More stories


    Canadian indicted for launching ransomware attacks on orgs in US, Canada

    The FBI and Justice Department unsealed indictments today leveling a number of charges against 31-year-old Canadian Matthew Philbert for his alleged involvement in several ransomware attacks. Officials from the Ontario Provincial Police held a press conference on Tuesday to announce the charges and Philbert’s arrest in Ottawa.  

    In a statement, US Attorney Bryan Wilson of the District of Alaska said Philbert “conspired with others known and unknown to the United States to damage computers, and in the course of that conspiracy did damage a computer belonging to the State of Alaska in April 2018.” Wilson and Canadian officials noted that they received help in the case from Dutch authorities and Europol. Canadian officials also announced charges against Philbert, noting that he had been arrested on November 30. The officials did not say which ransomware group Philbert was part of or what attacks he was responsible for. “Cyber criminals are opportunistic and will target any business or individual they identify as vulnerable,” said Ontario Provincial Police deputy commissioner Chuck Cox. Among the charges Philbert is facing are one count of conspiracy to commit fraud and another count of fraud and related activity in connection with computers. During the press conference, Cox said the FBI contacted officials in Ontario about Philbert’s activities, which included ransomware attacks on businesses, government agencies, and private citizens.

    During the arrest, police said they seized several laptops, hard drives, blank cards with magnetic stripes, and a Bitcoin seed phrase. In January, police in Florida arrested another Canadian citizen in connection with several attacks by the Netwalker ransomware group. The DOJ claimed Sebastien Vachon-Desjardins made about $27.6 million through several ransomware attacks on Canadian organizations, including the Northwest Territories Power Corporation, the College of Nurses of Ontario, and a Canadian Tire store in B.C. Emsisoft threat analyst Brett Callow, a ransomware expert based in Canada, told ZDNet that most people assume ransomware attacks originate from Russia or the Commonwealth of Independent States. While the ransomware may be “made” in those countries, Callow noted that the individuals who use it to carry out attacks can be based anywhere. “In fact, there’s so much money to be made from ransomware, it would be extremely surprising if individuals in countries like Canada, America, and the UK hadn’t entered the market. Those individuals may, however, be sleeping a little less well at night than they used to. In the past, there was a near-zero chance of them being prosecuted for their crimes, but that’s finally starting to change,” Callow said.


    First certified 'secured-core' Windows Servers and Azure Stack HCI servers are now available

    Earlier this year, Microsoft announced plans for secured-core servers, the server counterparts to secured-core PCs. Today, December 7, the first servers that have passed the “Secured-core” standards bar are available to customers. Customers interested in the new secured-core servers can find listings for them in the Windows Server and Azure Stack HCI catalogs. HPE’s Gen 10 Plus (v2) products for Azure Stack HCI 21H2 get the secured-core designation. Dell, HPE, Lenovo, AMD and NEC have a variety of server products running Windows Server 2016, 2019 and/or 2022 that get the secured-core checkmark.

    Secured-core servers use the Trusted Platform Module (TPM) 2.0 and secure boot to ensure that only trusted components load in the boot path. As the name implies, they are designed to help protect against threats that commonly target servers, such as ransomware and cryptocurrency-mining exploits. According to Microsoft officials, secured-core servers protect server infrastructure with a hardware root of trust, defend sensitive workloads against firmware-level attacks, and prevent access to and execution of unverified code on systems.


    SentinelOne brings in $56 million for Q3, reports more than 6,000 customers

    SentinelOne on Tuesday published its third quarter financial results, beating market estimates thanks to solid growth in customers with annualized recurring revenue (ARR) over $100,000. The autonomous cybersecurity company’s total Q3 revenue was $56 million, a 128% increase over a year prior. Non-GAAP net loss per share came to 15 cents. ARR for Q3 was $237 million, a 131% year-over-year increase. Analysts were expecting a loss per share of 18 cents on revenue of $49.58 million. Shares fell in after-hours trading by more than 10%.

    The company did not provide a specific total customer count, but it said the customer base grew more than 75% year-over-year to over 6,000. Customers with ARR over $100,000 grew 140% year-over-year to 416. For the fourth quarter, the company expects total revenue in the range of $60 million to $61 million. For the full fiscal year, the company expects $199 million to $200 million. “Our business is performing extremely well. Q3 marks the third consecutive quarter of triple digit ARR growth,” said Tomer Weingarten, CEO of SentinelOne. “We continued to make progress across all aspects of our growth strategy outlined during the IPO.”



    Google announces lawsuit and action against blockchain botnet Glupteba

    Google announced this morning that it disrupted the command and control infrastructure of Russia-based Glupteba, a blockchain-backed botnet being used to target Windows machines. Google vice president of security Royal Hansen and general counsel Halimah DeLaine Prado wrote in a blog post on Tuesday that the company’s Threat Analysis Group (TAG) has been tracking Glupteba for months and decided to take technical actions against the group as well as legal ones. Google filed a lawsuit against the blockchain-enabled botnet, litigation it called the first of its kind, hoping to “create legal liability for the botnet operators, and help deter future activity.”

    “After a thorough investigation, we determined that the Glupteba botnet currently involves approximately one million compromised Windows devices worldwide, and at times, grows at a rate of thousands of new devices per day,” the two wrote. “Glupteba is notorious for stealing users’ credentials and data, mining cryptocurrencies on infected hosts, and setting up proxies to funnel other people’s internet traffic through infected machines and routers.” Google noted that while it was able to disrupt key Glupteba command and control infrastructure, the effect may prove temporary given the group’s “sophisticated architecture and the recent actions that its organizers have taken to maintain the botnet, scale its operations, and conduct widespread criminal activity.” Google believes the legal action will make it harder for the group to take advantage of other devices. The lawsuit names Dmitry Starovikov and Alexander Filippov but notes that other unknown actors are involved.

    The lawsuit was filed in the Southern District of New York and the two are being sued for computer fraud and abuse, trademark infringement, and more. Google also filed for a temporary restraining order, an attempt to “create real legal liability for the operators.” Google was also candid that the group’s use of blockchain technology made the botnet resilient, and noted that more cybercrime organizations are taking advantage of blockchain technology, whose decentralized nature lets botnets recover more quickly from takedowns. Shane Huntley and Luca Nagy of TAG explained in a separate blog post that Glupteba is known to steal user credentials and cookies, mine cryptocurrencies on infected hosts, and deploy and operate proxy components targeting Windows systems and IoT devices. “TAG has observed the botnet targeting victims worldwide, including the US, India, Brazil, Vietnam, and Southeast Asia. The Glupteba malware family is primarily distributed through pay per install (PPI) networks and via traffic purchased from traffic distribution systems (TDS),” the two wrote. “For a period of time, we observed thousands of instances of malicious Glupteba downloads per day. The following image shows a webpage mimicking a software crack download which delivers a variant of Glupteba to users instead of the promised software.” The team and others at Google terminated around 63 million Google Docs observed to have distributed Glupteba, 1,183 Google Accounts, 908 Cloud Projects, and 870 Google Ads accounts associated with Glupteba distribution. About 3.5 million users were warned before downloading a malicious file through Google Safe Browsing warnings, according to Huntley and Nagy. They noted that they also worked with Cloudflare on the disruption efforts. As part of its investigation, Google used Chainalysis products and investigative services to examine the botnet.

    Erin Plante, Chainalysis senior director of investigative services, told ZDNet that the botnet has two main cryptocurrency nexuses: cryptojacking and a previously unknown tactic used to evade shutdown. Plante explained that Glupteba’s operators used the machines they compromised for several criminal schemes, including using their computing power to mine cryptocurrency. According to Plante, Glupteba also used the Bitcoin blockchain to encode the addresses of updated command-and-control (C2) servers into the OP_RETURN outputs of Bitcoin transactions. Whenever one of Glupteba’s C2 servers was shut down, an infected machine could simply scan the blockchain for the new C2 domain, hidden among the hundreds of thousands of daily Bitcoin transactions worldwide. Most takedown techniques work by disabling C2 server domains, which makes this tactic particularly difficult to contend with: the rendezvous point lives in a public ledger that nobody can take offline, so defenders can only hope to block or sinkhole the domains it points to. Plante said this was the first known case of a botnet using this approach. She added that the investigation revealed cryptocurrency transactions originating in Federation Tower East, a luxury office building in Moscow where many cryptocurrency businesses known to launder criminal funds are headquartered. “Glupteba’s blockchain-based method of avoiding the shutdown of its botnet represents a never-before-seen threat vector for cryptocurrencies. In the private sector, cryptocurrency businesses and financial institutions have thus far typically been the ones tackling cases involved in blockchain analysis, usually from an AML/CFT compliance perspective,” Plante said. “But this case shows that cybersecurity teams at virtually any company that could be a target for cybercriminals must understand cryptocurrency and blockchain analysis in order to stay ahead of cybercriminals.”
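    To make the OP_RETURN lookup described above concrete, here is an added example (not code from Google, Chainalysis, or the Glupteba operators) in Python: a parser that walks a legacy-serialized Bitcoin transaction, pulls out any OP_RETURN outputs, and decodes their push data, plus a bot's-eye `latest_c2_domain` that picks the newest decodable domain from a list of transactions. The transaction is constructed inline rather than fetched from the chain, and the plaintext-domain payload is an assumption: the story does not say how the operators encoded the address, and a real client would pull the watched address's transactions from a node or block-explorer API and may well decrypt the payload first.

```python
"""Extract OP_RETURN payloads from raw Bitcoin transactions (added example)."""
import struct

OP_RETURN, OP_PUSHDATA1, OP_PUSHDATA2, OP_PUSHDATA4 = 0x6A, 0x4C, 0x4D, 0x4E


def read_varint(buf: bytes, pos: int):
    """Decode a Bitcoin CompactSize integer at buf[pos]; return (value, new_pos)."""
    first = buf[pos]
    if first < 0xFD:
        return first, pos + 1
    if first == 0xFD:
        return struct.unpack_from("<H", buf, pos + 1)[0], pos + 3
    if first == 0xFE:
        return struct.unpack_from("<I", buf, pos + 1)[0], pos + 5
    return struct.unpack_from("<Q", buf, pos + 1)[0], pos + 9


def parse_outputs(raw: bytes):
    """Return [(value_satoshi, scriptPubKey), ...] for a legacy (non-segwit) serialized tx."""
    pos = 4                                   # skip 4-byte version
    if raw[pos] == 0x00 and raw[pos + 1] == 0x01:
        raise ValueError("segwit serialization not handled in this example")
    n_in, pos = read_varint(raw, pos)
    for _ in range(n_in):
        pos += 32 + 4                         # prev txid + output index
        script_len, pos = read_varint(raw, pos)
        pos += script_len + 4                 # scriptSig + sequence
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = struct.unpack_from("<q", raw, pos)[0]
        pos += 8
        script_len, pos = read_varint(raw, pos)
        outputs.append((value, raw[pos:pos + script_len]))
        pos += script_len
    return outputs


def op_return_payload(script: bytes):
    """If script is 'OP_RETURN <push>', return the pushed bytes; otherwise None."""
    if not script or script[0] != OP_RETURN:
        return None
    if len(script) == 1:
        return b""
    op = script[1]
    if op <= 75:                              # direct push: opcode byte is the length
        start, length = 2, op
    elif op == OP_PUSHDATA1:
        start, length = 3, script[2]
    elif op == OP_PUSHDATA2:
        start, length = 4, struct.unpack_from("<H", script, 2)[0]
    elif op == OP_PUSHDATA4:
        start, length = 6, struct.unpack_from("<I", script, 2)[0]
    else:
        return None
    data = script[start:start + length]
    return data if len(data) == length else None   # truncated push => malformed


def op_return_payloads(raw_tx_hex: str):
    """All OP_RETURN payloads carried by one raw transaction (hex)."""
    raw = bytes.fromhex(raw_tx_hex)
    return [p for _, s in parse_outputs(raw) if (p := op_return_payload(s)) is not None]


def latest_c2_domain(raw_txs_newest_first):
    """Bot-side view: first ASCII, dot-containing OP_RETURN payload wins. Plaintext is an assumption."""
    for raw_tx_hex in raw_txs_newest_first:
        for payload in op_return_payloads(raw_tx_hex):
            try:
                text = payload.decode("ascii")
            except UnicodeDecodeError:
                continue
            if "." in text and " " not in text:
                return text
    return None


def build_sample_tx(payload: bytes) -> str:
    """Constructed sample (not a real chain tx): one input, a dummy P2PKH output, an OP_RETURN output."""
    tx = struct.pack("<I", 1) + b"\x01"                       # version, 1 input
    tx += b"\x11" * 32 + struct.pack("<I", 0) + b"\x00"       # dummy prevout, empty scriptSig
    tx += struct.pack("<I", 0xFFFFFFFF) + b"\x02"             # sequence, 2 outputs
    p2pkh = bytes.fromhex("76a914") + b"\x22" * 20 + bytes.fromhex("88ac")
    tx += struct.pack("<q", 50_000) + bytes([len(p2pkh)]) + p2pkh
    op_ret = bytes([OP_RETURN, len(payload)]) + payload
    tx += struct.pack("<q", 0) + bytes([len(op_ret)]) + op_ret
    return (tx + struct.pack("<I", 0)).hex()                  # locktime


if __name__ == "__main__":
    sample = build_sample_tx(b"c2-update.example")
    print(op_return_payloads(sample))        # [b'c2-update.example']
    print(latest_c2_domain([sample]))        # c2-update.example
```

    The defensive takeaway is the inverse of what the bot does: the chain itself cannot be taken down, so the signal worth hunting on an endpoint is a process with no business reading Bitcoin data making outbound requests to a node or block-explorer API, and the domains such payloads resolve to are what can still be blocked or sinkholed.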


    Israeli govt pledges greater oversight of cyber-exports after NSO tools hacked US officials

    The Israeli government’s Defense Exports Control Agency sent out a notice late on Monday indicating it would be enforcing stricter rules governing the export of offensive cyber tools. The announcement came days after multiple outlets revealed that tools from Israeli cyber firm NSO Group were used to hack into the phones of at least 11 US State Department officials based in Uganda.

    The Jerusalem Post reported on Monday that the agency published a revised version of its “Final Customer Declaration”, which countries will have to sign before they can get access to powerful spyware technology like the NSO Group’s Pegasus. The declaration says countries will not use the tools to attack government critics or “political speech” and will only use it to prevent terrorism and “serious crimes.” Any country that ignores the declaration will lose access to cyber-tools, according to the document. The new rules came just days after Reuters, The Wall Street Journal, and The Washington Post reported that 11 workers at the US Embassy in Uganda had their phones hacked using Pegasus, which can be delivered to Apple phones through a text message that doesn’t even need to be opened. Apple has sued NSO Group for creating the tool and said it has already been used to hack into the devices of US citizens, despite claims from the company that it is only used for counter-terrorism efforts. Apple has since patched the vulnerability exploited by Pegasus and now notifies people when they are being targeted. The US government sanctioned NSO Group in November after months of reports showing how the technology was being used widely by dictatorships to hack into the devices of opponents, human rights activists, other world leaders and more. NSO Group continues to face a barrage of bad headlines over how its Pegasus spyware has been used around the world. Last month, a bombshell report from the University of Toronto’s Citizen Lab and the Associated Press said that even the Israeli government’s own spy agency used the tool to hack the phones of six Palestinian human rights activists. 

    That report followed another about the ruler of the UAE using Pegasus to spy on his ex-wife and her British lawyers. In July, the “Pegasus Project” used information from Amnesty International, the University of Toronto’s Citizen Lab, and Forbidden Stories to uncover that the NSO Group’s spyware was used to target at least 65 business executives, 85 human rights activists, 189 journalists, and at least 600 politicians. Targeted government officials included French President Emmanuel Macron, South African President Cyril Ramaphosa, and Iraqi President Barham Salih. Cabinet ministers from dozens of countries, including Egypt and Pakistan, were also targeted. Last month, on the heels of the sanctions announcement, several US Congress members demanded the State Department further investigate how Pegasus and other spyware is being used to abuse human rights around the world.

    John Scott-Railton, senior researcher at Citizen Lab, told ZDNet that the latest news about Pegasus being used against US officials was years in the making. “NSO knew exactly what it was doing by selling this hacking tool and has known for years that Pegasus is used against diplomats. They are a blinking national security threat for the United States and a threat to human rights. That’s what earned them the blocklist designation by Congress,” Scott-Railton said. Scott-Railton was skeptical of the new rules handed down by the Israeli government’s Defense Exports Control Agency, questioning what good a signed declaration would do for dictators or repressive governments that have significant power within their borders. “I’m puzzled. You are asking a rogues’ gallery of dictators to promise they won’t behave badly? This sounds like a distraction, not an effective regulation. In fact, NSO has apparently made its customers certify that they wouldn’t abuse the tech for years. We’ve seen just how badly that fared,” he added, noting the wider difficulties countries will face now that the spyware industry has become so lucrative. “The problem with mercenary spyware is that it is arriving in the hands of security services long before there is effective oversight and accountability. Predictably, companies like NSO are driving the rapid proliferation of this tech, and the harms can be found wherever you look,” Scott-Railton added. “Democracies should decide what kind of technological powers they want to vest in their police services. Citizens of dictatorships don’t have the luxury of a say, and selling spyware to these regimes will help them stay undemocratic.”


    AWS goes down and with it goes a host of websites and services

    December 7th, 2021 won’t be a day that will live in infamy, but it is a day that will annoy many Amazon Web Services (AWS) users. And it will also vex many more people who didn’t realize until today that Disney+, Venmo, and Robinhood all rely on AWS. No AWS, no Star Wars: The Bad Batch. The problem? According to the AWS Service Health Dashboard: “We are seeing an impact on multiple AWS APIs in the US-EAST-1 Region. This issue is also affecting some of our monitoring and incident response tooling, which is delaying our ability to provide updates. We have identified the root cause and are actively working towards recovery.” So, we should be back to business as usual soon. The problem first manifested at about 10:45 AM Eastern Time. It started in us-east-1, AWS’s major US East region hosted in Virginia, but the effects showed up across AWS. Administrators reported global problems with AWS Identity and Access Management (IAM), the web service that controls access to AWS resources, so even if your service or site wasn’t in us-east-1, you could still feel the outage’s effects. Adding insult to injury, AWS customer service was down too. Fortunately, according to DownDetector results, AWS seems to have a handle on the problem. In a few hours, all should be back to normal.


    Rust takes a major step forward as Linux's second official language

    It wasn’t that long ago that the very idea of a language other than C being used in the Linux kernel would have been laughed at. Things have changed. Today, Rust, the high-level systems language, is closer to Linux than ever with the latest “patch series to add support for Rust as a second language to the Linux kernel.”

    The biggest change in this new series is that the Rust code proposed for the kernel now relies on the stable Rust compiler rather than the beta compilers. Going forward, Rust on Linux will migrate every time a new stable Rust compiler is released. Currently, it’s using Rust 1.57.0. As Miguel Ojeda, Linux kernel developer and lead of the Rust for Linux effort, put it, “By upgrading the compiler, we have been able to take off the list a few unstable features we were using.” This, in turn, means Rust on Linux will be more stable. Looking ahead, Ojeda wrote, “We will keep upgrading until we do not rely on any unstable features; at which point we may want to start declaring a minimum Rust version is supported like it is done, e.g. GCC and Clang.”

    Senior Linux kernel developer Greg Kroah-Hartman had told me he believes “drivers are probably the first place for” Rust to appear in Linux since “they are the ‘end leaves’ of the tree of dependencies in the kernel source. They depend on core kernel functionality, but nothing depends on them.” This has been coming for several years now. At the virtual 2020 Linux Plumbers Conference, where the top Linux kernel developers hash out Linux’s future, the idea of introducing Rust as the kernel’s second language was first proposed. Linus Torvalds is sure Linux won’t end up being written in Rust, but that’s not the goal. No one is going to rewrite the kernel’s 25 million lines of C in Rust.

    Josh Triplett, Rust language lead, and Nick Desaulniers, a Google engineer, proposed using the systems-level Rust language inside the kernel. Why? Because it’s much safer than C, especially at handling memory errors. As Ryan Levick, a Microsoft principal cloud developer advocate, explained, “Rust is completely memory safe.” Since roughly two-thirds of security issues can be traced back to handling memory badly, this is a major improvement. In addition, “Rust prevents those issues usually without adding any runtime overhead,” Levick said. Torvalds sees the advantages. While he’s encouraging a slow but steady approach to introducing Rust into Linux, he has also said that using Rust interfaces for drivers and other non-core kernel code makes sense: “I’m convinced it’s going to happen. It might not be Rust, but it is going to happen that we will have different models for writing these kinds of things, and C won’t be the only one.” So, as Ojeda told ZDNet this summer, “The project is not finished, but we are ready to get mainlined if high-level maintainers accept the current changes and prefer that we work inside the kernel. Most of the work is still ahead of us.” Still, the work is well underway. I expect to see the first Rust code in the Linux kernel sometime in 2022.



    Bosses are reluctant to spend money on cybersecurity. Then they get hacked

    Many businesses still aren’t willing to spend money on cybersecurity because they view it as an additional cost, and then find they have to spend much more recovering from a cyber incident after they get hacked. Cyberattacks like ransomware, business email compromise (BEC) scams and data breaches are some of the key issues businesses face today, but despite the number of high-profile incidents and their expensive fallout, many boardrooms are still reluctant to free up budget for the cybersecurity measures necessary to avoid becoming the next victim.


    The cost of falling victim to a major cyber incident like a ransomware attack can be many times more than the cost of investing in the people and procedures that can stop incidents in the first place, something many organisations only fully realise after it’s too late. “Organisations don’t like spending money on preventative stuff. They don’t want to overspend, so a lot of organisations will sort of be penny-wise and pound-foolish kind of places where they wait for the event to happen, and then they have the big expense of cleaning it up,” Chris Wysopal, co-founder and CTO of cybersecurity company Veracode, told ZDNet Security Update. It’s then that they realise they could have spent less by preventing the attack, he said: “A lot of organisations are going through that right now.” For example, an organisation might end up paying millions of dollars to ransomware criminals for the decryption key to an encrypted network, and then face the additional costs of investigating, remediating and restoring the IT infrastructure of the whole business after the incident.

    “Just the ransoms that organisations are paying, if they don’t have cyber insurance, could certainly pay for a lot of cybersecurity professionals. And cyber-insurance rates are going up, so it’s getting more expensive across the board for organisations because of the threat,” said Wysopal. Even for organisations that do have a fully fledged cybersecurity strategy, training, hiring and retaining staff can still pose a challenge because of the high demand for employees with the required skills. The supply and demand issue isn’t going to be solved overnight and, while Wysopal believes long-term investment in cybersecurity is vital, there are additional measures that can be taken to get more people with cybersecurity skills into the workforce to help protect organisations from attacks. “One thing I would like to see is cybersecurity become part of every IT or computer science student’s training, so that they had some understanding of cybersecurity as a professional, whether it’s building and managing systems in an IT environment or building software,” he explained. If IT or development staff have at least some understanding of cybersecurity, that can help organisations, particularly smaller ones that might not have a big budget. “I’m really pushing for that to be part of the curriculum and I’ve been working with a few colleges to make that part of the computer science curriculum,” Wysopal said.