More stories

  •

    NYC school platform outage complicating COVID-19 tracing efforts

    A digital education platform used by dozens of New York City schools is still struggling to get systems back up and running after reporting a days-long outage. Illuminate Education, which owns popular school management platforms Skedula and PupilPath, said it is still in the process of restoring service after a “security incident” that began on January 8. Scott Virkler, chief operating officer of Illuminate Education, told ZDNet that their priority is “to restore service as soon as possible and do everything in our power to help users.” “We launched an investigation with the help of third-party experts, and that is still ongoing,” Virkler said, declining to answer other questions. On the company’s status update website, Illuminate Education says it has continued experiencing a service interruption affecting all IO Classroom applications for nearly 10 days. They have not provided a new update since January 11. The online grading and attendance platforms are used heavily within the New York City public school system, and Virkler told The New York Daily News on January 11 that it was investigating an “attempted security incident.” He did not explain that statement further. It is still unclear whether data from the platform was leaked during the attack, and the Department of Education in New York City did not respond to requests for comment.

    Multiple teachers have told The New York Times and other local outlets that they use the platforms extensively to communicate with parents and check grades for each student. The outages have come at a particularly inopportune time as teachers manage the COVID-19 surge, recent snow days and other issues affecting the school year. After teachers began to complain about the company’s lack of notice about the incident, Illuminate Education released a statement confirming that it was a “security incident.” “Illuminate Education recently began experiencing technical difficulties, resulting in a disruption to our IO Suite of products. We immediately began an investigation, and indications are that this was the result of an attempted security incident. Our top priority is to restore full functionality to our systems as soon as possible, and we are working diligently with third-party forensic specialists to investigate the incident and confirm the effect to our systems,” the California-based company said. “We realize that you rely on systems like IO Classroom and PupilPath for daily activities including attendance, grading, and communications. We appreciate your patience and understanding, and apologize for any inconvenience. We will continue to provide updates to the School Administration as we make progress on resolving this issue.” City officials would not say how many schools use the software, but the company says it serves 5,200 districts and schools across the country. Records obtained by The New York Post indicate the company has made $16 million from Department of Education schools in the last three years. The outlet added that the outages were hampering efforts by administrators to track which students had COVID-19, because students who test positive typically have everyone in their classes tested as well. Without access to student schedules, it has become difficult for teachers to know which classes a student attends and which students need to be tested. ChalkBeat gained access to a letter sent to parents by Virkler which says the company will be restoring service in phases and that it would send out another update on Tuesday.

  •

    2G's security weaknesses are still a problem, even for modern phones

    Google recently added an option to switch off insecure 2G connectivity in Android smartphone modems, a move that has been welcomed by digital civil liberties group the Electronic Frontier Foundation (EFF). It applauded Google for adding the new setting in Android 12 and has now called on Apple to implement the feature, too.

    2G is an early digital cellular network standard that emerged in the early 1990s, when Nokia still ruled mobile. As EFF notes, 2G was developed when standards bodies didn’t account for threats like rogue cell towers or the need for strong encryption. “There are two main problems with 2G. First, it uses weak encryption between the tower and device that can be cracked in real time by an attacker to intercept calls or text messages. In fact, the attacker can do this passively without ever transmitting a single packet,” EFF notes. “The second problem with 2G is that there is no authentication of the tower to the phone, which means that anyone can seamlessly impersonate a real 2G tower and a phone using the 2G protocol will never be the wiser.” Also known as IMSI (international mobile subscriber identity) catchers, the ability to spoof base stations has been used by law enforcement and others worldwide to intercept mobile phone traffic and location data by forcing devices with 2G modems to connect to the 2G surveillance devices. While newer standards like 3G, 4G and 5G are designed to protect against this attack, newer IMSI catchers can be used in so-called downgrade attacks, since mobile modems still support 2G.

    “This makes every user vulnerable – from journalists and activists to medical professionals, government officials, and even law enforcement,” the EFF warns. The new setting to disable 2G is available on newer Android phones. On the Google Pixel it can be changed via Settings > Network & Internet > SIMs > Allow 2G, where there is an option to disable 2G. However, 2G is enabled by default to support emergency calls, so users must manually toggle it off. The new setting may not be available on older Android devices and is only available on newer Samsung phones under a different setting. As Ars Technica reported, Google introduced the 2G disable option in Android 12, but since it implemented it in the radio hardware abstraction layer (HAL), it’s only available on Android devices that implemented that version of the radio HAL. HALs sit between Android and the hardware driver and don’t get updated frequently. Google explains in the Android 12 release notes that the toggle to disable 2G is part of the Radio 1.6 HAL and that, while the toggle is enabled by default, carriers can disable the feature at runtime. “Device manufacturers must ensure that all networks are available during emergency calling,” Google adds. While operators in North America, South Korea, Japan and Taiwan have already turned off 2G networks, many networks in Europe will support 2G through to 2025 and in some cases even after switching off 3G, according to cellular IoT firm EMnify. EFF is calling on Google, Apple and Samsung to improve availability of options to disable 2G at the user’s end. “We are very pleased with the steps that Google has taken here to protect users from vulnerabilities in 2G, and though there is a lot more work to be done, this will ensure that many people can finally receive a basic level of protection,” EFF says. “We strongly encourage Google, Apple, and Samsung to invest more resources into radio security so they can better protect smartphone owners.”


  •

    DHL, Microsoft, WhatsApp top phishing list of most imitated brands


    DHL took over the top spot of Check Point Research’s list of the most imitated brands among cybercriminals this year, surpassing Microsoft and Google as the brand used most often in phishing emails and scams. The company’s Q4 Brand Phishing Report for 2021 ranks the top 10 most imitated brands in October, November and December. Researchers at Check Point found DHL’s brand used in 23% of all phishing attacks they saw globally. Microsoft was second at 20%, while WhatsApp came in at 11% and Google appeared in 10%.
    Image: the fraudulent login page requesting credentials (left) beside a real DHL login page (right). Credit: Check Point Research
    The rest of the list includes LinkedIn, Amazon, FedEx, Roblox, PayPal and Apple. Omer Dembinsky, data research group manager at Check Point Software, said it is important to remember that cybercriminals are opportunists and will often take advantage of consumer trends by imitating popular brands. “This quarter, for the first time, we’ve seen global logistics company DHL top the rankings as the most likely brand to be imitated, presumably to capitalize on the soaring number of new and potentially vulnerable online shoppers during the year’s busiest retail period,” Dembinsky said. “Older users in particular, who are less likely to be as technologically savvy as younger generations, will be shopping online for the first time and might not know what to look for when it comes to things like delivery confirmation emails or tracking updates. Furthermore, the rise in COVID cases has people relying on the shipping service more, and cybercriminals are likely trying to capitalize on people choosing to stay indoors more.” The researchers also found that social media platforms were being spoofed more often as well, with sites like LinkedIn moving from 8th position to 5th compared to Q3 and now accounting for 8% of all phishing-related attacks. WhatsApp moved from 6th to 3rd.
    Image: Check Point Research
    “That social media would continue to be heavily targeted by bad actors looking to take advantage of those leaning more heavily on channels like WhatsApp, Facebook and LinkedIn as a result of remote working and other fallouts from the pandemic,” Dembinsky explained. 

    “Unfortunately, there’s only so much brands like DHL, Microsoft and WhatsApp — which represent the top 3 most imitated brands in Q4 — can do to combat phishing attempts. It’s all too easy for the human element to overlook things like misspelt domains, typos, incorrect dates or other suspicious details, and that’s what opens the door to further damage. We’d urge all users to be very mindful of these details when dealing with the likes of DHL in the coming months.”

  •

    For security alone, we could try paying open source projects properly

    It’s been an interesting couple of weeks at the intersection of Open Source Avenue and Cybersecurity Way, first with the situation around Log4j, and then this week a JavaScript developer had enough and went rogue.

    Excuse me while I clutch this set of pearls very tightly as the term “open source vulnerability” is used, because where governments seem to think there is a pressing cyber issue, it is more often one of finances. Particularly for a one-person project, creating under an open source licence is great when starting out: the project is barely noticed, and your users and fellow developers can help make the software better. But when multinationals and governments freeload from it, I have some sympathy for a developer who decides that supporting Fortune 500 companies for free is a bridge too far. While the methodology of injecting an infinite loop and zalgo text might have been cooked, what decent-sized organisation was pulling down and executing code without either inspecting it or running it in a test environment first? It sucks that a number of Node.js apps fell over, but thankfully it wasn’t doing anything malicious. Affected organisations should consider this a free cyber and software supply chain checkup, rather than yelling even more at a developer who is done with being yelled at. There’s a reason XKCD 2347 has received a bigger workout than usual in recent months, and it is because it exposes the truth of the matter. “I worked for the Linux Foundation on the Core Infrastructure Initiative supporting OpenSSL and other projects,” says one comment on the relevant Explain XKCD page.

    “The one that scared me was Expat the XML parser maintained by two people on alternate Sunday afternoons assuming no other distractions. We did get funding for a test suite.” I have little reason to doubt this comment, because this is how the stacks that power the modern internet actually work. Deep in each stack is a weekend dependency. While the tech giants rake in billions each quarter, somewhere there is a well-used library that doesn’t receive a penny from these titans of industry. It’s not illegal, but it is a bit rich on the companies’ part to take advantage of free labour like this. At this juncture, I thought an analogy about a car manufacturer using volunteer labour to make car parts would be apt, but then realised that with all those car entertainment systems, there’s got to be some open source libraries or applications in there somewhere. Such is the world of the 2020s. Last week, the debate reached the point where it was labelled a “national security concern” in the US, and Google and IBM wanted a list of critical open source projects. While both companies have been among the best corporate supporters and funders of open source, that list really should be put straight into their respective accounting systems and sufficient payments made each month. Unfortunately, the times at the intersection of Open Source Avenue and Cybersecurity Way have a sense of repetition. It was almost eight years ago, during the Heartbleed flaw, that OpenSSL said it was time for major users to stump up and help fund projects. At the time, OpenSSL had one full-time employee, and an outpouring of donations in the week afterwards had netted a mere $9,000. “It takes nerves of steel to work for many years on hundreds of thousands of lines of very complex code, with every line of code you touch visible to the world, knowing that code is used by banks, firewalls, weapons systems, web sites, smartphones, industry, government, everywhere. Knowing that you’ll be ignored and unappreciated until something goes wrong,” OpenSSL Software Foundation president Steve Marquess said. “The combination of the personality to handle that kind of pressure with the relevant technical skills and experience to effectively work on such software is a rare commodity, and those who have it are likely to already be a valued, well-rewarded, and jealously guarded resource of some company or worthy cause.” OpenSSL would eventually get some funding from the Core Infrastructure Initiative, which would be superseded by the Open Source Security Foundation, but I doubt either of those two organisations would have considered a Node.js module or a Java logging framework as critical infrastructure worthy of funding and auditing. Funding needs to go beyond just the term “critical” and move more towards “widely used but underfunded”, because with the right vulnerability, suddenly any previously innocuous piece of software can become critical.
    ZDNET’S MONDAY MORNING OPENER: The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet’s global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.

  •

    Microsoft says 'destructive malware' being used against Ukrainian organizations

    Microsoft said it has discovered destructive malware being used to corrupt the systems of multiple organizations in Ukraine. In a blog post published on Saturday, Microsoft Threat Intelligence Center (MSTIC) said it first discovered the ransomware-like malware on January 13. The news comes days after more than 70 Ukrainian government websites were defaced by groups allegedly associated with Russian secret services. But Microsoft said it “has not found any notable associations” between the malware it found and the website attacks that occurred last week. “MSTIC assesses that the malware, which is designed to look like ransomware but lacking a ransom recovery mechanism, is intended to be destructive and designed to render targeted devices inoperable rather than to obtain a ransom,” Microsoft explained.

    “At present and based on Microsoft visibility, our investigation teams have identified the malware on dozens of impacted systems and that number could grow as our investigation continues. These systems span multiple government, non-profit, and information technology organizations, all based in Ukraine. We do not know the current stage of this attacker’s operational cycle or how many other victim organizations may exist in Ukraine or other geographic locations. However, it is unlikely these impacted systems represent the full scope of impact as other organizations are reporting.” Microsoft added that it is still unclear what the purpose of the malware is, but said all Ukrainian government agencies, non-profits and companies should be on the lookout for it. Microsoft said the activity initially appeared to be possible Master Boot Record (MBR) wiper activity and called the malware’s capabilities “unique.” The malware executes via Impacket and overwrites the MBR on a system with a ransom note demanding $10,000 in Bitcoin. Once a device powers down, the malware executes, and Microsoft said it was “atypical” for cybercriminal ransomware to overwrite the MBR.

    Even though a ransom note is included, it is a ruse, according to Microsoft’s analysis. The malware locates files in certain directories with dozens of the most common file extensions and overwrites the contents with a fixed number of 0xCC bytes. After overwriting the contents, the destructor renames each file with a seemingly random four-byte extension, Microsoft explained. Microsoft said this kind of attack is “inconsistent with cybercriminal ransomware activity” they have observed because typically, ransomware payloads are customized for each victim. “In this case, the same ransom payload was observed at multiple victims. Virtually all ransomware encrypts the contents of files on the filesystem. The malware in this case overwrites the MBR with no mechanism for recovery. Explicit payment amounts and cryptocurrency wallet addresses are rarely specified in modern criminal ransom notes, but were specified by DEV-0586,” Microsoft explained. “The same Bitcoin wallet address has been observed across all DEV-0586 intrusions and at the time of analysis, the only activity was a small transfer on January 14. It is rare for the communication method to be only a Tox ID, an identifier for use with the Tox encrypted messaging protocol. Typically, there are websites with support forums or multiple methods of contact (including email) to make it easy for the victim to successfully make contact. Most criminal ransom notes include a custom ID that a victim is instructed to send in their communications to the attackers. This is an important part of the process where the custom ID maps on the backend of the ransomware operation to a victim-specific decryption key. The ransom note in this case does not include a custom ID.” Microsoft added that it was in the process of creating detections for the malware and provided a slate of security recommendations for organizations that may have been targeted.
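A defender-side check for the two file-level traces described above, written as an added example for this page (it is not Microsoft's detection logic and not code from the report or from ZDNet): it walks a directory tree, flags files whose contents are nothing but 0xCC filler and files carrying an unfamiliar four-character extension, and builds a small constructed sample tree to run against. The allow-list of ordinary four-letter extensions, the 1 MiB read cap, the assumption that a wiped file is entirely 0xCC, and the sample file names are this script's own assumptions, not values from the article.

```python
"""Scan a directory tree for the two traces the article attributes to the
wiper: file contents replaced by 0xCC filler bytes, and files renamed to a
random-looking four-character extension.

Added example for this page, not Microsoft's or ZDNet's code. Assumptions:
only the first MiB of each file is inspected, a wiped file is taken to be
entirely 0xCC, and KNOWN_EXTENSIONS is a constructed allow-list that a real
deployment would extend from its own file inventory.
"""
import os
import tempfile

FILLER_BYTE = 0xCC
MAX_INSPECT = 1024 * 1024  # assumption: inspect at most 1 MiB per file

# Constructed allow-list of ordinary four-letter extensions so that normal
# files such as index.html are not mistaken for renamed victims.
KNOWN_EXTENSIONS = frozenset({
    "html", "json", "docx", "xlsx", "pptx", "jpeg", "webp", "yaml",
})


def is_wiped(path, max_inspect=MAX_INSPECT):
    """True if the file is non-empty and every inspected byte is 0xCC."""
    try:
        with open(path, "rb") as fh:
            data = fh.read(max_inspect)
    except OSError:
        return False  # unreadable files are a separate finding, not a wipe
    return bool(data) and data == bytes([FILLER_BYTE]) * len(data)


def has_unfamiliar_extension(path):
    """True if the name ends in a four-character alphanumeric extension that
    is not on the allow-list (the 'seemingly random four-byte extension'
    pattern from the article)."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    return len(ext) == 4 and ext.isalnum() and ext not in KNOWN_EXTENSIONS


def scan(root):
    """Return {relative_path: (wiped, renamed)} for every file under root
    that trips at least one of the two checks."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            wiped = is_wiped(full)
            renamed = has_unfamiliar_extension(full)
            if wiped or renamed:
                findings[os.path.relpath(full, root)] = (wiped, renamed)
    return findings


def build_sample_tree():
    """Create a constructed sample directory: one wiped and renamed file,
    one wiped file that kept its name, and two untouched files."""
    root = tempfile.mkdtemp(prefix="wiper-demo-")
    samples = {
        "budget.q7xk": bytes([FILLER_BYTE]) * 4096,      # wiped + renamed
        "notes.txt": bytes([FILLER_BYTE]) * 512,         # wiped, name kept
        "index.html": b"<html><body>ok</body></html>",   # clean, 4-char ext
        "readme.txt": b"nothing to see here\n",          # clean
    }
    for name, content in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for rel, (wiped, renamed) in sorted(scan(demo_root).items()):
        print(f"{rel}: wiped={wiped} renamed={renamed}")
```

Running the script on the constructed tree reports budget.q7xk as both wiped and renamed and notes.txt as wiped only, while index.html passes because "html" is on the allow-list. Against a real share the scan should be pointed at the directories the report names, and the allow-list populated from an inventory taken before the incident.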
    Rick Holland, CISO at Digital Shadows, told ZDNet that while Microsoft doesn’t attribute the activity to Russia, it isn’t a substantial analytical stretch to associate these malicious actions with Russian interests. The ransomware ruse, he said, gives the threat actor a thin veneer of plausible deniability, but as Microsoft states, the full scope of the campaign isn’t clear. “Destructive ransomware won’t be the only option available to the attacker. If you look back at 3rd party attacks like last year’s SolarWinds, you could see similar-style campaigns where malicious actors have spent years undetected on Ukrainian victim networks,” Holland said. “This activity isn’t unprecedented; it is a part of Russian doctrine. Whether Russia encourages other actors or directs cyber operations themselves, Russia seeks to disrupt government and private institutions of their geopolitical opponents. We have seen similar playbooks in the 2007 denial of service attacks against Estonia, the cyber-attacks during the 2014 Crimea annexation, and the destructive malware used in the Petya and MeDoc attacks against Ukraine in 2017.” Holland noted that the recovery process with destructive malware is challenging and can often depend on the security controls that were in place before the attack. He estimated it could take days to weeks for affected organizations to recover, explaining that it took more than a week for Saudi Aramco to recover from Shamoon in 2012 and months for organizations to recover from NotPetya. Netenrich’s John Bambenek echoed Holland’s remarks, telling ZDNet that Russia has previously used ransomware as a cover for destructive attacks in the past. “Russia’s typical ploy is to leave just enough ambiguity to claim in public that it wasn’t them but to leave enough fingerprints so everyone in the room knows it’s them to project a deterrent on other countries in the region. Recovery depends on each entity but Ukraine has a long history of responding to and recovering from sabotage attacks from Russia,” Bambenek said. “MBR and other wipers are fairly common. We haven’t seen much in recent years but the tool has always been in the tool chest when the mission is sabotage.”

  •

    Moscow court charges 8 alleged REvil ransomware hackers

    Eight people allegedly involved in the REvil ransomware gang were hit with charges by a court in Moscow on Saturday, according to the Russian News Agency (TASS). The eight were arrested as part of a larger raid by Russia’s Federal Security Service (FSB) and the Ministry of Internal Affairs of Russia on 25 different locations across Moscow, St. Petersburg and Lipetsk on Friday. TASS reported that on Saturday, Moscow’s Tverskoi Court charged the men with violating Part 2 of Article 187 of Russia’s Criminal Code, which covers the “illegal circulation of payments.” The men are facing up to seven years in prison and a fine of about $13,150. “At present, materials are either incoming or have already been examined with regard to Roman Muromsky, Andrey Bessonov and also the following individuals: Golovachuk M.A., Zayets A.N., Khansvyarov R.A., Korotayev D.V., Puzyrevsky D.D. and Malozemov A.V. Overall, the court has materials on eight individuals,” the court said. Muromsky and Bessonov were initially named by Russian news outlets as members of the group, and video emerged online of the two in court. The FSB said it moved forward with the raid after receiving information about REvil’s alleged leader and other members of the group from US authorities. The FSB said in a statement that 20 luxury cars, 426 million rubles, $600,000 and €500,000 were seized during the raids. Police also took computer equipment and gained access to several crypto wallets.


    The Russian news outlet called REvil “one of the world’s most prominent cybercrime groups,” noting that they have attacked the state government of Texas, companies like Apple and dozens of other organizations. According to the US Department of Justice, in addition to the headlining attacks on Kaseya and JBS, REvil is responsible for deploying its ransomware on more than 175,000 computers. The group allegedly brought in at least $200 million from ransoms. On Friday evening, White House officials told reporters that the person behind the ransomware attack on Colonial Pipeline last year was arrested as part of the raid but did not reveal the person’s name. While the attack on Colonial Pipeline — which caused a week of gas shortages along the East Coast of the US — was attributed to the DarkSide ransomware group, experts said those involved were closely associated with REvil. Recorded Future ransomware expert Allan Liska told ZDNet that there are multiple connections between REvil and DarkSide, which shuttered its operations shortly after the headline-grabbing attack on Colonial Pipeline and reconstituted under the name “BlackMatter.” “First, we think the user Darksup, who was the main organizer of the DarkSide ransomware, started out as an affiliate of REvil. Secondly, there is a lot of code overlap between DarkSide and REvil ransomware. Flashpoint did a good analysis of that,” Liska said. “Finally, after the Colonial Pipeline attack, when DarkSide went into hiding, Unknown (the spokesperson for REvil) was speaking on DarkSide’s behalf on the underground forums.” There has been significant debate about why Russian authorities finally decided to detain members of the REvil ransomware group after US officials spent months pressing the country for help. Digital Shadows’ Chris Morgan told ZDNet that some people on Russian cybercriminal forums said the arrests were part of a larger “political game” between the US and Russia, which has faced backlash in recent weeks for its threatening actions toward Ukraine. “It’s possible that the FSB raided REvil knowing that the group were high on the priority list for the US, while considering that their removal would have a small impact on the current ransomware landscape. These arrests could also have served a secondary purpose, as a warning to other ransomware groups,” Morgan explained. “REvil made international news last year in its targeting of organizations such as JBS and Kaseya, which were high profile and impactful attacks; a very public series of raids could be interpreted by some as a message to be mindful of their targeting.”

  •

    Ukraine says more than 70 government websites were defaced, 10 were subjected to 'unauthorized interference'

    Ukrainian law enforcement agencies said more than 70 state websites were attacked on Friday and accused hacker groups associated with Russian secret services of potentially being behind the incident. The attack, which Ukrainian officials initially called “massive,” took down several government websites in Ukraine, including those for the Ukrainian Foreign Ministry and the Ministry of Education and Science. In a statement, the Security Service of Ukraine, State Special Service and Cyber Police said 10 of the government websites “were subjected to unauthorized interference.” Ukrainian news outlet Ukrinform said the websites for the country’s energy, treasury, environment, veterans, and state emergency service departments were defaced. The agencies said the content on the sites was not changed and no personal data was taken during the incident, despite the claims made by the hackers. “Our specialists, together with the administrators of ministries and departments, have restored the work of most web resources. Also at the initiative of the SBU, a number of critical state resources were cut off, including public services portal Action, to localize the technical problem and to prevent the spread of the attack. The mobile application Action worked and works in a regular mode,” the statement said. “At the same time, the report that hackers exploited a specific vulnerability of the content management system that appeared in the media during the day was just one of the versions that was being worked out. Now, at the end of the day, we can say with high probability that there was a so-called supply chain attack, among others. The attackers hacked the infrastructure of a commercial company that had access to the rights to administer the web resources affected by the attack.” Law enforcement officials in the country are still in the process of investigating the incident and collecting evidence, noting that their investigation will continue through the weekend. The Ukrainian CERT released its own message saying the attack may have been related to a vulnerability in a content management system (CMS) that was discovered last year.

    The incident — which took place as Russia threatens to invade Ukraine — caused significant outrage across Europe but led some to question whether the concern over the attack was warranted, considering the lack of tangible damage done. Cybersecurity expert and journalist Kim Zetter, one of the first to notice the attack, said “it helps the perpetrator of the attack spread fear and their misinformation campaign when people make more out of an attack than it merits.” Other experts said even calling the incident an “attack” was an exaggeration. But despite the criticisms, foreign ministers across Europe released statements condemning the incident and pledging support for Ukraine, including officials from Belgium, Bulgaria, Latvia, Denmark, Lithuania, Poland, Norway and Romania. NATO secretary general Jens Stoltenberg said cyber experts in Brussels were sharing information with Ukrainian officials and others were supporting Ukraine “on the ground.” “In the coming days, NATO and Ukraine will sign an agreement on enhanced cyber cooperation, including Ukrainian access to NATO’s malware information sharing platform. NATO’s strong political and practical support for Ukraine will continue,” Stoltenberg said. In addition to the website defacements, Ukraine’s largest gas retailer also reported a cyberattack, although it is unclear if the two were tied together. Oleg Nykonorov, CEO of РГК, wrote on Facebook that they too were attacked but said it was stopped before any damage could be done.

  •

    Russian authorities take down REvil ransomware gang

    Suspected members of the cyber criminal REvil ransomware gang have been detained and the group has been dismantled following raids by Russia’s Federal Security Service (FSB), Moscow has said. Joint action by the FSB and the Ministry of Internal Affairs of Russia was taken at 25 properties across several regions of Russia, including Moscow, St. Petersburg and Lipetsk, linked to 14 members of the REvil ransomware group. According to a statement from the FSB, several members of REvil have been detained and charged. Computer equipment has been seized along with cryptocurrency and crypto wallets, as well as over 426 million rubles, $600,000 and €500,000. It said 20 luxury cars bought with money obtained from ransomware attacks have also been seized. The raids took place following requests from the United States, which has been a major victim of ransomware attacks by REvil. Previous action has been taken against REvil, including suspected members being arrested in Romania and Ukraine, but the raids by the FSB are the first time Russian authorities have taken action against the group. One of the most significant alleged REvil attacks targeted Kaseya, an IT solutions developer for MSPs and enterprise clients. REvil was also accused of being responsible for a major ransomware attack against food supplier JBS, which paid $11 million in Bitcoin to the attackers in exchange for the key required to decrypt the network.

    Last year, the United States and other G7 countries warned Russia that it needed to take responsibility for ransomware and other cyber criminal groups operating within its borders. Ransomware has become one of the biggest cybersecurity issues facing the world today, with attacks against every sector resulting in disruption. High-profile incidents have seen hospitals and healthcare services, energy suppliers and local governments hit with ransomware attacks, preventing people from being able to access vital services they need.