More stories

  • Half of businesses can't spot these signs of insider cybersecurity threats

    Most businesses are struggling to identify and detect early indicators that could suggest an insider is plotting to steal data or carry out other cyberattacks. Research by security think tank the Ponemon Institute and cybersecurity company DTEX Systems suggests that over half of companies find it impossible or very difficult to prevent insider attacks.

    These businesses are missing indicators that something might be wrong. Those include unusual numbers of files being opened, attempts to use USB devices, staff purposefully circumventing security controls, masking their online activities, or moving and saving files to unusual locations. All of these and more might suggest that a user is planning malicious activity, including the theft of company data.

    Insider threats can come in a number of forms, ranging from employees who plan to take confidential data when they leave for another job, to those who are actively working with cyber criminals, potentially even to lay the foundations for a ransomware attack. In many cases, an insider preparing to carry out an attack will follow a set pattern of activities including reconnaissance, circumvention, aggregation, obfuscation and exfiltration, all of which could suggest something is amiss. But businesses are struggling to detect the indicators of insider threat in each of these stages because of a lack of effective monitoring controls and practices.

    “The vast majority of security threats follow a pattern or sequence of activity leading up to an attack, and insider threats are no exception,” said Larry Ponemon, chairman and founder of the Ponemon Institute. Many security professionals are already familiar with Lockheed Martin’s Cyber Kill Chain and the MITRE ATT&CK Framework, both of which describe the various stages of an attack and the tactics utilized by an external adversary, he said. But since human behavior is more nuanced than machine behavior, insider attacks follow a slightly different path and, therefore, require modern approaches to combat.

    Just a third of businesses believe they’re effective at preventing data from being leaked from the organisation.

    According to the research, one of the key reasons insider threats aren’t being detected is confusion around who is responsible for controlling and mitigating risks. While 15% of those surveyed suggested that the CIO, CISO or head of the business is responsible, 15% suggested that nobody has ultimate responsibility in this space – meaning that managing and detecting the risks and threats can fall between the cracks.

    There are several factors that make detecting cybersecurity risks – including insider threats – difficult. Over half of businesses cite a lack of in-house expertise in dealing with threats, while just under half say there’s a lack of budget, and the shift to remote working has also made it harder to mitigate cybersecurity risks.

    According to Ponemon and DTEX, the best way for companies to improve their ability to detect insider threats is to improve the security posture of the business, as well as designating a clear authority for controlling and mitigating this risk – one that can investigate activities that could suggest a potential insider attack.

    “Our findings indicate that in order to fully understand any insider incident, visibility into the nuance and sequence of human behavior is pivotal,” said Rajan Koo, chief customer officer at DTEX Systems. “Organisations need to take a human approach to understanding and detecting insider threats, as human elements are at the heart of these risks,” he added.
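    The indicator-by-stage idea described above can be turned into simple triage logic. The following is an added example, not code from the Ponemon/DTEX study or from ZDNet: it maps the indicators the article names (unusual numbers of file opens, USB use, circumventing security controls, saving files to unusual locations, share reconnaissance) onto four of the five stages the article lists (obfuscation, such as masking online activity, would need network telemetry and is not modelled), and escalates users whose indicators span several stages. The event format, action names, thresholds and sample events are all assumptions constructed for the example.

```python
"""Triage constructed endpoint audit events for insider-threat indicators.

Added example, not code from the Ponemon/DTEX study or from ZDNet. Event
format, action names and thresholds are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: (timestamp, user, action, detail). Not real logs.
SAMPLE_EVENTS = [
    ("2021-08-30T20:58:00", "mallory", "share_enum", "\\\\fs01\\*"),
    ("2021-08-30T21:02:00", "mallory", "security_control_disable", "endpoint_dlp"),
    ("2021-08-30T21:40:00", "mallory", "file_save", "C:\\Users\\mallory\\Downloads\\q2_all.zip"),
    ("2021-08-30T21:41:00", "mallory", "usb_mount_attempt", "VID_0781&PID_5583"),
    ("2021-08-30T09:10:00", "alice", "file_open", "\\\\fs01\\finance\\budget.xlsx"),
    ("2021-08-30T09:12:00", "alice", "file_save", "\\\\fs01\\finance\\budget.xlsx"),
    ("2021-08-30T14:00:00", "bob", "usb_mount_attempt", "VID_0781&PID_5583"),
] + [
    # sixty finance files opened in thirty minutes: the "unusual numbers of files" indicator
    ("2021-08-30T21:%02d:00" % (5 + i // 2), "mallory", "file_open",
     "\\\\fs01\\finance\\doc%03d.xlsx" % i)
    for i in range(60)
]

BULK_OPEN_THRESHOLD = 50          # file opens per sliding window (assumed baseline)
WINDOW = timedelta(hours=1)
UNUSUAL_SAVE_PATHS = ("\\downloads\\", "\\temp\\", "\\tmp\\")  # assumed staging areas

# Direct action-to-stage mapping, using the stage names from the article.
STAGE_OF_ACTION = {
    "share_enum": "reconnaissance",
    "security_control_disable": "circumvention",
    "usb_mount_attempt": "exfiltration",
}


def bulk_file_opens(events):
    """Return {user: peak count} for users exceeding the threshold in any window."""
    by_user = defaultdict(list)
    for ts, user, action, _ in events:
        if action == "file_open":
            by_user[user].append(datetime.fromisoformat(ts))
    hits = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > WINDOW:
                start += 1
            count = end - start + 1
            if count >= BULK_OPEN_THRESHOLD:
                hits[user] = max(hits.get(user, 0), count)
    return hits


def triage(events):
    """Map each user's events onto stages; returns {user: [(stage, reason), ...]}."""
    findings = defaultdict(set)
    for ts, user, action, detail in events:
        stage = STAGE_OF_ACTION.get(action)
        if stage:
            findings[user].add((stage, f"{action}: {detail}"))
        elif action == "file_save" and any(p in detail.lower() for p in UNUSUAL_SAVE_PATHS):
            findings[user].add(("aggregation", f"saved to unusual location: {detail}"))
    for user, count in bulk_file_opens(events).items():
        findings[user].add(("aggregation", f"{count} file opens within {WINDOW}"))
    return {user: sorted(f) for user, f in findings.items()}


def stages_for(findings, user):
    return sorted({stage for stage, _ in findings.get(user, [])})


def escalate(findings, min_stages=3):
    """Users whose indicators span at least min_stages of the sequence (assumed cut-off)."""
    return sorted(u for u in findings if len(stages_for(findings, u)) >= min_stages)


if __name__ == "__main__":
    result = triage(SAMPLE_EVENTS)
    for user in escalate(result):
        print(user, stages_for(result, user))
        for stage, reason in result[user]:
            print("  ", stage, "-", reason)
```

    The point of escalating on breadth of stages rather than on any single indicator is the one the article makes: a lone USB mount attempt (bob) is routine, whereas reconnaissance, control circumvention, bulk aggregation and an exfiltration attempt from the same user inside an hour is the sequence worth an investigator's time.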

  • This is why the Mozi botnet will linger on

    It has been two years since the emergence of Mozi, and despite the arrest of its alleged author, the botnet continues to spread.

    Mozi was discovered in 2019 by 360 Netlab, and in the two years since has grown from a small operation to a botnet that “accounted for an extremely high percentage of [Internet of Things] IoT traffic at its peak.” According to Netlab (translated), Mozi has accounted for over 1.5 million infected nodes, of which the majority — 830,000 — originate from China.

    Mozi is a P2P botnet that uses the DHT protocol. In order to spread, the botnet abuses weak Telnet passwords and known exploits to target networking devices, IoT devices, and video recorders, among other internet-connected products. The botnet is able to enslave devices to launch Distributed Denial-of-Service (DDoS) attacks, launch payloads, steal data, and execute system commands. If routers are infected, this could lead to Man-in-The-Middle (MITM) attacks.

    Earlier this month, Microsoft IoT security researchers said that Mozi has evolved to “achieve persistence on network gateways manufactured by Netgear, Huawei, and ZTE” by adapting its persistence mechanisms to each device’s architecture. In July, Netlab said that it had assisted law enforcement in arresting the alleged developer of Mozi, and therefore “we don’t think it will continue to be updated for quite some time to come.”

    However, the botnet lives on, and on Tuesday the company provided its opinion on why. “We know that Mozi uses a P2P network structure, and one of the ‘advantages’ of a P2P network is that it is robust, so even if some of the nodes go down, the whole network will carry on, and the remaining nodes will still infect other vulnerable devices,” Netlab says. “That is why we can still see Mozi spreading.”

    According to the team, alongside the main Mozi_ftp protocol, the discovery of malware using the same P2P setup — Mozi_ssh — suggests that the botnet is also being used to cash in on illegal cryptocurrency mining. In addition, users are harnessing Mozi’s DHT configuration module and creating new, functional nodes for it, which the team says allows them to “quickly develop the programs needed for new functional nodes, which is very convenient.” “This convenience is one of the reasons for the rapid expansion of the Mozi botnet,” Netlab added.

    The team also said that a sample of the botnet dubbed v2s, captured last year, suggests that updates to Mozi have been focused on separating control nodes from “mozi_bot” nodes, as well as improving efficiency. It may be that these changes were made by the authors to lease the network to other threat actors.

    “The Mozi botnet samples have stopped updating for quite some time, but this does not mean that the threat posed by Mozi has ended,” the researchers say. “Since the parts of the network that are already spread across the internet have the ability to continue to be infected, new devices are infected every day.” Netlab predicts that week by week the size of the botnet will gradually decrease, but it is likely that the impact of Mozi will be felt for some time to come.

  • Cream Finance platform pilfered for over $34 million in cryptocurrency

    Cream Finance has lost over $34 million in cryptocurrency after a cyberattacker exploited a vulnerability in the project’s market system. 

    The decentralized finance (DeFi) organization is the developer of a lending protocol for individuals, with yields on offer for some cryptocurrency stakes. Assets on the platform include Ethereum (ETH), the AMP token, CREAM token, USDT, and COMP.

    Cream said an attacker managed to exploit a vulnerability on August 31, leading to the theft of 462,079,976 AMP tokens ($24.2m) and 2,804.96 ETH ($9.9m), according to an update posted on September 1. At current prices, this amounts to over $34 million.

    In an analysis of the attack, conducted with the assistance of PeckShield, Cream said an error in how the platform integrated AMP, leading to a reentrancy bug, was the source of the exploit. “While unfortunate and disappointing, we take ownership of the error,” the developers say.

    Cream is now working with law enforcement to try and trace the attacker — or attackers, as the platform says a “copycat” was also in play at the time of the main attack. The second individual has a transaction history with Binance.

    The organization has paused AMP supply and borrow functions until a patch can be deployed. The stolen ETH and AMP will be replaced, with 20% of protocol fees now earmarked to repay customers. Cream says that if the attacker is willing to return the stolen cryptocurrency, they can keep 10% without any consequences, as a form of bug bounty payment. However, if others are able to provide a lead on the identity of the cyberattacker leading to their arrest and/or prosecution, 50% of the value of the stolen funds is on offer as a reward. If neither offer is successful, “we will forward all relevant information to law enforcement authorities and prosecute to the fullest extent of the law,” the company says.

    This is not the first time Cream has fallen foul of a cyberattack. In February, the platform lost $37.5 million due to a flash loan exploit made via IronBank. Earlier this month, DeFi platform Poly Network said an attacker exploited a vulnerability in the platform to siphon away roughly $610 million in cryptocurrency, including BSC and ETH. The thief has since returned the funds and is signed off as “Mr. White Hat” in Poly blog posts. The company has returned assets to its rightful owners and is currently in the process of restoring cross-chain services.

  • Scam artists are recruiting English speakers for business email campaigns

    Native English speakers are being recruited in droves by criminals trying to make Business Email Compromise (BEC) more effective.

    BEC schemes can be simple to execute and are among the most potentially devastating for a business, alongside threats such as ransomware. A BEC scam will usually start with a phishing email, tailored and customized depending on the victim. Social engineering and email address spoofing may also be used to make the message appear to originate from someone in the target company — such as an executive, the CEO, or a member of an accounts team — in order to fool an employee into making a payment to an account controlled by a criminal. In some cases, these payments — intended to pay an alleged invoice, for example — can reach millions of dollars. In 2020, US companies alone lost roughly $1.8 billion to these forms of cyberattack.

    Little technical knowledge is required to pull off a BEC scam. However, threat actors need to be able to communicate effectively in order to succeed, and if they are not fluent in the language a target speaks, this can cause BEC attacks to ultimately fail. Unfortunately, there are ways to plug this gap in expertise: recruit a native speaker from the underground. According to Intel 471, forums are now being used to seek out English speakers in particular, to bring together teams able to manage both the technical aspects and the social engineering elements of a BEC scam.

    Over the course of 2021, threat actors have posted ‘wanted’ adverts on a popular Russian-speaking cybercriminal forum asking for native English speakers, who are later tasked with managing email communication that would not raise red flags with members of a high-level organization, as well as managing the negotiation aspect of a BEC operation. If a scam is to succeed, the target employee must believe communication comes from a legitimate source — and secondary language use, spelling mistakes, and grammatical issues could all be indicators that something isn’t right, in the same way that run-of-the-mill spam often contains issues that alert recipients to attempted fraud.

    “Actors like those we witnessed are searching for native English speakers since North American and European markets are the primary targets of such scams,” the researchers say.

    In addition, threat actors are also trying to recruit launderers to clean up the proceeds from BEC schemes, often achieved through cryptocurrency mixer and tumbler platforms. One advert spotted by the team asked for a service able to launder up to $250,000.

    “The BEC footprint on underground forums is not as large as other types of cybercrime, likely since many of the operational elements of BEC use targeted social engineering tactics and fraudulent domains, which do not typically require technical services or products that the underground offers,” Intel 471 says. “[…] Criminals will use the underground for all types of schemes, as long as those forums remain a hotbed of skills that can make criminals money.”
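    The article's description of how a BEC message is dressed up (a sender made to look like an executive or accounts team, fraudulent domains, an invoice or payment request) also describes what a mail gateway can check for. The block below is an added example, not Intel 471's tooling or anything from ZDNet: it parses constructed sample messages with Python's standard email module and flags display-name impersonation of a known executive, a lookalike sender domain (within one edit of the organisation's domain), a Reply-To that diverts replies elsewhere, and payment language in the body. The organisation domain, executive directory, keyword list and sample messages are assumptions.

```python
"""Screen inbound mail for the BEC impersonation indicators described above.

Added example, not Intel 471's or ZDNet's code. OUR_DOMAIN, EXECUTIVES,
PAYMENT_TERMS and the sample messages are constructed for this example.
"""
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example-corp.com"                          # assumed organisation domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}   # assumed directory: name -> real address
PAYMENT_TERMS = ("wire", "invoice", "bank details", "urgent payment")

# Constructed sample: executive display name, lookalike domain ('0' for 'o'),
# replies diverted to a free-mail address, and an invoice/wire request.
SAMPLE_BEC = """From: Jane Doe <jane.doe@example-c0rp.com>
Reply-To: Jane Doe <jane.doe@freemail-example.test>
To: accounts@example-corp.com
Subject: Quick favour

Please process the attached invoice by wire transfer today, I am in meetings.
"""

# Constructed sample: same executive, genuine address, no payment language.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Sync

Are you free for a quick sync next week?
"""


def edit_distance(a, b):
    """Levenshtein distance; used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain):
    """True when the sender domain is within one edit of ours but is not ours."""
    return domain != OUR_DOMAIN and edit_distance(domain, OUR_DOMAIN) <= 1


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower()


def screen(raw_message):
    """Return the list of BEC indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # 1. Display name matches a known executive but the address is not theirs.
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        findings.append("display-name impersonates a known executive")
    # 2. Fraudulent domain that differs from ours by one character.
    if lookalike(from_domain):
        findings.append(f"lookalike sender domain: {from_domain}")
    # 3. Replies silently routed to a different domain than the visible sender.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("Reply-To domain differs from From domain")
    # 4. The payoff: a request to move money.
    body = msg.get_payload().lower()
    if any(term in body for term in PAYMENT_TERMS):
        findings.append("payment request language in body")
    return findings


if __name__ == "__main__":
    for label, raw in (("BEC sample", SAMPLE_BEC), ("legitimate sample", SAMPLE_LEGIT)):
        print(label, "->", screen(raw) or "no indicators")
```

    None of these checks is conclusive on its own (executives do use personal Reply-To addresses, and invoices do arrive by email), which is why the function returns all indicators rather than a verdict: a message that trips several of them at once is what deserves an out-of-band confirmation with the supposed sender before any payment is made.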

  • FBI, CISA warn of potential cyberattacks over Labor Day weekend

    CISA and the FBI have released an advisory warning of potential cyberattacks that may occur over the coming Labor Day weekend, noting that in recent years hackers have launched dozens of devastating attacks on long weekends. They urged organizations to take steps to secure their systems, reduce their exposure and potentially “engage in preemptive threat hunting on their networks to search for signs of threat actors.”

    Eric Goldstein, executive assistant director for Cybersecurity at CISA, said ransomware “continues to be a national security threat” but noted that the challenges presented by potential attacks are “not insurmountable.” “With our FBI partners, we continue to collaborate daily to ensure we provide timely, useful and actionable advisories that help industry and government partners of all sizes adopt defensible network strategies and strengthen their resilience,” Goldstein said. “All organizations must continue to be vigilant against this ongoing threat.”

    Kaseya attack

    He urged organizations not to pay ransoms in the event of a ransomware attack and said CISA or local FBI field offices should be contacted before any decisions are made. CISA noted that there is generally an increase in “highly impactful ransomware attacks” that occur on holidays and weekends, noting the devastating Kaseya attack that took place on July 4. CISA said it does not have specific threat intelligence indicating attacks are imminent but explained that threat actors know IT teams are limited on holiday weekends and listed a number of attacks that took place on holidays this year. 

    They cited the Mother’s Day weekend attack in May by the DarkSide ransomware group on Colonial Pipeline and the Memorial Day weekend attack on major meat processor JBS by the Sodinokibi/REvil ransomware group. REvil then hit Kaseya on July 4, continuing the holiday attack trend. 


    “The FBI’s Internet Crime Complaint Center, which provides the public with a trustworthy source for reporting information on cyber incidents, received 791,790 complaints for all types of internet crime — a record number — from the American public in 2020, with reported losses exceeding $4.1 billion,” the advisory said. “This represents a 69 percent increase in total complaints from 2019. The number of ransomware incidents also continues to rise, with 2,474 incidents reported in 2020, representing a 20 percent increase in the number of incidents, and a 225 percent increase in ransom demands. From January to July 31, 2021, the IC3 has received 2,084 ransomware complaints with over $16.8M in losses, a 62 percent increase in reporting and 20 percent increase in reported losses compared to the same time frame in 2020.”

    The FBI added that over the last month, the most frequently reported attacks involved ransomware groups like Conti, PYSA, LockBit, RansomEXX/Defray777, Zeppelin and Crysis/Dharma/Phobos. More ransomware groups are also coupling the encryption of IT assets with the secondary extortion of organizations with stolen sensitive or proprietary data, according to the notice. CISA added that ransomware groups are increasingly deleting backups and adding other tactics to make attacks more devastating.

    The most common initial access vectors involve phishing and brute forcing unsecured remote desktop protocol endpoints, according to CISA. Ransomware gangs are also using dropper malware, exploiting vulnerabilities and taking advantage of stolen credentials. At times, ransomware actors spend weeks inside a system before launching an attack — typically on weekends or holidays — so CISA urged IT leaders to proactively search their systems for potential points of access. Suspicious traffic patterns and strange access locations may help tip off IT teams to the potential for an attack, CISA noted.

    IT leaders, like ThycoticCentrify vice president Bill O’Neill, said malicious actors often know that long weekends mean there will be a delayed response or an unprepared ‘skeleton crew’ that simply doesn’t have the resources to simultaneously monitor for and deter threats fast enough. “Or threats will be monitored, trigger automatic alerts, and enforce certain lockdowns, but often those still require human action for mitigation and additional security controls,” O’Neill said. “And because most organizations would prefer to have their data released immediately rather than wait out the duration of a holiday weekend (and incur continued reputational damage), they’re also more likely to negotiate with attackers and pay out the requested ransom to minimize long term risks associated with these attacks.”

    Lookout senior manager Hank Schless added that hackers know people may be traveling and not able to access their work computer or mobile device in order to help stop an attack once they receive an alert of suspicious activity. Attackers have already become much more advanced in how they gain entry to an organization’s infrastructure — even when teams are fully staffed up and working, Schless told ZDNet.

    Jake Williams, CTO at BreachQuest, explained that most ransomware attacks seen today could be easily discovered before encryption by following the guidance from CISA. “This is especially true for reviewing logs. Threat actors could certainly perform lateral movement while staying out of logs, but with the plethora of potential victims with horrible cyber hygiene there’s currently no need to do so,” Williams said, adding that extremely basic levels of cybersecurity hygiene and monitoring are enough to achieve early detection of today’s ransomware adversaries.

    Tripwire vice president Tim Erlin put it succinctly: “Attackers don’t take the weekends off, and neither should your cybersecurity.”

  • CrowdStrike beats Q2 estimates with strong subscription growth

    CrowdStrike on Tuesday published its second quarter financial results, beating market estimates with solid growth from subscription customers. The cybersecurity company added 1,660 net new subscription customers in the quarter for a total of 13,080 subscription customers as of July 31. That represents 81% year-over-year growth. Subscription revenue was $315.8 million, a 71% increase. CrowdStrike’s total Q2 revenue was $337.7 million, a 70% increase over a year prior. Non-GAAP net income came to $25.9 million or 11 cents per share. Analysts were expecting earnings of 9 cents per share on revenue of $323.16 million.

    “CrowdStrike delivered an outstanding second quarter with rapid subscription revenue growth and record net new ARR generated in the quarter,” CEO and co-founder George Kurtz said in a statement. “The success of our platform strategy and our growing brand leadership have led to a groundswell of customers turning to CrowdStrike as their trusted security platform of record. We believe that our extensible Falcon platform, purpose-built to leverage the power of the cloud, collecting data once and reusing it many times, is a fundamental cornerstone to building a durable growth business over the long-term.”

    CrowdStrike’s annual recurring revenue (ARR) increased 70% year-over-year and grew to $1.34 billion as of July 31. Of that, $150.6 million was net new ARR added in the quarter. In addition to adding a record number of net new subscribers in the quarter, CrowdStrike reported solid growth in the portion of subscribers adopting multiple modules. CrowdStrike’s subscription customers that have adopted four or more modules, five or more modules and six or more modules increased to 66%, 53%, and 29%, respectively, as of July 31.

    For the third quarter, the company expects total revenue in the range of $358 million to $365.3 million.


  • Don't want to get hacked? Then avoid these three 'exceptionally dangerous' cybersecurity mistakes

    Using unsupported software, allowing the use of default usernames and passwords and using single-factor authentication for remote or administrative access to systems are all dangerous behaviours when it comes to cybersecurity and should be avoided by all organisations – but particularly those supporting critical infrastructure. 


    The warning comes from the US Cybersecurity and Infrastructure Security Agency (CISA), which is developing a catalogue of “exceptionally risky” behaviours that can put critical infrastructure at extra risk of falling victim to cyber attacks. Use of single-factor authentication — where users only need to enter a username and password — is the latest risky behaviour to be added to the list, with CISA warning that single-factor authentication for remote or administrative access to systems supporting the operation of critical infrastructure “is dangerous and significantly elevates risk to national security”.

    Using multi-factor authentication can help disrupt over 99 percent of cyber attacks. For critical infrastructure, it’s therefore particularly important to have it applied in order to help prevent cyber criminals from tampering with cyber-physical systems.

    Alongside single-factor authentication as a bad practice is the use of known, fixed or default passwords, which CISA describes as “dangerous”. Default or simple passwords are good for cyber criminals because there’s a much higher chance of them being able to simply guess passwords and compromise accounts. CISA also warns against the use of passwords which are known to have been breached previously, as that means they also provide cyber criminals with a simple means of gaining access to networks.

    The third bad practice listed by CISA is the use of unsupported or end-of-life software in critical infrastructure. By using software or operating systems which no longer receive security updates, there’s the risk that cyber criminals could exploit newly discovered security vulnerabilities, because old software often doesn’t receive security patches.

    “The presence of these bad practices in organizations that support critical infrastructure…is exceptionally dangerous and increases risk to our critical infrastructure, on which we rely for national security, economic stability, and life, health, and safety of the public,” CISA said.

    CISA’s list of dangerous bad practices is designed as advice for organisations involved in running or supporting critical infrastructure – but it’s also useful advice for businesses in general: avoiding the use of single-factor authentication, default passwords and unsupported software will also help protect them from falling victim to cyber attacks.
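    The three bad practices above are concrete enough to audit for mechanically. The block below is an added example and is not CISA's own tooling: it walks a constructed asset inventory and flags end-of-life software, default or previously breached passwords, and single-factor authentication on remote or administrative access. Breached-password corpora are normally held as hashes rather than plaintext, so the check compares SHA-1 digests; the inventory schema, EOL dates, default-credential list, breached-hash set and the `audit` reference date are all assumptions made for the example.

```python
"""Audit a constructed asset inventory for CISA's three 'bad practices'.

Added example, not CISA's tooling. Inventory schema, EOL dates, the
default-credential list and the breached-hash set are assumptions.
"""
import hashlib
from datetime import date

# Constructed inventory: one record per account on a host. Not real assets.
INVENTORY = [
    {"host": "plc-gw-01", "user": "admin", "password": "admin",
     "role": "admin", "remote": True, "mfa": False,
     "software": "VendorOS 4.1", "eol": date(2019, 1, 1)},
    {"host": "hmi-02", "user": "operator", "password": "Winter2021!",
     "role": "user", "remote": True, "mfa": False,
     "software": "VendorOS 5.2", "eol": date(2025, 6, 30)},
    {"host": "jump-01", "user": "ops", "password": "correct-horse-battery-staple",
     "role": "admin", "remote": True, "mfa": True,
     "software": "VendorOS 5.2", "eol": date(2025, 6, 30)},
]

# Assumed vendor default credentials for the devices in scope.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("root", "root"), ("admin", "password")}

# Breach corpora are normally held as hashes so plaintexts never sit in the
# audit tool; these SHA-1 digests are of constructed sample values only.
BREACHED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in ("Winter2021!", "123456")}


def is_breached(password):
    """True when the password's SHA-1 appears in the (constructed) breach set."""
    return hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1


def audit_entry(entry, today):
    """Return the bad-practice codes that apply to one inventory record."""
    findings = []
    # Bad practice 3: software past its end-of-life date no longer gets patches.
    if entry["eol"] <= today:
        findings.append("unsupported-software")
    # Bad practice 2: known/default credentials, or a password seen in a breach.
    if (entry["user"], entry["password"]) in DEFAULT_CREDENTIALS:
        findings.append("default-credential")
    if is_breached(entry["password"]):
        findings.append("breached-password")
    # Bad practice 1: single-factor auth on remote or administrative access.
    if (entry["role"] == "admin" or entry["remote"]) and not entry["mfa"]:
        findings.append("single-factor-remote-or-admin-access")
    return findings


def audit(inventory, today=date(2021, 9, 1)):
    """Return {host/user: findings} for every record with at least one finding.

    The default reference date is an assumption matching the article's timeframe.
    """
    report = {}
    for entry in inventory:
        findings = audit_entry(entry, today)
        if findings:
            report[f"{entry['host']}/{entry['user']}"] = findings
    return report


if __name__ == "__main__":
    for key, findings in audit(INVENTORY).items():
        print(key, "->", ", ".join(findings))
```

    In a real deployment the inventory would come from the asset register and the breached-hash set from a breach corpus; the rules themselves do not change, which is what makes these three practices a useful baseline to enforce continuously rather than check once.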

  • Verizon and Microsoft team up to offer 5G edge cloud computing for businesses

    Verizon announced on Tuesday that it will be partnering with Microsoft to offer an on-premises private edge compute solution for businesses. Leveraging Verizon 5G Edge with Microsoft Azure Stack Edge, the solution “enables the ultra-low latency needed to deploy real-time enterprise applications,” the companies said in a statement.

    Sampath Sowmyanarayan, chief revenue officer of Verizon Business, said it would allow businesses to “bring compute and storage services to the edge of the network at the customer premises, providing increased efficiencies, higher levels of security, and the low lag and high bandwidth needed for applications involving computer vision, augmented and virtual reality, and machine learning.”

    “We’re thrilled to partner with Microsoft to bring 5G Edge to enterprises, dropping latency at the edge, helping critical, performance-impacting applications respond more quickly and efficiently,” Sowmyanarayan said. “5G will usher in next-generation business applications, from core connectivity to real-time edge compute and new applications and solutions that take advantage of AI transforming nearly every industry.”

    Corporate vice president of Azure for Operators at Microsoft Yousef Khalidi added that through the partnership with Verizon, the companies would be able to provide customers with compute and storage service capabilities at the edge of customers’ networks, “enabling robust application experiences with increased security.” “Business innovation demands powerful technology solutions and central to this is the intersection between the network and edge,” Khalidi said.

    Verizon said the announcement builds on a collaboration with Microsoft that began in 2020 and has sought to provide retailers with a way to process information in near real time to gain actionable data-driven insights, increase inventory accuracy and power fast and flexible supply chains.

    The companies noted that businesses like Ice Mobility have already used the solution to assist with computer vision-backed product packing as a way to improve on-site quality assurance. Ice Mobility is now looking into other 5G Edge applications that can offer material automation enhancements to its business, like near real-time activity-based costing. “This solution would allow them to assign overhead and indirect costs to specific customer accounts, pick and pack lines, and warehouse activities to enhance efficiencies and improve competitiveness,” the companies explained in a statement. The companies believe that the solution can help manufacturers minimize their downtime, gain greater visibility into their business processes and maximize the performance of their assets.

    Ghassan Abdo, Research VP at IDC, said the announcement “aligns with IDC’s view that an on-premise, private 5G edge compute deployment model will spur the growth of compelling 4th generation industrial use cases.” “This partnership is a positive development as it leverages the technology and communications leadership of both companies,” Abdo said.