

    Coursera API vulnerabilities disclosed by researchers

    Researchers have disclosed a set of API vulnerabilities in the Coursera platform. 


    On Thursday, Checkmarx security researcher Paulo Silva revealed the discovery of multiple security failings in the Coursera online learning platform, which caters to millions of learners, both at home and in the enterprise.

    The company collaborates with over 200 universities and companies, including Stanford University, Duke University, AWS, Google, Cisco, and IBM. Courses on offer range from degrees in STEM fields to shorter classes in health, the humanities, and languages.

    Silva says that Checkmarx decided to investigate Coursera’s security posture because of the increased popularity of remote and on-demand learning prompted by the COVID-19 pandemic, working within Coursera’s Vulnerability Disclosure Program, launched in 2015. The researchers focused on access control, which the program lists as in scope: accessing data you are not authorized to see, such as that of other learners, or being able to reach internal, backend administrative systems.

    Checkmarx found multiple API problems, including user enumeration through error responses from the password reset function, missing resource limits on both a GraphQL and a REST API, and a GraphQL misconfiguration.

    However, the main issue of note was a Broken Object Level Authorization (BOLA) flaw, a class OWASP ranks as a major API threat because it is so easy to exploit.

    BOLA flaws in APIs may expose endpoints that handle object identifiers, potentially opening the door to wider attacks. The BOLA vulnerability found here related to preferences stored in learner accounts: anonymous users could retrieve and change them, and some user metadata was also leaked in the process.

    “Authorization issues are, unfortunately, quite common with APIs,” the researchers say. “It is very important to centralize access control validations in a single, well and continuously tested and actively maintained component. New API endpoints, or changes to the existing ones, should be carefully reviewed regarding their security requirements.”

    Checkmarx reported its findings to Coursera on October 5, 2020, and the e-learning provider began to triage the report on October 26. By December 18, a partial patch had been issued, but an additional “issue” required re-tests, delaying confirmation of the fixes until May 24. Despite the delays in fully resolving the vulnerabilities, the researchers say that Coursera took “prompt ownership” of the API bugs once they were reported.

    “The privacy and security of learners on Coursera is a top priority,” Coursera told ZDNet. “We’re grateful to Checkmarx for bringing the low-risk API-related issues to the attention of our security team last year, who were able to address and resolve the issues promptly.”
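As an added illustration that is not part of the article, Coursera's code or Checkmarx's proof of concept, the Python below shows the class of bug described above: a preferences endpoint that trusts the user id in the URL and returns the whole account record, beside a hardened version that routes every request through one authorization function, as the researchers recommend, and returns only the preference fields. The user records, field names and request shape are constructed for the example.

```python
"""Broken Object Level Authorization (BOLA): a vulnerable preferences API beside a
hardened one that routes every request through a single, centralized check.

Added example for this page. It is not Coursera's code or Checkmarx's proof of
concept; the user records, field names and request shape are all constructed here.
"""
from copy import deepcopy
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: two learners, each with stored preferences plus
# internal metadata that should never leave the backend.
SAMPLE_USERS = {
    101: {"email": "alice@example.org", "internal_flags": {"beta": True},
          "preferences": {"lang": "en", "email_digest": True}},
    202: {"email": "bob@example.org", "internal_flags": {"beta": False},
          "preferences": {"lang": "fr", "email_digest": False}},
}


def fresh_store():
    """Return an independent copy so each call sequence starts from the same state."""
    return deepcopy(SAMPLE_USERS)


@dataclass
class Request:
    """Stand-in for an HTTP request: who is logged in (None = anonymous), the
    object id taken from the URL, and an optional JSON body for updates."""
    session_user_id: Optional[int]
    target_user_id: int
    body: Optional[dict] = None


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


# --- vulnerable handlers -----------------------------------------------------
def get_preferences_vulnerable(store, req):
    # Looks up whatever id the URL carries and never asks who is calling, so an
    # anonymous user can read any learner's record. Returning the whole record
    # also leaks the email address and internal flags alongside the preferences.
    return store[req.target_user_id]


def update_preferences_vulnerable(store, req):
    # Same missing check on the write path: anyone can change anyone's settings.
    store[req.target_user_id]["preferences"].update(req.body)
    return store[req.target_user_id]["preferences"]


# --- hardened handlers -------------------------------------------------------
ALLOWED_PREFERENCE_KEYS = {"lang", "email_digest"}


def authorize_object_access(req):
    """The one place object-level access is decided; every handler calls it first.
    The ownership test runs before any lookup, so a non-owner learns nothing about
    whether the id exists, which also denies an attacker an enumeration oracle."""
    if req.session_user_id is None:
        raise Unauthenticated("login required")
    if req.session_user_id != req.target_user_id:
        raise Forbidden("caller does not own this object")


def get_preferences(store, req):
    authorize_object_access(req)
    # Return a copy of the preferences only, never the surrounding record.
    return dict(store[req.target_user_id]["preferences"])


def update_preferences(store, req):
    authorize_object_access(req)
    unknown = set(req.body or {}) - ALLOWED_PREFERENCE_KEYS
    if unknown:
        raise ValueError(f"unknown preference keys: {sorted(unknown)}")
    store[req.target_user_id]["preferences"].update(req.body)
    return dict(store[req.target_user_id]["preferences"])


def demo():
    """Walk through the anonymous-read case from the article on both versions."""
    anon_read = Request(session_user_id=None, target_user_id=202)
    leaked = get_preferences_vulnerable(fresh_store(), anon_read)
    try:
        get_preferences(fresh_store(), anon_read)
        blocked = False
    except Unauthenticated:
        blocked = True
    return {"vulnerable_leaks_email": "email" in leaked, "hardened_blocks": blocked}


if __name__ == "__main__":
    print(demo())
```

The point of `authorize_object_access` is that it is the only place ownership is decided, so a new endpoint cannot forget the check without visibly skipping the call; the allow-list on update keys is the same idea applied to the write path.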



    Kaseya ransomware attack: Your questions answered

    Kaseya, an IT solutions developer for MSPs and enterprise clients, announced that it had become the victim of a cyberattack on July 2, over the American Independence Day weekend. 

    It appears that attackers have carried out a supply chain ransomware attack by leveraging a vulnerability in Kaseya’s VSA software against multiple managed service providers (MSPs) and their customers.

    According to Kaseya CEO Fred Voccola, less than 0.1% of the company’s customers were embroiled in the breach. But because that clientele includes MSPs, smaller businesses further down the chain have also been caught up in the incident. Present estimates suggest that 800 to 1,500 small and medium-sized companies may have experienced a ransomware compromise through their MSP.

    The attack is reminiscent of the SolarWinds security fiasco, in which attackers compromised the vendor’s software to push a malicious update to thousands of customers. However, we are yet to find out just how widespread Kaseya’s ransomware incident will prove to be.

    Here is everything we know so far. ZDNet will update this primer as we learn more.

    What is Kaseya?

    Kaseya’s international headquarters is in Dublin, Ireland, and the company has a US headquarters in Miami, Florida. The vendor maintains a presence in 10 countries. Kaseya provides IT solutions including VSA, a unified remote-monitoring and management tool for handling networks and endpoints. In addition, the company provides compliance systems, service desks, and a professional services automation platform. The firm’s software is designed with enterprises and managed service providers (MSPs) in mind, and Kaseya says that over 40,000 organizations worldwide use at least one Kaseya software solution. As a provider of technology to MSPs, which serve other companies, Kaseya is central to a wider software supply chain. 

    What happened?

    On July 2 at 2:00 PM EDT, as previously reported by ZDNet, Kaseya CEO Fred Voccola announced “a potential attack against the VSA that has been limited to a small number of on-premise customers.”

    At the same time, out of an abundance of caution, Voccola urged clients to immediately shut down their VSA servers. “It’s critical that you do this immediately because one of the first things the attacker does is shut off administrative access to the VSA,” the executive said. Customers were notified of the breach via email, phone, and online notices.

    As Kaseya’s Incident Response team investigated, the vendor also decided to proactively shut down its SaaS servers and pull its data centers offline. By July 4, the company had revised its assessment of the incident’s severity, calling itself the “victim of a sophisticated cyberattack.” Cyber forensics experts from FireEye’s Mandiant team, alongside other security companies, have been pulled in to assist.

    “Our security, support, R&D, communications, and customer teams continue to work around the clock in all geographies to resolve the issue and restore our customers to service,” Kaseya said, adding that more time is needed before its data centers are brought back online. Once the SaaS servers are operational, Kaseya will publish a schedule for distributing a security patch to on-prem clients.

    In a July 5 update, Kaseya said that a fix had been developed and would first be deployed to SaaS environments once testing and validation checks are complete. “We are developing the new patch for on-premises clients in parallel with the SaaS Data Center restoration,” the company said. “We are deploying in SaaS first as we control every aspect of that environment. Once that has begun, we will publish the schedule for distributing the patch for on-premises customers.”

    The ransomware attack, explained

    The FBI described the incident succinctly: a “supply chain ransomware attack leveraging a vulnerability in Kaseya VSA software against multiple MSPs and their customers.”

    Huntress has tracked 30 MSPs involved in the breach and believes with “high confidence” that the attack was triggered via an authentication bypass vulnerability in the Kaseya VSA web interface. According to the cybersecurity firm, this allowed the attackers to circumvent authentication controls, gain an authenticated session, upload a malicious payload, and execute commands via SQL injection, achieving code execution in the process.

    Kyle Hanslovan, CEO and co-founder of Huntress, told attendees of a July 6 webinar on the technical aspects of the attack that the threat actors responsible were “crazy efficient.” “There is no proof that the threat actors had any idea of how many businesses they targeted through VSA,” Hanslovan commented, adding that the incident seemed to be shaped more by a “race against time.”

    “Some of the functionality of a VSA Server is the deployment of software and automation of IT tasks,” Sophos noted. “As such, it has a high level of trust on customer devices. By infiltrating the VSA Server, any attached client will perform whatever task the VSA Server requests without question. This is likely one of the reasons why Kaseya was targeted.” Sophos has also published an in-depth technical analysis of the attack.

    Security expert Kevin Beaumont said that ransomware was pushed via an automated, fake, and malicious software update using Kaseya VSA dubbed “Kaseya VSA Agent Hot-fix”. “This fake update is then deployed across the estate — including on MSP client customers’ systems — as it [is] a fake management agent update,” Beaumont commented. “This management agent update is actually REvil ransomware. To be clear, this means organizations that are not Kaseya’s customers were still encrypted.”

    With a tip from RiskIQ, Huntress is also investigating an AWS IP address that may have been used as a launch point for the attack.

    On July 5, Kaseya released an overview of the attack, which began on July 2 with reports of ransomware deployment on endpoints. “In light of these reports, the executive team convened and made the decision to take two steps to try to prevent the spread of any malware: we sent notifications to on-premises customers to shut off their VSA servers and we shut down our VSA SaaS infrastructure,” the company says.

    According to the firm, zero-day vulnerabilities were exploited by the attackers to bypass authentication and achieve code execution, allowing them to infect endpoints with ransomware. However, Kaseya emphasizes that there is no evidence of the VSA codebase being “maliciously modified”.

    Wietse Boonstra, a Dutch Institute for Vulnerability Disclosure (DIVD) researcher, had previously identified a number of vulnerabilities, tracked as CVE-2021-30116, which were used in the ransomware attacks. They were reported under a Coordinated Vulnerability Disclosure agreement.

    “Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. When items in our report were unclear, they asked the right questions,” DIVD says. “Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched.”


    Who has been impacted?

    Over the weekend, Kaseya said that SaaS customers were “never at risk” and that current estimates suggested fewer than 40 on-prem clients worldwide had been affected. However, while only a small number of Kaseya clients may have been directly infected, those clients are MSPs, so the SMB customers further down the chain relying on their services could be impacted in turn. According to reports, 800 Coop supermarket stores in Sweden had to close temporarily because they were unable to open their cash registers.

    Huntress said in a Reddit explainer that an estimated 1,000 companies have had servers and workstations encrypted. The vendor added that it is reasonable to suggest “thousands of small businesses” may have been impacted.

    “This is one of the farthest-reaching criminal ransomware attacks that Sophos has ever seen,” commented Ross McKerchar, Sophos VP. “At this time, our evidence shows that more than 70 managed service providers were impacted, resulting in more than 350 further impacted organizations. We expect the full scope of victim organizations to be higher than what’s being reported by any individual security company.”

    On July 5, Kaseya revised its previous estimate to “fewer than 60” customers, adding that “we understand the total impact thus far has been to fewer than 1,500 downstream businesses.” As of July 6, the estimate stands at roughly 50 direct customers and between 800 and 1,500 businesses down the chain. When it comes to SaaS environments, Kaseya says, “We have not found evidence that any of our SaaS customers were compromised.”

    In a press release dated July 6, Kaseya insisted that “while impacting approximately 50 of Kaseya’s customers, this attack was never a threat nor had any impact to critical infrastructure.”

    The number of vulnerable Kaseya servers online, visible, and open to attackers dropped by 96%, from roughly 1,500 on July 2 to 60 on July 8, according to Palo Alto Networks.


    Kaseya CEO Fred Voccola said of the attack that, “for the very small number of people who have been breached, it totally sucks.” “We are two days after this event,” Voccola commented. “We have about 150 people that have probably slept a grand total of four hours in the last two days, literally, and that’ll continue until everything is as perfect as can be.” Less than 0.1% of the company’s customers experienced a breach. “Unfortunately, this happened, and it happens,” the executive added. “Doesn’t make it okay. It just means it’s the way the world we live in is today.”

    What is ransomware?

    Ransomware is a type of malware that specializes in the encryption of files and drives. In what has become one of the most severe security problems modern businesses face, ransomware is used by threat actors worldwide to hijack systems and disrupt operations. Once a victim’s system or network has been encrypted, cyber criminals place a ransom note on the system, demanding payment in return for a decryption key (which may, or may not, work).

    Today’s ransomware operators may work under a Ransomware-as-a-Service (RaaS) model, in which affiliates ‘subscribe’ to access and use a particular ransomware family. Another emerging trend is double extortion, in which a victim’s information is stolen during the ransomware raid; if they refuse to pay up, they then face the prospect of their data being sold or published online.

    Common and well-known ransomware families include REvil, Locky, WannaCry, Gandcrab, Cerber, NotPetya, Maze, and Darkside.

    Who is responsible?


    The cyberattack has been attributed to the REvil/Sodinokibi ransomware group, which has claimed responsibility on its Dark Web leak site, “Happy Blog.” In an update over the weekend, the operators, believed to have ties to Russia, claimed that more than “a million” systems had been infected.

    REvil has offered a decryption key, allegedly universal and therefore able to unlock all encrypted systems, for the ‘bargain’ price of $70 million in bitcoin (BTC). REvil has previously been linked to ransomware attacks against companies including JBS, Travelex, and Acer.

    What are the ransomware payment terms?

    The ransomware note claims that files are “encrypted, and currently unavailable.” A file extension .csruj has reportedly been used. Operators are demanding payment in return for a decryption key, and one ‘freebie’ file decryption is also on the table to prove the decryption key works. The operators add (spelling unchanged):

    “Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities – nobody will not cooperate with us. Its not in our interests. If you will not cooperate with our service –for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice – time is much more valuable than money.”

    Sophos malware analyst Mark Loman shared a screenshot on Twitter of a ransomware note planted on an infected endpoint demanding $44,999. John Hammond, senior security researcher at Huntress, told ZDNet that the company has already seen ransom demands of up to $5 million. Kevin Beaumont says that, unfortunately, he has observed victims “sadly negotiating” with the ransomware’s operators.

    Fabian Wosar, CTO of Emsisoft, has also explained in a Twitter thread why a key obtained by a single organization paying up is unlikely to be a viable path for unlocking all victims. “REvil absolutely has the capability of decrypting only a single victim without these purchased decryption tools being applicable for other victims hit by the same campaign public key,” the security expert noted.

    CNBC reports that the universal ransom demand has been reduced to $50 million in private conversations. However, as of July 7, the public demand for $70 million on the threat group’s leak site remains unchanged.

    What are the reactions so far?

    At the time of the breach, Kaseya notified law enforcement and cybersecurity agencies, including the Federal Bureau of Investigation (FBI) and the US Cybersecurity and Infrastructure Security Agency (CISA).

    The FBI and CISA have released a joint statement on the security incident and are urging customers to run a tool provided by Kaseya to determine the risk of exploitation, and to both enable and enforce multi-factor authentication (MFA) on enterprise accounts wherever possible. Kaseya has been holding meetings with the FBI and CISA “to discuss systems and network hardening requirements prior to service restoration for both SaaS and on-premises customers.”

    The White House is asking organizations to inform the Internet Crime Complaint Center (IC3) if they suspect they have been compromised. On Saturday, US President Biden said he has directed federal intelligence agencies to investigate.

    “Targeting [an] MSP platform (that is managing many customers at once) was very well thought and planned,” Amit Bareket, CEO of Perimeter 81, told ZDNet. “What’s unique is that hackers are becoming more strategic and targeting platforms that will filtrate down to many companies with one shot. RMMs [remote monitoring and management] are basically keys to many many companies, which amount to the kingdom for bad actors.”

    The White House has attempted to strengthen its stance on cybercrime in light of this attack, warning Russian President Vladimir Putin that unless he deals with the problem in his own backyard, “we will take action or reserve the right to take action on our own.”

    Are there any recovery plans?

    As of July 4, Kaseya says it has moved on from root cause analysis of the attack to recovery and patch plans, consisting of:

    • Communication of its phased recovery plan, with SaaS first followed by on-premises customers.
    • Publication of a summary of the attack and what Kaseya has done to mitigate it.
    • Removal of some lightly-used legacy VSA functionality as part of this release, out of an abundance of caution. A specific list of the functionality and its impact on VSA capabilities will be outlined in the release notes.
    • New security measures, including enhanced security monitoring of Kaseya’s SaaS servers by FireEye and enablement of enhanced WAF capabilities.
    • An external vulnerability scan, a check of the SaaS databases for Indicators of Compromise, and an external code review, all of which Kaseya says have been completed to ensure a successful service restart.
    • Restoration of data centers starting with the EU, followed by the UK, APAC, and then North American systems.

    By late evening on July 5, Kaseya said a patch had been developed and that it intends to bring back VSA with “staged functionality” to hasten the process. The first release will prevent access to functionality used by a very small fraction of the user base, including:

    • Classic Ticketing
    • Classic Remote Control (not LiveConnect)
    • User Portal

    Kaseya has now published an updated timeline for its restoration efforts, starting with the relaunch of SaaS servers, set for July 6 between 4:00 PM EDT and 7:00 PM EDT. Configuration changes to improve security will follow, including an on-premise patch expected to land within 24 hours of the SaaS servers coming back online. “We are focused on shrinking this time frame to the minimal possible — but if there are any issues found during the spin-up of SaaS, we want to fix them before bringing our on-premises customers up,” the firm says.

    Additional security improvements include the creation of 24/7 SOCs for VSA, as well as a complimentary CDN with a web application firewall (WAF) for every VSA.

    Update July 7: The timeline has not been met. Kaseya said that “an issue was discovered that has blocked the release” of the VSA SaaS rollout. “We apologize for the delay and R&D and operations are continuing to work around the clock to resolve this issue and restore service,” Kaseya commented. In a service update, the vendor said it has been unable to resolve the problem. “The R&D and operations teams worked through the night and will continue to work until we have unblocked the release,” Kaseya added.

    July 7, 12 pm EDT: Kaseya hopes to resolve the SaaS systems rollout no later than the evening of Thursday, July 8. A playbook is currently being written up, due to be published today, which will provide guidelines for impacted businesses to deploy the upcoming on-prem VSA patch.

    Current recovery status

    As of July 8, Kaseya has published two run books, “VSA SaaS Startup Guide” and “On Premises VSA Startup Readiness Guide,” to assist clients in preparing for a return to service and patch deployment. Recovery, however, is taking longer than initially expected. “We are in the process of resetting the timelines for VSA SaaS and VSA On-Premises deployment,” the company says. “We apologize for the delay and changes to the plans as we work through this fluid situation.”

    In a second video message recorded by the firm’s CEO, Voccola said: “The fact we had to take down VSA is very disappointing to me, it’s very disappointing to me personally. I feel like I’ve let this community down. I let my company down, our company let you down. [..] This is not BS, this is the reality.”

    The new release time for VSA is Sunday, in the early afternoon, Eastern Time, in order to also harden the software and bolster its security ahead of deployment.

    What can customers do?

    Kaseya has released a tool, including Indicators of Compromise (IoCs), which can be downloaded via Box. It contains two PowerShell scripts: one for use on a VSA server, and the other designed for endpoint scanning. The self-assessment scripts should be run in offline mode. They were updated on July 5 to also scan for data encryption and REvil’s ransom note.

    However, the scripts only detect potential exploitation and are not security fixes. Kaseya will release patches as quickly as it can, but in the meantime customers simply have to wait. “All on-premises VSA Servers should continue to remain offline until further instructions from Kaseya about when it is safe to restore operations,” the firm said. “A patch will be required to be installed prior to restarting the VSA.”

    Cado Security has provided a GitHub repository for responders, including malware samples, IoCs, and YARA rules. Truesec CSIRT has also released a script on GitHub to identify and mitigate damage on infected systems. Kaseya has also warned that “customers who experienced ransomware and receive a communication from the attackers should not click on any links — they may be weaponized.”



    Brave browser: The bad and the ugly

    Nobody and nothing is perfect. Get that into your head early on in life, and you’ll be a million times happier.But that doesn’t mean we shouldn’t want things to be better.


    I like the Brave browser. A lot. But when I first started using it, I had concerns about a few things. A few things that felt a bit odd to me. But I put them aside, and they were soon forgotten.

    However, the other day I wrote about Brave, and how I think this is the perfect alternative to Google Chrome for those who want a powerful privacy-focused browser. But then a few comments came in, reminding me of those things that I initially didn’t like about Brave.

    The first comment relates to the dashboard page and how this page feels cluttered and, because it occasionally displays ads, spammy. “Spammy” was a word that was used a few times. And it’s true that it does display ads, and there are links to several cryptocurrency services. They’re “safe” ads, and you can turn them off, but it wasn’t what some people expected to see in a browser that had been billed as putting privacy at its core. But the feedback I received makes it clear that some were not expecting to see huge trading ads, and what seem like deep links to crypto services.

    I understand the problem here. On the one hand, Brave needs to pay the bills, but on the other, first impressions matter. I’m not sure if there’s a solution to this. Maybe give users a choice (although you and I both know what most will say). Maybe it doesn’t matter. Either way, it is all a bit jarring, especially for people not into crypto. And it doesn’t help that when people do a search, a few controversies float to the surface.

    The other thing that I got a fair amount of feedback on was the settings. Brave has a lot of settings. A lot more than the likes of Google Chrome, and while hardened stalwarts to browsers won’t have a problem — or will be able to drive to the nearest search engine for clarification — Brave can feel unfriendly and overwhelming to those who don’t live and breathe tech. And all the settings and buttons related to all the cryptocurrency stuff goes some way to bloating out the user interface.

    I don’t see either of these as showstoppers, but they are barriers and obstacles that some stumble on.

    I’m curious to know your thoughts on this. Do you think that Brave needs to address these issues, or is Brave a browser for a specific audience?


    170 Android cryptocurrency mining scam apps steal $350,000 from users

    Over 170 mobile apps in the Android ecosystem have been identified as scam services designed to jump on the cryptocurrency bandwagon. 

    Lookout researchers said this week that the apps, 25 of which were hosted on Google Play, are scamming people interested in cryptocurrencies by offering cloud-based mining services. In return for a fee, these mobile apps promise to perform cryptocurrency mining on behalf of subscribers.  Cryptocurrency mining leverages computing power — either from a personal device or a rented system — to solve computational and cryptographic puzzles, and coins are received in return.  However, the power required for many types of cryptocurrency is now more than a personal PC can manage, which means that individuals may join mining pools, sharing the work — and the proceeds.  Lookout analyzed each cryptocurrency mining app that appeared on the firm’s radar and found that not a single one performed any kind of legitimate cloud-based cryptocurrency mining. In other words, users have been paying for a non-existent service.  There are two main categories of fraudulent apps involved in these schemes, classified by the researchers as “BitScams” and “CloudScams.”

    CloudScams offer mining options using cloud computing power, and it is common for developers to create realistic-looking mining services to appear legitimate. BitScams are mobile apps that offer users additional “virtual hardware” — for prices between $12.99 and $259.99 — that promise additional mining returns. Payments can be made either via Google Play or through Bitcoin (BTC) and Ethereum (ETH) transfers directly to the developers’ wallets.

    Both types use similar business models, but the groups behind the apps appear to be competing operations. According to the company, over 93,000 people have been scammed in this way. An estimated $350,000 or more has been lost by users paying for fake apps and upgrades, based on the average ‘subscription’ price the apps requested and their installation rates.

    “What enabled BitScam and CloudScam apps to fly under the radar is that they don’t do anything actually malicious,” the researchers say. “In fact, they hardly do anything at all. They are simply shells to collect money for services that don’t exist.”

    Once Google was made aware of Lookout’s findings, the offending apps hosted on Google Play were rapidly removed. However, the company has no means to take down Android apps hosted on third-party websites, so users should remain cautious if applications promise returns that are too good to be true.


    Get updating: Microsoft delivers PrintNightmare patch for more Windows versions

    Microsoft has released patches for more versions of Windows affected by the PrintNightmare bug, but researchers claim the patches don’t provide complete protection. Microsoft released out-of-band patches for Windows systems affected by two critical bugs being tracked as CVE-2021-1675 and CVE-2021-34527, and has advised admins to disable the print spooler service until patches are applied. One is a remote code execution flaw, while the second is a local privilege escalation bug. 

    “Microsoft identified a security issue that affects all versions of Windows and have expedited a resolution for supported versions of Windows that will automatically be applied to most devices,” it said in an update on Wednesday.

    The company has now released patches for Windows 10 1607 for enterprise customers still on that version, plus Windows Server 2016 and Windows Server 2012. After the security update is installed, users who aren’t admins are restricted to installing signed print drivers on a print server, while admins can install both signed and unsigned printer drivers. Admins also have the option to configure the ‘RestrictDriverInstallationToAdministrators’ registry setting to prevent non-administrators from installing even signed printer drivers on a print server.

    “Prior to installing the July 6, 2021, and newer Windows Updates containing protections for CVE-2021-34527, the printer operators’ security group could install both signed and unsigned printer drivers on a printer server,” Microsoft notes in an advisory. “After installing such updates, delegated admin groups like printer operators can only install signed printer drivers. Administrator credentials will be required to install unsigned printer drivers on a printer server going forward.” CISA has also published advice for this bug.

    However, via The Register, the creator of the Mimikatz penetration-testing kit said he has found a way to bypass the patch by using a Universal Naming Convention (UNC) path, the string format used to point to shared files or devices. Reportedly, Microsoft’s patch for CVE-2021-34527 improperly checks remote libraries: it does not account for UNC paths pointing to remote files. And security researcher Will Dormann notes that certain registry settings meant to mitigate the bug do not prevent local privilege escalation (LPE) or remote code execution (RCE).


    Singapore sees spikes in ransomware, botnet attacks

    The number of reported cybercrime cases accounted for almost half of total crimes in Singapore last year, where both ransomware and botnet attacks saw significant spikes. The city-state is anticipating intensifying threats from ransomware as well as malicious attacks targeting remote workers and supply chains.

    The Singapore Computer Emergency Response Team (SingCERT) last year handled 9,080 cases, up from 8,491 the year before and 4,977 in 2018, according to the latest Singapore Cyber Landscape report released Thursday by the Cyber Security Agency of Singapore (CSA). The government agency noted that last year saw marked increases in ransomware, online scams, and COVID-19 phishing activities.

    In particular, the number of reported ransomware attacks spiked 154% in 2020, with 89 incidents compared to 35 in 2019. These mostly affected small and midsize businesses (SMBs) in sectors including manufacturing, retail, and healthcare. In one such incident in August 2020, an F&B business found its servers and devices infected with NetWalker, with a ransom note directing the company to a webpage on the Dark Web to view the ransom demands. None of the F&B company’s data could be recovered, as it had stored its backups on the affected servers, and it had to rebuild its IT systems from scratch.

    CSA attributed the increase in ransomware cases in Singapore to the global ransomware outbreak, where such attacks moved from being indiscriminate and opportunistic in nature to more targeted “Big Game Hunting”. Cybercriminals also shifted towards ransomware-as-a-service and “leak and shame” tactics, the agency said. It noted that the number of malicious command-and-control (C&C) server attacks also grew 94% to 1,026 reported incidents last year. These were fuelled partly by the increase in such servers distributing the Emotet and Cobalt Strike malware, which accounted for one-third of malware in C&C servers. Some 6,600 botnet drones with Singapore IP addresses were identified daily last year, up from 2,300 in 2019. CSA revealed that Mirai and Gamarue malware variants were prevalent amongst infected botnets in 2020, with the former malware targeting primarily Internet of Things (IoT) devices. 

But while COVID-19 themed phishing campaigns were pervasive globally, Singapore-hosted phishing URLs dipped 1% to some 47,000 last year. Defacements affecting “.sg” websites also fell 43% to 495 cases last year, with SMBs again mostly impacted by such attacks. CSA said this dip might be due to activist groups opting to target other platforms such as social media to drive awareness of their causes.

In total, 16,117 cybercrime cases were reported last year, accounting for 43% of all crimes in Singapore, up from 9,349 cases in 2019. Online scams were the most common form of cybercrime in the city-state, with such cases up 62% to 12,251 last year, compared to 7,580 in 2019. CSA noted that this was due to the accelerated growth of e-commerce as well as community marketplace and social media platforms, as more users in Singapore turned to online shopping amidst the global pandemic.

CSA said: “Throughout 2020, global threat actors had capitalised on the anxiety and fear wrought by the pandemic, with repercussions felt by individuals and businesses. These threat actors made their presence felt, targeting areas such as e-commerce, data security, vaccine-related research and operations, as well as contact tracing operations.

“Some of these trends were mirrored locally, where a surge in ransomware incidents as well as the emergence of COVID-19-related phishing activities were seen. These also coincided with the rise of work-from-home arrangements, as individuals and businesses adopted new technologies to maintain business continuity,” the government agency said.

It pointed to an increasingly complex security landscape, where it anticipated ransomware to evolve into “a massive and systemic threat”. Such attacks were no longer confined to sporadic and isolated incidents, it warned, noting that the recent spate of high-profile ransomware attacks worldwide had affected critical service providers and major organisations, including Colonial Pipeline and JBS. These incidents indicated that cyber attacks could have real-world effects and had the potential to become national security concerns, CSA said. It urged organisations to assess their cybersecurity readiness and ensure their systems were sufficiently resilient to recover from such attacks.

It also warned that cybercriminals would increasingly target remote workers, given the rise of such work arrangements amidst the COVID-19 pandemic. “Poorly configured network and software systems, which are part of the new remote work ecosystems, have widened the attack surface and exposed organisations to greater risk of cyber attacks,” CSA said.

Supply chains were also expected to be targeted, and attacks to become more sophisticated, it said, pointing to the SolarWinds breach. CSA’s chief executive and commissioner of cybersecurity David Koh said in the report: “Cybersecurity threats to supply chains have been around for more than a decade, but the impact of the SolarWinds attack was unprecedented. The incident is a stark reminder of the cybersecurity risks that all companies–big and small–face within their supply chains and when engaging third-party vendors, which is a near-certainty in today’s highly-interconnected global economy.”

He added that ransomware had transformed from “a sporadic nuisance” impacting just a handful of machines to a massive threat affecting entire networks of large enterprises. “This is now a major security issue that affects critical information infrastructure (CII) sectors and nations,” Koh said.


    NSW Department of Education struck by cyber attack

    Image: Getty Images
The New South Wales Department of Education on Thursday revealed it had fallen victim to a cyber attack. In a statement, the department said a number of its internal systems were deactivated on Wednesday as a precaution.

“The timing of this creates considerable challenges for staff as we prepare for the start of Term 3,” NSW Education Secretary Georgina Harrisson said. “Thankfully, our teams have been able to isolate the issues and we are working to reactivate services as soon as possible.”

Harrisson said the department’s priority would be the safety and security of its student and staff data, which she explained was why the precautionary decision was made to take some systems offline while it investigates further. Department of Education and Cyber Security NSW teams are working to ensure normal access is restored in time for the start of Term 3, the statement continued. Most of NSW is currently in week two of a three-week lockdown in response to the COVID-19 outbreak affecting the state.

“I am confident we will have the issue resolved soon and want to reassure teachers and parents that there will be no impact on students learning from home next week,” Harrisson said.

“Whilst we are confident all systems will be back online before day 1, Term 3, we are making information to support home learning available on our public website so that preparations for the start of term can continue.”

The department said it has been working closely with Cyber Security NSW to resolve the issue, and that the matter has been referred to the NSW Police and federal agencies. It said it was inappropriate to make any further comment while the matter is under investigation.


    Logistics and utilities providers agree to help from ASD in the event of a cyber incident

Australian logistics and utilities providers have raised concerns with the speed at which consultation on the looming critical infrastructure legislation has been pursued by the government, but they have otherwise accepted the Bill, including the installation of software on their systems to help with incident response.

Among other things, the Security Legislation Amendment (Critical Infrastructure) Bill 2020 would allow government to provide “assistance” to entities in response to significant cyber attacks on Australian systems. This includes the proposal for software to be installed that is touted as aiding providers in dealing with threats.

The Parliamentary Joint Committee on Intelligence and Security (PJCIS) on Thursday morning heard from four large technology firms who declared they did not need assistance from the Australian Signals Directorate (ASD) nor its Australian Cyber Security Centre (ACSC), and that the installation of software would do more harm than good. Later that day it was a different story, with representatives from the nation’s water, electricity, and logistics sectors accepting government assistance, within reason.

“I’m quite open to the idea, but it needs to be, for it to be effective, it actually has to be done with us,” Toll global head of information security Berin Lautenbach said. “It’s very hard to walk into an organisation and just know where the critical servers are, how the network works, everything like that, we’ll just roll some stuff out and everything will be good. But it’s not quite the way it’s going to work, it’s actually got to be, ‘Right, we’re coming in to help, here’s software, here’s what it does, here’s where we think it needs to go, here’s how it’s going to be deployed.’”

Lautenbach continued by saying it needed to be a joint exercise between the company and ASD. “It does have to be done with care, because it is very easy to have unintended consequences when installing software in a network,” he added.

Last year, Toll fell victim to ransomware on two occasions. Lautenbach said Toll has already had the ASD load software on its systems.

“I don’t see how you can have this kind of legislation and not have a power to walk in,” he added. “If we have something critical to the nation that is out or failed or something is going wrong and the necessary actions aren’t being taken, there has to be an ability to do something about that, so I think that’s fair.

“What I worry about is the practical reality of how that would work. And it is really hard to walk into a large network or a large company and understand the IT environment well enough to be able to quickly take action.”

The Water Services Association of Australia similarly accepted the idea of government assistance, but added it would be open to some sort of indemnity or insurance that provides security to the organisation. “Something that provides security to the organisation that if something does go — there are some of these unintended consequences — that the federal government is willing to then pick up the tab and take ownership of the problem,” the association’s director of business excellence Greg Ryan added. His colleague Luke Sawtell said he preferred to see ASD’s intervention occur “few and far between” and as a last resort.

In agreement with Lautenbach and the Water Services Association were Qantas Group security officer Luke Bramah and representatives from AGL. “I think that’s absolutely correct that if it were emergent need, you need the hook in the legislation, but very sparingly used,” Bramah said.

While those appearing before the PJCIS testified that they were consulted on the legislation, many raised concerns with the speed at which it has been pushed through and the lack of clarity around what is actually considered critical. Clean Energy Council policy officer Lucinda Tonge asked for a clearer definition of “critical electricity asset”, and Ports Australia CEO Michael Gallacher wanted a distinction drawn between the Bill and competing legislation affecting his industry, as some examples.

“We want to see these issues resolved, we want to support this legislation, we will support it, but we want to see it work … and while there is a glaring weakness in the legislation, that has a real confusion between who’s actually responsible for the delivery of port services and the response, we think we need to get it fixed, otherwise, the only people are going to take advantage of it are going to be bad people,” Gallacher said.

Bramah, as well as AGL, testified that the “early days” of consultation had moved “a little too fast”, and Lautenbach said it was more important to get things right than out the door. “We’d just like to see the time spent on getting the rules right, work with us on that, and we will work with Home Affairs,” he said. “We’re a bit concerned that things will be missed.”