More stories

  • Mimecast reveals source code theft in SolarWinds hack

    Mimecast has revealed the theft of its source code in a cyberattack linked to the SolarWinds breach. 

    According to Mimecast’s security incident disclosure, published on March 16, a malicious SolarWinds Orion update was used to access the company’s production grid environment. The cloud and email security firm said “a limited number of source code repositories” were downloaded during a cyberattack in January, but added that the company currently has “no evidence” that this code was maliciously modified or that the loss will impact any existing products.

    “We have no evidence that the threat actor accessed email or archive content held by us on behalf of our customers,” Mimecast says. “We believe that the source code downloaded by the threat actor was incomplete and would be insufficient to build and run any aspect of the Mimecast service.”

    Alongside the source code theft, some Mimecast-issued certificates and limited customer server connection datasets were compromised by attackers. Mimecast was made aware of a certificate security issue by Microsoft in January, which told the company a certificate used to authenticate Mimecast Sync and Recover, Continuity Monitor, and IEP was being exploited to target a small number of M365 tenants from non-Mimecast IP addresses. A new certificate was issued before Microsoft disabled the hijacked certificate at Mimecast’s request.

    In addition, the unidentified threat actors were able to access email addresses, contact information, and credentials, although the credentials were encrypted or hashed and salted.

    The SolarWinds supply chain attack, first disclosed in December, has impacted thousands of enterprise and government organizations. Software vendor SolarWinds was breached and an update for its Orion software was infected with malware before being pushed to countless users, creating a widespread chain of supply-chain compromise.

    Mimecast and FireEye’s Mandiant team have been working together on an investigation of the security breach. According to the companies, the initial intrusion was made through Sunburst malware loaded alongside the malicious Orion update. Mimecast recommends that customers in the US and UK reset any server connection credentials used on the Mimecast platform as a “precautionary measure.” The cloud security firm says that hashed credentials are also being reset, and customers involved in the breach have been notified. Mimecast has also upgraded its encryption algorithm for stored credentials and has pulled SolarWinds Orion from its infrastructure. All impacted servers have been replaced.

    Microsoft estimates that the attack, suspected of being the handiwork of Russian state-sponsored group Nobelium, may have required the efforts of up to 1,000 engineers to create.

  • Quantum computing breaking into real-world biz, but not yet into cryptography

    Quantum computing is ready for mainstream deployment and is already being tapped to resolve real-world business challenges. Use of the technology to crack cryptography and encryption, however, still has some way to go.

    In particular, D-Wave Systems CEO Alan Baratz believes it could take at least another decade before factoring is viable on quantum computing systems and can be used to undermine current cryptographic tools. This was likely the case whether a gate-based system, with its volatile error correction, or D-Wave’s annealing technology was used to factor the large integers on which cryptographic keys rely, Baratz said in a video call with ZDNet. That said, D-Wave had an internal security team that monitored activity on its systems, he revealed, while acknowledging that it was still too soon to determine the types of hacking tools that could be, or had been, created on quantum computers.

    The Canadian quantum computing vendor does not specifically focus on cryptography, but its technology has been used to power intrusion and threat detection applications. It also has a presence in the US, UK, and Japan, and has 20 paying customers in the Asian market. Its cloud-based Leap quantum computing service is available in Singapore via Amazon Web Services (AWS).

    A Deloitte Consulting report echoed Baratz’s views, stating that quantum computers would not be breaking cryptography, or running at computational speeds sufficient to do so, anytime soon. However, it said quantum systems could pose a real threat in the long term and that it was critical to prepare now for such a future. On the impact on Bitcoin and blockchain, for instance, the consulting firm estimated that 25% of Bitcoins in circulation were vulnerable to a quantum attack, pointing in particular to coins currently stored in P2PK (Pay to Public Key) and reused P2PKH (Pay to Public Key Hash) addresses. These were potentially at risk because their public keys could be obtained directly from the address, or had been made public when the Bitcoins were spent.

    Deloitte suggested one way to plug such gaps was post-quantum cryptography, though these algorithms could pose other challenges to the usability of blockchains. Noting that this new form of cryptography was currently being assessed by experts, it said: “We anticipate that future research into post-quantum cryptography will eventually bring the necessary change to build robust and future-proof blockchain applications.”

    Mathematician Peter Shor in 1994 published a quantum algorithm that he said could break the most common asymmetric cryptography algorithms. It suggested that, given a large enough quantum computer, the algorithm could be used to recover the private key matching a given public key, and so forge digital signatures.

    A team of engineers and researchers in Singapore last year also announced plans to tap quantum cryptography technology to enhance network encryption tools, so these could be ready to mitigate security risks when quantum computing became mainstream. Specifically, they were looking to use “measurement-device-independent” quantum key distribution (MDI QKD) technology and hoped their research could pave the way to a new class of “quantum-resilient encryptors”.

    Quantum ready for mainstream enterprise application

    While the technology has yet to break cryptography, quantum computing is ready for mainstream adoption and is already being tapped to address real-world enterprise challenges. Pointing specifically to D-Wave’s proprietary annealing technology, Baratz said this allowed quantum computing to scale more easily and be less sensitive to noise and computational errors, to which gate-based systems were prone. Currently in its fifth generation, D-Wave’s quantum computers clock more than 5,000 qubits and are capable of supporting rollout “at commercial scale”, he said. This, he added, was a stage that no other market player had been able to achieve thus far with the gate-based model.
    Commonly adopted in the industry today, the gate-based model makes quantum computers tough to build and sensitive to error. Its most stable state currently yields about 30 qubits, which is sufficient to power mostly research work and unlikely to be used to solve business problems at scale for another seven to 10 years, he said. “Error rates on [gate-based systems] are so high you can’t really do anything with them, even with small problems,” he added, noting that a competitor last year said it was able to solve a specific optimisation problem on its quantum computer. However, this was possible only once out of every 100,000 attempts, he said.

    Quantum computing runs on principles of quantum mechanics that include probabilistic computation. Baratz said annealing technology, designed specifically for optimisation purposes, had a higher influence on the probability of outcomes and, hence, was less sensitive to errors. It also learnt from where it ended the previous computation to fine-tune future ones. “When you lose coherence, you end up with garbage. With annealing, when you lose coherence, you settle into a [potential] solution and restart the computation to try and improve the solution,” he said. The gate-based model, in comparison, could not do that, since it would lose coherence after every computation rather than pick up from the previous run.

    A grocer using D-Wave to enhance a portion of its logistics system was able to solve an optimisation problem in two minutes per week per location, where previously it took 25 hours per week per location, he noted. More than 20,000 developers worldwide have signed up to access Leap, with some 1,000 regularly using the service each month. Paying customers fork out an estimated $2,000 an hour to run computations on D-Wave computers.
    Baratz noted, though, that its systems could not solve all quantum computing problems, because annealing was designed specifically for optimisation problems, which are common challenges for businesses. Gate-based systems, on the other hand, would be able to solve any computational problem once error rates were reduced, something he said was unlikely to materialise for at least another seven years.

    So while D-Wave’s annealing-powered quantum computers were limited to solving optimisation problems, they were capable of solving real-world business challenges today, he said. Its systems were also on a path to building a universal error correction system by leveraging the technology it already had, he added. To date, more than 250 applications have been built with D-Wave systems, most of which used Leap and spanned use cases including financial modelling, scheduling, protein folding, and manufacturing optimisation, the vendor said.

  • Singapore bank turns on face verification at ATMs

    OCBC Bank has turned on face verification at selected ATMs across Singapore, letting its customers authenticate their identity without the need for an ATM card. Access, though, is currently limited to balance queries, with other transactions to be added at a later stage.

    Facial biometrics are available at eight ATMs in the city-state, including at the local bank’s main branches in Tampines and the CBD, and at a convenience store. For now, OCBC customers will only be able to use the authentication option to check their account balance, according to a statement released Thursday. The Singapore bank said access would be expanded to include cash withdrawals “progressively”, but gave no timeline on when this would be. After cash withdrawals were added to the list of services accessible via face verification, it said, others would be introduced from next year, including cash deposits, funds transfers to other banks, cashcard top-ups, and credit card bill payments. OCBC noted that balance queries and cash withdrawals were the two most used services at its ATMs, accounting for almost 8 in 10 transactions carried out at these machines in Singapore.

    The feature is powered by the government’s SingPass Face Verification system, in which an individual’s scanned face is verified against the national biometric database comprising the images and identities of more than 4 million local residents. The technology is embedded with security features that the Singapore government says safeguard against fraud, such as liveness detection capabilities to detect and block the use of photographs, videos, or masks during the verification process.

    The option to verify a customer’s identity through facial biometrics also bypasses the need for ATM cards, which could be skimmed or stolen, OCBC said. Customers keen to use the feature are prompted to enter their identification number before positioning their face within a frame on the screen. The eight selected ATMs are fitted with a pre-installed web-enabled camera that scans the customer’s face and verifies it in real time against the national database, to which OCBC’s ATMs are digitally linked. Once verified, the customer is allowed to proceed with their transaction.

    Noting that consumers here, including the elderly, were avid digital adopters, the bank’s Singapore head of consumer financial services Sunny Quek said: “While cash is still a key mode of payment in Singapore, the digital overlay to get cash is very welcomed by consumers.”

    He noted that digital adoption within OCBC had grown more than 40% last year, with more customers signed up on the country’s digital e-payment system PayNow, and PayNow transactions doubling compared to 2019. QR code cash withdrawals at the bank’s ATMs, launched in July 2019, also grew 88% year-on-year in 2020, Quek said, adding that the introduction of face verification provides another convenience for customers who use the bank’s touchpoints.

    According to OCBC, ATM use remained high amongst its customers even amidst high adoption of digital banking services, at more than 2 million cash withdrawals a month. It noted that more than 200,000 customers made their first digital banking transactions last year. Its mobile banking app also clocks more than 7 million logins each month via face or fingerprint biometric authentication. Since including SingPass as a login option for its customers last July, OCBC said more than 1 million logins on its digital banking platforms were carried out using the e-government system instead of access codes and PINs.

  • CyberCX uses local 2020 cyber victims list to light a fire under both Aussies and Kiwis

    Australia and New Zealand cyber megamix CyberCX is hoping to fill the gap left by global security firms, focusing locally to forge ahead with a more regionally appropriate response to countering cyber threats.

    In its Annual Threat Assessment report [PDF], CyberCX, the group of security companies headed by two of Australia’s most experienced technology and cyber veterans, has offered a handful of recommendations for businesses operating in Australia and New Zealand, with the first, under the banner “strategic”, encouraging the development of an incident response plan.

    “The faster an organisation can detect and respond to an incident, the less likely the incident is to have a significant impact on data, customer trust, operations, reputation, and revenue,” it said.

    Although obvious, the report drums in the importance of educating and training staff on practices such as good cyber hygiene, creating a security culture, and creating and maintaining a consistent, up-to-date cybersecurity policy suite.

    CyberCX, backed by private equity firm BGH Capital, was formed a little over one year ago when it brought together 12 of Australia’s independent cybersecurity brands: Alcorn, Assurance, Asterisk, CQR, Diamond, Enosys, Klein&Co, Phriendly Phishing, Sense of Security, Shearwater, TSS, and YellIT. It is headed by Alastair MacGibbon, former head of the Australian Cyber Security Centre and once special adviser on cybersecurity to former Prime Minister Malcolm Turnbull, as well as CEO John Paitaridis, who was formerly Optus Business’ managing director.

    Since launch, CyberCX has gone on an expansion spree, scooping up a number of local cybersecurity startups. In its report, CyberCX encouraged the use of local cybersecurity firms.

    “Using Australian and New Zealand cybersecurity vendors drives innovation at home and boosts jobs in the local cybersecurity market. Local vendors offer cybersecurity solutions of global calibre and at the same time provide the added benefit of a local perspective,” it wrote. “Analysis tailored specifically to the Australia-New Zealand context is often missing from international vendors, many of which tend to be US-centric.”

    The next item on its checklist is “technical” and includes practices such as securing the attack surface, increasing network visibility, implementing end-point controls, adopting multi-factor authentication, and adopting the MITRE Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK) framework.

    “Australian and New Zealand organisations remain attractive targets for a range of cyber threat actors,” MacGibbon added in his foreword. “Over the past year, we have seen prominent organisations and agencies suffer incidents, and cyber crime soar off the back of COVID-19 … the threat actors involved in these incidents have been both financially motivated cyber criminals and state-sponsored groups.”

    2020 victim list

    The report also details cyber incidents that occurred in the region in 2020. Here’s the timeline of some of the biggest incidents from Australia and New Zealand:

      • January: Australian logistics provider Toll Group was infected by Netwalker ransomware, affecting its entire global infrastructure.
      • March: The Australian branch of car-auction house Manheim Auctions similarly fell victim to ransomware.
      • April: Intrusion activity targeted COVID-19 research in Australian, US, UK, Spanish, South Korean, and Japanese laboratories, while Toll Group suffered its second ransomware incident, this time caused by the Nefilim malware.
      • May: Service NSW reported it was the victim of a phishing attack that compromised the information of 186,000 customers through access to 47 staff email accounts. BlueScope Steel also experienced a ransomware incident that triggered manual processes but had no material impact on operations. The same month, a man was prosecuted for carrying out DDoS attacks against two Australian retail and telecommunications entities in 2019.
      • June: Food and beverage company Lion, with operations in Australia and New Zealand, suffered a ransomware incident that shut down IT systems and disrupted suppliers and customers. Also in June, a spam campaign distributed the banking trojan RM3, targeting Australia-based financial institutions, and New Zealand whitegoods manufacturer Fisher & Paykel was struck by Nefilim ransomware, impacting its manufacturing and distribution operations.
      • July: A research company in New Zealand experienced a privacy breach that compromised the contact details of people who had called the police.
      • August: Australian provider Regis Healthcare suffered a Maze ransomware incident resulting in a breach of client data, while the New Zealand Stock Exchange (NZX) suffered sustained DDoS attacks impacting network connectivity and trading for four days.
      • September: A misconfiguration at the University of Tasmania caused the personally identifiable information of 20,000 students to be leaked through SharePoint to the entire staff and student body, while ransomware operators exfiltrated 17GB of sensitive data from aged care provider Anglicare Sydney. MetService, the meteorological service of New Zealand, also experienced a DDoS attack, with no notable loss of performance after all web traffic was redirected to a secured back-up site. French maritime shipping giant CMA CGM’s offices in China were also hit by Ragnar Locker ransomware, causing significant shipping delays in Australia.
      • October: Australian media-monitoring company Isentia disclosed a ransomware intrusion that reportedly cost at least AU$7 million. Facilities service provider Spotless also experienced a ransomware incident during merger and acquisition activity by Downer, while an Australian gas producer, retailer, and distributor disclosed that it had recently discovered a data breach that occurred in 2014 on a third-party software system.
      • November: Law In Order, an Australian supplier of document and digital services to law firms, suffered a Netwalker ransomware incident, and at the same time Nexia, a network of solutions-focused accountancy and consultancy firms in Australia and New Zealand, suffered a REvil ransomware incident.
      • December: New Zealand-based financial services firm Staircase suffered a Netwalker ransomware incident, which saw personal information belonging to its clients published on multiple dark web forums after the company failed to pay the ransom within the designated timeframe. A breach of 2.6 million email addresses and hashed passwords from Nitro PDF also exposed 4,000 .nz email addresses.

    The effects of one of the largest supply chain attacks in history were felt in Australia and New Zealand as well, with SolarWinds customers including entities in the government, technology, healthcare, research, and extractive sectors in North America, Europe, Asia, and the Middle East. Lastly, multiple Australian and New Zealand organisations were compromised through an exploit of Accellion File Transfer Appliance software. Transport for New South Wales (TfNSW) confirmed being affected, as did the Australian Securities and Investments Commission (ASIC) and the Reserve Bank of New Zealand.

  • Eastern Health cyber 'incident' cancels some surgeries across Melbourne

    Some surgeries have been cancelled at Eastern Health facilities in Victoria, following a “cyber incident” experienced late Tuesday. Eastern Health operates the Angliss, Box Hill, Healesville, and Maroondah hospitals, and has many more facilities under management. In a statement, Eastern Health said it took many of its systems offline in response to the incident.

    “Many Eastern Health IT systems have been taken off-line as a precaution while we seek to understand and rectify the situation,” it said. “It is important to note, patient safety has not been compromised.”

    Eastern Health said Category 1 Elective Surgery will continue as planned; however, the incident has impacted its ability to undertake less urgent — Category 2 and 3 — Elective Procedures.

    Data breach notification to the Office of the Australian Information Commissioner became mandatory under the Notifiable Data Breaches (NDB) scheme in February 2018.

    Since the mandate, health has been the most affected sector. The latest NDB report shows no change, with health accounting for 123 of the total 519 notifications in the six months to December 2020.

  • Health Minister says vaccine booking system ‘glitches’ were just day one rush

    The federal government’s COVID-19 vaccine booking service was on Wednesday inundated with people trying to secure their dose, with the Department of Health’s eligibility tool suffering “problems”. According to Minister for Health Greg Hunt, day one was always going to be busy.

    “The eligibility checker had approximately 243,000 people on health.gov.au check their eligibility. We had a 98% connection rate, on the advice that we’ve received from the booking engine. And then what happens is that you approach your GP, in the vast majority of cases. Some take online bookings, some take telephone bookings,” Hunt said, when asked why the website was not working as expected.

    “And in addition to that, the Commonwealth vaccination clinics will link through directly from the vaccination information and location service. So yesterday, 98% connection, 243,000 people who checked, 9,000 who actually registered for Phase 2, which is well beyond where we are now. And so what we’ve seen is a high uptake. And day one was always going to see a significant initial demand and I’m very pleased about that.”

    Due to the overload, and the fact that phase 1b affects many people over the age of 70, the 1,069 GPs listed as receiving the vaccine were inundated with phone calls.

    “This is a system that should have been in place well before the commencement, particularly, of phase 1b of the vaccine rollout strategy. Already, we are seeing widespread confusion and widespread frustration,” health and aged care shadow minister Mark Butler said. “The health system website continues to drop out, people are continuing to have problems logging onto a website that is the gateway to the vaccine rollout strategy. These systems should have been tested and finalised weeks ago. Instead all we are seeing out there today is chaos and confusion.”

    HealthEngine was selected by the federal government to build its COVID-19 vaccination booking platform. It was reported by The Guardian that day one was actually meant to be Monday and that the medical appointment booking industry had been told to prepare their platforms to feed into HealthDirect, and for their client GP clinics to be trained with the software, by March 22.

    “We’ve known for months that we would need a national booking system … more than 6 million Australians are due to be able to book their vaccines from next week without a National Booking System,” Butler added. “This is utterly remarkable and irresponsible. This vaccine rollout is fast becoming a complete mess. It is way behind schedule and the systems that we need in place are still remarkably still being built.”

    Almost a year ago to the day, the federal government’s myGov portal went down after thousands flocked to the website to sign up for income assistance following forced business closures in the wake of the coronavirus outbreak. The minister in charge of government services, Stuart Robert, said the portal had suffered a distributed denial of service (DDoS) attack, while simultaneously blaming the outage on legitimate traffic that pushed past the 55,000 concurrent users limit set by government. Those words were barely two hours old when Robert stood up in Parliament to say it was merely 95,000 people trying to connect to myGov that had triggered a DDoS alert, and not an attack at all.

  • Cyber strength now key to national security, says UK

    The UK has committed to a new approach to the UK’s cyber capabilities, to better detect, disrupt and deter adversaries.

    In what has been billed as the largest security and foreign policy strategy revamp since the Cold War, the UK government has outlined new defense priorities with, at their heart, the imperative to boost the use of new technologies to safeguard the country. Prime minister Boris Johnson unveiled the integrated review this week, which has been in the making for over a year and will be used as a guide for spending decisions in the future. Focusing on foreign policy, defense and security, the review sets goals for the UK to 2025, and underpinning many of the targets is the objective of modernizing the country’s armed forces.

    Johnson pledged to pump more money into defense, with a £24 billion ($33.4 billion) multi-year settlement that will represent a sizeable chunk of the UK’s GDP. Up to £6.6 billion ($9.1 billion) will be dedicated to R&D funding to deliver next-generation warfare technologies such as drones, directed energy weapons or advanced high-speed missiles.

    Where the government seems to be particularly ambitious, however, is in the space of cybersecurity: the review promises commitment to a new, “full-spectrum” approach to the UK’s cyber capabilities, to better detect, disrupt and deter adversaries. Technology has created new opportunities for malicious actors to operate in cyberspace, notes the review, through hacking, spreading disinformation, or carrying out organized crime online, to name a few. State and non-state agents are finding new ways to exploit digital weaknesses, increasing the risk of direct and collateral damage to the UK. “Consequently, cyber power will become increasingly important,” reads the document.

    The cyber threat coming from foreign states has been brought to the government’s attention many times in the past. Last year, the UK chief of defense intelligence James Hockenhull warned against the rising challenge posed by Russia and China, which he argued are supercharging conventional methods of conflict while also investing heavily in cyber. At about the same time, a report from a committee of MPs described Russia’s cyberattack capabilities as an “immediate and urgent threat” to the country’s national security, highlighting examples of Russian hackers intruding into the UK’s critical infrastructure and orchestrating phishing attempts against government departments.

    The new integrated review proposes to draw up a cyber strategy later this year, which is pitched as taking a “whole-of-cyber” approach that looks at a range of capabilities. On top of strengthening the country’s cyber ecosystem and creating a safer online space, the cyber strategy will establish ways for the UK to take the lead in technologies that are vital to cyber power, such as microprocessors, quantum technologies and new forms of data transmission.

    “The UK is due to publish a new National Cyber Strategy later in 2021 and some of the cyber and technology issues highlighted in the Integrated Review are a useful precursor,” James Sullivan, head of cyber research at the Royal United Services Institute (RUSI) for defence and security studies, tells ZDNet. “Building cyber resilience across the whole of society is the best way to make the most of the opportunities that technology offers.”

    Notably, the cyber strategy will focus on actively disrupting the activities of adversaries, by imposing costs on them or denying them the ability to harm UK interests – a step up from a purely defensive approach to cyber security. Central to the UK’s offensive approach will be the formal establishment of the National Cyber Force (NCF), which the prime minister announced will be headquartered in the north of England in an attempt to create a “cyber corridor” across the region. This will see industry and universities in the north of the country working hand-in-hand with government experts to prevent cyberattacks.

    Formed only last year, the NCF is a partnership between the Ministry of Defence (MoD) and the Government Communications Headquarters (GCHQ), which draws personnel from both organizations together with experts from the Secret Intelligence Service (MI6) and the Defence Science and Technology Laboratory (DSTL). In other words, it brings key players together for the first time with a common task: to conduct targeted offensive cyber operations against terrorists, hostile states and criminal gangs.

    The exact nature of the NCF’s work is highly secretive. GCHQ has previously asserted that the organization, and the UK at large, is committed to using its cyber capabilities in a responsible way and in line with international law, meaning that the force’s offensives are still tied to legal, ethical, and operational considerations. It is likely, therefore, that the NCF focuses on cyber operations that can disrupt an adversary’s ability to operate rather than attacking them head-on. The government specified some of the operations that the force can carry out, which include interfering with a mobile phone to stop a terrorist from communicating with their contacts, but also preventing cyberspace from being used for serious crimes or keeping military aircraft safe from targeting by weapons systems.

    Attacks carried out by the NCF are likely to take a similar shape to those described by GCHQ director Jeremy Fleming in 2018, who explained at the time how the organization had been taking offensive action online to stop Daesh from spreading propaganda, and to hinder terrorists’ ability to coordinate attacks.

    According to some critics, however, more work is needed to make sure that the NCF now finds a place among all of the government’s well-established security institutions. “It is good to see an emphasis on cyber security holistically with what is an explicitly offensive cyber force, but this sounds more like a sales pitch for what is a significant investment of resources on something that could be unpopular,” Andrew Dwyer, cybersecurity researcher at Durham University, tells ZDNet. “It is unclear what the NCF’s mission really is – it looks like a force that has yet to define what it needs or wants. There is a possibility that a move to the North could give the NCF some identity separate from its main contributors – the MoD and GCHQ – but it is likely to require far more detailed work to get it operationally ready,” he continues.

    As online attacks only increase in scale and number, the UK government is unlikely to loosen its focus on cyber security. The integrated review highlighted that the National Cyber Security Centre (NCSC), which was established in 2016, is already working at pace to help protect businesses and the public from cyberattacks, and that the cybersecurity sector in the UK currently boasts over 1,200 companies and 43,000 skilled jobs.

    Largest ransomware demand now stands at $30 million as crooks get bolder

    Ransomware shows no sign of slowing down, as the average ransom paid to cyber criminals by organisations that fall victim to these attacks has nearly tripled over the last year.

    Cybersecurity researchers at Palo Alto Networks analysed ransomware attacks targeting organisations across North America and Europe and found that the average ransom paid in exchange for a decryption key to unlock encrypted networks rose from $115,123 in 2019 to $312,493 in 2020. That represents a 171 per cent year-over-year increase, allowing cyber criminals to make more money than ever before from ransomware attacks.

    Ransomware remains an effective tool for cyber criminals because many organisations remain poorly equipped to deal with the threat, leading many victims to give in to extortion demands and pay a Bitcoin ransom in the hope they’ll get the decryption key required to restore their network.

    This has been helped along by the rise of additional extortion tactics, such as cyber criminals both encrypting and stealing data, then threatening the victim with publishing the stolen information if the ransom isn’t paid. In some cases, this leads to organisations that could restore the network without paying the ransom giving in to the blackmail and paying up anyway.

    The continued success of attacks has led to some ransomware gangs becoming extremely bold with their demands – and it’s paying off. Before 2020, the highest ransom demand paid to cyber criminals stood at $5 million, but during the last year that has doubled, with data in the report suggesting that one victim paid a ransom of $10 million to cyber criminals following a ransomware attack.

    The highest attempted ransom demand during 2020 stood at $30 million – double the previous highest attempted demand of $15 million in previous years. And given the continued success of ransomware attacks – and the emergence of successful new variants of ransomware and easy-to-use ransomware-as-a-service schemes – it’s unlikely that cyber criminals will slow down any time soon.

    “Ransomware is one of the top threats in cybersecurity,” said John Davis, vice president of public sector at Palo Alto Networks. “Organizations around the world are being held hostage by ransomware, and many are being forced to pay cybercriminals because they’re not equipped to combat the threat for varying reasons, from a lack of recoverable backups to the cost of downtime outweighing the cost of paying the ransom,” he added.

    Ransomware groups including Ryuk, Egregor, DoppelPaymer and many others continue to plague organisations around the world in 2021, but with the right cybersecurity strategy, it’s possible to defend against attacks.

    Phishing emails remain a common means for cyber criminals to infiltrate networks, so researchers recommend that employees receive training to identify threats. It’s also recommended that remote desktop services be secured with strong passwords and multi-factor authentication to protect against brute-force attacks, while security patches should be applied to stop attackers taking advantage of known vulnerabilities.

    Organisations should also regularly store backups of the network – and do so somewhere offline – so that if the worst happens and hackers do issue a ransom demand, the network can be restored without lining cyber criminals’ pockets.

    Microsoft Exchange Server: These quarterly updates include fixes for security flaws

    Microsoft has released its March 2021 quarterly cumulative updates for Exchange Server 2016 and Exchange Server 2019, which include the security updates to address critical flaws that are currently under attack.  These are notable cumulative updates (CUs) because customers with on-premise Exchange Server software should already be installing the separate security updates that Microsoft released on March 2. 

    Exchange attacks

    Microsoft released the emergency patches in response to four previously unknown vulnerabilities that were being exploited by state-sponsored hackers and have since been pounced on by ransomware attackers.

    US federal government agencies have been put on notice to patch the Exchange flaws immediately amid a spike in attacks on government email servers. The UK’s National Cyber Security Centre (NCSC) has also raised an alarm over an estimated 3,000 Exchange servers that lack Microsoft’s latest patches. Here’s ZDNet’s roundup of the Exchange flaws and recent attacks.

    But now Exchange Server 2016 and Exchange Server 2019 customers have another way of patching the flaws: installing the latest quarterly cumulative updates (CUs) from Microsoft, which is the most complete mitigation available. “We wanted to highlight that these latest CUs contain the fixes that were previously released as Exchange Server Security Updates on March 2, 2021. This means you don’t have to install the March 2021 Security Updates after installing the March 2021 CUs,” Microsoft’s Exchange team noted.

    Microsoft has separately published more information for security teams responding to the Exchange Server bugs CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065.

    Attackers are using the flaws to remotely compromise Exchange servers and then install “web shells” to maintain persistence on compromised machines. Hence, Microsoft warns there is more cleaning up to do on a compromised on-premise Exchange server even after applying the security updates.

    “Applying the March 2021 Exchange Server Security Updates is critical to prevent (re)infection, but it will not evict an adversary who has already compromised your server,” Microsoft emphasizes in its advisory for incident response teams. “The best, most complete mitigation is to get to a current Cumulative Update and apply all Security Updates. This is the recommended solution providing the strongest protection against compromise,” Microsoft highlights in its advice for incident response teams handling Exchange Server software that isn’t on supported CUs.

    Microsoft also offers details for isolating an affected Exchange Server from the public internet until the security patches or the March 2021 CUs have been rolled out. Admins can do this by blocking inbound connections over port 443.

    However, this route could break Exchange Server as a tool for supporting remote workers. Blocking inbound connections on port 443 “could inhibit work-from-home or other non-VPN remote work scenarios and does not protect against adversaries who may already be present in your internal network,” Microsoft warns.

    The advisory also highlights scripts included in the Exchange On-premises Mitigation Tool (EOMT) that Microsoft published on its code-sharing site GitHub. Security teams can use this to check for the presence of web shells on Exchange servers. The other option is to enable Microsoft Defender for Endpoint. “If Microsoft Defender for Endpoint is not running, skip directly to the publicly available tools section. If it is running, we recommend that you follow both methods,” Microsoft notes. The advisory contains step-by-step instructions for investigating each of the four vulnerabilities.

    Reflecting the severity of this security issue, Microsoft is now offering commercial customers using on-premise Exchange Server a three-month trial of Microsoft Defender for Endpoint. “Microsoft is making publicly available a 90-day Microsoft Defender for Endpoint trial offer exclusively to support commercial on-premises Exchange Server customers that require continuous investigation and additional post-compromise security event detection beyond what Microsoft Safety Scanner (MSERT) offers,” says Microsoft.