More stories


    US agrees to remove Xiaomi from Communist Chinese military company list

    Xiaomi has been taken off the US government’s Communist Chinese military companies (CCMC) list, according to a court filing. In the court filing [PDF], the Department of Defense agreed to remove Xiaomi from the list as it did not wish to appeal a federal court order that blocked the department from placing restrictions on the ability of domestic companies to invest in Xiaomi.

    The court filing, submitted as part of a legal action raised by Xiaomi in February, brings an end to the scuffle between the Chinese company and the Department of Defense.

    The scuffle first began in mid-January, when the Department of Defense added Xiaomi to the CCMC list due to its belief that the company was procuring advanced technologies to support the Chinese military. Companies placed on the CCMC list are subject to a Donald Trump executive order that prohibits US persons from trading and investing in any of the listed companies and bans trading in any new companies once the US has placed the CCMC label on them.

    Immediately after Xiaomi received the designation, it criticised the move and denied having any ties with the Chinese military. This then led to the legal action between Xiaomi and the Department, which culminated in District Judge Rudolph Contreras’ order to temporarily stop Xiaomi from being added to the list as it would likely cause “irreparable harm” to the company.

    In making that order, Contreras also said Defense’s justification for adding the Chinese company to the list was made on “shaky ground”.

    “Taken together, the Court concludes that Defendants have not made the case that the national security interests at stake here are compelling,” he said.

    Since the new year, US entities, such as the New York Stock Exchange, have struggled to handle the consequences and interpretation of the CCMC list. Across the month of January, the exchange said it would delist a trio of Chinese telcos, before changing its mind, and then it reverted to its original decision.

    Other Chinese companies currently on the list include Huawei, Hikvision, Inspur, Panda Electronics, and Semiconductor Manufacturing International Corporation.


    Two thirds of CISOs across world expect damaging cyberattack in next 12 months

    More than 1,000 CISOs around the world have expressed concerns about the security ramifications of the massive shift to remote work since the beginning of the pandemic, according to a new survey from security company Proofpoint.

    The Proofpoint 2021 Voice of the CISO survey was conducted in the first quarter of 2021 and features insights from 1,400 CISOs at organizations of 200 employees or more across different industries in 14 countries. One hundred CISOs from each of the U.S., Canada, the U.K., France, Germany, Italy, Spain, Sweden, the Netherlands, UAE, Saudi Arabia, Australia, Japan, and Singapore were interviewed for the report, with many highlighting significant problems in the current cybersecurity landscape.

    Lucia Milică, global resident chief information security officer at Proofpoint, said CISOs are now facing a “constant barrage of attacks from all angles” and have had to take a variety of new measures in order to prepare for the challenges that come with protecting a hybrid workforce.

    “The pandemic placed an enormous strain on the global economy, and cybercriminals took advantage of this disruption to accelerate their nefarious activities,” Milică said. “We were inundated with cyberattacks, both new and familiar, from pandemic-themed phishing scams to the unwavering march of ransomware.”

    On average, 64% of CISOs surveyed said they felt their organization is at risk of suffering a material cyberattack in the next 12 months, with more than 65% of CISOs from the U.S., France, UAE, Australia, Sweden, Germany and the U.K. expressing this fear. By country, the fear was highest among CISOs in the U.K., at 81%, and Germany, at 79%. By industry, it was highest among CISOs at retail companies and lowest among those working in the public sector. Another 66% of respondents said they did not believe their enterprise was ready to handle the effects of an attack, particularly CISOs in the Netherlands, Germany and Sweden.

    When it comes to the kinds of attacks CISOs are most concerned about, 34% said business email compromise attacks, 33% said cloud account compromise and 31% cited insider threats. Others mentioned DDoS attacks, supply chain attacks, physical attacks, ransomware attacks and phishing. CISOs in 12 out of the 14 countries surveyed cited business email compromise as a top three risk, coming in at number one in Canada, Sweden, Spain and Japan. Cloud account compromise was the number one risk in the U.S., France, Italy and Saudi Arabia. More than half of all CISOs said they are more worried about the repercussions of a cyberattack in 2021 than they were in 2020.

    Many CISOs said the current rise in the number of attacks was being exacerbated by the pandemic, the shift to teleworking and hastily deployed remote environments that made it difficult to protect sensitive information. Nearly 60% of respondents said they have seen more targeted attacks since remote working began at the beginning of the pandemic. Almost 70% of CISOs from companies with more than 5,000 employees reported their workforce being targeted more since remote working began, particularly those in industries like IT, technology and telecoms. CISOs in the UAE and Saudi Arabia saw the biggest increases in attacks since the beginning of remote working. More than half of all CISOs said remote working negatively impacted their ability to keep classified and sensitive information safe. A majority of CISOs said they have had to introduce stronger security policies since the pandemic began.

    Human error is quickly becoming one of the main attack vectors being exploited by cyberattackers, according to the survey. Seth Edgar, CISO for Michigan State University, told the survey that attackers “used to focus on exploiting infrastructure” but now explicitly target people. “Our focus has shifted to protecting people, which illustrates the changing boundary of security,” Edgar said. “That boundary has gotten very personal, very quickly.”

    When it comes to an organization’s ability to detect an attack or breach, less than two thirds of respondents said they were confident they were prepared, mostly due to a lack of technical tools and support from superiors. Looking ahead, 65% of CISOs surveyed said they believed they would be better prepared to “resist and recover” from cyberattacks by 2022 or 2023, particularly in the retail industry. Alongside that, a majority of CISOs surveyed said they expected at least an 11% increase in cybersecurity budgets over the next two years, but 32% said they expected their budgets to actually decrease over the next two years. Despite concerns over budgets, more than 60% said overall awareness among the public about cybersecurity would help them do their job.

    One concern raised by CISOs was the profitability of cybercrime, with 63% of respondents saying they expect the business to be even more lucrative in the coming years. Penalties for breaches or attacks will also increase, according to respondents. CISOs also said the pressure on them is becoming overbearing, with 66% of those working for organizations with more than 5,000 employees calling the expectations “excessive.” Half of all CISOs said they are not being put in positions to succeed.


    HP expands security services for printers at home or in the office

    HP on Wednesday announced a series of new security services for printers, helping IT departments secure devices both in an office setting and in home offices. In the era of remote work, printers are a potential attack point that make corporate networks and data vulnerable, HP notes.

    First, HP is expanding its Flexworker offering, which is part of its cloud-based printer management service. The Flexworker plan enables employees to order supplies for their home printing needs. Now, it will offer a fully-automated managed print service (MPS) contract, and it will give enterprises visibility into as many as 15 security settings on devices. The expanded program uses HP Security Manager to continuously monitor devices and automatically remediate compliance issues.

    Next, HP is introducing secure Internet Printing through HP Advance, a platform for capture, print and output management. The new service protects print jobs, in the office or at home, with encryption and authentication technologies, including OAuth 2.0 with OpenID Connect for Azure AD. It also provides job accounting, so companies can track activity both inside and outside the organization.

    Lastly, HP is making HP Secure Print compatible with Universal Print from Microsoft, which adds a layer of security by requiring authentication before the document is printed. It will also provide analytics about all print activity.

    The new services are part of HP Wolf Security, the company’s portfolio of secure hardware, security software and endpoint security services.


    Russia must do more to tackle cyber criminals operating from within its borders, says UK

    Russia must do more to tackle cyber criminals which are operating from within its territory, the UK’s Foreign Secretary Dominic Raab has warned.

    In a speech at the National Cyber Security Centre’s (NCSC) CYBERUK 21 conference, Dominic Raab called out nation-state backed hacking campaigns by North Korea, Iran, Russia and China, who he accused of using digital technology “to sabotage and steal, or to control and censor.”

    The UK, alongside the US, called out Russia’s involvement in the SolarWinds supply chain hack which led to the compromise of several government agencies, technology firms and cybersecurity companies – but Raab argued that these states also need to take responsibility for cyber criminals operating within their borders.

    For example, the Colonial Pipeline ransomware attack – which has disrupted fuel supplies across the US East Coast – was apparently carried out by cyber criminals using DarkSide ransomware-as-a-service – a ransomware group which, like many others, is highly suspected to be operating out of Russia.

    Some argue that Russia tolerates cyber criminals which attack targets in the West – so long as they stay away from Russian targets. Many of the most notorious ransomware gangs tailor the code of their malware to uninstall itself if it detects that the machine is set to the Russian language or has an IP address in a former Soviet nation.

    Ransomware attacks have caused a great deal of disruption around the world – and Raab accused the Kremlin of sitting back as “industrial scale vandals of the 21st century” caused chaos from within its borders.

    “When states like Russia have criminals or gangs operating from their territory, they can’t just wave their hands and say nothing to do with them – even when it’s not directly linked to the state, they have a responsibility to prosecute those gangs and those individuals, not to shelter them,” said Raab.

    Cyber threats from nation-states, cyber criminals – and everything in between – will keep coming, but the Foreign Secretary said the UK is improving its capabilities when it comes to defending against cyber attacks.

    “We’re getting better at detecting, disrupting and deterring our enemies. Acting with partners around the world, we name and shame the perpetrators,” said Raab. “We did this last month with the SolarWinds attack, exposing the depth and the breadth of cyber activities by the Russian intelligence service, the SVR. And by revealing the tools and techniques malicious cyber actors are using, we can help our citizens and our businesses to see the signs early on and help them protect themselves from threats,” he added.

    However, there are no illusions that defending the UK from cyber threats will be an easy task.

    “It’s going to be a marathon, a war of attrition, but we will keep relentlessly shining a light on these predatory activities,” said Raab.


    New ransomware: CISA warns over FiveHands file-encrypting malware variant

    The US Cybersecurity & Infrastructure Security Agency (CISA) has warned organizations to be cautious of a relatively new ransomware variant called FiveHands. FiveHands ransomware has been around since January 2021, but CISA said it was “aware of a recent, successful cyberattack against an organization” using this strain of file-encrypting malware.

    The group using FiveHands employs the same tactics as the DarkSide ransomware group that is holding Colonial Pipeline to ransom, in that the group not only encrypts a target’s data but steals some of it and threatens to leak it online unless the attacker’s payment demands are met.

    FireEye’s incident response arm Mandiant, which tracks the FiveHands group as UNC2447, detected the group exploiting a zero-day flaw in the SonicWall VPN (CVE-2021-20016), according to an April report. Attackers were targeting unpatched SonicWall Secure Mobile Access SMA 100 remote access products, for which patches were released in February.

    The publicly available tools the group uses include the SoftPerfect Network Scanner for discovery and Microsoft’s own remote administration program, PsExec.exe, and its related ServeManager.exe.

    “To thwart the recovery of the data, the ransomware uses Windows Management Instrumentation (WMI) to enumerate Volume Shadow copies using the command select * from Win32_ShadowCopy and then deletes copies by ID (Win32_ShadowCopy.ID),” CISA notes in its Analysis Report (AR21-126A).

    “The malware will also encrypt files in the recovery folder at C:\Recovery. After the files are encrypted the program will write a ransom note to each folder and directory on the system called read_me_unlock.txt.”

    The SombRAT component allows the attackers to remotely download and execute malicious DLLs (software plugins) on the target network. It also serves as the main component of the attacker’s command and control infrastructure.

    “The RAT provides most of its C2 capabilities to the remote operator by allowing the remote operator to securely transfer executable DLL plugins to the target system—via a protected SSL session—and load these plugins at will via the embedded plugin framework,” CISA explains. “The native malware itself does not provide much actual functionality to the operator without the code provided by the plugins.”

    Without the plugins, the RAT can otherwise collect system data, such as the computer’s name, the user’s name, the current process, the operating system version, and the process it is masquerading as.

    Some key recommendations CISA offers are to update antivirus signatures and ensure the OS is updated with the latest patches. It also recommends disabling file and printer sharing services, implementing least privilege, and enabling multi-factor authentication on all VPN connections, external-facing services, and privileged accounts. Also, organizations should decommission unused VPN services and monitor network traffic for unapproved protocols, especially those used for outbound connections to the internet, such as SSH, SMB and RDP.

    Separately, CISA today issued the same advice for organizations and critical infrastructures in the wake of the Colonial Pipeline ransomware attack.
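Added detection example, not code from CISA’s report or from this article: it correlates constructed WMI activity records for the enumerate-then-delete-by-ID sequence described above and escalates when the read_me_unlock.txt note follows. The pipe-delimited log format, hostnames, shadow-copy IDs and the five-minute correlation window are assumptions.

```python
"""Detect the shadow-copy wipe sequence CISA attributes to FiveHands: a WMI
query 'select * from Win32_ShadowCopy' followed by deletions by ID
(Win32_ShadowCopy.ID), optionally followed by the read_me_unlock.txt note.
The pipe-delimited log format and every sample line are constructed for
this example; map real WMI-activity or EDR telemetry onto parse_line()."""
import re
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample telemetry: "ISO time|host|user|event|detail"
SAMPLE_LOGS = [
    "2021-05-05T02:13:01|WS-014|svc_backup|WmiQuery|select * from Win32_ShadowCopy",
    "2021-05-05T02:13:02|WS-014|svc_backup|WmiMethod|Win32_ShadowCopy.ID='{CONSTRUCTED-ID-1}' Delete",
    "2021-05-05T02:13:02|WS-014|svc_backup|WmiMethod|Win32_ShadowCopy.ID='{CONSTRUCTED-ID-2}' Delete",
    "2021-05-05T02:14:10|WS-014|svc_backup|FileCreate|C:\\Users\\Public\\read_me_unlock.txt",
    # Benign: a different WMI class on another host
    "2021-05-05T09:00:00|WS-022|jdoe|WmiQuery|select * from Win32_OperatingSystem",
    # Benign edge case: enumeration alone (e.g. a backup health check) is not a wipe
    "2021-05-05T09:05:00|WS-031|backupsvc|WmiQuery|select * from Win32_ShadowCopy",
]

ENUM_RE = re.compile(r"select\s+\*\s+from\s+Win32_ShadowCopy\b", re.IGNORECASE)
DELETE_RE = re.compile(r"Win32_ShadowCopy\.ID=.*\bDelete\b", re.IGNORECASE)
NOTE_RE = re.compile(r"read_me_unlock\.txt$", re.IGNORECASE)
WINDOW = timedelta(minutes=5)  # assumed correlation window between enumeration and deletion


def parse_line(line: str) -> dict:
    """Split one constructed log line into a record with a parsed timestamp."""
    ts, host, user, event, detail = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "user": user, "event": event, "detail": detail}


def detect_shadow_copy_wipe(lines: List[str], window: timedelta = WINDOW) -> List[dict]:
    """Return one alert per host where a Win32_ShadowCopy enumeration is followed,
    within the window, by at least one deletion by ID. Enumeration alone is not
    alerted; a ransom note after the deletions raises severity to critical."""
    per_host: Dict[str, List[dict]] = {}
    for line in lines:
        rec = parse_line(line)
        per_host.setdefault(rec["host"], []).append(rec)

    alerts = []
    for host, recs in per_host.items():
        recs.sort(key=lambda r: r["ts"])
        enum_ts = None      # time of the most recent enumeration on this host
        enum_user = None
        deleted = 0
        note_seen = False
        for r in recs:
            if ENUM_RE.search(r["detail"]):
                enum_ts, enum_user, deleted, note_seen = r["ts"], r["user"], 0, False
            elif enum_ts is not None and r["ts"] - enum_ts <= window:
                if DELETE_RE.search(r["detail"]):
                    deleted += 1
                elif NOTE_RE.search(r["detail"]):
                    note_seen = True
        if deleted:
            alerts.append({
                "host": host,
                "user": enum_user,
                "first_seen": enum_ts.isoformat(),
                "shadow_copies_deleted": deleted,
                "ransom_note_seen": note_seen,
                "severity": "critical" if note_seen else "high",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_shadow_copy_wipe(SAMPLE_LOGS):
        print(alert)
```

A lone enumeration (the WS-031 line) deliberately produces no alert, since backup tooling legitimately queries Win32_ShadowCopy; only enumeration followed by deletion is flagged.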


    Researchers track down five affiliates of DarkSide ransomware service

    Researchers have provided the details of an investigation into cyberattacker activity linked to DarkSide ransomware.


    On Tuesday, FireEye researchers documented five separate clusters of activity suspected of being connected to DarkSide, the Ransomware-as-a-Service (RaaS) network responsible for the Colonial Pipeline security incident.

    Colonial Pipeline, one of the largest fuel pipeline operators and delivery companies in the United States, suffered a ransomware outbreak last week which has resulted in pipeline closures and fuel shortages. The firm is yet to restore all of its systems and the case — as it involves a critical infrastructure (CI) asset — is deemed serious enough to involve the FBI.

    DarkSide’s core team has attempted to distance itself from the attack by claiming to be “apolitical” and a group simply in it for the money. However, the incident has prompted the interest of not only law enforcement, but security researchers tracking RaaS services.

    So far, FireEye has tracked five threat actors who are either current or past DarkSide RaaS affiliates. RaaS subscribers are given access to custom malware — in this case, the DarkSide ransomware variant — in return for developers receiving a slice of any ransom payment profits. Forum posts indicate that affiliation requires 25% of the cut for ransom payments under $500,000 and this is decreased to 10% for anything over $5 million.

    According to the researchers, anyone who tries to join the DarkSide RaaS group has to pass an interview, and if they succeed, are then provided with a control panel for selecting their ransomware build, managing their victims, and contacting support. In addition, users can specify what information, stolen during a cyberattack, can be published on the main DarkSide leak site. This is known as a double-extortion tactic in which companies that refuse to pay for a decryption key are then threatened with the public leak of their files.

    FireEye has described the current activities of three out of the five linked groups, tracked as UNC2628, UNC2659, and UNC2465.

    UNC2628: This group has been active since February. They tend to move quickly from initial infection to ransomware deployment and may only lurk on a compromised network for two to three days before starting encryption. Suspicious authentication attempts, brute force attacks, and ‘spray and pray’ tactics are common, and this threat actor may also acquire initial access through legitimate credentials for corporate virtual private networks (VPNs), which can be purchased from other cybercriminals online. UNC2628 is thought to partner with other RaaS services including REvil and Netwalker.

    UNC2659: The second cluster, active since at least January, moves from initial access to ransomware deployment in an average of 10 days. This set exploits CVE-2021-20016 to obtain initial access, a now-patched vulnerability in the SonicWall SMA100 SSL VPN, a service designed for mobile workers. “There is some evidence to suggest the threat actor may have used the vulnerability to disable multi-factor authentication options on the SonicWall VPN, although this has not been confirmed,” FireEye says. TeamViewer is abused to maintain persistence on a compromised machine and the group exfiltrates files before encryption.

    UNC2465: With cybercriminal activity dating back to at least April 2019, UNC2465 now uses phishing emails to deliver DarkSide via the Smokedham .NET backdoor. In a case documented by FireEye, initial access to a network was obtained months ahead of ransomware execution. Smokedham also supports the execution of arbitrary .NET commands, keylogging, and screenshot generation. The NGROK utility is used by the threat actors to circumvent firewalls and expose remote desktop service ports.

    In related news, Sophos has been called in to assist on five different instances of DarkSide ransomware infection. The company has reported an average time of 45 days between initial access and ransomware deployment. A copy of the typical ransomware note is below.

    “We believe that threat actors have become more proficient at conducting multifaceted extortion operations and that this success has directly contributed to the rapid increase in the number of high-impact ransomware incidents over the past few years,” FireEye commented. “We expect that the extortion tactics that threat actors use to pressure victims will continue to evolve throughout 2021.”



    FBI, CISA publish alert on DarkSide ransomware

    The FBI and the US Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory in the aftermath of a devastating ransomware attack on Colonial Pipeline. 


    The alert, published on Tuesday, provides details on DarkSide, malware operators that run a Ransomware-as-a-Service (RaaS) network. DarkSide is responsible for the recent cyberattack on Colonial Pipeline. Last Friday, the fuel giant said a cyberattack had forced the company to halt pipeline operations and temporarily pull IT systems offline to contain the incident, found to be an infection caused by DarkSide affiliates.

    Colonial Pipeline is yet to recover and as a critical infrastructure provider — one which supplies 45% of the East Coast’s fuel and which usually delivers up to 100 million gallons of fuel daily — the FBI has become involved.

    “Cybercriminal groups use DarkSide to gain access to a victim’s network to encrypt and exfiltrate data,” the alert says. “These groups then threaten to expose data if the victim does not pay the ransom. Groups leveraging DarkSide have recently been targeting organizations across various CI sectors including manufacturing, legal, insurance, healthcare, and energy.”

    The DarkSide ransomware is provided to RaaS customers. This cybercriminal model has proven popular as it only requires a core team to develop malware, which can then be distributed to others. RaaS, also known as ransomware affiliate schemes, may be provided on a subscription basis and/or the creators receive a cut of the profits when a ransom is paid. In return, the developers continue to improve their malware ‘product’.

    DarkSide tries to portray itself in a ‘Robin Hood’ light, with terms of service for clients that dictate no medical, care homes, or palliative care providers should be targeted. The operators have been quick to distance themselves from the attack on Colonial Pipeline as a core country fuel provider and vaguely blamed the attack on a partner.

    “Our goal is to make money, and not creating problems for society,” DarkSide said.

    The FBI/CISA advisory also includes advice and best practices for preventing or mitigating the threat of ransomware.

    “CISA and FBI urge CI [critical infrastructure] asset owners and operators to adopt a heightened state of awareness and implement recommendations […] including implementing robust network segmentation between IT and OT networks; regularly testing manual controls; and ensuring that backups are implemented, regularly tested, and isolated from network connections,” the agencies say. “These mitigations will help CI owners and operators improve their entity’s functional resilience by reducing their vulnerability to ransomware and the risk of severe business degradation if impacted by ransomware.”

    Other recommendations include:

      • Multi-factor authentication for remote access to IT networks
      • Spam filters to mitigate phishing, and network traffic filters
      • Employee training programs
      • Frequent patch processes
      • Implementing security audits and risk assessments
      • RDP restrictions
      • Anonymization service connection monitoring

    “CISA and the FBI do not encourage paying a ransom to criminal actors,” the agencies added. “Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.”


    328 weaknesses found by WA Auditor-General in 50 local government systems

    The Auditor-General of Western Australia on Wednesday tabled a report into the computer systems used at 50 local government entities, revealing 328 control weaknesses across the group.

    It was Auditor-General Caroline Spencer’s intention to list the entities, but given the nature of her findings, all case studies included in Local Government General Computer Controls [PDF] omit entity, and system, names.

    “Included in the case studies are real life examples of how extremely poor general computer controls can result in system breaches, loss of sensitive and confidential information and financial loss,” Spencer said. “They serve as important reminders of the need to remain ever vigilant against constant cyber threats.”

    The report states that none of the 11 entities that the Auditor-General performed capability maturity assessments on met minimum targets. For the remaining 39, general computer controls audits were conducted.

    The audit probed information security, business continuity, management of IT risks, IT operations, change control, and physical security. Of the 328 control weaknesses, 33 rated as significant and 236 as moderate. Like last year, nearly half of all issues were about information security.

    Figure: 2019-20 capability maturity model assessment results
    The capability assessment results, meanwhile, showed that none of the 11 audited entities met the auditor’s expectations across the six control categories, with 79% of the audit results below the minimum benchmark.

    “Poor controls in these areas left systems and information vulnerable to misuse and could impact critical services provided to the public,” the report added. “Five of the entities were also included in last year’s in-depth assessment and could have improved their capability by promptly addressing the previous year’s audit findings but, overall, did not discernibly do so.”

    Among the findings were entities having a poor awareness of cyber threats, with one case study revealing a user’s account details were stolen because of a phishing attack that was not detected or prevented by the entity’s security controls. “The attack resulted in a fraudulent credit card transaction on the user’s corporate credit card, which was immediately cancelled,” the report said. “Further investigation by the entity revealed the attacker downloaded 10GB of entity information in the form of sensitive emails.”

    Another common weakness was that entities did not have policies, procedures, and processes to effectively manage technical vulnerabilities. At one entity, public facing and internal systems sat in the same network; the same entity also did not monitor devices on its network.

    Many entities were also not managing privileged access to their networks and systems. One entity was found to not have changed the password for the default network administrator account since 2002, even though various staff who knew the password had since left. “We found instances where this account was used out of office hours and the entity was unable to explain this use,” the report said.

    Probing the management of IT risks, weaknesses found included no policies and procedures to document, assess, review, and report IT risks; key risks were not documented, meaning entities were left unaware if appropriate controls were in place to protect their information; and entities had not reviewed their risk registers within a reasonable time.

    IT operations, meanwhile, also revealed many weaknesses, including a lack of user access reviews, no logging of user access and activity, a lack of incident management procedures, and no requirement for IT staff privy to certain sensitive information to complete a background check.

    “At one entity, staff could redirect payments for council rates, infringements, licence and application fees to another bank account by changing a file hosted on a shared server,” the report details. “Access to the server was not appropriately controlled because staff used a shared generic account to access and manage the server.”

    Physical security was also flagged as weak, with one example showing an entity had no monitoring process regarding its server room, meaning anyone could access it. Further weaknesses under the physical security banner included no backups and no appropriate environmental controls to protect IT infrastructure.

    The report provided six recommendations, one for each of the security types audited. These included implementing appropriate frameworks and management structures, identifying IT risks, and patching.