More stories


    Firms need better breach response, clear regulatory guidelines

    Organisations today lack a proper framework that will help them respond quickly when they experience a cybersecurity incident. Governments can help by establishing clear guidelines and protocols, but overly restrictive requirements may discourage companies from disclosing that they suffered a breach. As it is, companies are on edge that they may face litigation from customers when a security incident occurs. More were moving to keep things under wraps over concerns about class action lawsuits or any other potential legal action, said Forrester’s senior analyst Jess Burn, who specialises in incident response and crisis management as well as security training.

    Insurance and attorney-client privilege often got in the way of full transparency from these companies, particularly in North America where the society was perceived to be highly litigious, Burn said in a video interview with ZDNet. Organisations would disclose what was required by regulators and park everything else under a dedicated contract that ensured investigations, following a breach, were kept under attorney-client privilege, she said. This meant that any party involved in the investigation could be prevented from disclosing confidential communications between the breached organisation and its lawyers. Burn observed that lawyers increasingly were involved in any communication that companies released with regard to a breach. Reports and documentation on the breach assessment, which organisations might be required to carry out and pay for when they suffered an incident, also would be heavily controlled.

    The complexity of determining and understanding the extent of a breach also further compounded the issue. She explained that some cyber insurance providers would not cover state-sponsored attacks, but defined such breaches so broadly that it would take some effort before attacks were officially attributed. This could drive some organisations to stay silent until they were able to fully ascertain their position before reporting the breach, she said.

    Firms should already know who to call

    Legal issues aside, organisations foremost should have a plan in place to help them navigate quickly when there is a cybersecurity incident. This still is lacking in most companies today. Too many still were parking the bulk of their money on protection, rather than defining how they needed to respond in the event of a security incident, said Richard J. Watson, Asia-Pacific cybersecurity consulting leader at EY Global. The top priority for companies should be to ensure they had a framework on how they should respond to a breach, he said in an interview with ZDNet. This was critical in building up cyber resilience and ensuring network availability, especially as employees worked from home and remotely, he said. Companies simply were not prepared and would attempt to work out how they should respond in the midst of a security incident, said CrowdStrike’s Asia-Pacific Japan services director Mark Goudie. “It’s like a doctor flipping through a manual book while operating on a patient,” Goudie said in an interview. “They haven’t trained and aren’t ready.” Burn concurred, adding that many organisations waited until they were breached to call in the investigators. “The best practice is to have a retainer in place and have some onboarding before a breach happens,” she said.
    “Bring in a company that can assess your readiness and incident response plan, and run through a tabletop exercise to get your team and executives ready.” “The mistake is to wait and call a hotline of some well-known incident response provider for help [after a breach occurs]. It’s too late. You would waste three to five days [which] they [need to] understand your company workflow and systems. You need to establish a relationship with them and an outside attorney, and have them help you rehearse your entire incident response plan,” she noted. Goudie added that having a retainer ensured organisations had access to help when a major vulnerability, such as the recent Log4j, was uncovered. Incident response services providers, for instance, would be inundated with service calls and were likely to prioritise existing customers over new ones that had yet to sign a retainer. In addition, an incident response plan would better enable organisations to identify a threat more quickly, have visibility of the threat, and respond quickly. The goal here was to prevent the security incident from escalating into a data breach, he said, adding that there often was a window during which this could be stopped. Watson noted that while it was easy to detect when there were suspicious activities within the network, it was tougher to determine the severity of a potential breach. He, too, suggested organisations work with an incident response vendor to help them navigate breaches, during which two courses of action needed to happen. Companies first had to work out whether there was any data exfiltration or privacy violation and, hence, decide if the relevant authorities must be notified of the security incident. Affected organisations then had to figure out the type of breach that occurred and potentially prepare for data preservation, he said. This could impact the speed of response since it was essential that evidence and diagnostics data be preserved.

    Companies that failed to properly prepare or have a well-defined process in place likely would end up rebuilding their systems, as this was the fastest way to get their operations up and running. In the process of doing so, however, they could end up removing all evidence. This meant that they would not be able to identify and understand the cause of the breach, so the vulnerability could be plugged to prevent a recurrence, Watson said. Companies that did not make efforts to preserve evidence in an attack also might limit their ability to file an insurance claim, he added. He said EY espoused a seven-step approach in the event of a security incident, which encompassed mobilising the planned response, acquiring evidence, investigating, threat hunting, containment, mitigation, and recovery. He reiterated the need for a more balanced division of investment in security protection as well as response and recovery. Goudie also underscored the importance of establishing response plans and playbooks for different threats, whether these were ransomware or nation-state attacks. These should guide the operations team on what they needed to do so they could react quickly, he said.

    Regulations to drive information sharing

    Noting that most regulations currently were focused on data breach and ensuring there was adequate disclosure, Watson also called for more reporting on other types of incidents such as ransomware and indicators of compromise. Pushing organisations to share information on attack activities they identified and blocked in their network could benefit the industry, particularly if other organisations had failed to stop similar attack tactics, he said. He suggested governments lead efforts to establish common standards or platforms for information sharing on indicators of compromise, so organisations within critical sectors such as finance, utility, and manufacturing could leverage such networks of knowledge.
Having standardised protocols also would automate such processes and ease the submission and sharing of data, he said. Watson further mooted the need for regulations to go beyond protection and include incident response, such as a minimum set of requirements mandating how companies must respond in the event of a breach. “There’s implicit trust right now that companies are carrying out adequate investigation, since the onus is on them to report to the authorities, but we know that companies generally don’t have sufficient response in place,” he said. “You can’t know what you don’t know. And yet, regulations now rest on the fact that companies are doing a good job sizing the breach and responding.” Such assumptions reflected an inherent flaw in the system, he said, stressing the need for organisations to have the appropriate incident response framework and resources in place. Goudie, though, noted that mandates and punishments could result in further penalising organisations that already were victims of a breach. Regulations that were overly restrictive also could see companies spending more time responding to mandates than on responding to the security incident itself, he said. He, too, pitched the need for metrics to drive information sharing so the industry could better understand and learn how threat actors gained access to breached networks. Such data could be distributed to the relevant authorities and shared amongst companies in the affected vertical. He noted that threat actors typically used the same tactics and procedures to carry out attacks, including those targeting certain industry sectors. “If we can understand their playbook and inform the vertical about how a victim [in that vertical] was compromised, this helps the whole industry become more resilient for the next attack,” he said. 
    Burn noted that any unwillingness to provide information and the lack of transparency were detrimental to the security industry, during a time when there should be more data sharing to better combat attacks. With the general public now used to seeing news about security incidents amidst the rise in breaches, she said consumers were more forgiving when companies suffered a cyber attack. However, they would be less inclined to do so if businesses were found to be less forthright about a breach and made efforts to hide the truth from customers, the Forrester analyst said. She pointed to Norwegian manufacturing company Norsk Hydro, which won much praise for its openness and transparency after suffering a ransomware attack in 2019. It shared details about the incident and how it worked to recover from it, after refusing to pay the ransom. “I think we need to find a way [to address] concerns about lawsuits and fight attacks with transparency,” Burn said. She added that while companies should be penalised if their negligence was found to be the cause of a breach, organisations should be given some latitude to not be penalised for telling the truth.


    Panasonic giving employees the option of a four-day work week

    Panasonic has informed investors that it will introduce optional four-day work weeks to help employees achieve better work-life balance. During the company’s sustainability management briefing, president and group CEO Yuki Kusumi told investors that introducing a four-day work week will mean the company can “flexibly accommodate diverse situations of our employees”. ”We must support the wellbeing of each employee at Panasonic to enhance our competitiveness … Panasonic has approximately 240,000 employees globally with diverse personalities and capabilities. Our responsibility is to strike an ideal balance between the work style and lifestyle for our diverse human capital,” she said. Kusumi also said Panasonic will introduce a work-from-home system that will enable it to retain employees whose partners may have been transferred to another location. She added Panasonic will revise its appraisal system, and promotion and screening system, which the company believes will better support challenges faced by individuals in both their work and home life. Separately, the Japanese conglomerate has provided an update on its investigation into the data breach the company experienced in November. It detailed that candidate applicant and internship related information, business partner contact details, and other business-related information provided by business partners and information generated internally by the company were accessed unlawfully during the breach. Individuals impacted are being informed, Panasonic said.

    “Panasonic Corporation has been investigating the cause and impact of the unauthorized access in cooperation with an external security advisor. As a result, it was confirmed that a third-party illegally accessed the file server in Japan via the server of an overseas subsidiary,” the company stated. “There was no evidence of unauthorised access to business systems other than the file server in question. Although to date the investigation has not found any evidence that any illegally accessed files have been leaked, the company has been taking measures based on the potential for such leakage.” Panasonic also noted that no files related to or containing personal information about individual customers were found to be hosted on the server, and that following the discovery of the cyberattack, it “immediately implemented additional security countermeasures, including strengthening access controls from overseas locations, resetting relevant passwords, and strengthening server access monitoring”. ”Panasonic Corporation will continue to improve its information security measures and adopt measures to prevent recurrence,” the company said. “Based on the results of the investigation and advice from external advisors, the company will enhance the monitoring, control, and security of its networks, servers, and PCs throughout its global operations.”


    Report: Increased Log4J exploit attempts leads to all-time peak in weekly cyberattacks per org

    Cybersecurity firm Check Point Research has released new data from 2021 showing that among their customers, there was a significant increase in overall cyberattacks per week on corporate networks compared to 2020. Researchers attributed some of the increases, which were concentrated toward the end of the year, to the Log4J vulnerability discovered in December. Check Point said in a report that 2021 was a record-breaking year for cyberattacks and the Log4J vulnerability only made things worse.


    “Last year, we saw a staggering 50% more cyber attacks per week on corporate networks compared to 2020 – that’s a significant increase. We saw cyber attack numbers peak towards the end of the year, largely due to the Log4J vulnerability exploit attempts,” said Omer Dembinsky, data research manager at Check Point Software.  “New penetration techniques and evasion methods have made it much easier for hackers to execute malicious intentions. What’s most alarming is that we’re seeing some pivotal societal industries surge into the most attacked list. Education, government and healthcare industries made it into the top 5 most attacked industries list, worldwide.” 
    Check Point found that for 2021, overall attacks per week on corporate networks grew 50% compared to 2020 and in Q4, they saw an all-time high in weekly cyberattacks per organization of 925. Check Point’s customers in the education and research space dealt with an average of 1,605 attacks per organization every week, the highest volume of attacks they saw. This represented a 75% increase compared to 2020. The government, defense, military and communications industries were not far behind, averaging around 1,100 attacks weekly per organization. When they broke their internal data down by region, they found organizations on the African continent saw the highest volume of attacks in 2021 with an average of 1,582 weekly attacks per organization. Organizations in the APAC region saw an average of 1,353 weekly attacks per organization while Latin America dealt with 1,118 attacks weekly and Europe saw 670 attacks weekly. North America was last with a weekly average of 503.

    Check Point bases its numbers on its internal ThreatCloud tool, which pulls data from hundreds of millions of sensors worldwide. Dembinsky said he expected the numbers to increase for 2022 as hackers “continue to innovate and find new methods to execute cyberattacks, especially ransomware.” “We’re in a cyber pandemic, if you will. I strongly urge the public, especially those in the education, government and healthcare sectors, to learn the basics on how to protect themselves,” Dembinsky said. “Simple measures such as patching, segmenting your networks and educating employees can go a long way in making the world safer.”


    Signal founder and CEO Moxie Marlinspike announces resignation

    On Monday, Signal’s founder and CEO, Moxie Marlinspike, announced that he’s stepping down from his role after almost a decade of working with the company. Marlinspike detailed in a blog post that he would remain on Signal’s board to continue to “help manifest Signal’s mission.” He added that Signal’s executive chairman and WhatsApp co-founder, Brian Acton, would be stepping in as Signal’s interim CEO while looking for a permanent replacement. “I now feel very comfortable replacing myself as CEO based on the team we have, and also believe that it is an important step for expanding on Signal’s success,” he wrote. “I’ve been talking with candidates over the last few months, but want to open up the search with this announcement in order to help find the best person for the next decade of Signal. Please get in touch if that might be you!” Marlinspike added that the company has grown faster than he could have imagined, and that “exciting work” is coming soon to the app. “People increasingly find value and peace of mind in Signal (technology built for them instead of for their data), and are increasingly willing to sustain it,” Marlinspike said. “Every day, I’m struck by how boundless Signal’s potential looks, and I want to bring in someone with fresh energy and commitment to make the most of that.” The encrypted messaging developer has grown exponentially since it was founded as a nonprofit in 2014. Signal has managed to stand out from competitors like WhatsApp by not supporting advertising within the app and keeping the app free to use for everyone. In addition, the company recently launched an in-app sustainer program last month to rely on donations from users to keep its technology afloat. Signal also announced last April that it would test cryptocurrency payments in collaboration with MobileCoin to bring fast peer-to-peer payments to mobile without a bank’s involvement. 
    However, there hasn’t been an update on whether crypto payments will become a mainstay on the messaging app.


    Finalsite says no data stolen during ransomware attack affecting 3,000 US public schools

    Education software provider Finalsite said on Monday that no data was stolen during a ransomware attack that started on January 4. Finalsite provides website services to thousands of public schools across the US and the attack took place at a particularly inopportune time. As schools braced for snow days and potential COVID-19 disruptions on Friday, officials found their websites and email systems out of commission, making it more difficult to communicate changes with parents. “Examples of usage to avoid include sending email/notifications, workflows, relying on calendar and athletic alerts, uploading data, etc.,” the company said on January 7. On Sunday, the company said that all client websites are back online. Finalsite CEO Jon Moser told reporters on Monday that the company has hired data privacy attorneys at Mullen Coughlin LLC and cyber forensic investigators at Charles River Associates to help with the recovery process. Moser explained that they now know which ransomware group conducted the attack and have “achieved containment of threat actor activity.” They know how the ransomware group got in and said they “have found no evidence that client data has been viewed, compromised or extracted.” The company said it primarily holds “publicly-facing information found on school and district websites” but some customers use the company’s directories or messages/eNotify modules that may contain demographic data ranging from names to email addresses and phone numbers. “Some clients use Finalsite payment integrations with third-party organizations. These payments are processed through a secure third party. Finalsite does not transmit or store any credit card data,” the company said. “Finalsite does not store academic records, social security numbers, or any other confidential information. Again, Finalsite has no evidence that any data was compromised as a result of this incident.”

    The company told ZDNet it is unable to share which ransomware group was responsible for the attack. A spokesperson for the company also took issue with reports on social media that schools were unhappy with how Finalsite dealt with the outages. One Reddit user said a number of school districts complained that they were unable to use their emergency notification system to warn their communities about closures due to weather or COVID-19 protocol. “The impact of this outage is far greater than the attention it has received,” the user wrote. Some schools took to Twitter to inform students and parents about website outages, noting to the public that their websites were down because of the ransomware attack on Finalsite.


    California town announces data breach involving police department, loan provider

    Grass Valley, California has announced an extensive data breach involving the Social Security numbers and more of all city employees and vendors — as well as anyone who had their information given to the local police department. The city said in a notice that Social Security numbers, driver’s license numbers, and health insurance information was leaked for all Grass Valley employees, former employees, spouses, dependents, and vendors. 

    Anyone whose information was provided to the Grass Valley Police Department had their names, Social Security numbers, driver’s license numbers, financial account information, payment card information, health insurance information, passport numbers, and more lost in the breach. The same goes for anyone who filled out a loan application at the Grass Valley Community Development Department. The city government said the breach began in 2021 on April 13 and files were transferred out of the city’s network until July 1. By December, the city said it had a better understanding of the scope of information lost in the breach and began sending breach notification letters to victims on January 7. Only those who had their Social Security number or driver’s license number leaked are being given access to one year of free credit monitoring and identity theft protection. The city later released an update to the notice, telling victims that the city is unable to verify whether a person’s information was lost in the massive breach.

    “We have learned that some individuals are calling the phone number provided to inquire ‘has my identity been affected?’ The call center is unable to ‘look up names’ specifically. Rather, we ask that if you fall into one of these categories that you specify to the call center the category in which you fall, and ask to have them provide you with a use-code to enroll in Experian’s IdentityWorksSM credit monitoring service,” the city explained. Grass Valley is located near Sacramento and has a population of around 13,000 people.


    CISA director: 'We have not seen significant intrusions' from Log4j — yet

    Officials with the US Cybersecurity and Infrastructure Security Agency (CISA) said on Monday that they have not seen the exploitation of Log4Shell result in significant intrusions since the vulnerability came to light in December. CISA director Jen Easterly and executive assistant director for cybersecurity Eric Goldstein fielded questions from reporters during a briefing on Monday, telling attendees that outside of an attack on the Belgian Defense Ministry, they have not seen any damaging incidents that resulted directly from the exploitation of the Log4j vulnerability.


    “At this time, we have not seen the use of Log4Shell resulting in significant intrusions. This may be the case because sophisticated adversaries have already used this vulnerability to exploit targets and are just waiting to leverage their new access until network defenders are on a lower alert. Everybody remembers the Equifax breach that was revealed in September of 2017 was a result of an open-source software vulnerability discovered in March of that year,” Easterly said. “It may also be due in part to the urgent actions taken by defenders and many organizations to rapidly mitigate the most easily exploitable devices, such as those accessible directly from the internet,” Easterly added. “We do expect Log4Shell to be used in intrusions well into the future.” Easterly added that they could not confirm multiple reports from cybersecurity companies that ransomware groups were leveraging the Log4j vulnerabilities for attacks. Goldstein noted that even though they have not seen any significant attacks, there has been widespread scanning and exploitation of Log4Shell by cybercriminals who use it to install cryptomining software on victim computers or to capture victim computers for use in botnets. He added that CISA has not seen any confirmed compromises related to federal agencies or critical infrastructure organizations. According to Goldstein, CISA is “not seeing destructive attacks or attacks attributed to advanced persistent threats.”

    Easterly touted the agency’s efforts to deal with the Log4j crisis, explaining that their catalog of the more than 2,800 products affected by Log4j got hundreds of thousands of views and their Log4j scanner was downloaded nearly 4,000 times. Even though CISA has not seen a confirmed attack resulting from Log4j, cybersecurity companies are reporting millions of attempts to exploit the vulnerability. Cybersecurity firm NETSCOUT told ZDNet that the number of Log4j exploits it has blocked is approaching eight digits, and it recently blocked five million in a single day. ClearDATA founder Chris Bowen said his company has witnessed over 2.1 million security events specifically related to Log4j. “Of those, roughly 268,000 are considered with high confidence to be valid threat events,” Bowen explained. “When combined with TOR metrics, this number increases to 365,247 attacks prevented before execution.”


    Indian Patchwork hacking group infects itself with remote access Trojan

    An Indian threat group’s inner workings have been exposed after it accidentally infected its own development environment with a remote access Trojan (RAT).


    Dubbed Patchwork by Malwarebytes and tracked under names including Hangover Group, Dropping Elephant, Chinastrats, and Monsoon, the Indian group has been on the scene since at least 2015 and is actively launching campaigns designed to deploy RATs for the purposes of data theft and other malicious activities. In one of the latest attack waves connected to Patchwork, the group targeted individual faculty members from research institutions specializing in biomedical and molecular sciences. On January 7, the Malwarebytes team said it was able to delve into the advanced persistent threat (APT) group’s activities after Patchwork managed to infect its own systems with its own RAT creation, “resulting in captured keystrokes and screenshots of their own computer and virtual machines.” According to the cybersecurity researchers, Patchwork typically relies on spear-phishing attacks, with tailored emails sent to specific targets. These emails aim to drop RTF files containing the BADNEWS RAT, of which a new variant has now been found. The latest version of this malware, dubbed Ragnatela, was compiled in November 2021. The Trojan is capable of capturing screenshots, keylogging, listing OS processes and machine files, uploading malware, and executing additional payloads.  After examining Patchwork’s systems, the team ascertained that Ragnatela is stored in malicious RTF files as OLE objects, often crafted to be official communication from Pakistani authorities. An exploit for a known Microsoft Equation Editor vulnerability is used to execute the RAT. 

    Based on the attacker’s control panels, Malwarebytes was able to name the Pakistani government’s Ministry of Defense, the National Defense University of Islamabad, the Faculty of Bio-Sciences (FBS) at UVAS University, the HEJ Research Institute at the University of Karachi, and the molecular medicine department at SHU University as organizations infiltrated by Patchwork. Patchwork managed to infect its own development machine with Ragnatela, and so the researchers were also able to see them make use of VirtualBox and VMware virtual machines (VMs) to conduct malware testing. “Other information that can be obtained is that the weather at the time was cloudy with 19 degrees and that they haven’t updated their Java yet,” Malwarebytes said. “On a more serious note, the threat actor uses VPN Secure and CyberGhost to mask their IP address.” This is the first time the group has been connected to attacks against the biomedical research community, which may suggest a pivot in Patchwork’s priority targets.