More stories

  • Google Cloud Security joins Exabeam-led cybersecurity alliance

    Exabeam and seven other cybersecurity companies announced the creation of the XDR Alliance on Tuesday, touting the effort as a way to help downstream SecOps teams. Google Cloud Security, Mimecast, Netskope, SentinelOne, Armis, Expel and ExtraHop joined Exabeam in founding the alliance centered on XDR — short for extended detection and response framework and architecture. The companies said the end goal of the partnership is to “enable organizations everywhere to protect themselves against the growing number of cyber attacks, breaches, and intrusions” by helping security teams evolve and ensuring interoperability across the XDR security vendor solutions set.

    The alliance will also work together on campaigns to popularize XDR and assist SecOps teams in integrating “new and evolving applications and technologies.”

    Gorka Sadowski, chief strategy officer at Exabeam and founder of the XDR Alliance, said the XDR Alliance “brings together the most forward thinking names in cybersecurity to collaborate on building an XDR framework that is open and will make it easier for security operations teams to protect and secure their organizations.”

    “History will look back and declare how well the cybersecurity industry succeeded in putting collaboration above competition to help protect our organizations and institutions,” Sadowski said. “We are at an inflection point with an extremely fragmented industry that requires all of us in the vendor community to come together to strengthen organizations’ SOCs.”

    The alliance created a three-tier model that focuses on the core components of the XDR technology stack. The three tiers include data sources/control points, XDR Engine, and content.

    “Data sources/control points refers to the security tooling that generates telemetry, logs and alerts, and that act as control points for response. The XDR Engine tier is the engine that ingests all the collected data and performs broad threat detection, investigation and response for SOC operations,” the alliance said in a statement. “The Content tier includes the pre-packaged content and workflows that allow security organizations to deliver on required use cases with maximum efficiency and automation.”

    Part of what drew the cybersecurity companies to the alliance is that each represents one of the subcategories under SecOps, which include network detection and response, security information and event management, security analytics, identity management and more.

    Sunil Potti, Google Cloud VP and GM of Cloud Security, explained that security operations teams are demanding more from their tools as the threat landscape continues to grow. Organizations now need a platform to cost effectively store and analyze all of their security data in one place and investigate and detect threats with speed and scale, Potti said, adding that enterprises now need the ability to store vast amounts of data, analyze and correlate the data from siloed solutions in order to adequately detect and respond to emerging threats within their environments.

    “We are looking forward to joining the XDR Alliance to help build an inclusive and open XDR framework that gives our joint customers a pathway to the best-in-class Security Operations Centers (SOCs) in the Cloud,” Potti said. There is an XDR Alliance member application page for organizations interested in joining.

    Exabeam CEO Michael DeCesare added that many of the companies share customers and are looking to improve the SOC experience. The emergence of “covert AI and automated attacks” as well as other threats prompted the companies to unite, DeCesare explained.

  • Raccoon stealer-as-a-service will now try to grab your cryptocurrency

    Raccoon Stealer has been upgraded by its developer in order to steal cryptocurrency alongside financial information. 

    On Tuesday, Sophos released new research into the stealer-as-a-service, a bolt-on for threat actors to use as an additional tool for data theft and revenue. In a new campaign tracked by the team, the malware was spread not through spam emails — the usual initial attack vector linked to Raccoon Stealer — but, instead, through droppers disguised as installers for cracked and pirated software.

    Samples obtained by Sophos revealed that the stealer is being bundled with malware including malicious browser extensions, cryptocurrency miners, the Djvu/Stop consumer ransomware strain, and click-fraud bots targeting YouTube sessions.

    Raccoon Stealer is able to monitor for and collect account credentials, cookies, website “autofill” text, and financial information that may be stored on an infected machine. However, the upgraded stealer also has a “clipper” for cryptocurrency-based theft. Wallets and their credentials in particular are targeted by the QuilClipper tool, as well as Steam-based transaction data.

    “QuilClipper steals cryptocurrency and Steam transactions by continuously monitoring the system clipboard of Windows devices it infects, watching for cryptocurrency wallet addresses and Steam trade offers by running clipboard contents through a matrix of regular expressions to identify them,” the researchers noted.

    The stealer operates through a Tor-based command-and-control (C2) server to handle data exfiltration and victim management. Each Raccoon executable is tied to a signature specific to each client. “If a sample of their malware shows up on VirusTotal or other malware sites, they can trace it back to the customer who may have leaked it,” Sophos says.

    Raccoon is offered as a stealer-for-hire, with the developers behind the malware offering their creation to other cybercriminals for a fee. In return, the malware is frequently updated. Usually found in Russian underground forums, Raccoon has for the last few years also been spotted in English-language forums, for as little as $75 for a weekly subscription.

    According to the researchers, over a six-month period the malware was used to steal at least $13,000 in cryptocurrency from its victims, and when bundled with miners, a further $2,900 was stolen. The developer earned roughly $1,200 in subscription fees, together with a cut of their users’ proceeds.

    “It’s these kinds of economics that make this type of cybercrime so attractive — and pernicious,” Sophos says. “Multiplied over tens or hundreds of individual Raccoon actors, it generates a livelihood for Raccoon’s developers and a host of other supporting malicious service providers that allows them to continue to improve and expand their criminal offerings.”

  • Get a lifetime VPN subscription and 10TB of cloud backup for under $65

    These are dangerous times for our data. We not only need to protect our files from our own carelessness but also our sensitive information from being stolen online. The Lifetime Backup & Security Subscription Bundle covers all of that, so we never need to worry about it again.

    As always, we need to be careful about backing up our files, to avoid the chaos that would result from losing them. And the easier that chore is, the more likely we are to perform it. Degoo Premium: Lifetime 10TB Backup Plan not only provides high-speed data transfers with the security of 256-bit AES encryption, but it duplicates your backup even as you are performing it, giving you twice the amount of protection against data loss. Best of all, the generous 10TB storage will save you from the frustration of constantly having to purge files because you’re running out of space.

    Degoo has a 4.4 out of 5-star rating among more than 595,000 reviews on Google Play and a rating of 4.5 out of 5 stars from 6,500 reviewers on the App Store.

    The second part of this bundle is KeepSolid VPN Unlimited: Lifetime Subscription (5 Devices). KeepSolid is the bestselling VPN of all time for good reason. It has no limits on speed or bandwidth and offers access to over 500 servers in more than 80 locations around the world, plus the utmost security and privacy. You get military-grade encryption, a kill switch, and a strict zero-logging policy.

    KeepSolid VPN is well-loved by both users and reviewers. The service has over 10 million customers worldwide, PCMag named it Top VPN and Laptop Review Pro awarded it “Best VPN for Laptop”. Tech.Co explains why: “From its simple interface to its genuinely practical features, VPN Unlimited has plenty to recommend it.”

    The services in this bundle would normally cost $3,799. For a limited time only, get The Lifetime Backup & Security Subscription Bundle for $62.99 with code ANNUAL30.


  • Supply chain attacks are getting worse, and you are not ready for them

    The European Union Agency for Cybersecurity (ENISA) has analyzed 24 recent software supply chain attacks and concluded that strong security protection is no longer enough. Recent supply chain attacks in its analysis include those through SolarWinds Orion software, CDN provider Mimecast, developer tool Codecov, and enterprise IT management firm Kaseya. ENISA focuses on Advanced Persistent Threat (APT) supply chain attacks and notes that while the code, exploits and malware were not considered “advanced”, the planning, staging, and execution were complex tasks. It notes 11 of the supply chain attacks were conducted by known APT groups.

    “These distinctions are crucial to understand that an organization could be vulnerable to a supply chain attack even when its own defences are quite good and therefore the attackers are trying to explore new potential highways to infiltrate them by moving to their suppliers and making a target out of them,” ENISA notes in the report.

    The agency expects supply chain attacks to get a lot worse: “This is why novel protective measures to prevent and respond to potential supply chain attacks in the future while mitigating their impact need to be introduced urgently,” it said.

    ENISA’s analysis found that attackers focused on the suppliers’ code in about 66% of reported incidents. The same proportion of vendors were not aware of the attack before it was disclosed.

    “This shows that organisations should focus their efforts on validating third-party code and software before using them to ensure these were not tampered with or manipulated,” ENISA said, although this is something easier said than done. As the Linux Foundation highlighted in the wake of the SolarWinds disclosure, even reviewing source code – for both open source and unaudited proprietary software – probably wouldn’t have prevented that attack.

    ENISA is calling for coordinated action at an EU level and has outlined nine recommendations that customers and vendors should take. Recommendations for customers include:

      • identifying and documenting suppliers and service providers;
      • defining risk criteria for different types of suppliers and services, such as supplier and customer dependencies, critical software dependencies, and single points of failure;
      • monitoring supply chain risks and threats;
      • managing suppliers over the whole lifecycle of a product or service, including procedures to handle end-of-life products or components;
      • classifying assets and information shared with or accessible to suppliers, and defining relevant procedures for accessing and handling them.

    ENISA recommends suppliers:

      • ensure that the infrastructure used to design, develop, manufacture, and deliver products, components and services follows cybersecurity practices;
      • implement a product development, maintenance and support process that is consistent with commonly accepted product development processes;
      • monitor security vulnerabilities reported by internal and external sources, including third-party components;
      • maintain an inventory of assets that includes patch-relevant information.

    The SolarWinds attack, for example, rattled Microsoft, whose president Brad Smith said it was the “largest and most sophisticated attack the world has ever seen” and that it probably took 1,000 engineers to pull off. Alleged Russian intelligence hackers compromised SolarWinds’ software build system for Orion to plant a backdoor that was distributed as software to several US cybersecurity firms and multiple federal agencies.

    The US Department of Justice (DoJ) revealed last week that 27 districts’ Microsoft Office 365 email systems were compromised for at least six months beginning in May 2020.

    The rise of state-sponsored supply chain attacks and criminal ransomware attacks that combine supply chain attacks, such as the Kaseya incident, has shifted the focus of discussions between the US and Russia. US president Joe Biden last week said a major cyberattack would be the likely cause of the US entering a “real shooting war” with another superpower.

  • DeadRinger: Chinese APTs strike major telecommunications companies

    Researchers have disclosed three cyberespionage campaigns focused on compromising networks belonging to major telecommunications companies. 

    On Tuesday, Cybereason Nocturnus published a new report on the cyberattackers, believed to be working for “Chinese state interests” and clustered under the name “DeadRinger.”

    According to the cybersecurity firm, the “previously unidentified” campaigns are centered in Southeast Asia — and in a similar way to how attackers secured access to their victims through a centralized vendor in the cases of SolarWinds and Kaseya, this group is targeting telcos.

    Cybereason believes the attacks are the work of advanced persistent threat (APT) groups linked to Chinese state sponsorship due to overlaps in tactics and techniques with other known Chinese APTs. Three clusters of activity have been detected, with the oldest examples appearing to date back to 2017.

    The first group, believed to be operated by or under the Soft Cell APT, began its attacks in 2018. The second cluster, said to be the handiwork of Naikon, surfaced and started striking telcos in the last quarter of 2020, continuing up until now. The researchers say that Naikon may be associated with the Chinese People’s Liberation Army’s (PLA) military bureau. Cluster three has been conducting cyberattacks since 2017 and has been attributed to APT27/Emissary Panda, identified through a unique backdoor used to compromise Microsoft Exchange servers up until Q1 2021.

    Techniques noted in the report included the exploitation of Microsoft Exchange Server vulnerabilities — long before they were made public — the deployment of the China Chopper web shell, the use of Mimikatz to harvest credentials, the creation of Cobalt Strike beacons, and backdoors to connect to a command-and-control (C2) server for data exfiltration.

    Cybereason says that in each attack wave, the purpose of compromising telecommunications firms was to “facilitate cyber espionage by collecting sensitive information, compromising high-profile business assets such as the billing servers that contain Call Detail Record (CDR) data, as well as key network components such as the domain controllers, web servers and Microsoft Exchange servers.”

    In some cases the groups overlapped and were found in the same target environments and endpoints at the same time. However, it is not possible to say definitively whether they were working independently or are all under the instruction of another, central group.

    “Whether these clusters are in fact interconnected or operated independently from each other is not entirely clear at the time of writing this report,” the researchers say. “We offered several hypotheses that can account for these overlaps, hoping that as time goes by more information will be made available to us and to other researchers that will help to shed light on this conundrum.”

  • Auditor finds WA Police accessed SafeWA data 3 times and the app was flawed at launch

    The Auditor-General of Western Australia has handed down her report into the state’s COVID-19 check-in app, SafeWA, revealing that not only did police access its data, but the app had a number of flaws when it was released. WA Health delivered the SafeWA app in November 2020 to carry out COVID contact tracing.

    In its report [PDF], the Office of the Auditor-General (OAG) said it was concerned about the use of personal information collected through SafeWA for purposes other than COVID contact tracing. In mid-June, the WA government introduced legislation to keep SafeWA information away from law enforcement authorities after it was revealed the police force used it to investigate “two serious crimes”. The public messaging around the app was that it would be used only for COVID contact tracing purposes.

    “In March 2021, in response to our audit questioning around data access and usage, WA Health revealed it had received requests and policing orders under the Criminal Investigation Act 2006 to produce SafeWA data to the WA Police Force,” the report said. The WA Police Force ordered access to the data on six occasions and requested access on one occasion. The orders were issued by Justices of the Peace after application by the WA Police Force.

    The WA Police Force was granted orders to access SafeWA data for matters under investigation, including an assault that resulted in a laceration to the lip, a stabbing, a murder investigation, and a potential quarantine breach. The OAG said WA Health ultimately provided access in response to three of the orders before the passage of the legislation. Applications made to WA Health on December 14, December 24, and March 10 were provided to the cops; applications on February 24, April 1, May 7, and May 27 were not.

    The SafeWA Privacy Policy, which users are required to agree to prior to use, details that WA Health collects, processes, holds, discloses, and uses personal information of people who access and use the SafeWA mobile application. The OAG said it also states that information on individuals may be disclosed to other entities such as law enforcement, courts, tribunals, or other relevant entities.

    The information that SafeWA captures includes sensitive personal information such as name, email address, phone number, venue or event visited, time and date, and information about the device used to check in. As of 31 May 2021, over 1.9 million individuals and 98,569 venues were registered in the SafeWA application. The total number of check-in scans between December 2020 and May 2021 exceeded 217 million.

    In addition to police accessing contact tracing data, shortly after the initial release of SafeWA, the app suffered a system outage due to poor management of changes, with the OAG saying this put the availability of SafeWA at risk. “WA Health has addressed this risk and continues to manage the vendor contract which has required changes as the state’s strategy on the use of SafeWA has evolved,” the report said.

    The app was delivered by GenVis and is hosted in the Amazon Web Services (AWS) cloud. The total contract value was initially AU$3 million, but it has since risen to AU$6.1 million over three years.

    GenVis said it has processes in place to delete check-in data 28 days after collection. Should a member of the public test positive for COVID-19 or qualify as a close contact, WA Health may store a subset of the data relevant to that case indefinitely. The OAG said this is contrary to WA Health’s logging and monitoring standard, which requires retention for at least seven years and, where possible, for the lifecycle of the system.

    Of further concern to the OAG was that WA Health does not monitor SafeWA access logs to identify unauthorised or inappropriate access to SafeWA information. The OAG also raised issues with WA Health and GenVis’ ability to only request, not enforce, that AWS not transfer, store, or process data outside Australia.

    WA Health uses provider-managed encryption keys for SafeWA, which are stored in the AWS database, instead of self-managed keys where the cloud provider has no visibility or access to them. “WA Health advised us that the current solution is required so that AWS can access keys through software to perform platform maintenance and support the vendor with technical issues,” the report said. “Although the likelihood is low, the cloud provider could be required to disclose SafeWA information to overseas authorities as it is subject to those laws.”

    Prior to going live, WA Health identified that SafeWA registration could be completed with an incorrect number or someone else’s phone number, the OAG added. “This was because SafeWA did not fully verify a user’s phone number during the registration process,” it said. “Due to the timing of SafeWA development and WA Health’s need to balance risk with implementation, this issue was only partially resolved prior to going live. The remaining weaknesses could be exploited to register fake accounts and check-ins.” The issue was resolved in February.

    It was not just the cops that may have accessed contact tracing data, however, with the OAG noting it was also concerned about the limited communication around WA Health’s use of personal information collected by other government entities, including Transperth SmartRider, Police G2G border crossing pass data, and CCTV footage, in its contact tracing efforts. During the audit, the OAG also identified that WA Health’s Mothership and Salesforce-based Public Health COVID Unified System (PHOCUS) accesses SafeWA data.

    “When WA Health receives confirmation of a positive COVID-19 case from a pathology clinic, it uses PHOCUS to collate data relevant to the case from several sources,” the report says. “WA Health has not provided enough information to the community about other personal information it accesses to assist its contact tracing efforts.”

    The Mothership contact tracing application, the OAG said, has security weaknesses, including a weak password policy and inconsistent use of multi-factor authentication. The OAG is preparing a separate report focused on the Mothership and PHOCUS.

  • Constant review of third-party security critical as ransomware threat climbs

    Lulled into complacency, businesses face risks of supply chain attacks even after they have done their due diligence in assessing their third-party suppliers’ security posture before establishing a partnership. In this first piece of a two-part feature on ransomware, ZDNet discusses the need for continuous review of all touchpoints across the supply chain, especially those involving critical systems and data.

    Enterprises typically would give their third-party suppliers “the keys to their castle” after carrying out the usual checks on the vendor’s track record and systems, according to Steve Turner, a New York-based Forrester analyst who focuses on security and risk. They believed they had done their due diligence before establishing a relationship with the supplier, Turner said, but they failed to understand that they should be conducting reviews on a regular basis, especially with their critical systems suppliers.

    “Anyone who has the keys to the castle, we should know them in and out and have ongoing reviews,” he said in a video interview with ZDNet. “These are folks that are helping you generate revenue and, operationally, should be held accountable [to be] on the same level as your internal security posture.”

    Third-party suppliers should have the ability to deal with irregular activities in their systems and the appropriate security architecture in place to prevent any downstream effects, he added.

    Capgemini’s Southeast Asia head of cybersecurity Hamza Siddique noted that technical controls and policies established by third-party or supply chain partners did not always match up to their clients’ capabilities. This created another attack surface or easy target on the client’s network and could lead to risks related to operations, compliance, and brand reputation, Siddique said in an email interview.

    To better mitigate such risks, he said Capgemini recommends a third-party risk management strategy that pulls best practices from NIST and ISO standards. It encompasses, amongst others, the need to perform regular audits, plan for third-party incident response, and implement restricted and limited access mechanisms. The consulting firm’s service portfolio includes helping its clients build a strategy around detection and analysis as well as containment and recovery.

    Turner urged regular reassessments of third-party systems or, if these could not be carried out, that organisations have in place tools and processes to safeguard themselves against any downstream attacks. “There needs to be inherent security controls so if something goes off baseline, these can react to ensure [any potential breach] doesn’t spread. A zero trust architecture delivers on that,” he said. “Suppliers have an inherent trust relationship [with enterprises] and this needs to stop.”

    Steve Ledzian, FireEye Mandiant’s CTO and Asia-Pacific vice president, acknowledged that it was challenging to prevent supply chain attacks because these looked to abuse an existing level of trust between organisations and their third-party vendors. However, he said there still were opportunities to detect and mitigate such threats, since hackers would need to carry out other activities before launching a full attack. For instance, after successfully breaching a network via a third-party vendor, they would need to map out the targeted organisation’s network, identify the systems that held critical data, and figure out the privileged credentials they needed to steal to gain access, before they could move laterally within the network.

    “Once the hacker is in your network, and you’re in detection mode, you have the opportunity to identify and stop them before they are able to breach your data,” Ledzian said in a video interview, stressing the importance of tools and services that enabled enterprises to quickly detect and respond to potential threats. Their defence strategy against ransomware attacks also should look beyond simply purchasing products and into how systems were configured and architected. The main objective here was to bolster the organisation’s resilience and ability to contain such attacks, he added.

    Acronis’ CISO Kevin Reed also noted that the majority of attacks today still were neither highly sophisticated nor zero-day attacks. Attackers typically needed time and effort after identifying a vulnerability to develop an exploit for it and to make it work successfully. Reed said in a video interview that hackers usually would take several days to develop a workable exploit, and this task was increasingly more difficult with modern software architectures. “So it takes time to weaponise a vulnerability,” he said, adding that even highly skilled hackers would take 72 hours to do so. This meant organisations should act quickly to plug any vulnerabilities or deploy patches before exploits were available.

    He advocated the need for organisations to assess their suppliers’ security posture, validating and cross-verifying that these third-party vendors had the right processes and systems in place. This might be more challenging for small and midsize businesses (SMBs) that did not have the resources or expertise to do so, he noted. Reed added that these companies typically depended on their managed service providers to fulfil the responsibility. Here, he underscored the need for managed service providers to step up, especially in the wake of the Kaseya attack.

    Increased partnership between hackers a worrying trend

    Ransomware attacks, though, may be primed to get more sophisticated and deployed more quickly in future, as they are no longer developed by a single hacker. According to Ledzian, cyberattacks increasingly are broken down into different parts and delivered by different threat actors specialised in each piece of the attack. One might be tasked to build the malware, while other affiliates focused on reconnaissance and breaching a network and developing the exploit. “When you have specialised skillsets, then each component is more competent,” he cautioned.


    Sherif El-Nabawi, CrowdStrike’s Asia-Pacific Japan vice president of engineering, also highlighted the rise in teamwork amongst cybercriminals and the emergence of ransomware-as-a-service. Describing this as an alarming trend, El-Nabawi noted that five or six separate groups specialised in all aspects of a ransomware chain could band together, so a single group no longer needed to develop everything on its own. Such partnerships could entice more threat actor groups to come into play and fuel the entire industry, he said.

    Ledzian added that ransomware attacks also had evolved to become multi-faceted exploitation, with cybercriminals realising data theft would have a more severe impact on businesses than a service disruption. Having data backups would no longer be sufficient in such instances, as attackers gained greater leverage over businesses concerned about threats to make confidential data public, he said.

    According to CYFIRMA CEO and Chairman Kumar Ritesh, cybercriminals were moving their target towards young companies and large startups with access to large volumes of personal data, such as developers of “super apps” and mobile apps. He further pointed to increasing focus on OT (operational technology) systems, such as oil and gas and automotive, as well as process manufacturing industries. In particular, Ritesh told ZDNet that there was growing interest in autonomous and connected vehicles, whose dashboards enabled users to access their smart home and Internet of Things (IoT) systems. Some of these systems, he noted, lacked basic security features, with communication links between car and home systems left unsecured and at risk of being exploited.

    Cybercriminals also were shifting focus towards individuals and high-level influencers, such as employees working in their organisation’s product research team or who had privileged credentials that gave them access to critical data and systems, he said. With remote work now the norm amidst the global pandemic, he added that such risks were exacerbated, as personal devices that were not adequately secured could be easily breached to give hackers access to a company’s network and its intellectual property.

  • Regulations against ransomware payment not ideal solution

    With ransomware attacks increasing, legislations have been mooted as a way to bar companies from paying up and further fuelling such activities. In this second piece of a two-part feature on ransomware, ZDNet looks at how such policies can be difficult to enforce and may result in more dire consequences.  Regulations that compelled victims not to pay up could put these businesses in a precarious position, said Steve Turner, a New York-based Forrester analyst who focuses on security and risk. For one, any debate over whether to pay up would be muted when physical lives were at stake. Turner pointed to ransomware attacks that brought down critical infrastructure systems such as power and healthcare, impacting the likes of US Colonial Pipeline, Ireland’s Health Service Executive, and Germany’s Duesseldorf University Hospital.

    The US pipeline operator paid almost $5 million in ransom, the bulk of which was later recovered by authorities, while the Irish healthcare operator refused to pay and spent weeks struggling to recover from the attack, affecting hundreds of patients. The Duesseldorf hospital’s inability to function also indirectly caused the death of a patient whose treatment was delayed because she had to be rerouted to a hospital further away.

    Capgemini’s Southeast Asia head of cybersecurity Hamza Siddique noted that threat actor groups now had such great success in inflicting critical impact on their victims that it left these organisations with few viable options other than to pay up. “Paying the ransom may be the less expensive option for a cash-strapped company than engaging in the painstaking [task of] rebuilding company systems and databases,” Siddique said in an email interview. “Other entities may choose to pay the threat actor in hopes of avoiding the public release of sensitive information, which may lead to bankruptcy or legal issues.”

    He advised victims to make “informed decisions” on whether to fork out the ransom or embark on the more difficult path of building from scratch. Paying the ransom not only encouraged threat actors to engage in future ransomware attacks, but also provided funds for these groups to act against nations, governments, and foreign policy interests, he noted.

    On whether penalties should be imposed on companies that chose to pay the ransom, he said this decision should be made in line with the country’s IT policy and a cost-benefit analysis. Foremost, the emphasis should be on not paying, Siddique said, adding that this should be the case if the impact on the business was low. However, if the impact could lead to bankruptcy or major legal issues, organisations should be allowed to decide if they wanted to pay the ransom, he said.

    Acronis’ CISO Kevin Reed noted that in the short term, regulations that outlawed ransom payment could have significant adverse effects, but in the long term might have an overall positive impact. He said in a video interview that cybercriminals were interested mainly in financial gains and, if they faced increasing obstacles in their efforts to extract money, they would stop doing it. However, he cautioned, criminals tended to be creative in how they extorted money, moving from one plan to another until they succeeded in their goal.

    Regulations on cryptocurrency also not fool-proof

    CYFIRMA CEO and Chairman Kumar Ritesh suggested that regulations should instead focus on virtual currencies, since these were used to orchestrate ransom payments. Cryptocurrency exchanges or trading firms could be mandated to provide information to the relevant authorities so transactions or accounts with the targeted unique identifiers could be blocked or frozen, Ritesh said in a video interview. Without a trading platform on which to complete the transaction, cybercriminals would find it more difficult to convert their virtual currencies into fiat money. Turner noted that there already were regulations governing legitimate cryptocurrency trading platforms such as Coinbase, which included intricate identification processes before transactions were processed.

    Such policies that identified movements across these cryptocurrency hubs could help cut down illicit activities conducted by regular scammers who were not very tech-savvy. However, the threat actor groups behind the recent massive ransomware attacks were not run-of-the-mill criminals, the Forrester analyst said in a video interview. For one, they would not be trading cryptocurrencies through common digital wallets. They typically had the skillsets to quickly move and launder these currencies, much like any organised crime operation, so these could be “clean” for use in the real world, he said.

    Furthermore, Turner added that cybercriminals would simply use alternative payment modes should more regulations be introduced to monitor cryptocurrency transactions or bar companies from paying ransoms. “Attackers will just find another payment mechanism that hasn’t been outlawed,” he said. “It could be something as [innocuous] as Walmart gift cards, as long as it doesn’t enable hackers to be traced and allows companies to pay the ransom. Outlawing [the use of] cryptocurrency will only put ransomware victims in a bad position.”

    Turner noted, though, that some form of regulation could raise the collective security posture of companies across the board, since there would be stronger motivation to avoid being put in a position where they would be held to ransom.

    Policies needed to ensure vendors continue critical support

    Regulations also may be necessary to ensure businesses remain protected when vendors cease support for IT products and systems. For example, Western Digital in June advised users of its My Book Live and My Book Live Duo to unplug their devices from the internet following a series of remote attacks that triggered a factory reset, wiping out all data on the device. The breach was due to a vulnerability that was introduced in April 2011 through a coding oversight.
    Launched in 2010, the portable storage devices were issued their final firmware update in 2015, after which Western Digital discontinued support for the products. The storage vendor later provided data recovery services for customers who lost data as a result of the attacks.

    Siddique noted that organisations today were mostly digital in nature and highly dependent on vendors and suppliers to provide support as well as reliable products over a longer period of time, even after these systems were discontinued. “It’s imperative that there should be policies in place for a vendor to provide minimum support for discontinued product lines, considering [the] client may not be in [a] position to upgrade their software or may have certain dependency on the old version of the products,” he said.

    There should be clearly defined policies for such support to be provided for a specific minimum number of years after a product’s market release, he suggested. Vendors also should be expected to provide information on upcoming product releases and ease migration to new products. He said changes could be made in the SLA (service level agreement) and, if it was not viable for vendors to maintain a support team for discontinued products, there should be a minimum requirement for such provisions based on the severity of security vulnerabilities.

    At the very least, Turner noted, vendors that chose to continue supporting online services linked to their products should then also continue to offer support for the actual products. Otherwise, these online services should be disabled, he said, noting that Western Digital should have disabled the remote access or online services for the My Book models when it cut support for the products in 2015. “If there are no eyes on it, someone is going to exploit it,” the analyst said. He added that the optics would not look good for a manufacturer of data storage products to suffer a breach of this scale.
    Any potential regulation here could look at requiring vendors to support a product for as long as they supported the services that required the product to connect to the internet, he said. However, Reed suggested that such policies, if introduced, should apply only to critical systems such as medical and industrial control systems. He noted that some hospitals today operated MRI (magnetic resonance imaging) machines that ran on old versions of Windows that were no longer supported by Microsoft, and these machines could impact actual lives, he said. While he agreed that software vendors should take more responsibility for their products, he said legislation was not necessary for all sectors.