More stories

  • Ransomware attack halts production at IoT maker Sierra Wireless

    A multinational manufacturer of Internet of Things (IoT) devices has halted production after falling victim to a ransomware attack.

    Canadian IoT maker Sierra Wireless says it suffered a ransomware attack against its internal IT systems on March 20, which has led to production being halted at its manufacturing sites. Internal operations have also been disrupted by the attack and, at the time of writing, the company website is down, stating that it is “under maintenance”.

    The company says the impact of the attack is limited to internal Sierra Wireless systems and that customer-facing products have not been affected, because the networks for internal IT systems and for customer-facing services are separated. It is currently unknown when production facilities and other systems will return to normal, but Sierra Wireless believes it has addressed the attack and that operations will resume “soon”.

    After falling victim to the attack, the company says it implemented counter-measures to mitigate it in accordance with “established cybersecurity procedures” developed alongside third-party cybersecurity advisors, who have also been involved in investigating the attack.

    “Sierra Wireless asks its customers and partners for their patience as it seeks to remediate the situation,” the company said in a statement.

    It is currently unknown what kind of ransomware Sierra Wireless has fallen victim to, or how it was able to infiltrate the network. ZDNet contacted Sierra Wireless to clarify what happened, but was told that the company is not sharing additional information about the attack at this time.

    Ransomware remains an issue for organisations across the world, and a recent report named it the biggest cybersecurity concern for chief information security officers (CISOs) and chief security officers (CSOs).

  • Ransomware gangs have found another set of new targets: Schools and universities

    There has been a spike in ransomware attacks targeting schools, colleges and universities, the UK’s National Cyber Security Centre (NCSC) has warned.

    The alert by the cyber security arm of GCHQ says it has dealt with a significant increase in the number of ransomware attacks targeting education over the course of the last month, a time in which schools were preparing to resume in-person lessons.

    Ransomware attacks encrypt servers and data, preventing organisations from providing services. In this case, cyber criminals are hoping that the need for schools and colleges to provide teaching will result in victim organisations giving in to extortion demands and paying a ransom in bitcoin in exchange for the decryption key required to restore the network.

    “In recent incidents affecting the education sector, ransomware has led to the loss of student coursework, school financial records, as well as data relating to COVID-19 testing,” the agency said.

    It is likely that the targeting of sensitive information is an effort to carry out double-extortion ransomware attacks, in which cyber criminals also steal data before encrypting it and threaten to publish it if the ransom is not paid.

    “Any targeting of the education sector by cyber criminals is completely unacceptable,” said Paul Chichester, director of operations at the NCSC.

    “This is a growing threat and we strongly encourage schools, colleges, and universities to act on our guidance and help ensure their students can continue their education uninterrupted.”

    The NCSC’s recommendations for schools, colleges and universities to protect their networks from ransomware include having an effective vulnerability management strategy and applying security patches promptly, securing remote online services with multi-factor authentication, and installing and enabling anti-virus software.

    It is also recommended that organisations keep up-to-date, tested, offline back-ups, so that if the network is taken down by a ransomware attack it can be restored without paying the criminals. A back-up that is reachable from the compromised network is one the attackers can encrypt or delete too, which is why both “offline” and “tested” matter.

    “I urge all education and research institutions to act swiftly to ensure their systems and data are robustly protected,” said Steve Kennett, director of e-infrastructure at the higher education support body Jisc. “Jisc has been helping many colleges and universities recover from ransomware attacks recently, so we have seen what a devastating impact this crime has on the sector.”

    The NCSC previously put out a warning about ransomware attacks targeting universities in September, but this particular form of cyber crime shows no sign of slowing down.

  • Cybercriminals exchange tips on avoiding arrest, jail in underground forums

    Lurking on underground forums has revealed insight into how cyberattackers choose their targets, as well as what criminals advise doing if, or when, they are caught.

    Released on Monday, research conducted by the Digital Shadows cybersecurity team on dark web forums explored the discussions between black hat hackers: how to avoid jail, what to do when they are on law enforcement’s radar, and the bullish attitude many take to the prospect of arrest.

    In February, in an interview between a lone LockBit ransomware operator and Cisco Talos, the cybercriminal said that the “best country” to be in for this occupation is Russia, but “underappreciation and low wages drove him to participate in unethical and criminal behavior.”

    While trawling Russian-speaking underground forums, Digital Shadows found further support for this idea: law enforcement “will not care” if the US or EU are targeted, but the moment any former Soviet Union nations are involved, they will “hunt you down.”

    When it comes to foreign travel, forum users believe this apparent peace deal only lasts as long as you do not cross the border. One poster said: “[Cybercriminals] live peacefully in Russia, decided to go on holiday abroad — and that’s it, they don’t even make it out of the airport without the cuffs on.”

    Operational security (OPSEC) practices are also widely discussed, with forum users exchanging ways to avoid arrest and stay anonymous. Numerous threads cover everything from virtual to physical security options, but one topic in particular is widely debated. Hard drive encryption or deletion is sometimes cited as a way to stop law enforcement investigations in their tracks. However, not every forum user is so sure, with one saying, “if it were all as simple as that then major cases would never be solved.”

    Early mistakes in criminal careers also appear to be causing some sleepless nights, with poor OPSEC when starting out being a difficult issue to remedy. “Many a threat actor’s downfall stemmed from poor OPSEC practices when they first decided to don the black hat, such as using a spouse’s email address, forgetting to mask their IP, or letting their real name and address slip,” the researchers say. “And once you realize your mistake, it might be too late.”

    In addition, discussions have taken place over collaboration. While many believe that other dark web forum users will “sell out” each other, others say that forging ties with others in the criminal industry can push threat actors up the pecking order.

    Digital Shadows noted that allegations are flying thick and fast that English-speaking criminal forums and marketplaces are becoming little more than police honeypots. Some forum users said that “sooner or later,” law enforcement will obtain information on them, and others relayed concerns over potential police violence on arrest.

    Others appear, at least online, to have a rather bullish attitude to the prospect of prosecution at all. Laws worldwide are still catching up with the evolution of cybercrime, and for some, corrupting law enforcement and saving enough to pay bribes and avoid prosecution is a possibility. As one forum user quipped, “a good lawyer knows the law, a better one knows the judge.”

    “Cybercriminals, just like the organizations they target, must always have one eye on their security practices,” the researchers say. “There are so many things for them to worry about and ways they can slip up. It must be pretty tiring. Threat actors must keep looking over their shoulders, fixing past mistakes, and coming up with new ways to beat the technology used to track them.”

  • Debt-chasing UK councils potentially expose private resident data

    A bill-reminder system used by UK councils potentially exposed taxpayers’ sensitive data online.

    An investigation conducted by The Register found that a debt-chasing service “freely exposed to the public thousands of taxpayers’ names, addresses, and outstanding debts” via bulk SMS messages sent to remind residents of unpaid bills. The system was developed by Telsolutions, acting on behalf of an estimated dozen UK councils.

    Residents with unpaid bills were sent text message reminders containing a URL leading to a basic web page showing the resident’s personal data and outstanding bill. However, changing the alphanumeric characters in the web address could reveal records belonging to other people, including those living in different council areas.

    The publication says that in some cases no authentication or security checks were in place at all. While some councils did require a postcode as a verification step, a postcode is far from enough to stop a determined individual from collecting private, sensitive information on a target.

    Telsolutions told The Register they have since resolved the issue and have “further increased security and introduced new measures to prevent malicious intent.”

    A number of the councils contacted said they took security “seriously”. One said its Data Protection Officer had been informed; others either pointed out that the majority of links are never accessed, or said they were now investigating the issue.
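    What The Register describes is an insecure direct object reference: the link carries the record identifier, and that identifier is the only thing standing between a stranger and the data. The following is an added example, not Telsolutions’ or any council’s code, and every record, reference and postcode in it is invented. It reproduces the weak lookup and the trivial enumeration it permits, then shows a hardened alternative in which the SMS link carries a random, expiring token that the server maps to exactly one record, viewing still requires the postcode as a second factor the link alone does not contain, and repeated wrong postcodes burn the token.

```python
import secrets
import time
from typing import Dict, List, Optional

# Constructed sample data standing in for council debt records.
# Names, addresses, postcodes and amounts are invented for this example.
RECORDS: Dict[str, dict] = {
    "REF0001": {"name": "A. Resident", "address": "1 Example Road", "postcode": "AB1 2CD", "owed": 120.50},
    "REF0002": {"name": "B. Resident", "address": "2 Example Road", "postcode": "EF3 4GH", "owed": 75.00},
    "REF0003": {"name": "C. Resident", "address": "3 Example Road", "postcode": "IJ5 6KL", "owed": 310.00},
}


def vulnerable_lookup(ref: str) -> Optional[dict]:
    """The weak pattern from the article: the SMS link carries the record
    reference itself and the page returns whatever that reference points to,
    with no check that the requester is the person the reminder was sent to."""
    return RECORDS.get(ref)


def enumerate_by_editing_reference(known_ref: str) -> List[str]:
    """How a recipient of one link could walk neighbouring records: edit the
    trailing character of the reference they were sent and see what comes back."""
    prefix = known_ref[:-1]
    found = []
    for ch in "0123456789":
        probe = prefix + ch
        if probe != known_ref and vulnerable_lookup(probe) is not None:
            found.append(probe)
    return found


def _norm_postcode(postcode: str) -> str:
    return postcode.replace(" ", "").upper()


class ReminderLinks:
    """Hardened design: each SMS gets a random, expiring token that the server
    maps to one record. Viewing also needs the postcode, and a few wrong
    postcodes invalidate the token so it cannot be brute-forced."""

    def __init__(self, ttl_seconds: int = 7 * 24 * 3600, max_attempts: int = 3):
        self._tokens: Dict[str, dict] = {}   # token -> {"ref", "expires", "attempts"}
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts

    def issue(self, ref: str, now: Optional[float] = None) -> str:
        """Create the token that goes into the SMS link for one record."""
        if ref not in RECORDS:
            raise KeyError("unknown record")
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)    # 256 random bits: not enumerable
        self._tokens[token] = {"ref": ref, "expires": now + self.ttl, "attempts": 0}
        return token

    def view(self, token: str, postcode: str, now: Optional[float] = None) -> Optional[dict]:
        """Return the minimal reminder data, or None for any failure. Failures are
        deliberately indistinguishable so the response does not leak whether a
        token exists."""
        now = time.time() if now is None else now
        entry = self._tokens.get(token)
        if entry is None:
            return None
        if now > entry["expires"] or entry["attempts"] >= self.max_attempts:
            self._tokens.pop(token, None)
            return None
        record = RECORDS[entry["ref"]]
        # Constant-time comparison: no timing side channel on the postcode.
        if not secrets.compare_digest(_norm_postcode(postcode), _norm_postcode(record["postcode"])):
            entry["attempts"] += 1
            if entry["attempts"] >= self.max_attempts:
                self._tokens.pop(token, None)
            return None
        # Return only what the reminder page needs, not the whole record.
        return {"name": record["name"], "owed": record["owed"]}


if __name__ == "__main__":
    print("weak design, editing one character:", enumerate_by_editing_reference("REF0001"))
    links = ReminderLinks()
    tok = links.issue("REF0002")
    print("hardened, right postcode:", links.view(tok, "ef3 4gh"))
    print("hardened, wrong postcode:", links.view(tok, "AB1 2CD"))
```

    The token is stored server-side rather than derived from the reference, so possession of one link reveals nothing about any other, and the postcode stops a leaked or forwarded SMS from being enough on its own. In production the token store would live in a database with the same expiry and attempt-counting semantics.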

    In 2019, Gateshead council admitted to a slew of data breaches, including a list containing the details of 53 individuals who owed the council money being sent to a resident, and medical data being uploaded to an online forum. Last week, Birmingham council allegedly exposed the details of children deemed vulnerable by accidentally uploading them to a taxpayer service.

  • Cloudflare debuts zero-trust browsing service for remote enterprise workforce

    Cloudflare has debuted a new zero-trust tool designed to help protect remote employees from cyberattacks. 

    When the COVID-19 pandemic forced many of us out of the traditional office and into hastily-created home setups, we, and the organizations we work for, were suddenly required to rely on personal or company-loaned devices to keep doing our jobs. From a security standpoint this enlarged the attack surface, because remote and end-user devices now needed to connect to corporate resources.

    According to Reboot Online, 44% of businesses in the UK alone have experienced a security breach since stay-at-home orders were imposed, a 20% increase year-over-year.

    Working from home, whether as a permanent option or as part of a hybrid model, may become standard, so the corporate world needs to consider how best to keep networks protected while also catering to a remote workforce.

    To this end, Cloudflare has added a new zero-trust product for browser sessions. On Tuesday, the web security firm launched Cloudflare Browser Isolation, a service that puts a “gap” between the web and end-user devices. Instead of employees rendering work-related resources or collaborative tools in a local browser, the service runs the requested web page in the cloud and streams a rendering of it to the end-user.

    Cloudflare says that running browser sessions on the firm’s global network avoids the speed downgrades and lag associated with typical pixel-based streaming approaches to browser isolation.

    Because the end-user’s device never renders the remote site directly, this can mitigate the risk of browser exploits, phishing and other web-borne attacks. In addition, Cloudflare automatically blocks high-risk websites based on its existing threat intelligence. The service is available through Cloudflare for Teams.

    “Everyone uses a web browser, and that makes it the perfect target for attackers all over the world,” commented Matthew Prince, Cloudflare CEO. “We don’t believe that the most effective protection to these attacks should be restricted to a handful of large companies with huge IT teams. Cloudflare Browser Isolation can be deployed by anyone in just a few clicks and automatically protects against the majority of threats people face online.”

  • Three billion phishing emails are sent every day. But one change could make life much harder for scammers

    Cyber criminals are sending over three billion emails a day as part of phishing attacks designed to look like they come from trusted senders. By spoofing the sender identity used in the ‘from’ field in messages, cyber criminals attempt to lure potential victims into opening emails from names they trust. This could be the name of a trusted brand like a retailer or delivery company, or even, in more sophisticated attacks, the name of their CEO or a colleague.


    These phishing attacks might sound simple, but they work, and that is why so many of these messages are distributed by cyber criminals. According to a report by email security company Valimail, over three billion spoofed messages are sent every day, accounting for 1% of all email traffic.

    One of the reasons why email remains such a common attack vector is the rise of remote working. Employees are dealing with more corporate communication conducted over email, while working from home makes it harder to ask a colleague whether an email is legitimate. All of this combined means that phishing emails are putting people and organisations at risk of cyberattacks, including credential theft, malware and ransomware.

    However, organisations can help defend against spoofed emails by applying DMARC (Domain-based Message Authentication, Reporting & Conformance). DMARC is an email authentication protocol that builds on SPF and DKIM: the domain owner publishes a policy in DNS telling receiving mail servers what to do with messages that claim the domain in the ‘from’ field but fail aligned SPF and DKIM checks, so that only authorised senders’ mail is delivered as coming from the domain. It also contains a reporting function, so the domain owner can see who is sending mail in its name and tighten the policy over time.

    DMARC enforcement helps prevent spoofed emails from being delivered in the first place. Analysis by Valimail found that 1.9% of email from domains without DMARC enforcement is suspicious, compared with just 0.4% of email from domains with DMARC enforcement. Ultimately, domains without DMARC at enforcement are almost five times more likely to be used in phishing emails than domains that have it, so organisations can help make the internet a safer place by protecting their domains with it.

    “Privacy laws already exist in Europe and parts of the United States, and if a company does any business in those areas, a DMARC policy at enforcement is essential,” said Alexander García-Tobar, CEO and co-founder of Valimail. “By having valid email authentication in place, companies protect themselves and their customers from privacy violations. Without it, emails are sent without permission, fines are issued, confidential information is obtained and reputations sink.”
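    To make “enforcement” concrete, here is an added example, not code from the article or from Valimail, of what a receiving mail server does with a published DMARC record: it parses the TXT record, checks whether a passing SPF or DKIM result is aligned with the ‘from’ domain under the record’s aspf/adkim modes, and derives the disposition (none, quarantine or reject) from the p, sp and pct tags. The record text and the SPF/DKIM results are constructed for the example; the organisational-domain function is a simplification that keeps the last two labels rather than consulting the Public Suffix List, which a real receiver must do.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


def parse_dmarc(txt: str) -> Dict[str, str]:
    """Split a DMARC TXT record ("v=DMARC1; p=reject; ...") into its tags.

    Returns an empty dict if the text is not a usable DMARC record (wrong
    version tag or no p= policy), which a receiver treats as "no policy".
    """
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return {}
    # Defaults from RFC 7489: relaxed alignment, policy applied to 100% of mail.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain used for relaxed alignment.

    Simplification for this example: keep the last two labels. A real
    receiver consults the Public Suffix List so that e.g. example.co.uk
    is handled correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ("s") needs an exact match with the
    RFC5322.From domain; relaxed ("r") needs the same organisational domain."""
    if not auth_domain:
        return False
    a = auth_domain.lower().rstrip(".")
    f = from_domain.lower().rstrip(".")
    if mode.lower() == "s":
        return a == f
    return org_domain(a) == org_domain(f)


@dataclass
class AuthResults:
    spf_result: str    # result of the SPF check ("pass", "fail", "none", ...)
    spf_domain: str    # domain SPF was evaluated for (MAIL FROM / HELO)
    dkim_result: str   # result of DKIM signature verification
    dkim_domain: str   # d= tag of the verified signature, "" if none


def evaluate(from_domain: str, record_txt: str, auth: AuthResults,
             sample_roll: int = 1) -> Tuple[bool, str]:
    """Decide DMARC pass/fail and the disposition for one message.

    sample_roll is the receiver's random draw in 1..100; the message is inside
    the pct= sample when roll <= pct. Outside the sample RFC 7489 applies the
    next-weaker policy (reject -> quarantine -> none).
    Returns (dmarc_pass, disposition) with disposition in none/quarantine/reject.
    """
    tags = parse_dmarc(record_txt)
    if not tags:
        return False, "none"          # no policy published: deliver as usual

    spf_ok = auth.spf_result.lower() == "pass" and aligned(auth.spf_domain, from_domain, tags["aspf"])
    dkim_ok = auth.dkim_result.lower() == "pass" and aligned(auth.dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"           # one aligned, authenticated identifier is enough

    # The subdomain policy (sp=) applies when the From domain is below the org domain.
    is_subdomain = from_domain.lower().rstrip(".") != org_domain(from_domain)
    policy = (tags.get("sp", tags["p"]) if is_subdomain else tags["p"]).lower()
    if policy not in ("none", "quarantine", "reject"):
        policy = "none"

    try:
        pct = int(tags["pct"])
    except ValueError:
        pct = 100
    if sample_roll > pct:
        policy = {"reject": "quarantine", "quarantine": "none"}.get(policy, "none")
    return False, policy


if __name__ == "__main__":
    record = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=r"
    legit = AuthResults("pass", "bounce.example.com", "none", "")
    spoof = AuthResults("pass", "attacker.invalid", "none", "")
    print("legitimate:", evaluate("example.com", record, legit))   # aligned SPF passes
    print("spoofed:   ", evaluate("example.com", record, spoof))   # SPF passes but is not aligned
```

    The spoofed case is the one the article is about: the attacker’s own SPF record can legitimately authorise the attacker’s sending server, but that domain is not aligned with the ‘from’ domain the victim sees, so a p=reject policy lets the receiver drop it. With p=none the same message is delivered and merely reported, which is why the report distinguishes domains with a record from domains at enforcement.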


  • Oil giant Shell discloses data breach linked to Accellion FTA vulnerability

    Shell has disclosed a data breach involving stakeholders that exposed personal information records. 

    The oil and gas company said an unknown threat actor managed to gain access to “various files” during the intrusion, including personal data and information “from Shell companies and some of their stakeholders.”

    Shell has not disclosed how many individuals are involved in the security incident beyond saying that impacted parties have been contacted, alongside law enforcement agencies and regulators. The firm added that it does not appear core IT systems have been compromised, as the compromised system was isolated from the rest of Shell’s central infrastructure.

    The data breach has been connected to Accellion’s File Transfer Appliance (FTA), enterprise software used to transfer large files, and a product linked to a string of security incidents in December 2020 and January 2021.

    Accellion FTA, a legacy product that has now been formally retired, contained a zero-day vulnerability that was patched within three days of the vendor being made aware of active attacks exploiting it. However, thousands of organizations worldwide relied on the appliance, leading to a string of attacks against high-profile corporations and government entities.

    The first case was reported by the Reserve Bank of New Zealand. Organizations including the Australian Securities and Investments Commission (ASIC), Singtel, and Qualys soon followed.

    FireEye’s Mandiant team was pulled in to assess the Accellion FTA vulnerability and found two further vulnerabilities, albeit ones reachable only by authenticated FTA users. All of the bugs have now been resolved in FTA; appliances that have not been patched, however, remain exploitable.

    The companies said in February that the threat group FIN11 has been connected to the FTA zero-day exploit activity. “Out of approximately 300 total FTA clients, fewer than 100 were victims of the attack,” Accellion said. “Within this group, fewer than 25 appear to have suffered significant data theft.”

    CVE-2021-27101, CVE-2021-27102, CVE-2021-27103, and CVE-2021-27104 have been reserved to track the associated vulnerabilities. Users of Accellion FTA are recommended to migrate to Kiteworks.

    “We will continue to monitor our IT systems and improve our security,” Shell says. “We regret the concern and inconvenience this may cause the affected parties.”

  • Digital transformation: This is why CIOs need to stay brave and keep on innovating

    Embracing innovation comes with risk. Exciting product launches don’t always go according to plan, and when that happens you need to act quickly, learn from it and find new ways of making a difference.

    That has certainly been the case for Graeme Hackland, CIO at Williams F1, whose team had to pull a recent plan to launch its new FW43B racing car using virtual reality when leaked images appeared online before the scheduled reveal.


    But this episode won’t put Hackland off trying to innovate. As the person responsible for IT risk at Williams, he says he will not be telling his board to steer clear of emerging technologies.

    The firm is already investigating how it might take advantage of artificial intelligence to help improve decision-making processes. There are also plans for more data-led services that will help boost fan engagement. Hackland, in short, is keen to keep on innovating, so long as the risk to the business is kept in check.

    “When I get the opportunity at the next board meeting, I’ll be encouraging us to stay brave and to keep embracing new technology in this way. The digital transformation journey we’re on now is not just about our internal systems. For us, it was always about fan engagement as well,” he says.

    Williams is far from alone in embracing tech-led innovation. All companies have had to embrace digital transformation during the past 12 months, whether that is in terms of establishing remote working, moving to e-commerce or using new technologies to keep socially distanced customers engaged.

    What’s more, that preparedness to try new things isn’t going anywhere soon. Gartner says creative thinking will continue to be crucial in the post-COVID age, and companies that embrace innovation effectively will be the most likely to gain an edge on their competitors.

    The key message from Hackland is that, in an age of almost-continual digital transformation, CIOs and their organisations must be prepared to try new things. Yes, things can go wrong, but the key to success is being prepared to embrace innovation and to learn lessons when issues arise.

    “In Formula 1, every time we make a mistake, we learn from it, we do an after-action review: why did that happen and how do we make sure it doesn’t happen again. I think a lot of organisations are starting to do that,” he says.

    Evidence would suggest that this kind of review process is absolutely critical. As the demand for innovative digital projects quickens, so do the chances of failure. Boston Consulting Group research shows just 30% of digital transformations succeed in achieving their objectives. That kind of failure rate helps to explain why executives in many large corporations are reluctant to advocate for what they perceive to be risky projects. The Harvard Business Review says they quash new ideas in favour of marginal improvements, cost-cutting and safe investments.

    [Image: Hackland: “I’ll be encouraging us to stay brave and to keep embracing new technology.” Credit: Williams F1]
    Hackland recognises that it can be difficult for CIOs to gain funding for innovative projects, especially in organisations with competing priorities. But when there is a chance to try something new, the opportunity must be grabbed, not just for the potential benefits it might bring to the company itself but also for professional development.

    “You’re learning and your people are learning,” says Hackland, referring to the importance of experimentation. “They’re engaged in something new, they’re not just doing lights-on, which I think is really important. They’re getting to play with new technologies.”

    Which brings us back to Williams’ recent foray into virtual reality, one such attempt to try something new. The intention was to allow users of a bespoke VR app to view and manipulate the new car in its livery in 3D. The app, created by an external agency, was made available for fans to download on the Apple App Store and Google Play Store.

    However, when pictures of the FW43B started appearing online, the team couldn’t be sure whether only the image data for the new car had been unpacked from the app or whether the app itself had been compromised.

    “We didn’t know if there had been a compromise – we just didn’t know if the app was safe, and so you just couldn’t deploy it,” says Hackland. “If the app had been compromised, and we’d delivered it to our fans, I couldn’t have lived with that decision. So the decision was made to pull it.”

    Hackland says the company’s subsequent investigations have shown that the issue was a “data-loss incident” rather than someone hacking the app. Everything connected to the incident took place outside the team’s enterprise network.

    “This was not about someone getting into our network and taking our data. It’s the first time we’ve done something like this. So yeah, we clearly missed some things that next time – and I hope there is next time – we’ll learn from,” he says. “It was just unfortunate. An error was made that exposed the data. We’re still investigating and looking at it, and we’ve got a couple of cybersecurity partners looking at it, too.”

    Just as Hackland and his team have learnt some important lessons about embracing innovation, so other business leaders will have to ensure the right policies, processes and partners are in place to embrace new ideas in a carefully controlled manner.

    And rather than showing the downsides of working with external third-party suppliers, Hackland says the incident shows the importance of IT risk management and the role of trusted partners in helping to reduce the ongoing cybersecurity threat.

    “I’ve been responsible for IT risk at two racing teams now for the past 15 years, but I don’t claim to know everything. The risk landscape changes constantly, which is why we partner with these organisations,” he says.