More stories

  • Businesses don't know how to manage VPN security properly – and cyber criminals are taking advantage

    Cyber attacks targeting vulnerabilities in virtual private networks (VPNs) are on the rise, and many organisations are struggling to protect their networks.

    The Covid-19 pandemic forced many businesses to suddenly move to higher levels of remote working than before, with many organisations dealing with it for the first time. While this was necessary to keep businesses operating, the sudden rise in remote working also provided benefits for cyber criminals, who looked to take advantage of it to carry out attacks against public-facing VPN and cloud services in order to breach networks.

    Many organisations still aren’t taking the action required to fully protect their networks from these attacks, say researchers.

    “Organisations aren’t prepared for these incidents,” Bart Vanautgaerden, senior incident response consultant at Mandiant, told ZDNet. “They’re familiar with compromises on Windows, but with a VPN compromise, they’re not trained or technically prepared to deal with an incident like that.”

    In a presentation at Black Hat Europe, Vanautgaerden detailed how VPN vulnerabilities were being exploited by numerous cyber criminal groups. These include at least eight Advanced Persistent Threat (APT) hacking operations aimed at cyber espionage, as well as various ransomware gangs targeting vulnerabilities in VPNs to launch ransomware attacks.

    Cyber attackers can breach usernames and passwords to access VPN services – especially if multi-factor authentication isn’t used as an additional layer of protection – as well as exploit vulnerabilities in VPN appliances themselves. For example, earlier this year, Mandiant disclosed vulnerabilities in Pulse Secure’s VPN. Pulse Secure later released security updates to protect against the vulnerabilities. Other providers, including Fortinet and Palo Alto Networks, have also had to release critical security updates to protect VPNs from attacks.

    Many organisations may be unaware this is an issue they need to think about – meaning patches aren’t being applied, and VPN servers remain open to compromise.

    “For many organisations we’ve talked to, it’s the first time they’ve had such an incident, so they’re not on the lookout for it,” said Vanautgaerden.

    To remain robust against cyber attacks, organisations should apply security patches as soon as possible. Not being able to use VPNs for a short time while the updates are applied isn’t ideal, but it’s better than having to uproot the entire network after a full-scale breach.

    “Organisations should really focus on an aggressive patching strategy, not to lose any time as soon as there’s a vulnerability disclosed to implement the patch itself,” Vanautgaerden said. “It may sound straightforward, but with so much reliance on VPN tunnels, organisations often don’t want to face the downtime that’s often required when patching these applications. It’s easier said than done, but organisations need to have systems in place to ensure they have a fast and aggressive policy.”

    Businesses should also ensure they have a response plan at the ready to reset accounts and assess damage in the event that a cyber security breach does take place, said Vanautgaerden.

    “[Organisations] need to be able to investigate and reset VPN appliances and also provide additional entry to the network so legitimate users can still access the network while they investigate.”

  • Healthcare security: IT pros warn of vulnerable HVAC systems, imaging machines, check-in kiosks and more

    IT professionals have seen increased cyber risk over the last 12 months, according to a survey from cybersecurity company Armis.

    Armis and Censuswide spoke with 400 IT professionals working in healthcare organizations across the US as well as 2,030 general respondents, finding that nearly 60% of IT respondents had dealt with a ransomware incident at their organization over the last year. According to Armis, there are about 430 million connected medical devices already in deployment worldwide, leaving many hospitals vulnerable to a variety of cybersecurity flaws in pneumatic tubes, technologies used in HVAC systems, B. Braun infusion pumps and more.

    More than 32% of general respondents said they had been the victim of a healthcare cybersecurity attack, and IT professionals said they are most worried about the kind of hospital data breaches that have become commonplace in recent years. More than half of IT respondents said data breaches leading to the leak of confidential patient data were a top concern. After data breaches, 23% of IT professionals were most concerned about attacks on hospital operations and 13% cited ransomware attacks as a concern. Building systems like HVAC and electrical devices were the most risky from a cybersecurity perspective, according to 54% of IT professionals, followed by imaging machines, medication dispensing equipment, check-in kiosks and vital sign monitoring equipment.

    Thankfully, many IT respondents said their healthcare organization was taking steps to make cybersecurity a priority, with 86% saying their organization has hired a CISO and 95% saying their connected devices were up to date with the latest software.

    But 75% said recent attacks have been the driving force behind cybersecurity changes. More than half of IT workers said their healthcare organization is allocating more money as a way to secure systems. More than 62% of respondents said their healthcare organization has had to submit a cyber insurance claim.

    “Continuous visibility, context and alignment of security analytics to enterprise risk is the beacon to which we need to move to improve how we view device and asset management,” said Oscar Miranda, CTO for healthcare at Armis. “It is critical for healthcare organizations to take the entire patient journey into consideration when thinking about security. A strong healthcare security strategy is multi-faceted and requires a holistic view.”

    From a potential patient perspective, nearly half of respondents said they would change hospitals if they knew their hospital had been hit with a ransomware attack, and 37% were concerned about hospitals using online portals for patient information.

    The survey comes on the heels of a report from Forescout Technologies and Medigate about more than a dozen vulnerabilities in Siemens software affecting about 4,000 devices made by a range of vendors. First reported by CNN, the vulnerabilities affect versions of the Nucleus Real-time Operating System, which manages patient monitors, anesthesia tools, ultrasound machines and x-ray devices.

  • iPhone users don't care about sideloading

    Well, there we have it. The Apple CEO has said it. If you want to sideload apps on a smartphone, buy an Android.

    Speaking at The New York Times “DealBook” summit, Cook set out the battle lines: “I think that people have that choice today, Andrew, if you want to sideload, you can buy an Android phone. That choice exists when you go into the carrier shop. If that is important to you, then you should buy an Android phone. From our point of view, it would be like if I were an automobile manufacturer telling [customers] not to put airbags and seat belts in the car. He would never think about doing this in today’s time. It’s just too risky to do that. And so, it would not be an iPhone if it didn’t maximize security and privacy.”

    Putting aside the fact that the bulk of the automobile industry fought tooth and nail to not have to fit seatbelts and airbags, this is Apple flat out telling users who want the ability to sideload apps to buy an Android smartphone.

    And this is happening at a time when there are a lot of legal and governmental eyes on Apple’s App Store practices, and how iPhone users buy and download apps.

    Sideloading would allow iPhone owners the ability to bypass the Apple App Store and get their apps via a third party.

    While I’m all for giving users options, I think Cook is right here.

    The App Store offers a safe, convenient one-stop shop for apps.

    But there’s more than that.

    The bottom line is that the vast majority of iPhone users won’t care one jot about sideloading. Nope. Not a jot.

    In fact, I’d be willing to bet a steak dinner (or vegetarian equivalent) that the number of Android users who sideload is a tiny drop in the ocean.

    It’s a bit like iOS jailbreaking. Yes, there are people who do jailbreak, and who find it useful to be able to do so, but there’s no need to exaggerate how widespread it is. It’s a tiny fraction of iPhone users.

    In fact, the people who seem to care the most about this are those who own multibillion-dollar corporations, who either are unhappy about Apple making money from the App Store or are unhappy that Apple doesn’t give them unfettered access to users’ data.

    Changes made to iOS in recent months have companies that trade in user data — such as Facebook — worried. Being able to bypass Apple’s App Store rules would allow companies better and deeper access to user data. And it’s hard to frame that in a way that makes it sound good for users.

    I agree with Cook. If users want to sideload, let them go to Android.


  • Exchange Server bug: Patch now, but multi-factor authentication might not stop these attacks, warns Microsoft

    Microsoft has released security updates for its Exchange on-premises email server software that businesses should take on board.


    The security updates are for flaws in Exchange Server 2013, 2016, and 2019 — the on-premises versions of Exchange that were compromised earlier this year by the Beijing-backed hacking group that Microsoft calls Hafnium. Four vulnerabilities in on-premises Exchange server software were exploited, and now Microsoft has warned that one newly-patched flaw — tracked as CVE-2021-42321 — is also under attack.

    The Exchange security updates were released as part of Microsoft’s November 2021 Patch Tuesday updates for Windows, the Edge browser, the Office suite, and other software products.

    The Exchange bug CVE-2021-42321 is a “post-authentication vulnerability in Exchange 2016 and 2019. Our recommendation is to install these updates immediately to protect your environment,” Microsoft said in a blog post about the new Exchange bugs.

    “These vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action,” Microsoft notes.

    Post-authentication attacks are dangerous because they work once an attacker has authenticated with legitimate but stolen credentials. Some post-authentication attacks can render two-factor authentication useless, since the malware does its trick after a person has authenticated with a second factor.

    The China-based attackers accessed Exchange Servers through the four bugs or stolen credentials, allowing them to create web shells — a command-line interface — to remotely communicate with an infected computer. Web shells are handy for attackers because they can survive on a system after a patch and need to be manually removed.

    Attackers generally go after admin credentials to run malware, but they also use connections that aren’t protected by a VPN. Alternatively, they attack VPNs themselves.

    Microsoft provides detailed update instructions that Exchange admins should follow, including updating the relevant cumulative updates (CU) for Exchange Server 2013, 2016, and 2019. The company cautions that admins should update to one of the supported CUs: it won’t be providing updates to unsupported CUs, which won’t be able to install the November security updates.

    Microsoft confirmed that two-factor authentication (2FA) won’t necessarily protect against attackers exploiting the new Exchange flaws, particularly if an account has already been compromised.

    “If auth is successful (2FA or not) then CVE-2021-42321 could be exploitable,” says Microsoft program manager Nino Bilic. “But indeed, 2FA can make authentication be harder to go through so in that respect, it can ‘help’. But let’s say if there is an account with 2FA that has been compromised — well, in that case it would make no difference,” Bilic adds.

    To detect compromises, Microsoft recommends running the following PowerShell query on your Exchange server to check for specific events in the Event Log (the quotes must be plain ASCII double quotes for PowerShell to parse the command):

    Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error | Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }

  • A stalker's wishlist: PhoneSpy malware destroys Android privacy

    A new spying campaign involving PhoneSpy malware has infected thousands of victim devices to date. 

    On Wednesday, Zimperium zLabs published a new report on PhoneSpy, spyware developed to infiltrate handsets operating on Google’s Android OS. To date, 23 malicious apps harboring the spyware have been found, but none of the samples were discovered in the official Google Play Store — suggesting that PhoneSpy is being distributed via third-party platforms.

    The latest PhoneSpy campaign appears to be focused on South Korea, with the malware bundled into seemingly-benign mobile apps including messaging, yoga instruction, photo collection and browsing utilities, and TV/video streaming software. zLabs suspects that the initial infection vector is a common one: the use of phishing links posted to websites or social media channels.

    Once a victim installs and executes the app’s APK file, PhoneSpy is deployed. PhoneSpy targets Korean speakers and will throw up a phishing page, pretending to be from a popular service — such as the Kakao Talk messaging app — in order to request permissions and to steal credentials.

    When you think of spyware right now, it may be that Pegasus comes to mind — a silent, pernicious form of malware that has been used to spy on high-profile lawyers, activists, government figures, and journalists. While PhoneSpy appears to be more run-of-the-mill, the malware’s capabilities, too, cannot be dismissed out of hand.

    The malware is described as an “advanced” Remote Access Trojan (RAT) capable of quietly conducting surveillance on a victim and sending data to a command-and-control (C2) server. PhoneSpy’s functionality includes monitoring a victim’s location via GPS; recording audio, images, and video in real time by hijacking mobile microphones and both front and rear cameras; intercepting and stealing SMS messages; call forwarding; call log and contact list theft; sending messages on behalf of the malware’s operator; and exfiltrating device information.

    In addition, PhoneSpy has been developed with obfuscation and concealment features and will hide its icon to stay undetected — a common tactic employed by spyware and stalkerware. The malware may also attempt to uninstall user apps, including mobile security software.

    zLabs believes that the campaign has been used to gather “significant amounts of personal and corporate information [from] victims, including private communications and photos.” The campaign is still ongoing. US and Korean authorities have been informed.

    “The victims were broadcasting their private information to the malicious actors with zero indication that something was amiss,” the researchers say. “Even though thousands of South Korean victims have fallen prey to the spyware campaign, it is unclear whether they have any connections with each other. But with the ability to download contact lists and send SMS messages on behalf of the victim, there is a high chance that the malicious actors are targeting connections of current victims with phishing links.”


  • Cybersecurity: This prolific hacker-for-hire operation has targeted thousands of victims around the world

    A hacker-for-hire operation offered by cyber mercenaries has targeted thousands of individuals and organisations around the world, in a prolific campaign of financially driven attacks that have been ongoing since 2015.


    Human rights activists, journalists, politicians, telecommunications engineers and medical doctors are among those who have been targeted by the group, which has been detailed by cybersecurity researchers at Trend Micro. They’ve dubbed it Void Balaur, after a multi-headed creature from Slavic folklore.

    The cyber-mercenary group has been advertising its services on Russian-language forums since 2018. The key services offered are breaking into email and social media accounts, as well as stealing and selling sensitive personal and financial information. The attacks will also occasionally drop information-stealing malware onto devices used by victims.

    It doesn’t appear to matter who the targets are — as long as those behind the attacks get paid by their contractors. Only a handful of campaigns are run at any one time, but those that are being run command the full attention of Void Balaur for the duration.

    “There will just be a dozen targets a day, usually less. But those targets are high-profile targets — we found government ministers, members of parliaments, a lot of people from the media and a lot of medical doctors,” Feike Hacquebord, senior threat researcher for Trend Micro, told ZDNet, speaking ahead of the research being presented at Black Hat Europe. Some of those targeted include the former head of intelligence and five active members of the government in an unspecified European country.

    The individuals and organisations being targeted are spread around the world, spanning North America, Europe, Russia, India and more. Many of the attacks appear to be politically motivated, carried out against people in countries where, if exposed, the victim could have their human rights violated by governments.

    Like other malicious hacking campaigns, the entry point of many Void Balaur campaigns is phishing emails, which are tailored towards the chosen victim. However, the group also claims to offer the ability to gain access to some email accounts without any user interaction at all, offering this service at a premium rate compared with other attacks. The service relates to several Russian email providers and the research paper notes: “We have no reason to believe that it is not a real business offering”.

    Some of the campaigns go on for extended periods of time. For example, one targeting an unspecified large conglomerate in Russia was active from at least September 2020 to August 2021 and didn’t just target the owner of the businesses, but also their family members, and senior members of all the companies under the same corporate umbrella.

    “There’s a set of companies owned by one person and his family members were targeted, the CEOs of the companies were being targeted and that all happens over more than one year,” said Hacquebord.

    The hackers-for-hire target a wide range of victims in many industries at the behest of whoever is hiring their illicit services — but the key theme is that the targets are almost all organisations and individuals who have access to large amounts of sensitive data. For example, one campaign has targeted at least 60 IVF doctors. There’s a lot of sensitive information involved in healthcare, but there’s also a lot of money exchanged, so it’s possible the end goal of this particular Void Balaur contract was personal data, financial data, or both.

    Another campaign targeted senior engineers working for mobile phone companies, predominantly in Russia, but there were also targets in the West. These individuals would be useful to compromise for cyber-espionage campaigns.

    “If you’re able to compromise these engineers, you might be able to get a foothold in the company. You see the same for banks and fintech — key people are being targeted. These people have a lot of access to information, it matches the offerings of Void Balaur,” said Hacquebord.

    Researchers haven’t attributed Void Balaur to any one particular country or region, but note that the attackers work long hours, starting around 6am GMT and going through until 7pm GMT. Those working for the group seem to be active seven days a week and rarely take holidays – potentially indicating the vast demand for their services.

    “Cyber mercenaries is an unfortunate consequence of today’s vast cybercrime economy,” said Hacquebord. “Given the insatiable demand for their services and harbouring of some actors by nation-states, they’re unlikely to go away anytime soon. The best form of defence is to raise industry awareness of the threat in reports like this one and encourage best practice cybersecurity to help thwart their efforts,” he added.

    In order to protect against hacking campaigns by cyber mercenaries and other malicious cybercriminals, researchers at Trend Micro recommend using multi-factor authentication to protect email and social media accounts — and to use an app or physical key rather than a one-time SMS passcode, which could be exploited by attackers. It’s also recommended that people use email services from a reputable provider with high privacy standards and that encryption should be used for as many communications as possible.

  • Average ransomware payment for US victims more than $6 million, survey says

    A new report from Mimecast has found that the US leads the way in the size of payouts following ransomware incidents. In the “State of Ransomware Readiness” study from Mimecast, researchers spoke with 742 cybersecurity professionals and found that 80% of them had been targeted with ransomware over the last two years. 


    Of that 80%, 39% paid a ransom, with US victims paying an average of $6,312,190. Victims in Canada paid an average of $5,347,508 while those in the UK paid nearly $850,000. Victims in South Africa, Australia, and Germany all paid less than $250,000 on average.

    More than 40% of respondents did not pay any ransom, and another 13% were able to negotiate the initial ransom figure down.

    Of the 742 experts who spoke to Mimecast, more than half said the primary source of ransomware attacks was phishing emails with ransomware attachments, and another 47% said they originated from “web security.” Phishing emails that led to drive-by downloads were also a highly cited source of ransomware infections.

    Less than half of respondents said they have file backups that they could use in the event of a ransomware attack, and almost 50% said they needed bigger budgets to update their data security systems.

    Despite the lack of backups, 83% of those surveyed said they could “get all their data back without paying the ransom.” Another 77% of executives said they believed they could get their company back to normal within two days following a ransomware incident. This confused Mimecast researchers, considering nearly 40% of respondents admitted to paying ransoms. A number of respondents called for more training and more information-sharing about threats.

    “Ransomware attacks have never been more common, and threat actors are improving each day in terms of their sophistication and ease of deployment,” said Jonathan Miles, head of strategic intelligence & security research at Mimecast. “Preparation is key in combating these attacks. It’s great to see cybersecurity leaders feel prepared, but they must continue to be proactive and work to improve processes. This report clearly shows ransomware attacks pay, which gives cybercriminals no incentive to slow down.”

    Ransomware incident costs stretch far beyond the ransom itself: 42% of survey respondents reported a disruption in their operations, and 36% said they faced significant downtime. Almost 30% said they lost revenue, and 21% said they lost customers.

    Another cost? Almost 40% of the cybersecurity professionals surveyed said they believed they would lose their jobs if a ransomware attack was successful. Two-thirds of respondents said they would “feel very or extremely responsible if a successful attack occurred.” When asked why, almost half said it would be because they “underestimated the risk of a ransomware attack.”

  • Rust-proofing the internet with ISRG's Prossimo

    You know the non-profit Internet Security Research Group (ISRG) for its Let’s Encrypt certificate authority, the most popular way of securing websites with TLS certificates. The group wants to do more. Its newest project, Prossimo, seeks to make many basic internet programs and protocols memory-safe by rewriting them in Rust.

    Rust, like some other memory-safe programming languages such as Go and Java, prevents programmers from introducing some kinds of memory bugs. All too often memory safety bugs go hand-in-hand with security issues. Unfortunately, much of the internet’s fundamental software is written in C, which is anything but memory safe. Of course, you can write memory-safe programs in C or C++, but it’s difficult. Conversely, you can create memory bugs in Rust if you try hard enough, but generally speaking Rust and Go are much safer than C and C++.

    There are many kinds of memory safety bugs. One common type is out-of-bounds reads and writes. In these, if you wrote code to track a to-do list with 10 items in C without memory protection measures, users could try to read and write an 11th item. Instead of an error message, you’d read from or write to memory that belonged to another program. In a memory-safe language, you’d get a compile error or a crash at run time. A crash is bad news too, but it’s better than giving a hacker a free pass into some other program’s memory.

    Using that same example, what happens if you delete the to-do list and then ask for the list’s first item? A badly written program in a non-memory-safe language will try to fetch from the old memory location in what’s called a use-after-free error. This trick is used all the time to steal data and wreak havoc on a poorly secured program. Again, with Rust or Go, you must go far out of your way to introduce such a blunder.

    As ISRG’s executive director, Josh Aas, explained in a speech at the Linux Foundation Membership Summit:

    “We’ve only started talking about security seriously recently. The problem is mainly C and C++ code. That’s where these vulnerabilities are coming from. New memory safety vulnerabilities come up in widely used software every day. I think it’s fair to say that this is out of control. 90% of vulnerabilities in Android; 70% from Microsoft and 80% of zero-day vulnerabilities come from old language memory-based. There are real costs to this stuff; every day people get hurt.”
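    As an added example (not code from the article or from ISRG), the to-do list scenario above written in C with the checks that Rust supplies at compile time but a C programmer has to write by hand: the list holds 10 items, an 11th write or read is refused with an error code, and deleting the list nulls the owner's pointer so asking for the first item afterwards fails cleanly instead of reading freed memory. The todo_* names and the fixed capacity are assumptions for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the article: a 10-item to-do list in C with
 * explicit bounds and lifetime checks. A forgotten check here is silent
 * memory corruption; Rust rejects both mistakes before the program runs. */

#define TODO_CAPACITY 10
#define TODO_TEXT_MAX 64

typedef struct {
    char   items[TODO_CAPACITY][TODO_TEXT_MAX];
    size_t count;
} todo_list;

/* Append an item. Returns 0, or ENOSPC when all 10 slots are used: the
 * "11th item" write is refused instead of landing past the array. */
int todo_add(todo_list *list, const char *text)
{
    if (list == NULL || text == NULL)
        return EINVAL;
    if (list->count >= TODO_CAPACITY)
        return ENOSPC;
    strncpy(list->items[list->count], text, TODO_TEXT_MAX - 1);
    list->items[list->count][TODO_TEXT_MAX - 1] = '\0';
    list->count++;
    return 0;
}

/* Read item idx into *out. An index at or past count yields ERANGE and
 * a NULL *out; an unchecked list->items[idx] would instead hand back
 * whatever memory happens to follow the array. */
int todo_get(const todo_list *list, size_t idx, const char **out)
{
    if (out == NULL)
        return EINVAL;
    *out = NULL;
    if (list == NULL)
        return EINVAL;              /* also catches use after todo_free */
    if (idx >= list->count)
        return ERANGE;
    *out = list->items[idx];
    return 0;
}

/* Free the list and null the caller's pointer, so asking for the first
 * item after deletion fails cleanly rather than reading freed memory. */
void todo_free(todo_list **list)
{
    if (list == NULL || *list == NULL)
        return;
    free(*list);
    *list = NULL;
}

/* Run the article's scenario: fill all 10 slots, try the 11th, read
 * index 10, then delete the list and ask for its first item. Returns 0
 * when every hazardous access was refused, otherwise the failed step. */
int todo_scenario(void)
{
    todo_list *list = calloc(1, sizeof(todo_list));
    const char *item = NULL;
    char text[TODO_TEXT_MAX];
    int step = 0;
    if (list == NULL)
        return 1;
    for (int i = 0; i < TODO_CAPACITY && step == 0; i++) {
        snprintf(text, sizeof text, "task %d", i + 1);
        if (todo_add(list, text) != 0)
            step = 2;
    }
    if (step == 0 && todo_add(list, "task 11") != ENOSPC)
        step = 3;                           /* 11th write must be refused */
    if (step == 0 && (todo_get(list, 10, &item) != ERANGE || item != NULL))
        step = 4;                           /* 11th read must be refused */
    if (step == 0 && (todo_get(list, 0, &item) != 0 || strcmp(item, "task 1")))
        step = 5;                           /* valid read must still work */
    todo_free(&list);                       /* "delete the to-do list" */
    if (step == 0 && (todo_get(list, 0, &item) != EINVAL || item != NULL))
        step = 6;                           /* use after free must fail */
    return step;
}
```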

    Why are they doing this now? Because, Aas explained, “We didn’t have great system languages to replace C. Now, we have that option.”

    So it is that under the Prossimo umbrella, ISRG is sponsoring developers to create memory-safe versions of internet programs. So far this includes a memory-safe TLS library, Hyper, and module, mod_tls, for the Apache webserver; a memory-safe curl data transfer utility; and memory-safe Rustls, a safer OpenSSL alternative.

    Next up, Prossimo wants to give Network Time Protocol (NTP) the memory-safe treatment. For now, though, this NTP project lacks funding.

    Of course, replacing critical C-based programs throughout the internet is a gigantic and complex task. But it’s a job that must be done as we grow ever more dependent on the internet for our personal lives, business work, and indeed the entire global economy.