More stories


    Become an expert in cybersecurity with this $69 lifetime training membership

    There’s never been a greater need for cybersecurity experts. Recent studies show that big companies experience significant security issues every 12 hours. If you’re interested in a security-related career in the tech industry, this $69 Infosec4TC Platinum Membership: Lifetime Access deal could be your path forward. The membership gives you access to over 90 courses that you can take at your own pace, and they are all security-related. Even better, the membership will give you access to any new courses that are offered in the future.

    In addition to the courses, the membership includes free access to the student portal, all certification training bundles, future updates, private social media groups, frequently updated extra course materials, and the most recent exam questions. The courses include Hacking using Python From A to Z, The Complete Ethical Hacker Course, and multiple courses for becoming a Certified Information Systems Security Professional (CISSP) 2021, including the CISSP® Exam Preparation Training Course. There are also classes for certification as an Information Security Manager, as well as an Information Systems Auditor. Plus, the membership includes a free career consulting and planning session. Infosec4TC is familiar with the essentials, requirements, and concerns of businesses today. They will work with you to make sure you reach the career title you want. The company has the highest passing rate for certification, so they make great mentors. Not only can you get the skills you need today for a career in cybersecurity, but you can rest assured that you will be able to keep those skills up-to-date for as long as you’re working. And there’s no doubt that the training works because Infosec4TC is rated 4.4 out of 5 stars on Trustpilot. Don’t pass up this chance to get a lifetime of self-paced training: get the Infosec4TC Platinum Membership: Lifetime Access today, while it is available for only $69.



    Phishing continues to be one of the easiest paths for ransomware

    Ransomware gangs are still using phishing as one of the main ways to attack an organization, according to a new survey from Cloudian featuring the insights of 200 IT decision-makers who experienced a ransomware attack over the last two years. More than half of all respondents had held anti-phishing training for employees, and 49% had perimeter defenses in place when they were attacked. Nearly 25% of all survey respondents said their ransomware attacks started through phishing, and of those victims, 65% had conducted anti-phishing training sessions. For enterprises with fewer than 500 employees, 41% said their attacks started with phishing. About one-third of all victims said their public cloud was the entry point ransomware groups used to attack them. “This reflects the increasing sophistication of phishing schemes, with attackers now mimicking emails from trusted associates such as high-level executives (known as ‘whaling’ attacks). These emails will sometimes include personal details, usually gleaned from social media, making it more likely that even a wary individual will fall prey,” the report explained. The speed of ransomware groups is also startling: 56% said ransomware actors managed to take over their data and send a ransom demand in under 12 hours, and 30% said their data was taken within 24 hours. For companies attacked through phishing, 76% of victims noted that attackers took over systems within 12 hours. The report added that “44% of respondents’ total data was held hostage, with financial, operational, customer and employee data all being targeted.” Enterprises experienced an average downtime of three days. The average financial cost for respondents was nearly $500,000, and 55% said they ended up paying the ransom, with an average ransom cost of $223,000. Nearly 15% said they paid $500,000 or more. Even after paying, just 57% were able to get all of their data back.

    “The findings reveal the cold, hard truth about such attacks: They are hard to prevent even when you’re prepared. Ransomware can penetrate quickly, significantly impacting an organization’s financials, operations, customers, employees and reputation. Even if you pay the ransom, other related costs can be significant,” the report said.  The other costs associated with responding to a ransomware attack added up to an average of $183,000. On average, victims got 60% of their costs covered through cyber insurance. But almost 90% of victims said their cyber insurance rates increased after they were attacked, and there was an average increase of 25%.  According to the survey, more than half of respondents dealt with additional impacts to “their financials, operations, employees, customers and reputation.” “The threat of ransomware will continue to plague organizations around the world if they do not change their approach and response to it,” said Jon Toor, chief marketing officer at Cloudian. Read the full report: 2021 Ransomware Victims Report.



    This ransomware gang hunts for evidence of crime to pressure victims into paying a ransom

    A prolific ransomware group that targets organisations around the world looks for sensitive info and files that suggest its victims are aware of illegal activity, with the aim of exploiting this as additional leverage in their hunt to make money from ransom payments. The Mespinoza ransomware group – also known as PYSA – demands millions of dollars in exchange for a decryption key and threatens to publish private information stolen from the compromised network if the victims don’t pay.  

    Mespinoza has claimed victims around the world, but focuses predominantly on the United States, where it has targeted organisations in manufacturing, retail, engineering, education and government. The cybercrime group has become so prolific that the FBI issued a warning about its attacks. Cybersecurity company Palo Alto Networks has analysed Mespinoza attacks and detailed what it describes as an “extremely disciplined” ransomware group, which actively searches for evidence of illegal activity as well as other sensitive information to use as blackmail in double extortion campaigns. Like many ransomware groups, Mespinoza first gains a foothold in networks by compromising remote desktop protocol (RDP) systems. It’s uncertain whether the attackers brute-force the credentials or steal them through phishing, but by using legitimate usernames and passwords to access systems it’s much easier for them to remain undetected as they move around the network and lay the foundations for the ransomware attack. This isn’t the only way Mespinoza ensures persistent access to hacked networks: the group also installs a backdoor which, based on the malware’s code, researchers have named Gasket. Gasket in turn references a capability called “MagicSocks”, which uses open-source tools to provide continued remote access to the network.

    All of this allows the attackers to maintain persistence as they carefully take the time to assess the network. Mespinoza takes specific interest in file and server names relating to sensitive and confidential information, financial data and even information that might allude to illegal activity by the victim for use as leverage when demanding a ransom.  “They search using sensitive terms such as illegal, fraud, and criminal. In other words, the actors are also interested in illegal activities known to the organisation that could provide extreme leverage should a negotiation start,” Alex Hinchliffe, threat intelligence analyst for Unit 42 at Palo Alto Networks, told ZDNet. The ransom demands are often over $1.5 million, but the group is willing to negotiate with victims and has received many payments of almost $500,000 in exchange for a decryption key as well as to prevent stolen information from being published.


    The group has been active since April 2020 – a time when the global pandemic forced many organisations to adapt suddenly to remote working, making many more vulnerable to RDP attacks. And while Mespinoza isn’t as high-profile as other ransomware groups, the fact that it has been operating for over a year suggests it’s successful. “They’re relatively new but making a large impact given the number of victims listed on their leak site, and likely making a lot of money from their extortion,” said Hinchliffe.

    It’s currently not known where Mespinoza is operating from, but its attacks are likely to continue so long as they’re making money from ransoms – and organisations with unsecured RDP will remain a prime target for campaigns by this group and other cyber-criminal ransomware operations. “Organisations need to know more about their attack surface area because without knowing their footprint, especially the internet-connected part, it’s almost impossible to see what’s happening, let alone defend against it,” said Hinchliffe. “Far too many organisations have services such as RDP exposed to the internet and are exposing themselves to the risk of remotely launched attacks, negating the need for the threat actor to create and deliver phishing attacks at much higher cost to them,” he added. Organisations can help prevent their RDP services from being compromised by not exposing RDP directly to the internet, by avoiding default passwords, and by applying multi-factor authentication to user accounts.
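    The RDP foothold described above is also visible on the host side. As an added example (not code from the article or from Unit 42), the Python below runs a sliding-window detector over constructed Windows Security log lines: EventID 4625 is a failed logon, 4624 a successful one, and LogonType 10 (RemoteInteractive) is an RDP session. The simplified key=value log format, the IP addresses and the five-failures-in-five-minutes threshold are assumptions of the example; the event IDs and logon type are the real Windows values.

```python
"""Flag RDP brute-force activity and a subsequent successful RDP logon
from Windows Security log events. Added example, not from the article or
from Unit 42's research. The log lines are constructed, but the field
meanings are real: EventID 4625 = failed logon, 4624 = successful logon,
LogonType 10 (RemoteInteractive) = RDP."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESS_LOGON = 4624
RDP_LOGON_TYPE = 10

# Constructed sample data: one event per line in a simplified key=value
# rendering of the fields a SIEM would extract from the Security log.
SAMPLE_LOG = """\
2021-07-15T02:00:01 EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=203.0.113.5
2021-07-15T02:00:03 EventID=4625 LogonType=10 TargetUserName=admin IpAddress=203.0.113.5
2021-07-15T02:00:04 EventID=4625 LogonType=10 TargetUserName=backup IpAddress=203.0.113.5
2021-07-15T02:00:06 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.5
2021-07-15T02:00:09 EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.5
2021-07-15T02:00:15 EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=203.0.113.5
2021-07-15T02:01:00 EventID=4625 LogonType=10 TargetUserName=mlee IpAddress=198.51.100.7
2021-07-15T02:05:00 EventID=4624 LogonType=10 TargetUserName=mlee IpAddress=198.51.100.7
2021-07-15T02:06:00 EventID=4625 LogonType=3 TargetUserName=svc_sql IpAddress=192.0.2.9
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
    r"TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)


def parse_event(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "event_id": int(m["eid"]),
        "logon_type": int(m["lt"]),
        "user": m["user"].lower(),
        "ip": m["ip"],
    }


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window detector.

    Emits ("bruteforce", ip, ts) when a source IP accumulates `threshold`
    failed RDP logons inside `window`, and ("success_after_bruteforce",
    ip, user, ts) when that IP then logs on successfully over RDP while
    still inside the window, i.e. the password guessing probably worked.
    Non-RDP logon types are ignored so that, say, SMB noise does not
    trip the RDP rule."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = {}                   # ip -> time the brute-force alert fired
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["event_id"] == FAILED_LOGON:
            q = failures[ip]
            q.append(ts)
            while q and ts - q[0] > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and (ip not in flagged or ts - flagged[ip] > window):
                flagged[ip] = ts
                alerts.append(("bruteforce", ip, ts))
        elif ev["event_id"] == SUCCESS_LOGON:
            if ip in flagged and ts - flagged[ip] <= window:
                alerts.append(("success_after_bruteforce", ip, ev["user"], ts))
    return alerts


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect_rdp_bruteforce(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(*alert)
```

    On the sample data the first source address trips the rule on its fifth failure and then logs on as jsmith six seconds later, which is the sequence worth paging on; the second address fails once and then succeeds, which is ordinary user behaviour and stays quiet. In production the same logic runs over 4625/4624 events from a log forwarder, and the threshold should be tuned against the baseline of mistyped passwords on the hosts concerned.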


    Hard to see how paying ransoms ever ends well: Telstra CEO

    Telstra and its CEO Andy Penn have a policy to never pay ransom, with the chief saying at the National Press Club (NPC) on Thursday that it never ends well. “I can certainly see in situations where businesses are tempted to do so. Their whole business livelihood could be at threat from a ransomware attack. But candidly, it’s hard to see how that is ever going to end well,” he told ZDNet. “If you pay a ransom, obviously you’re sending a signal to criminals that that’s something that you’d be willing to do.” Apart from inviting further attacks, Penn said there was no guarantee the other party was trustworthy and the best defence was having recent offline backups, good password management, and proper patching. “Prevention, frankly, is much better than trying to solve it after the event, but certainly our policy position would be not to pay ransoms.” Penn said during his speech that Telstra has helped 17 of its enterprise customers over the past year recover from ransomware attacks, and that a number of “very senior individuals who are customers of Telstra” were targeted by business email compromise (BEC) scams. “Once the attack starts, it is very persistent,” Penn said on the BEC attacks.

    On whether companies should be disclosing attacks, the CEO said a disinclination to disclose attacks still existed, but he noted that some businesses have seen benefits from being transparent. “Companies that are transparent in dealing with it, recognising it, and communicating with their customers are actually building more trust with their customers,” he said. “Because one thing that I think we have to take into account is often what will happen is if an organisation is hacked, and data is stolen, the issue with that data, is that data is usually data that belongs to that company’s customers as opposed to necessarily itself — and it is those customers who are best able to understand the risks associated with that data being disclosed on the dark web, and so you need to communicate with those customers as quickly as possible.” Although currently preferring a carrot to a stick on the issue of whether company directors should be held legally responsible for cyber breaches, Penn said a line did exist. “Ultimately, in egregious situations, where the exposure to cyber risk is seriously potentially a threat to national security or it’s a threat to health or safety, or otherwise, and there has been complete sort of negligence towards ensuring that there are some basic cyber defences in place, then I think directors obviously have to be responsible,” he said. “As they are in other situations, whether it’s in health and safety, or in doing business responsibly and acting in a fair and non-misleading way.”

    Liberal MPs misunderstand how the free market operates for political gain

    Penn saved some of his most stinging criticism on Thursday for calls that the company should boost its spending in regional Australia following the sale of 49% of its tower business. At the time of the announcement in June, Telstra said it would use AU$75 million from the sale to increase coverage in regional Australia and hand 50% of the net proceeds back to shareholders. Speaking to the NPC, Penn said the deal was a way of raising capital and generating returns for its shareholders, the majority of which are the nation’s superannuation funds. He then pointed to the company’s mobile coverage to rebut claims that the company was not spending money in regional areas. “Telstra invests more than anybody in regional and rural Australia — we’ve spent about AU$5 billion, literally, over the last three or four years. In fact, I announced a further AU$500 million in recent weeks investing in regional and rural Australia,” he said. “Those members of Parliament, I think, are confusing their own government policy and their own obligations — which tells you we’re a private enterprise, we’re there to work with and to help and support investment, and we are investing very significantly. We invested overwhelmingly in the mobile blackspots program, more than the rest of the industry put together. We were the only major operator to support the Regional Connectivity Program. “It is, unfortunately, a fact that not every part of Australia will receive mobile coverage.” Penn said that while the landmass of Australia is around 7.8 million square kilometres, and the company’s network reaches 2.5 million square kilometres, that was a million square kilometres more than second-placed Optus. “The bottom line is, we’re not going to be able to cover every square inch of Australia. That is a reality, and unfortunately those members of Parliament need to come to terms with that reality,” Penn said. “The other point I should say as well, is that in certain electorates, we actually have plans in place to put towers in, but unfortunately those members have not been able to actually get their own local councils to approve the planning permits to get the job done. “I have said this previously with a couple of these individuals, that they need to go and have a walk down the corridor of Parliament house and talk to their colleagues, not to Telstra.” In response, Penn was asked whether some Liberal members of Parliament did not understand how the free market worked. “Either that or they choose not to, because it’s politically helpful for them to say the comments that they say,” Penn replied.


    Fleets’ existence on Twitter was indeed fleeting

    After introducing Fleets in November, Twitter is set to bin the disappearing-content idea on August 3. Reasoning provided by the company in a blog post explained that Fleets was intended to encourage new people to contribute, but that did not happen. “Although we built Fleets to address some of the anxieties that hold people back from tweeting, Fleets are mostly used by people who are already Tweeting to amplify their own Tweets and talk directly with others,” the company said. “We’ll explore more ways to address what holds people back from participating on Twitter. And for the people who already are tweeting, we’re focused on making this better for you.” Responding to a Fleet was only possible via direct message. Twitter said it would test bringing elements from the Fleet composer into its standard tweet composer, such as the full-screen camera, text formatting options, and GIF stickers. Instead of seeing Fleets at the top of user timelines, Twitter said the space would be occupied by Spaces.

    “If we’re not evolving our approach and winding down features every once in a while — we’re not taking big enough chances,” the blog post said. “We’ll continue to build new ways to participate in conversations, listening to feedback and changing direction when there may be a better way to serve people using Twitter.” Earlier this week, the company said it had enabled users to change who could reply to a tweet after it was posted; users previously had to select who could reply before posting.

    Japan and India lead world in throwing legal requests at Twitter

    Twitter on Wednesday released its latest transparency report, for the half year to December 31, highlighting that it received over 38,500 legal demands to remove content from almost 132,000 accounts. Those demands had a 30% success rate. “Although there was a 9% decrease in the number of legal demands Twitter received, compared to the previous reporting period, these requests sought removal of content from the largest number of accounts ever in a single reporting period,” the company said. “Accounts of 199 verified journalists and news outlets from around the world were subject to 361 legal demands, a 26% increase in these requests since the previous reporting period.” Twitter said 94% of legal requests came from five countries: Japan, India, Russia, Turkey, and South Korea. Japan accounted for 30% of legal requests, almost 55,600, with India making over 12,400 demands. Japan’s strike rate against the 67,400 accounts it targeted was 31.6%, while India specified 48,300 accounts but was successful only 12.4% of the time. The number of legal requests from Japan was down 10% from its previous high in the first half of the 2020 calendar year. “The 16,649 requests from Japan were primarily related to laws regarding narcotics and psychotropics, obscenity, or money lending,” Twitter said.
    “The next highest volume of legal demands came from India, comprising 18% of global legal demands and representing a 152% increase from the previous reporting period. Notably, the number of accounts specified in requests from India also increased by 45% this reporting period.” India was the country with the highest number of legal demands against journalists and news outlets, while South Korea issued four legal demands over content on Vine alleging breaches of privacy and sexual misconduct. Twitter said it removed that content. The company listed multiple examples where it did not take action. “Twitter received multiple legal demands from Hong Kong police in relation to allegations of unlawful and obscene activities against members of law enforcement. No actions were taken as the content did not violate Twitter’s [terms of service],” it said. “Twitter received a legal demand from the Malaysian Communications and Multimedia Commission for alleged hate speech violations under Malaysia’s Penal Code. No action was taken as the account shared newsworthy content and remained compliant with Twitter’s parody, Newsfeed, commentary, and fan account policy.” The company added that it received legal demands from Sri Lanka and Saudi Arabia that it did not act on, and that it also did not act on two Thai court orders. Indonesia did slightly better on a wide-ranging demand. “Twitter received a legal demand for 60,472 accounts from Indonesia’s Ministry of Communication and Information Technology for violating their Electronic Information and Transaction Law, Number 11 Year 2008. More than 90% of the reported content was determined not to violate Twitter’s [terms of service].”


    Google details recent malware campaigns amid uptick in zero-day attacks

    Google has released new details about four zero-day security vulnerabilities that were exploited in the wild earlier this year. Discovered by Google’s Threat Analysis Group (TAG) and Project Zero researchers, the four zero-days were used as part of three targeted malware campaigns that exploited previously unknown flaws in Google Chrome, Internet Explorer, and WebKit, the browser engine used by Apple’s Safari.

    Google’s researchers also noted that 2021 has been a particularly active year for in-the-wild zero-day attacks. So far this year, 33 zero-day exploits used in attacks have been publicly disclosed, 11 more than the total for 2020. Google attributes some of the uptick to greater detection and disclosure efforts, but said the rise is also due to the proliferation of commercial vendors selling access to zero-day capabilities compared with the early 2010s. “0-day capabilities used to be only the tools of select nation states who had the technical expertise to find 0-day vulnerabilities, develop them into exploits, and then strategically operationalize their use,” Google said in a blog post. “In the mid-to-late 2010s, more private companies have joined the marketplace selling these 0-day capabilities. No longer do groups need to have the technical expertise, now they just need resources. Three of the four 0-days that TAG has discovered in 2021 fall into this category: developed by commercial providers and sold to and used by government-backed actors.” As for the zero-days discovered by Google, the exploits target CVE-2021-1879 in Safari, CVE-2021-21166 and CVE-2021-30551 in Chrome, and CVE-2021-33742 in Internet Explorer. In the Safari zero-day campaign, the attackers used LinkedIn Messaging to target government officials from western European countries, sending malicious links that directed targets to attacker-controlled domains. If the target clicked the link from an iOS device, the malicious website would launch the exploit. “This exploit would turn off Same-Origin-Policy protections in order to collect authentication cookies from several popular websites, including Google, Microsoft, LinkedIn, Facebook and Yahoo and send them via WebSocket to an attacker-controlled IP,” Google TAG researchers said. “The victim would need to have a session open on these websites from Safari for cookies to be successfully exfiltrated.”

    Google researchers said the attackers were likely part of a Russian government-backed actor abusing this zero-day to target devices running older versions of iOS (12.4 through 13.7). Google’s security team reported the zero-day to Apple, which issued a patch on March 26 through an iOS update. The two Chrome vulnerabilities were renderer remote code execution zero-days and are believed to have been used by the same actor. Both targeted the latest versions of Chrome on Windows and were delivered as one-time links sent via email to the targets. When a target clicked the link, they were sent to attacker-controlled domains and their device was fingerprinted for information that the attackers used to decide whether or not to deliver the exploit. Google said all of the targets were in Armenia. With the Internet Explorer vulnerability, Google said its researchers discovered a campaign targeting Armenian users with malicious Office documents that loaded web content within the browser. “Based on our analysis, we assess that the Chrome and Internet Explorer exploits described here were developed and sold by the same vendor providing surveillance capabilities to customers around the world,” Google said. Google also published root cause analyses for all four zero-days.


    SonicWall releases urgent notice about 'imminent' ransomware targeting firmware

    Networking device maker SonicWall sent out an urgent notice to its customers about “an imminent ransomware campaign using stolen credentials” that is targeting Secure Mobile Access (SMA) 100 series and Secure Remote Access (SRA) products running unpatched and end-of-life 8.x firmware. In addition to the notice posted to its website, SonicWall emailed everyone using SMA and SRA devices, urging some to disconnect their devices immediately. The company said it worked with Mandiant and other security companies on the issue. “The exploitation targets a known vulnerability that has been patched in newer versions of firmware. SonicWall PSIRT strongly suggests that organizations still using 8.x firmware review the information below and take immediate action,” the company said, noting that this applied to the SMA 100 and the older SRA series. SonicWall urged its users to update to the latest available SRA and SMA firmware, explaining that those who don’t address the vulnerabilities are “at imminent risk of a targeted ransomware attack.” Anyone using SRA 4600/1600 (EOL 2019), SRA 4200/1200 (EOL 2016) or SSL-VPN 200/2000/400 (EOL 2013/2014) should disconnect their appliances immediately and change all associated passwords. “Organizations using the following end-of-life SMA and/or SRA devices running firmware 8.x should either update their firmware or disconnect their appliances per guidance below. If your organization is using a legacy SRA appliance that is past end-of-life status and cannot update to 9.x firmware, continued use may result in ransomware exploitation,” SonicWall said. “The affected end-of-life devices with 8.x firmware are past temporary mitigations. Continued use of this firmware or end-of-life devices is an active security risk. To provide a transition path for customers with end-of-life devices that cannot upgrade to 9.x or 10.x firmware, we’re providing a complimentary virtual SMA 500v until October 31, 2021.”

    SonicWall added that customers “should also immediately reset all credentials associated with your SMA or SRA device, as well as any other devices or systems using the same credentials.” Two weeks ago, SonicWall announced a vulnerability in its Network Security Manager that was discovered by Positive Technologies, and another in its VPN portal in June. SonicWall did not respond to questions about which ransomware groups were targeting the vulnerability, but earlier this year, researchers with NCC Group’s incident response team discovered a new variant of the FiveHands ransomware targeting SonicWall devices. Cybersecurity firm FireEye said more than 100 organizations were targeted and some may have been infected even though SonicWall patched the SMA 100 series remote access product vulnerability in February 2021. In a statement to ZDNet, SonicWall said, “Threat actors will take any opportunity to victimize organizations for malicious gain. This exploitation targets a long-known vulnerability that was patched in newer versions of firmware released in early 2021.” “SonicWall immediately and repeatedly contacted impacted organizations with mitigation steps and update guidance. Even though the footprint of impacted or unpatched devices is relatively small, SonicWall continues to strongly advise organizations to patch supported devices or decommission security appliances that are no longer supported, especially as it receives updated intelligence about emerging threats,” the statement said. “The continued use of unpatched firmware or end-of-life devices, regardless of vendor, is an active security risk.”


    Does cybercrime impact cryptocurrency prices? Researchers find out

    As the price of cryptocurrency increases so does the volume of illicit mining detected in the wild, researchers say. 

    Cryptocurrency has become a favored means for many threat actors to monetize cyberattacks. Perhaps the best-known criminal use of cryptocurrencies including Bitcoin (BTC), Ethereum (ETH), and Monero (XMR) is ransomware payments, but cryptocurrency mining is also, more covertly, a problem. Cryptocurrency mining malware, when deployed on PCs or unsecured servers, quietly siphons away computing resources to generate virtual currency, which is then sent to wallets controlled by its operators. Also known as cryptojacking, the most common forms of this malware in the wild include Coinhive, Jsecoin, XMRig, and Cryptoloot; some of these started out as legitimate mining programs before being turned to criminal purposes. Cyberattackers look for the best return on their time, and in an examination of the topic published on Wednesday, researchers from Cisco Talos attempted to define the links between cryptojacking rates and cryptocurrency prices. They chose Monero as the cryptocurrency of interest and analysed cryptomining activity for the coin against its value between November 2018 and June 2021. “Monero is a favorite for illicit mining for a variety of reasons, but two key points are: It’s designed to run on standard, non-specialized, hardware, making it a prime candidate for installation on unsuspecting systems of users around the world, and it’s privacy-focused,” the researchers say.

    Talos notes that, while the value of Monero has fluctuated over the years like that of many other cryptocurrencies, its price rose from late 2020 until a recent pullback. The researchers then applied network-based cryptojacking detection, covering millions of events associated with Monero mining. According to the team, not only were they “floored” to see how much more common cryptojacking has become since 2018, but also, outside of the price drop in early 2021, “the graph tracks almost identically to the value of the currency.”
    “This was honestly a pretty surprising correlation since it’s believed that malicious actors need a significant amount of time to set up their mining operations, so it’s unlikely they could flip a switch overnight and start mining as soon as values rise,” Talos says. “This may still be true for some portion of the threat actors deploying miners, but based on the actual data, there are many others chasing the money.” However, considering crackdowns on cryptocurrency mining and trading around the world, if the cryptojacking environment becomes more difficult or less lucrative, it is entirely possible that threat actors will turn their attention to the next big thing. “Detection for cryptomining can be spread into a variety of different places, including blocking mining-related domains, enforcing limitations on the end system preventing the mining from starting and lots of network-based detection, which this research is based on,” Talos says. “Regardless of the detection point, organizations should be working to prevent it.”
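    The network-based detection point Talos refers to, in practice: as an added example (not code from the article or from Cisco Talos), the Python below inspects captured flow payloads for Stratum mining-protocol messages and known pool hostnames, and pulls out the wallet or worker name and miner user agent where the message carries them. The flow records, the wallet placeholder and the IP addresses are constructed; the Stratum method names are the real ones (mining.* for classic Stratum v1, login/submit/keepalived for the XMRig-style protocol Monero miners speak), while the pool-host list and miner user-agent prefixes are short illustrative assumptions, not a complete blocklist.

```python
"""Network-side cryptojacking detection over captured TCP payloads.
Added example, not code from the article or from Cisco Talos. The flow
records are constructed; the Stratum method names are real, the pool
host list and agent prefixes are illustrative assumptions."""
import json

STRATUM_V1_METHODS = {
    "mining.subscribe", "mining.authorize", "mining.submit",
    "mining.notify", "mining.set_difficulty", "mining.extranonce.subscribe",
}
XMRIG_METHODS = {"login", "submit", "keepalived"}
# Illustrative only; a real deployment pulls a maintained pool/domain feed.
KNOWN_POOL_HOSTS = {"pool.minexmr.com", "pool.supportxmr.com", "xmr.nanopool.org"}
MINER_AGENT_PREFIXES = ("xmrig", "cpuminer", "minerd", "ccminer", "xmr-stak")

# Constructed sample flows: the first payload of each TCP session.
SAMPLE_FLOWS = [
    {"src": "10.0.0.23", "dst": "pool.minexmr.com:4444",
     "payload": '{"id":1,"jsonrpc":"2.0","method":"login","params":'
                '{"login":"4CONSTRUCTED_MONERO_WALLET_ADDRESS","pass":"x","agent":"XMRig/6.12.2"}}'},
    {"src": "10.0.0.41", "dst": "203.0.113.77:3333",
     "payload": '{"id":1,"method":"mining.subscribe","params":["cpuminer/2.5.1"]}'},
    {"src": "10.0.0.41", "dst": "203.0.113.77:3333",
     "payload": '{"id":2,"method":"mining.authorize","params":["worker1.rig","x"]}'},
    # A benign JSON-RPC "login" call: same method name, different shape.
    {"src": "10.0.0.9", "dst": "api.example.com:443",
     "payload": '{"id":7,"jsonrpc":"2.0","method":"login","params":{"user":"alice","password":"..."}}'},
    {"src": "10.0.0.9", "dst": "203.0.113.8:80", "payload": "GET / HTTP/1.1"},
]


def _is_xmrig_login(method, params):
    # XMRig's login carries a dict with "login" (wallet) and "pass" keys; requiring
    # both avoids matching every JSON-RPC API that happens to have a "login" method.
    return method == "login" and isinstance(params, dict) and {"login", "pass"}.issubset(params)


def inspect_flow(flow):
    """Return a finding for one flow, or None if nothing mining-related was seen."""
    host = flow["dst"].rsplit(":", 1)[0]
    reasons, wallet, agent = [], None, None
    if host in KNOWN_POOL_HOSTS:
        reasons.append(f"known pool host {host}")
    try:
        msg = json.loads(flow["payload"])
    except (ValueError, TypeError):
        msg = None
    if isinstance(msg, dict):
        method, params = msg.get("method"), msg.get("params")
        if method in STRATUM_V1_METHODS:
            reasons.append(f"stratum method {method}")
            if isinstance(params, list) and params:
                if method == "mining.authorize":
                    wallet = params[0]   # worker name, commonly wallet.worker
                elif method == "mining.subscribe":
                    agent = params[0]    # miner user agent
        elif _is_xmrig_login(method, params):
            reasons.append("xmrig-style login")
            wallet, agent = params.get("login"), params.get("agent")
        elif method in XMRIG_METHODS and reasons:
            # submit/keepalived alone are weak evidence; count them only with pool context
            reasons.append(f"stratum method {method}")
        if isinstance(agent, str) and agent.lower().startswith(MINER_AGENT_PREFIXES):
            reasons.append(f"miner user agent {agent}")
    if not reasons:
        return None
    return {"src": flow["src"], "dst": flow["dst"], "wallet": wallet,
            "agent": agent, "reasons": reasons}


def scan_flows(flows):
    """Return findings for every flow that looks like cryptomining traffic."""
    return [f for f in (inspect_flow(fl) for fl in flows) if f is not None]


def run_sample():
    return scan_flows(SAMPLE_FLOWS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding["src"], "->", finding["dst"], ";", "; ".join(finding["reasons"]))
```

    The wallet or worker name extracted from the login/authorize message is the pivot worth keeping: it ties otherwise unrelated infected hosts to one operator, and hosts that share a wallet can be grouped into a single incident. The benign JSON-RPC login in the sample shows why the XMRig check looks at the parameter shape rather than the method name alone; the check is blind to miners that wrap Stratum in TLS, which is where the domain blocking Talos mentions has to carry the load.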