
    • 61% of breaches involved credentials.
    • Ransomware appeared in 10% of breaches, double the previous year.
    • Compromised external cloud assets were more common than on-premises assets in incidents and breaches.


    Colonial Pipeline restarts operations brought down by ransomware

    Colonial Pipeline, the operator of one of the largest pipelines in the United States for refined petroleum products, said Wednesday evening that it had restarted operations interrupted by a ransomware attack on May 7th. “Colonial Pipeline initiated the restart of pipeline operations today at approximately 5 p.m. ET.,” said the company in a posting on its Web page that has provided updates since Saturday.

    Said Colonial, “Some markets served by Colonial Pipeline may experience, or continue to experience, intermittent service interruptions during the start-up period. Colonial will move as much gasoline, diesel, and jet fuel as is safely possible and will continue to do so until markets return to normal.”

    Colonial first announced Saturday that it proactively shut down operations after being infiltrated by ransomware that encrypted the company’s files. The pipeline provides roughly 45% of the East Coast’s fuel. In the days following the attack, stocks of gasoline ran out across swathes of the Eastern U.S. seaboard, in states such as North Carolina and Virginia, prompting panic buying by motorists.

    Law enforcement and security specialists quickly pointed to the underworld organization DarkSide as the source of the ransomware code used, and DarkSide subsequently claimed responsibility for the attack. DarkSide operates as a “ransomware-as-a-service” cloud computing business. Security firm FireEye has documented the nature of the DarkSide code based on a forensic analysis of the exploit, and the groups that appear to have been participating in the attack using the code.

    Also Wednesday, the White House announced that U.S. President Joe Biden signed an executive order calling for a number of measures to “improve the nation’s cybersecurity and protect federal government networks.”


    PJCIS demands 23 changes before foreign entities get Australian data under IPO regime

    The Parliamentary Joint Committee on Intelligence and Security (PJCIS) has recommended the passage of the Bill that would pave the way for Australia to share communications data with other countries, but only if the government implements the 23 other recommendations it has made. The Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (IPO Bill), if passed, would allow Australia to obtain a proposed bilateral agreement with the United States, in the first instance, under its Clarifying Lawful Overseas Use of Data Act (CLOUD Act).

    The IPO Bill is intended to amend the Telecommunications (Interception and Access) Act 1979 (TIA Act) to create a framework for Australian agencies to gain access to stored telecommunications data from foreign designated communication providers in countries that have an agreement with Australia, and vice versa. But the committee has asked for a number of fixes to the TIA Act before waving through the IPO Bill.

    One recommendation from the PJCIS is that these foreign agreements be published and tabled in the regulations, subject to Parliamentary scrutiny and a period of disallowance. It also wants a disallowance period inserted into the TIA Act where arrangements with foreign parties are extended for another three years. The PJCIS does not require any arrangement extensions to be privy to Parliamentary scrutiny, but it does require a handful of prerequisites, with the first being that the foreign government is prohibited from intentionally targeting an Australian citizen or permanent resident, either directly or through a non-Australian.

    All interception activities of the foreign government, therefore, are only to be carried out for the purpose of obtaining information about communications of an individual who is outside of Australia. Further clauses include that the foreign party must not be engaging in collection activities on behalf of the Australian government, or any other government, and that it not share the data it obtained with any other government.

    The IPO Bill proposes three different types of international production orders that can be sought for three purposes. The types of production orders include interception of data, access to stored communications, and access to telecommunications data. Such an order may be sought for the purpose of an investigation of an offence of a serious nature; or the monitoring of a person subject to a control order, so as to protect the public from terrorist acts, prevent support for terrorist acts and hostile acts overseas, and detect breaches of the control order; or the carrying out by the Australian Security Intelligence Organisation (ASIO) of its functions.

    The committee wants the Bill amended to also require ASIO to retain a copy of a particular document for three years, or for as long as any of the data obtained under an international production order is retained, whichever is longer; and to retain all relevant materials supporting an application for an international production order for this period.

    The TIA Act, the PJCIS said, should also be amended to avoid “scope creep”: it has asked that an international agreement only be issued for the purpose of obtaining information relating to the listed criteria. The committee also wants “urgent circumstances” defined in the TIA Act and powers inserted to specify that ASIO’s Director-General of Security may only delegate powers to a senior position holder.

    The committee also wants the country seeking a designated international agreement with Australia to meet criteria, such as respect for the rule of law, human rights obligations, and clear legal procedures and restrictions governing the use of electronic surveillance investigatory powers. With concerns raised about the possibility of Australia granting foreign law enforcement bodies data that could be used to condemn an individual to death, given that countries such as the US still practise the death penalty, the PJCIS said the relevant minister must receive a written assurance from the government of the foreign country “relating to the non-use of Australian-sourced information obtained by virtue of the agreement in connection with any proceeding for a death penalty offence in the country or territory”.

    On the IPO Bill itself, it wants only officers or officials who are designated as authorised officers by the head of an enforcement agency to be given the ability to apply for IPOs. Accordingly, when it comes to authorising an individual to be an authorised officer, the PJCIS has asked for a requirement that the head of an enforcement agency must be satisfied it is necessary for an individual to be an “authorised officer” in order for the individual to carry out his or her normal duties.

    Elsewhere, the PJCIS has asked that the government ensure the Office of the Commonwealth Ombudsman has sufficient resources to enable effective oversight of powers under the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018, as well as the IPO Bill. It also wants assurance that the Inspector-General of Intelligence and Security is given appropriate resources to enable effective oversight of ASIO regarding its proposed IPO Bill powers. The PJCIS has asked as well that it be allowed to review the effectiveness and continuing need for an international production orders regime three years after the date on which the first designated international agreement comes into force.

    Finally, the committee said it will wave the Bill through if all of its recommendations are addressed. “The committee recommends that, following implementation of the recommendations in this report, the Bill be passed by Parliament,” it wrote.


    US agrees to remove Xiaomi from Communist Chinese military company list

    Xiaomi has been taken off the US government’s Communist Chinese military companies (CCMC) list, according to a court filing. In the court filing [PDF], the Department of Defense agreed to remove Xiaomi from the list as it did not wish to appeal a federal court order that blocked the department from placing restrictions on the ability of domestic companies to invest in Xiaomi. The court filing, submitted as part of a legal action raised by Xiaomi in February, brings an end to the scuffle between the Chinese company and the Department of Defense.

    The scuffle first began in mid-January, when the Department of Defense added Xiaomi to the CCMC list due to its belief that the company was procuring advanced technologies to support the Chinese military. Companies placed on the CCMC list are subject to a Donald Trump executive order that prohibits US persons from trading and investing in any of the listed companies and bans trading in any new companies once the US has placed the CCMC label on them.

    Immediately after Xiaomi received the designation, it criticised the move and denied having any ties with the Chinese military. This then led to the legal action between Xiaomi and the Department, which culminated in District Judge Rudolph Contreras’ order to temporarily stop Xiaomi from being added to the list as it would likely cause “irreparable harm” to the company. In making that order, Contreras also said Defense’s justification for adding the Chinese company to the list was made on “shaky ground”.

    “Taken together, the Court concludes that Defendants have not made the case that the national security interests at stake here are compelling,” he said.

    Since the new year, US entities, such as the New York Stock Exchange, have struggled to handle the consequences and interpretation of the CCMC list. Across the month of January, the exchange said it would delist a trio of Chinese telcos, before changing its mind, and then it reverted to its original decision. Other Chinese companies currently on the list include Huawei, Hikvision, Inspur, Panda Electronics, and Semiconductor Manufacturing International Corporation.


    Two thirds of CISOs across world expect damaging cyberattack in next 12 months

    More than 1,000 CISOs around the world have expressed concerns about the security ramifications of the massive shift to remote work since the beginning of the pandemic, according to a new survey from security company Proofpoint. The Proofpoint 2021 Voice of the CISO survey was conducted in the first quarter of 2021 and features insights from 1,400 CISOs at organizations of 200 employees or more across different industries in 14 countries. One hundred CISOs in each of the U.S., Canada, the U.K., France, Germany, Italy, Spain, Sweden, the Netherlands, UAE, Saudi Arabia, Australia, Japan, and Singapore were interviewed for the report, with many highlighting significant problems in the current cybersecurity landscape.

    Lucia Milică, global resident chief information security officer at Proofpoint, said CISOs are now facing a “constant barrage of attacks from all angles” and have had to take a variety of new measures in order to prepare for the challenges that come with protecting a hybrid workforce. “The pandemic placed an enormous strain on the global economy, and cybercriminals took advantage of this disruption to accelerate their nefarious activities,” Milică said. “We were inundated with cyberattacks, both new and familiar, from pandemic-themed phishing scams to the unwavering march of ransomware.”

    On average, 64% of CISOs surveyed said they felt their organization is at risk of suffering a material cyberattack in the next 12 months, with more than 65% of CISOs from the U.S., France, UAE, Australia, Sweden, Germany and the U.K. expressing this fear. The fear was highest among CISOs in the U.K., at 81%, and Germany, at 79%. By industry, the fear was highest among CISOs at retail companies and lowest among those working in the public sector. Another 66% of respondents said they did not believe their enterprise was ready to handle the effects of an attack, particularly CISOs in the Netherlands, Germany and Sweden.

    When it comes to the kinds of attacks CISOs are most concerned about, 34% said business email compromise attacks, 33% said cloud account compromise and 31% cited insider threats. Others mentioned DDoS attacks, supply chain attacks, physical attacks, ransomware attacks and phishing. CISOs in 12 of the 14 countries surveyed cited business email compromise as a top-three risk, coming in at number one in Canada, Sweden, Spain and Japan. Cloud account compromise was the number one risk in the U.S., France, Italy and Saudi Arabia. More than half of all CISOs said they are more worried about the repercussions of a cyberattack in 2021 than they were in 2020.

    Many CISOs said the current rise in the number of attacks was being exacerbated by the pandemic, the shift to teleworking and hastily deployed remote environments that made it difficult to protect sensitive information. Nearly 60% of respondents said they have seen more targeted attacks since remote working began at the beginning of the pandemic. Almost 70% of CISOs from companies with more than 5,000 employees reported their workforce being targeted more since remote working began, particularly those in industries like IT, technology and telecoms. CISOs in the UAE and Saudi Arabia saw the biggest increases in attacks since the beginning of remote working. More than half of all CISOs said remote working negatively impacted their ability to keep classified and sensitive information safe. A majority of CISOs said they have had to introduce stronger security policies since the pandemic began.

    Human error is quickly becoming one of the main attack vectors being exploited by cyberattackers, according to the survey. Seth Edgar, CISO for Michigan State University, told the survey that attackers “used to focus on exploiting infrastructure” but now explicitly target people. “Our focus has shifted to protecting people, which illustrates the changing boundary of security,” Edgar said. “That boundary has gotten very personal, very quickly.”

    When it comes to an organization’s ability to detect an attack or breach, less than two thirds of respondents said they were confident they were prepared, mostly due to a lack of technical tools and support from superiors. Looking ahead, 65% of CISOs surveyed said they believed they would be better prepared to “resist and recover” from cyberattacks by 2022 or 2023, particularly in the retail industry. Alongside that, a majority of CISOs surveyed said they expected at least an 11% increase in cybersecurity budgets over the next two years, but 32% said they expected their budgets to actually decrease over the next two years. Despite concerns over budgets, more than 60% said overall awareness among the public about cybersecurity would help them do their job.

    One concern raised by CISOs was the profitability of cybercrime, with 63% of respondents saying they expect the business to be even more lucrative in the coming years. Penalties for breaches or attacks will also increase, according to respondents. CISOs also said the pressure on them is becoming overbearing, with 66% of those working for organizations with more than 5,000 employees calling the expectations “excessive.” Half of all CISOs said they are not being put in positions to succeed.


    HP expands security services for printers at home or in the office

    HP on Wednesday announced a series of new security services for printers, helping IT departments secure devices both in an office setting and in home offices. In the era of remote work, printers are a potential attack point that makes corporate networks and data vulnerable, HP notes.

    First, HP is expanding its Flexworker offering, which is part of its cloud-based printer management service. The Flexworker plan enables employees to order supplies for their home printing needs. Now, it will offer a fully automated managed print service (MPS) contract, and it will give enterprises visibility into as many as 15 security settings on devices. The expanded program uses HP Security Manager to continuously monitor devices and automatically remediate compliance issues.

    Next, HP is introducing secure Internet Printing through HP Advance, a platform for capture, print and output management. The new service protects print jobs, in the office or at home, with encryption and authentication technologies, including OAuth 2.0 with OpenID Connect for Azure AD. It also provides job accounting, so companies can track activity both inside and outside the organization.

    Lastly, HP is making HP Secure Print compatible with Universal Print from Microsoft, which adds a layer of security by requiring authentication before the document is printed. It will also provide analytics about all print activity. The new services are part of HP Wolf Security, the company’s portfolio of secure hardware, security software and endpoint security services.


    Russia must do more to tackle cyber criminals operating from within its borders, says UK

    Russia must do more to tackle cyber criminals operating from within its territory, the UK’s Foreign Secretary Dominic Raab has warned. In a speech at the National Cyber Security Centre’s (NCSC) CYBERUK 21 conference, Raab called out nation-state backed hacking campaigns by North Korea, Iran, Russia and China, which he accused of using digital technology “to sabotage and steal, or to control and censor”.

    The UK, alongside the US, called out Russia’s involvement in the SolarWinds supply chain hack, which led to the compromise of several government agencies, technology firms and cybersecurity companies, but Raab argued that these states also need to take responsibility for cyber criminals operating within their borders. For example, the Colonial Pipeline ransomware attack, which has disrupted fuel supplies across the US East Coast, was apparently carried out by cyber criminals using DarkSide ransomware-as-a-service, a ransomware group which, like many others, is strongly suspected to be operating out of Russia.

    Some argue that Russia tolerates cyber criminals which attack targets in the West, so long as they stay away from Russian targets. Many of the most notorious ransomware gangs tailor the code of their malware to uninstall itself if it detects that the machine is set to the Russian language or has an IP address in a former Soviet nation.

    Ransomware attacks have caused a great deal of disruption around the world, and Raab accused the Kremlin of sitting back as “industrial scale vandals of the 21st century” caused chaos from within its borders.

    “When states like Russia have criminals or gangs operating from their territory, they can’t just wave their hands and say nothing to do with them – even when it’s not directly linked to the state, they have a responsibility to prosecute those gangs and those individuals, not to shelter them,” said Raab.

    Cyber threats from nation-states, cyber criminals, and everything in between will keep coming, but the Foreign Secretary said the UK is improving its capabilities when it comes to defending against cyber attacks. “We’re getting better at detecting, disrupting and deterring our enemies. Acting with partners around the world, we name and shame the perpetrators,” said Raab. “We did this last month with the SolarWinds attack, exposing the depth and the breadth of cyber activities by the Russian intelligence service, the SVR. And by revealing the tools and techniques malicious cyber actors are using, we can help our citizens and our businesses to see the signs early on and help them protect themselves from threats,” he added.

    However, there are no illusions that defending the UK from cyber threats will be an easy task. “It’s going to be a marathon, a war of attrition, but we will keep relentlessly shining a light on these predatory activities,” said Raab.


    New ransomware: CISA warns over FiveHands file-encrypting malware variant

    The US Cybersecurity & Infrastructure Security Agency (CISA) has warned organizations to be cautious of a relatively new ransomware variant called FiveHands. FiveHands ransomware has been around since January 2021, but CISA said it was “aware of a recent, successful cyberattack against an organization” using this strain of file-encrypting malware.

    The group using FiveHands employs the same tactics as the DarkSide ransomware group that is holding Colonial Pipeline to ransom, in that the group not only encrypts a target’s data but steals some of it and threatens to leak it online unless the attacker’s payment demands are met.

    FireEye’s incident response arm Mandiant, which tracks the FiveHands group as UNC2447, detected the group exploiting a zero-day flaw in the SonicWall VPN (CVE-2021-20016), according to an April report. Attackers were targeting unpatched SonicWall Secure Mobile Access SMA 100 remote access products, for which patches were released in February. The publicly available tools the group uses include the SoftPerfect Network Scanner for discovery and Microsoft’s own remote administration program, PsExec.exe, and its related ServeManager.exe.

    “To thwart the recovery of the data, the ransomware uses Windows Management Instrumentation (WMI) to enumerate Volume Shadow copies using the command select * from Win32_ShadowCopy and then deletes copies by ID (Win32_ShadowCopy.ID),” CISA notes in its Analysis Report (AR21-126A). “The malware will also encrypt files in the recovery folder at C:\Recovery. After the files are encrypted the program will write a ransom note to each folder and directory on the system called read_me_unlock.txt.”

    The SombRAT component allows the attackers to remotely download and execute malicious DLLs (software plugins) on the target network. It also serves as the main component of the attacker’s command and control infrastructure. “The RAT provides most of its C2 capabilities to the remote operator by allowing the remote operator to securely transfer executable DLL plugins to the target system—via a protected SSL session—and load these plugins at will via the embedded plugin framework,” CISA explains. “The native malware itself does not provide much actual functionality to the operator without the code provided by the plugins.” Without the plugins, the RAT can otherwise collect system data, such as the computer’s name, the user’s name, the current process, the operating system version, and the process it is masquerading as.

    Some key recommendations CISA offers are to update antivirus signatures and ensure the OS is updated with the latest patches. It also recommends disabling file and printer sharing services, implementing least privilege, and enabling multi-factor authentication on all VPN connections, external-facing services, and privileged accounts. Also, organizations should decommission unused VPN services and monitor network traffic for unapproved protocols, especially those used for outbound connections to the internet, such as SSH, SMB and RDP. Separately, CISA today issued the same advice for organizations and critical infrastructure in the wake of the Colonial Pipeline ransomware attack.
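The behaviours CISA describes above (a WMI query against Win32_ShadowCopy followed by deletion of copies by ID, then a ransom note dropped into many directories) are observable from endpoint telemetry, which makes them a useful detection anchor independent of the malware's file hash. The following is an added example, not code from CISA's report or the article: a small correlation detector run over constructed, simplified log lines in a hypothetical `host|pid|image|detail` format (the WmiQuery/WmiDelete/FileCreate event labels, the process names and the GUID placeholders are all assumptions made for the example).

```python
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed sample events, not real telemetry. Format: host|pid|image|detail.
# A backup agent also enumerates shadow copies (benign), so the detector must
# key on the deletion step, not on enumeration alone.
SAMPLE_LOG = [
    "host1|4120|backupagent.exe|WmiQuery: SELECT * FROM Win32_ShadowCopy",
    "host1|4120|backupagent.exe|WmiMethod: Win32_ShadowCopy.Create",
    "host1|5300|svchost.exe|WmiQuery: SELECT Name FROM Win32_Service",
    "host1|7788|updater.exe|WmiQuery: select * from Win32_ShadowCopy",
    'host1|7788|updater.exe|WmiDelete: Win32_ShadowCopy.ID="{PLACEHOLDER-GUID-1}"',
    'host1|7788|updater.exe|WmiDelete: Win32_ShadowCopy.ID="{PLACEHOLDER-GUID-2}"',
    r"host1|7788|updater.exe|FileCreate: C:\Users\alice\Documents\read_me_unlock.txt",
    r"host1|7788|updater.exe|FileCreate: C:\Recovery\read_me_unlock.txt",
]

# Patterns derived from the behaviours quoted in AR21-126A.
ENUM_RE = re.compile(r"WmiQuery:\s*select\s+.*\s+from\s+Win32_ShadowCopy\b", re.I)
DELETE_RE = re.compile(r"WmiDelete:\s*Win32_ShadowCopy\.ID=", re.I)
NOTE_RE = re.compile(r"FileCreate:\s*(?P<path>.+\\read_me_unlock\.txt)$", re.I)


def parse_event(line: str) -> Tuple[str, int, str, str]:
    """Split one constructed log line into (host, pid, image, detail)."""
    host, pid, image, detail = line.split("|", 3)
    return host, int(pid), image, detail


def detect(lines: List[str]) -> List[dict]:
    """Correlate events per process and return alerts.

    Alert 1: a process deleted shadow copies by ID (flagged whether or not it
             enumerated them first; the flag records the full sequence).
    Alert 2: a process wrote read_me_unlock.txt into two or more directories.
    """
    enumerated: Set[Tuple[str, int]] = set()
    deletions: Dict[Tuple[str, int], int] = defaultdict(int)
    note_dirs: Dict[Tuple[str, int], Set[str]] = defaultdict(set)
    images: Dict[Tuple[str, int], str] = {}

    for line in lines:
        host, pid, image, detail = parse_event(line)
        key = (host, pid)
        images[key] = image
        if ENUM_RE.search(detail):
            enumerated.add(key)
        elif DELETE_RE.search(detail):
            deletions[key] += 1
        else:
            m = NOTE_RE.search(detail)
            if m:
                # Record the directory, not the file, so repeated writes to one
                # folder do not look like a spray across the filesystem.
                note_dirs[key].add(m.group("path").rsplit("\\", 1)[0])

    alerts: List[dict] = []
    for (host, pid), count in deletions.items():
        alerts.append({
            "kind": "shadow_copy_deletion",
            "host": host, "pid": pid, "image": images[(host, pid)],
            "deleted": count, "enumerated_first": (host, pid) in enumerated,
        })
    for (host, pid), dirs in note_dirs.items():
        if len(dirs) >= 2:
            alerts.append({
                "kind": "ransom_note_spray",
                "host": host, "pid": pid, "image": images[(host, pid)],
                "directories": len(dirs),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Deletion rather than enumeration is the trigger because legitimate backup software enumerates Win32_ShadowCopy routinely; the `enumerated_first` flag simply records whether the full sequence CISA describes was seen. In a real deployment the same two rules would sit on top of WMI-Activity and file-creation telemetry rather than the constructed lines above.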