    This company was hit by ransomware. Here's what they did next, and why they didn't pay up

    It started out as a normal Thursday for Tony Mendoza, senior IT director at Spectra Logic, a data storage company based in Boulder, Colorado. And then the ransomware attack began. “We got some notifications of some system failings and it quickly turned into a lot of unrelated systems failing, which is really abnormal,” says Mendoza. He realised that the company was under attack – and that its files were being encrypted.

“When it hit, we ran to our server room and data centre and started pulling plugs out so it couldn’t propagate itself – which brought our entire infrastructure down,” he says.

In total, three-quarters of the production environment was compromised by the ransomware. The attackers left a ransom note demanding a payment of $3.6 million in bitcoin in exchange for the decryption key.

“Figuring out what it was was fairly simple, because they tell you who they are, and they tell you where to send the money. It was NetWalker because it said so in the ransomware letter,” explains Mendoza.

Another problem: the attack came in May 2020, when many employees had just started working remotely because of the COVID-19 outbreak, so there was no easy way to tell people outside the building what was going on.

Despite that, the IT team had to assess the damage and work out what the options were for getting the data back – if that was going to be possible at all. There was some hope: the company had backups, which were separate from the rest of the network and untouched by the incident.

“We’re still under attack, we’re still trying to stop the bleeding, we still don’t know what the extent of the damage was – but we knew we had data to work with,” says Mendoza.

Every organisation that falls victim to a ransomware attack ultimately has to face one major question: do they give in to the ransom demand in order to retrieve their data? Cybersecurity companies and law enforcement agencies around the world argue against giving in to ransomware extortion, because not only does it hand hundreds of thousands or even millions of dollars in bitcoin to criminals, it proves that the attacks work, which encourages attackers to continue their campaigns.

However, some victims feel they have no choice and pay, perceiving it to be the quickest and easiest way to get their data back and the network up and running – although that isn’t without problems. There are cases where attackers have taken the money and run, or taken the ransom and then returned with a second attack.

Spectra Logic had cyber insurance, which could potentially have covered the cost of the ransom. That might have been the simpler short-term decision for restoring the network, but with the backups still available, the company quickly decided it wouldn’t give in to the demand. So instead of communicating with the criminals at all, Mendoza contacted the FBI.

“I went from being in a panic to being reassured by them that they’d seen it before, we’re not alone in this and they’re going to put tools in place to start protecting us. That was the biggest thing, getting protected,” he explained.
The FBI also assigned a specialist team to help Spectra Logic deal with the immediate fallout over the days that followed. Restoring the network turned out to be a 24/7 job for the small team over the following week; for much of that time, people slept at the office to have as much time as possible to focus on recovery.

“From the Thursday morning, we spent 24 hours every day for the next five days working on this – we slept in shifts. Three of us would work through the night while two people slept for a few hours,” said Mendoza. “There was no leaving and coming back, it was go sleep on the couch in case we need you. It was five days of all hands on deck.”

As well as this, he had to keep the board updated on the situation. They wanted answers about when the network would be restored and when business would be back to normal.

“I’m dealing with leadership in the company and I don’t want to lie to them and say I know when it’ll be up – I had to tell them I don’t know what’s going on or when systems will be up,” he says.

It took days of working around the clock, but eventually the IT department, with the aid of cybersecurity specialists, was able to restore some functionality to the network a week after the attack, without paying the attackers.

“Our cybersecurity team provided us with the expertise and tools, monitoring and logging to get the threat out of our system. Monday morning they give us a green light; it’s done, they’ve stopped it and removed it,” Mendoza remembers.

“The FBI told us we’re going the hard way, but the right way – and it ended up being the easy way when we came back and said we were back up eight days later; it was shocking for them,” he added.

That didn’t mean everything was immediately back to normal. It took weeks more to bring back systems that weren’t critical to the business, and throughout that period the team had to make sure the attackers hadn’t found a way to spread the ransomware again, which meant monitoring all activity on the network for another month.

A lot of ransomware attacks never become public knowledge, and companies that go into detail about what happened are still few and far between. But Mendoza says it’s important to be transparent about dealing with an attack, to show that it is possible to recover without lining the pockets of cyber criminals.

“What we realised was we protected our data and there’s a way to thwart ransomware. We couldn’t find public information when we were looking for it, so we wanted to make it a common thing, that it’s okay to talk about being impacted by ransomware,” he said.

So what is the key lesson Mendoza says other organisations should take away from Spectra Logic’s experience?
Back up your systems, and keep a copy offline, so that if the worst happens and the production environment falls, the backups survive.

“You’ve got to limit your attack blast radius. Back up your data in multiple locations on multiple mediums and the key is to air-gap it. Whether it’s physical air-gap or virtual air-gap, you’ve got to put a wall between an attack and your data,” he said.

And how did the company fall victim in the first place? Analysis of the incident found that a phishing email sent to an employee working from home gave the attackers their initial access to the network.

In the aftermath, Spectra Logic has worked to improve its security culture, both on-site and for remote workers, and is now actively looking for threats that might have been missed before.

“Initially after the attack, when the wounds were fresh, we talked about security. Six months later, we’re still concerned about security and we’re more aware of phishing attacks. We were kind of complacent before,” he says. Staff now notify him when a phishing email gets past the anti-malware filtering. “There’s more awareness now.”
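One concrete form of the check implied above: knowing that the offline copy is actually intact before you restore from it. The following script is an added example (not Spectra Logic’s tooling or anything from the article). It assumes a manifest of SHA-256 digests was written when the backup was taken and stored with the offline copy; the backup files and the simulated damage in demo() are constructed for illustration.

```python
"""Verify an offline backup copy against the manifest taken when it was made.

Added example, not Spectra Logic's own tooling. It assumes a manifest of
"sha256  relative/path" lines was written at backup time and kept with the
offline copy. Verification reports files that are missing, modified or
unexpected, and flags modified or unexpected files whose bytes look encrypted
(near-maximal Shannon entropy), which is what ransomware leaves behind when it
reaches a copy that was supposed to be out of its reach.
"""
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def write_manifest(root: Path, manifest: Path) -> int:
    """Record the digest of every regular file under root; returns the file count."""
    lines = [
        f"{sha256_file(p)}  {p.relative_to(root).as_posix()}"
        for p in sorted(root.rglob("*")) if p.is_file()
    ]
    manifest.write_text("\n".join(lines) + "\n")
    return len(lines)


def verify_backup(root: Path, manifest: Path, entropy_threshold: float = 7.5) -> dict:
    """Compare the files under root with the manifest."""
    expected = {}
    for line in manifest.read_text().splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)
            expected[rel] = digest
    result = {"ok": [], "modified": [], "missing": [], "unexpected": [], "high_entropy": []}
    for rel, digest in expected.items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) == digest:
            result["ok"].append(rel)
        else:
            result["modified"].append(rel)
    present = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    result["unexpected"] = sorted(present - set(expected))
    # Entropy is a second signal: a modified or new file full of ciphertext
    # scores near 8 bits/byte, while edited text or logs score far lower.
    for rel in result["modified"] + result["unexpected"]:
        if shannon_entropy((root / rel).read_bytes()) >= entropy_threshold:
            result["high_entropy"].append(rel)
    return result


def pseudo_ciphertext(n: int, seed: bytes = b"constructed") -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted file content."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


def demo() -> dict:
    """Constructed scenario: manifest a small backup, then simulate ransomware touching it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        files = {
            "db/orders.sql": b"INSERT INTO orders VALUES (1, 'tape library');\n" * 50,
            "docs/readme.txt": b"Restore procedure: mount the offline copy read-only first.\n" * 20,
            "logs/app.log": b"2020-05-07 09:12:01 INFO service started\n" * 30,
        }
        for rel, content in files.items():
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(content)
        manifest = Path(tmp) / "backup.manifest"
        write_manifest(root, manifest)

        # Simulated damage: one file overwritten in place, one overwritten and
        # renamed so its original name disappears; the log is left alone.
        (root / "docs/readme.txt").write_bytes(pseudo_ciphertext(4096))
        (root / "db/orders.sql").write_bytes(pseudo_ciphertext(4096, b"other"))
        (root / "db/orders.sql").rename(root / "db/orders.sql.locked")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    for key, paths in demo().items():
        print(f"{key}: {paths}")
```

The digest check is the authoritative signal; the entropy check only helps triage, since a renamed file with a new extension shows up as one missing entry plus one unexpected entry, and the entropy of the unexpected file tells you whether it is the original content under a new name or ciphertext.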

    University students refunded for false ads touting job opportunities with Microsoft, Twitter

    The Federal Trade Commission (FTC) has sent millions of dollars in refunds to students affected by allegedly false University of Phoenix ads claiming partnerships with major tech firms. 

According to the US regulator, the University of Phoenix (UOP), an online university, “falsely touted its relationships and job opportunities with companies such as AT&T, Yahoo!, Microsoft, Twitter, Adobe, and the American Red Cross” in allegedly “deceptive” advertisements. Furthermore, the FTC alleges that UOP, together with parent company Apollo Education Group, claimed its curricula were tailored with these partnerships in mind to give students a better chance of securing a job with one of those companies.

According to the FTC, some ads specifically targeted “military and Hispanic consumers,” including veterans and military spouses.

“In reality, these companies did not partner with UOP to provide special job opportunities for UOP students or develop curriculum,” the FTC claims. “Instead, UOP and Apollo selected these companies for their advertisements as part of a marketing strategy to drive prospective student interest.”

So far, over 147,000 students have been sent close to $50 million in refunds. Students enrolled in bachelor’s, master’s, or associate’s degrees between October 15, 2012, and December 31, 2016, could be eligible to claim if they paid more than $5,000 in fees and did not receive debt cancellation under the FTC’s prior settlement with UOP.

The settlement, agreed at $191 million in total, includes close to $141 million to clear unpaid balances owed by students eligible to have their debts cancelled as a result of the action. UOP and the FTC originally settled the allegations in 2019; the university was required to pay $50 million in cash, which is now on its way to students, as well as wipe existing student debt.

ZDNet has reached out to UOP and will update when we hear back.

    'Like playing whack-a-mole': Do cyber-crime crackdowns have any real impact?

Dark web takedowns and arrests are a crucial part of fighting cybercrime, but when one marketplace or malware operation is disrupted by law enforcement, another is always likely to take its place.

Emotet, one of the most prolific and most dangerous forms of malware – which served as a means for cyber criminals to deliver ransomware and other attacks – was disrupted in a police operation earlier this year.

And while the disruption of such a big player in the malware space inevitably has an impact on cybercrime, it doesn’t just disappear: criminals find new means of carrying out malicious activity online.

“I’m a big geek for Jurassic Park, and there’s a famous line that Jeff Goldblum says: ‘Life finds a way,’” Rick Holland, CISO at Digital Shadows, told ZDNet Security Update. “When I think about cyber-criminal takedowns – Emotet and others – there’s a long history of this as well; cybercrime finds a way. One set of operators gets arrested, goes to jail, but someone will fill their spot. It’s just like water flowing and it’s going to find a way.”

In the case of the Emotet disruption, cyber criminals have quickly shifted to Trickbot and other trojans as a means of gaining access to networks – either to deploy their own malware, or to lease out the backdoor for others to plant their own malware or ransomware.

And that’s despite an attempted takedown of Trickbot by a coalition of cybersecurity companies in October. But that doesn’t mean there isn’t a need to fight cybercrime with takedowns and arrests – because even if criminals have to evolve and adapt their tactics, criminal hacking and malware will remain a threat.

“I definitely think we need to continue the law enforcement takedowns, it does have an impact, but it is a whack-a-mole because someone will fill that gap,” said Holland. “There’s definitely some impact on the operators themselves if they go to jail and things like that, but as far as the macro view versus the micro you know it’s going to continue,” he added.

However, when takedowns are successful, there’s a chance that some lower-level cyber criminals will be frightened off by the prospect of going to jail if they’re caught.

“A lot of the bottom feeders, if you will, that are kind of rushing to make money, they’re new to cybercrime, they don’t have as much operational security or experience, so they can be vulnerable just because of a lack of experience that’s there,” said Holland.

    Scaling up on a shoestring while citizen scientists analyse the Great Barrier Reef

    Image: Grumpy Turtle Creative
Due to the large geographical range of the Great Barrier Reef — roughly the same size as Italy — researchers have only collected data regularly from approximately 5-10% of the reef. In a bid to ramp up data collection, conservation organisation Citizens of the Great Barrier Reef launched the Great Barrier Reef census project in November. The project aimed to bring together stakeholders across tourism, including visitors and divers, science, research, and business to help capture large-scale reconnaissance data from across the reef.

Phase one of the project saw over 14,000 images collected of about 170 reefs — double what was originally anticipated — across 680 different sites from the tip of Cape York to the remote southern Swain Reefs. Of those images, approximately 6,000 were submitted by vessels fitted with a Dell device purpose-built to capture images of the reef.

“If you put [the distance travelled] against the side of the US, it would go from above Seattle to below the border of Mexico. That’s the kind of range we’re talking about,” Citizens of the Great Barrier Reef CEO Andy Ridley told ZDNet. “We even found a shipwreck up in the north from the 1840s. That kind of gives you an idea of not only how big the place is, but even now you can find a shipwreck that’s been there for nearly 200 years.”

Those images are now being analysed in real time as part of phase two of the project. Analysing them are what the team describes as “citizen scientists” — everyday people from around the globe — playing their part to support conservation and coral recovery. Users are encouraged to select a reef image and “colour in” where they see key elements, such as coral, sand, and rubble. On average, Citizens receives 1,500 unique visitors a day to its census website, over half from the US, followed by Australia, and then Europe and Asia.

“Through a fairly novel analysis technique, we’re asking people to sort of trace around what they see in the image. We give them categories and say, ‘Is this coral a reef? Does it look like hard coral or soft coral?’ … and we collect polygon data from that,” Citizens of the Great Barrier Reef technologist Som Meaden said. “It helps give us a sense of the makeup of the reef, which is going to help us train a computer vision model to better recognise these types of images.

“Traditional survey imagery is of very close-up one-by-one metre sort of transects. We’re trying to utilise seascape imagery that a tourist or somebody else might take and be able to get meaningful data from that. We’ve essentially baselined against research data, so we have a good sense of what that means.”
    Image: Citizens of the Great Barrier Reef
To date, just over 6,000 analyses have been completed by the public, while half of the uploaded images have also been analysed by researchers. The goal is to have all images analysed by the end of April.

“We’re relying on the general public to help us analyse all of them multiple times over and hopefully combined, that will give us a very good insight into what the images tell us but also how useful citizen science is in this regard,” Meaden said. “As people analyse an image, we’re sort of saying, is this something that’s been analysed by research before, and we can really grade the performance. As we increase trust as each people analyse images, we can build up a pretty good profile of who’s good at it, who’s not, and we can teach them about the reef at the same time.”

Sending up a flare

Helping to keep the census project online is Cloudflare’s Project Galileo, which was established to help not-for-profit organisations and artistic groups fend off cyber attacks pro bono.

“We’re a tiny team … [of] five now. But there’s only one technology person, so there’s only so much we can do … we can run a project like census and have thousands of people hitting it a day, analysing images, and uploading images, and be extremely confident that we’re not going to run into any problems,” Meaden said.

Meaden said that since March, through Project Galileo, the organisation has seen 360GB of data routed via Argo Tunnel with an average response time of 75ms, more than 100 hours of video watched via Stream, 17,000 images secured and served to census participants through Workers, and multiple security events of more than 100 requests blocked by the Cloudflare firewall.

“It’s been very useful [because] all of this has been done on a very insignificant budget,” he said.
    Image: Christian Miller
Ridley emphasised that running a project like the census needs to be scalable and highly efficient, but it cannot “cost loads of money”.

“The endeavour behind Citizens is we’re trying to build a 21st century conservation organisation, so that requires that shared economy approach of how can you scale without needing billions and billions of dollars,” he said. “Although it’s only currently focused on reconnaissance data on reefs, underneath that you’re building infrastructure, so you’re actually building the capacity to do a lot more things across the Great Barrier Reef.

“In theory, if you can get the model right, which includes the technical architecture as well, you can scale that beyond the Great Barrier Reef.”

Citizens of the Great Barrier Reef plans to release the data, methodology, and technology developed through the project as open source at its end.

“Much of the world thinks that [the Great Barrier Reef is] already gone but it really hasn’t; it’s a patchwork. You get some places that are so extraordinary and beautiful that you don’t know whether you should laugh or cry when you come to the surface…. then you get other places that have been hard hit by climate change, by bleaching, by runoffs,” Ridley said. “To be able to get a really broader picture of what’s going on and be able to talk about that, it’s actually very important because if the world thinks it’s gone, there’s not much to fight for.

“Obviously, you’re trying to look at how you can build resilience in a system, like the Great Barrier Reef, but many of the lessons you learn here can be applied all around the globe. What we’re trying to do at Citizens is build stuff that can be scaled and shared around the world.”

There are plans to launch a scaled-up census in October to survey at least 200 reefs on the Great Barrier Reef while testing the infrastructure’s ability to capture reconnaissance data for another habitat, such as seagrass.
Other plans the organisation has its sights set on include trialling the model on reefs such as Ningaloo along the Western Australia coast, or the Coral Triangle, a marine area in the western Pacific Ocean that includes waters of Indonesia, Malaysia, the Philippines, Papua New Guinea, Timor-Leste, and Solomon Islands.

The Great Reef Census project is being delivered in partnership with the Great Barrier Reef Marine Park Authority, the University of Queensland, and the Australian Institute of Marine Science, with support from James Cook University. The project is funded by the partnership between the Australian government’s Reef Trust and the Great Barrier Reef Foundation, the Prior Family Foundation, and the Reef and Rainforest Research Centre.

    Australian Bureau of Statistics 'on track' to avoid Censusfail 2.0 come August 10

The Australian Bureau of Statistics (ABS) has a little over four months to complete preparations for the 2021 Census, and hopes to avoid the embarrassment that plagued the agency nearly five years ago.

The 2021 Census will be built on the Amazon Web Services cloud through a contract awarded to PwC Australia. The change of approach is expected to prevent a repeat of 2016, when the ABS experienced a series of small distributed denial-of-service (DDoS) attacks, suffered a hardware router failure, and baulked at a false-positive report of data being exfiltrated, which resulted in the Census website being shut down and citizens being unable to complete their online submissions. That Census ran on on-premises infrastructure procured from IBM.

Facing Senate Estimates on Wednesday night, Deputy Australian Statistician Teresa Dickinson said preparations for the next Census are well advanced.

“Census day is the 10th of August, and we are on track. In our metrics, where we measure progress against the Census, many of the sub programs of work are ‘green’, there are a few that remain ‘amber’, and the reason is that we still have some testing and defect remediation to do on our technical work,” Dickinson said. “But we are on track to do that, by the time the form goes live.”

In response to the 2016 Census failure, three reviews made 36 recommendations, 29 of which were directed at the ABS and agreed to. The Australian National Audit Office (ANAO) also prepared a report.

“We had a number of reviews … which made quite a number of recommendations. All those recommendations have been actioned,” Dickinson said. “And as part of actioning those recommendations, we’ve done a great deal around cybersecurity.”

She said the ABS has worked very closely with cybersecurity experts in building the completely new system. Further funding, she disclosed, was provided to the Bureau largely to “mitigate cybersecurity risk”.

In November, the ANAO labelled the ABS’s preparation for the 2021 Census “partly effective”. It said generally appropriate frameworks had been established to cover the Census IT systems and data handling, and the procurement of IT suppliers, but that the ABS had not put in place arrangements to ensure improvements to its architecture framework, change management processes, and cybersecurity measures would be implemented ahead of the 2021 Census.

“The ABS has been partly effective in addressing key Census risks, implementing past Census recommendations, and ensuring timely delivery of the 2021 Census,” the auditor added. “Further management attention is required on the implementation and assessment of risk controls.”

Dickinson also confirmed the ABS has over 50 suppliers and partners working on the Census.

    Brazil leads in phishing attacks

    Brazil is a world leader in phishing attacks, with one in five Internet users in the country targeted at least once in 2020, according to research. According to the report on phishing by cybersecurity firm Kaspersky, Brazil tops a list of five countries with the highest rate of users targeted for data theft throughout last year. The other nations cited are Portugal, France, Tunisia and French Guiana.The number of phishing attacks against mobile devices increased by more than 120% between February and March 2020 alone, according to the study. Factors behind the increase in scams include the boost in internet usage and access to services online such as internet and mobile banking and online shopping as a result of social distancing measures, as well as large-scale adoption of remote work and the anxiety around information about the pandemic.

The pandemic was a recurring theme of phishing attacks during 2020, according to the research. Techniques used to obtain online account credentials and bank passwords ranged from websites offering face masks and hand sanitiser at times of scarcity, to bogus registration sites for social assistance programs and, more recently, fraudulent registration pages for the Covid-19 vaccine.

On the other hand, the Kaspersky study noted an improvement in awareness of online security threats among Internet users. Despite the growth in phishing attacks, one measure declined relative to 2019: that year, more than 30% of Brazilians had tried, at least once, to open a link that led to a phishing page, compared to approximately 20% in 2020.

“This demonstrates that campaigns and warnings about this type of scam means that users are more alert – but it does not mean that we do not need to evolve, as the statistics are still very bad”, said Fabio Assolini, senior security analyst at Kaspersky Brazil.

Moreover, the study noted that the percentage of phishing victims in Brazil is above the world average: 20% against a global average of 13%. According to Assolini, the disparity can be explained by the difficulty Internet users in Brazil have in recognising fake emails; 30% of Brazilians can’t tell whether an email is genuine, according to previous research by the firm.

“We need to improve our digital education”, Assolini pointed out. “[Not being able to recognize threats] makes us vulnerable and prone to falling into ‘must-see promotions’ and other online scams.”

    ACSC running scans to find vulnerable Microsoft Exchange servers in Australia

Head of the Australian Cyber Security Centre (ACSC) Abigail Bradshaw has told senators that “tens of organisations” have so far reached out to her agency regarding vulnerable Microsoft Exchange servers.

“We have had feedback from tens of organisations who have spotted the indicators of compromise and whom we’ve assisted,” Bradshaw said. “The fact that people are engaging us on the basis that they’ve identified indicators of compromise is evidence both of the fact that they’ve seen the advice because they’ve run the specific scripts, but also an understanding that they understand and are able to spot for themselves where there are vulnerabilities on their systems.”

Bradshaw’s remarks were in response to senators raising concerns on Wednesday night that around 7,000 servers in Australia were vulnerable to the threat, with 11,000 Australian IPs found to be potentially vulnerable.

“We have also used what we call part of our cyber hygiene improvement program, which has been funded under the Cyber Enhanced Situational Awareness and Response funding, which gives the ACSC capacity to run scans on externally facing internet connections, which has assisted us to observe the number of systems that still require patching, which means that we have some familiarity with the numbers of servers that were identified,” Bradshaw explained.

She said the ACSC has been monitoring those flagged as vulnerable “extraordinarily closely” by running constant scans, and has observed a “very substantial degree of patching”. “And as a consequence, many, many fewer servers, which remain vulnerable since that date,” she said.

The ACSC has also engaged directly with the managing director of Microsoft Australia, Steven Worrall, about the results of its scanning, Bradshaw said. “[We] engage them on how we can assist them to get to any residual Microsoft customers who might be running that particular server,” she added.

Director-General of the Australian Signals Directorate (ASD) Rachel Noble said her organisation was first made aware of the Microsoft Exchange issue on March 3, after which the ACSC sent an email blast to its 63,500 subscribers. The ACSC also wrote directly to 100 Commonwealth government CISOs and a further 50 in state and territory governments.
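As an added example of the kind of external scan Bradshaw describes (this is not the ACSC’s or Microsoft’s code): an Exchange server’s Outlook Web App logon page references static resources under /owa/auth/<build>/, and some OWA responses carry an X-OWA-Version header, so the installed build can be read without authenticating. The PATCHED_BUILDS table holds assumed values for illustration; confirm them against Microsoft’s published Exchange build numbers before use. The hostnames and HTTP responses below are constructed, and nothing here touches the network.

```python
"""Fingerprint an Exchange server's build from its OWA logon page and judge
whether it is at or above a patched build.

Added example, not the ACSC's scanner. Exchange's Outlook Web App logon page
references static resources under /owa/auth/<build>/..., and some responses
carry an X-OWA-Version header; either leaks the installed build. The
PATCHED_BUILDS table is an assumed illustration: confirm every value against
Microsoft's published Exchange build numbers before relying on it. The sample
responses below are constructed, and nothing here touches the network.
"""
import re
from typing import Dict, List, Optional, Tuple

Build = Tuple[int, ...]
BUILD_RE = re.compile(r"/owa/auth/(\d+\.\d+\.\d+\.\d+)/")


def parse_build(text: str) -> Build:
    return tuple(int(part) for part in text.strip().split("."))


def extract_build(headers: Dict[str, str], body: str) -> Optional[Build]:
    """Prefer the X-OWA-Version header; fall back to the static-resource path."""
    for name, value in headers.items():
        if name.lower() == "x-owa-version":
            return parse_build(value)
    match = BUILD_RE.search(body)
    return parse_build(match.group(1)) if match else None


# (cumulative update, first build of that CU carrying the fix). Assumed values
# for illustration; take the real ones from Microsoft's build list.
PATCHED_BUILDS: List[Tuple[str, str]] = [
    ("15.0.1497", "15.0.1497.12"),
    ("15.1.2106", "15.1.2106.13"),
    ("15.1.2176", "15.1.2176.9"),
    ("15.2.721", "15.2.721.13"),
    ("15.2.792", "15.2.792.10"),
]


def assess(build: Optional[Build]) -> str:
    """Compare within the server's own CU line: a patched older CU has a lower
    build number than an unpatched newer CU, so a single global minimum would
    misjudge both."""
    if build is None:
        return "unknown"
    cu = ".".join(str(part) for part in build[:3])
    for base, fixed in PATCHED_BUILDS:
        if base == cu:
            return "patched" if build >= parse_build(fixed) else "vulnerable"
    return "older-cu"  # no fixed build listed for this CU: needs a CU upgrade first


def scan(responses: Dict[str, Tuple[Dict[str, str], str]]) -> Dict[str, Tuple[Optional[str], str]]:
    """Map host -> (build string or None, assessment) for captured OWA responses."""
    out = {}
    for host, (headers, body) in responses.items():
        build = extract_build(headers, body)
        out[host] = (".".join(map(str, build)) if build else None, assess(build))
    return out


# Constructed responses standing in for what an external scan would fetch.
SAMPLE_RESPONSES = {
    "mail-a.example.test": (
        {"Server": "Microsoft-IIS/10.0"},
        '<link rel="shortcut icon" href="/owa/auth/15.1.2176.2/themes/resources/favicon.ico">',
    ),
    "mail-b.example.test": (
        {"Server": "Microsoft-IIS/10.0", "X-OWA-Version": "15.2.792.10"},
        "<html><body>Outlook</body></html>",
    ),
    "mail-c.example.test": (
        {},
        '<script src="/owa/auth/15.1.2044.4/scripts/boot.js"></script>',
    ),
    "mail-d.example.test": ({"Server": "nginx"}, "<html>Welcome</html>"),
}


if __name__ == "__main__":
    for host, (build, verdict) in scan(SAMPLE_RESPONSES).items():
        print(f"{host:22} {build or '-':14} {verdict}")
```

The comparison is done within the server’s own cumulative-update line because a patched older CU carries a lower build number than an unpatched newer CU; a single global minimum build would misclassify both. A host that reports a CU with no fixed build in the table is flagged separately, since it needs a CU upgrade before any security update applies.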

    Facebook says Chinese hackers used its platform in targeted campaign to infect, surveil user devices

    Facebook said it has disrupted a network of hackers tied to China who were attempting to distribute malware via malicious links shared under fake personas. The social network’s cyber espionage investigations team has taken action against the group, disabled their accounts and notified the roughly 500 users who were targeted.

The hackers — believed to be part of the Earth Empusa or Evil Eye groups — were targeting activists, journalists and dissidents, predominantly Uyghurs from Xinjiang in China living abroad in Turkey, Kazakhstan, the US, Syria, Australia, and Canada. Facebook said the highly focused campaign aimed to collect information about these targets by infecting their devices with malicious code for surveillance purposes.

The links shared through Facebook pointed to both legitimate and lookalike news websites, as well as to fake Android app stores. In the case of the news websites, Facebook’s head of cyber espionage investigations Mike Dvilyanski said the hackers compromised legitimate sites frequently visited by their targets, a watering-hole attack intended to infect visitors’ devices with malware. The hackers also created lookalike domains for Turkish news websites and injected malicious code that would infect the target’s device. Similarly, third-party lookalike app stores were built to trick targets into downloading Uyghur-themed apps carrying malicious code that would allow the hackers to exploit the devices they were installed on.

Facebook said the group took steps to conceal its activity by only infecting visitors with iOS malware when they passed certain technical checks, including IP address, operating system, browser, and country and language settings, so that a request which doesn’t match the intended victim profile receives no payload.

On Facebook, the malicious infrastructure was blocked and the accounts were taken down. Facebook said its cyber team first became aware of the hacking efforts in mid-2020, based on an intensification of the activity on its platform; the effort is believed to extend back to 2019.
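The selective delivery Facebook describes is also what makes such pages hard to catch: a request that doesn’t look like the intended victim gets the clean page. The following is an added example (not Facebook’s tooling) of the corresponding check, fetching a page under several client profiles and reporting which ones receive a different body or an extra script. The profile header strings, the constructed_news_site responder and the cdn.example.test URL are all constructed for illustration, and probe() takes the fetch function as a parameter so the block runs offline here.

```python
"""Probe a page under several client profiles to see whether its content is
gated on browser, OS or language, the conditional delivery described above.

Added example, not Facebook's tooling. probe() takes a fetch callable so the
block runs offline against a constructed responder; in real use fetch would
issue the HTTP request with the profile's headers, from an address the target
population would plausibly use, since IP is one of the gating criteria. The
profile header values and the cdn.example.test URL are constructed.
"""
import hashlib
import re
from collections import Counter
from typing import Callable, Dict

Profile = Dict[str, str]  # request headers that distinguish one client from another

IPHONE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 14_4 like Mac OS X) AppleWebKit/605.1.15 Mobile/15E148 Safari/604.1"
PROFILES: Dict[str, Profile] = {
    "desktop-en": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/89.0", "Accept-Language": "en-US,en;q=0.9"},
    "ios-en": {"User-Agent": IPHONE_UA, "Accept-Language": "en-US,en;q=0.9"},
    "ios-tr": {"User-Agent": IPHONE_UA, "Accept-Language": "tr-TR,tr;q=0.9"},
    "android-tr": {"User-Agent": "Mozilla/5.0 (Linux; Android 11) Chrome/89.0 Mobile", "Accept-Language": "tr-TR,tr;q=0.9"},
}

SCRIPT_SRC = re.compile(r'<script[^>]+src="([^"]+)"', re.IGNORECASE)


def normalise(body: str) -> str:
    """Collapse whitespace so layout-only differences do not count as a variant."""
    return re.sub(r"\s+", " ", body).strip()


def probe(fetch: Callable[[Profile], str], profiles: Dict[str, Profile]) -> Dict[str, dict]:
    """Fetch once per profile; report which profiles get a variant body and which
    script URLs only they receive (the majority body is treated as the baseline)."""
    bodies = {name: fetch(headers) for name, headers in profiles.items()}
    digests = {name: hashlib.sha256(normalise(b).encode()).hexdigest() for name, b in bodies.items()}
    baseline = Counter(digests.values()).most_common(1)[0][0]
    scripts = {name: set(SCRIPT_SRC.findall(b)) for name, b in bodies.items()}
    common = set.intersection(*scripts.values())
    return {
        name: {"differs": digests[name] != baseline, "extra_scripts": sorted(scripts[name] - common)}
        for name in profiles
    }


BASE_PAGE = """<html><head><title>Daily news</title>
<script src="/static/site.js"></script></head>
<body><h1>Headlines</h1><p>Story text</p></body></html>"""


def constructed_news_site(headers: Profile) -> str:
    """Stand-in for a compromised site that adds a loader only for iPhone
    visitors whose browser prefers Turkish; everyone else gets the clean page."""
    ua = headers.get("User-Agent", "")
    lang = headers.get("Accept-Language", "")
    if "iPhone" in ua and lang.startswith("tr"):
        return BASE_PAGE.replace("</body>", '<script src="https://cdn.example.test/ui-bundle.js"></script></body>')
    return BASE_PAGE


if __name__ == "__main__":
    for name, finding in probe(constructed_news_site, PROFILES).items():
        print(f"{name:12} differs={finding['differs']!s:5} extra={finding['extra_scripts']}")
```

Treating the majority response as the baseline is a deliberate choice: the gated variant is served to a minority of profiles, and using a fixed profile as the baseline would miss a page that gates on whichever profile you happened to pick. Profiles should be fetched from the same vantage point within a short window so that ordinary A/B or time-based variation isn’t mistaken for gating.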

“Measuring impact and intent can be challenging but we do know even for the small number of users around the world, the consequences [of being hacked] can be very high and that is why the team took this so seriously,” said Nathaniel Gleicher, head of security policy for Facebook. “It’s a small number of targets, under 500 for the entire campaign, but that is only for the aspects that touched Facebook in some way. The majority of what this threat actor has done took place off Facebook.”