More stories

  • Run Windows software and more with this $35 Mac app bundle

    When things take longer than they should, they eat up time that could be spent much more enjoyably elsewhere. Often the problem is simply that you don’t have the right software, and if that’s the case, all you need in order to boost your productivity is The All-Star Mac Bundle Featuring Parallels Pro. Fortunately, it’s being offered at a 30% discount for a very limited time when you use the code ALLSTARMAC.

    For instance, you can streamline your use of operating systems by running macOS and Windows at the same time with the Parallels Pro 1-Yr Subscription included in this bundle. Buyers really love this service: they gave it a remarkable 4.7 out of 5 stars on Trustpilot.

    Then you can protect your privacy forever, not only on your Mac but also on up to 5 other devices, with a lifetime subscription to FastestVPN. Since you don’t have to sacrifice speed for security, this is a critic’s choice. According to TenBestVPNs: “FastestVPN is one of the most promising VPN services in the market.”

    Once you’ve got your operations rolling along, you can really begin to turbocharge your productivity in perpetuity with what is arguably the most powerful contact manager you can use on a Mac, because a perpetual license to Busy Contacts is also part of this bundle. The Smart Filter and Tags features let you organize your contacts, you can sync with all the common cloud services and even integrate it with your social media accounts, and the Activity List keeps track of all your communications and other events with each contact.

    You will also get a lifetime license for both Mac and Windows to PDFChef, which lets you do everything you need to with PDF files, as well as a perpetual license for Moho Debut. That’s a fun 2D animation program you can use to make cartoons, videos, and more, even if you are a complete novice.

    Don’t miss this chance to get a 30% discount off The All-Star Mac Bundle Featuring Parallels Pro during the short time it’s available. Use the code ALLSTARMAC today and pay only $35. Prices subject to change.


  • Necro Python bot revamped with new VMWare, server exploits

    A recent Necro Python bot campaign has shown that the developer behind the malware is hard at work ramping up its capabilities.

    On Thursday, researchers from Cisco Talos published a report on Necro Python, a bot that has been in development since 2015. The botnet’s development progress was documented in January 2021 by both Check Point Research (CPR) and Netlab 360, which tracked it separately as FreakOut and Necro.

    The developer behind the Necro Python bot has made a number of changes to increase the power and versatility of the bot, including exploits for over 10 different web applications and the SMB protocol that are being weaponized in the bot’s recent campaigns. Exploits are included for vulnerabilities in software such as VMWare vSphere, SCO OpenServer, and the Vesta Control Panel. A version of the botnet, released on May 18, also includes exploits for EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0147).

    The bot will first attempt to exploit these vulnerabilities on both Linux and Windows-based operating systems. If successful, the malware uses a JavaScript downloader, Python interpreter and scripts, and executables created with pyinstaller to begin roping the compromised system into the botnet as a slave machine.

    Necro Python will then establish a connection to a command-and-control (C2) server to maintain contact with its operator, receive commands, exfiltrate data, or deploy additional malware payloads.

    A new addition to the bot is a cryptocurrency miner, XMRig, which is used to generate Monero (XMR) by stealing the compromised machine’s computing resources.

    “The bot also injects the code to download and execute a JavaScript-based miner from an attacker-controlled server into HTML and PHP files on infected systems,” the researchers say. “If the user opens the infected application, a JavaScript-based Monero miner will run within their browser’s process space.”

    Other features include the ability to launch distributed denial-of-service (DDoS) attacks, data exfiltration, and network sniffing. A user-mode rootkit is also installed to establish persistence by ensuring the malware launches whenever a user logs in, and to hide its presence by burying malicious processes and registry entries.

    Another upgrade of note is Necro Python’s polymorphic abilities. According to the researchers, the bot has a module that allows developers to view code as it would be seen by an interpreter before being compiled to bytecode, and this module has been integrated into an engine that could allow runtime modifications. The engine runs every time the bot is started and reads its own file before morphing the code, a technique that can make bot detection more difficult.

    “Necro Python bot shows an actor that follows the latest development in remote command execution exploits on various web applications and includes the new exploits into the bot,” Talos says. “This increases its chances of spreading and infecting systems. Users need to make sure to regularly apply the latest security updates to all of the applications, not just operating systems.”

  • Yes, I trust Amazon to share my internet connection with my neighbors

    In a few days, Amazon will begin enrolling Echo devices, Ring Floodlights, and Spotlight Cams into its Amazon Sidewalk network, a plan to create a huge shared network that will allow other Amazon devices that are experiencing network downtime to automatically connect to a nearby device to get a connection.


    Here’s how Amazon describes Sidewalk: “Sidewalk can also extend the working range for your Sidewalk-enabled devices, such as Ring smart lights, pet locators, or smart locks, so they can stay connected and continue to work over longer distances. Amazon does not charge any fees to join Sidewalk.”

    Your contribution to Sidewalk is a small portion of your internet bandwidth — 80Kbps, capped to a maximum of 500MB a month. In return, you get access to Sidewalk: if your internet goes down, or you have a device in a location where it has a poor connection, your devices get to tap into that shared bandwidth so that they can continue to send you notifications.

    “By sharing a small portion of their home network bandwidth, neighbors give a little—but get a lot in return,” is how Amazon puts it in its privacy and security whitepaper.

    I agree. I’ve come across a lot of commentary related to Amazon Sidewalk. Some sensible, some losing their minds over it. And privacy and security concerns are at the top of people’s worries.

    Would I allow Amazon Sidewalk to share my network connection? Having read Amazon’s privacy and security whitepaper, and looking at Amazon’s track record over the years, I’d have no problems using Amazon Sidewalk. Amazon has put a great deal of effort and engineering into this, and it’s a clever solution to a problem that affects more and more people who have an ever-expanding ecosystem of IoT hardware in their homes.

    If you’re concerned about Amazon’s privacy and security credentials, then I’d question why you have Amazon hardware connected to your network in the first place. I mean, these devices have deep hooks into your life, home, and surroundings, and this hardware is bristling with microphones and cameras that are always ready to start listening and watching. Worrying that someone could do something nefarious with that 80Kbps of bandwidth that you’re making available should be the least of your worries. Also, given the state of home network hardware and how poorly it is patched for known security issues, that will offer a far bigger and better attack surface than Sidewalk ever will. And Amazon is pretty much on the ball when it comes to patching its hardware, so if bugs do surface — more of a when than an if — patches will be forthcoming and installed in the background. That’s a lot more than your typical home router sees.

    The fact that Tile users will be able to use this network to find lost items is innovative, and offers real competition to Apple’s AirTags. Amazon Sidewalk is a superb idea.

  • Chinese cybercriminals spent three years creating a new backdoor to spy on governments

    A new backdoor used in ongoing cyberespionage campaigns has been connected to Chinese threat actors. On Thursday, Check Point Research (CPR) said that the backdoor has been designed, developed, tested, and deployed over the past three years in order to compromise the systems of a Southeast Asian government’s Ministry of Foreign Affairs.

    The Windows-based malware’s infection chain began with spear phishing messages, impersonating other departments in the same government, in which members of staff were targeted with weaponized, official-looking documents sent via email. If victims open the files, remote .RTF templates are pulled and a version of Royal Road, an RTF weaponizer, is deployed. The tool works by exploiting a set of vulnerabilities in Microsoft Word’s Equation Editor (CVE-2017-11882, CVE-2018-0798, and CVE-2018-0802). CPR says that Royal Road is “especially popular with Chinese [advanced persistent threat] APT groups.”

    The RTF document contains shellcode and an encrypted payload designed to create a scheduled task and to launch time-scanning anti-sandboxing techniques, as well as a downloader for the final backdoor.

    Dubbed “VictoryDll_x86.dll,” the backdoor has been developed to contain a number of functions suitable for spying and the exfiltration of data to a command-and-control server (C2). 

    These include the reading, writing and deletion of files; harvesting OS, process, registry key and services information; the ability to run commands through cmd.exe; screen grabbing; creating or terminating processes; obtaining the titles of top-level windows; and the option to shut down PCs. The backdoor connects to a C2 to pass along stolen data, and this server may also be used to grab and execute additional malware payloads. First-stage C2s are hosted in Hong Kong and Malaysia, while the backdoor C2 server is hosted by a US provider.

    CPR believes it is likely that the backdoor is the work of Chinese threat actors due to its limited operational schedule — 1.00 am to 8.00 am UTC — the use of Royal Road, and test versions of the backdoor, uploaded to VirusTotal in 2018, which contained connectivity checks with Baidu’s web address.

    “We learned that the attackers are not only interested in cold data, but also what is happening on a target’s personal computer at any moment, resulting in live espionage,” commented Lotem Finkelsteen, head of threat intelligence at CPR. “Although we were able to block the surveillance operation for the Southeast Asian government described, it’s possible that the threat group is using its new cyberespionage weapon on other targets around the world.”


  • A new surprise feature for Norton 360 antivirus users: you can mine for cryptocurrency

    NortonLifeLock has launched a dedicated cryptocurrency mining setup for users of the Norton 360 antivirus platform. Announced on Wednesday, the new feature, Norton Crypto, will be rolled out today for users signed up to Norton’s early adopter program, NortonLifeLock says. Norton Crypto has been designed to allow users to “safely and easily mine cryptocurrency.” In the initial stages, users will be able to mine for Ethereum (ETH).

    Mining software leverages a PC’s CPU and graphics capabilities to obtain cryptocurrencies ranging from ETH to Monero (XMR). However, in order to do so, NortonLifeLock says users may have to disable their antivirus solutions — potentially Norton 360 included — and this could allow “unvetted code” to compromise their systems. The vendor added that cryptocurrency miners taking this risk could suffer the theft of their hard-won coins, or their loss if coins are kept in cold storage on user hard drives.

    To promote the new feature, NortonLifeLock claims that Norton Crypto will protect against these pitfalls by storing coins in a cloud-based wallet, Norton Crypto Wallet. A company spokesperson told The Verge that once cryptocurrency has been earned, it will be possible to “pull money into Coinbase,” which suggests that Norton Crypto users may also need to sign up for an account with the trading platform — unless other exchanges or means of transfer are also offered.

    “We are proud to be the first consumer Cyber Safety company to offer coin miners the ability to safely and easily turn the idle time on their PCs into an opportunity to earn digital currency,” commented Gagan Singh, NortonLifeLock chief product officer.

    Users in the US should be aware that cryptocurrency is considered a taxable asset and so earnings may have to be declared.

    The announcement, however, comes while the cryptocurrency market is far from flourishing. The prices of popular coins, including Bitcoin (BTC), ETH, and Dogecoin (DOGE), appear to be on a slow recovery trajectory after cryptocurrencies at large suffered a crash in May, prompted by increasing regulatory scrutiny in China and the US, as well as Elon Musk’s announcement that Tesla would no longer accept BTC as payment.

    Norton Crypto will be rolled out and made available to all Norton 360 customers in the coming weeks. ZDNet has reached out to the vendor with additional queries and we will update when we hear back.

  • Ransomware: Five questions you need to ask about your defences, before you get attacked

    Ransomware is one of the most dangerous cybersecurity threats facing organisations today, yet many are still underprepared when it comes to protecting networks from attacks, and unsure what to do if ransomware causes disruption.

    High-profile and highly disruptive ransomware attacks have recently hit Colonial Pipeline, Ireland’s HSE health service and global food producer JBS. In the case of Colonial Pipeline, the organisation paid a ransom of over $4 million in Bitcoin for the key required to restore the affected IT network.


    A ransomware attack can, therefore, be highly damaging when it comes to providing services; it can damage the reputation of the organisation and it can cost a lot of money, both in terms of paying the ransom – if the victim chooses to pay, despite warnings that it just funds and encourages criminality – and in restoring and securing the network after an incident.

    It’s vital that the CEO and the rest of the board are fully equipped with the knowledge to deal with the prospect of a ransomware attack hitting their organisation and are doing as much as possible to ensure this doesn’t happen. And in the unwanted event of an incident, they need to be ready with a plan to restore the network, preferably without paying a ransom.

    In an effort to provide guidance to CEOs, the UK’s National Cyber Security Centre (NCSC) has detailed five key questions for board members to ask about ransomware.

    1. As an organisation and as board members, how would we know when an incident occurred?

    One of the reasons why ransomware attacks have become so successful is that the attackers are able to lurk within the network for a long time without being discovered.

    Organisations should, therefore, know what their IT infrastructure looks like, what monitoring is in place on their network – especially with regards to critical assets – and be able to identify when something is potentially suspicious, as well as having mechanisms for reporting and investigating that malicious activity. By identifying potentially suspicious activity on the network, organisations can go a long way to cutting off ransomware attacks before an intruder has had the time to move around the network.

    2. As an organisation, what measures do we take to minimise the damage an attacker could do inside our network?

    One of the key aims of a ransomware attack is to encrypt as much of the network as possible, so organisations should examine what they can do to slow down or stop ransomware from spreading through systems.

    In order to make it more difficult for malicious intruders to move around the network, organisations can segment networks, preventing the whole network from being compromised by an attacker gaining access to just one device. Organisations should also look to implement two-factor authentication across the network as an additional line of defence that makes it harder for malicious intruders to move around the network.

    3. As an organisation, do we have an incident management plan for cyber incidents and how do we ensure it is effective?

    “Organisations should think in terms of ‘when’ rather than ‘if’ they experience a significant cyber incident,” warned the NCSC blog post, so it’s essential to plan incident response carefully and to practise for it.

    The NCSC’s recommendations for an incident management plan include identifying the key contacts who need to know about it, clear allocation of responsibility, a conference number for emergency incident calls, as well as contingency measures for critical functions.

    4. Does our incident management plan meet the particular challenges of ransomware attacks?

    Some ransomware attacks simply encrypt data and demand a ransom in return for the key. But increasingly, ransomware gangs are engaging in double extortion techniques where they’ll steal sensitive data and threaten to release it if they’re not paid.

    Situations like this might not be in the incident response plan, so it’s recommended that plans are made for what would happen in the event that data is stolen – and what recovery looks like when stolen information, potentially including sensitive data about customers, is published online.

    5. How is data backed up, and are we confident that backups would remain unaffected by a ransomware infection?

    One of the key things an organisation can do to help protect against the impact of a ransomware attack is to store backups and to regularly update them, as this provides a method of restoring the network relatively quickly without giving in to the ransom demand.

    However, the board should also seek assurances over what data is deemed critical, how frequently it’s backed up and how the backups are stored. Some ransomware attacks will target backups, so it’s important to make sure the backups are stored offline and on a separate network from the rest of the organisation.

    By asking questions like the above, the boardroom can help make sure that the organisation is as resilient as possible against the growing threat of ransomware attacks. “Cybersecurity is a board-level responsibility, and board members should be specifically asking about ransomware as these attacks are becoming both more frequent and more sophisticated,” said the NCSC guide.

  • WhatsApp backtracks on app limitations if you refuse new privacy terms

    WhatsApp has reversed course on its decision to limit app functionality for users who do not agree with policy changes that have caused controversy in recent months. 

    The new terms were first due to roll out in February and were then pushed back to a May 15 deadline amid concerns that Facebook would be given access to user data and potentially chat content, and thereby erode the privacy that WhatsApp was originally created for.

    WhatsApp, acquired by Facebook in 2014, said the new privacy policy will change how the Facebook and WhatsApp applications function, and “integrations” would be offered for businesses that want to manage WhatsApp chats with customers via the Facebook platform. However, the changes did not prove popular — nor did WhatsApp’s ‘take it or leave it’ approach to users, who were told to expect limited app functionality if they did not agree to the new terms.

    Originally, WhatsApp said that users who refused would encounter persistent reminders for a few weeks and gradually dialed-back functions, such as being unable to access chat lists. “After a few weeks of limited functionality, you won’t be able to receive incoming calls or notifications and WhatsApp will stop sending messages and calls to your phone,” the company said in its FAQ. While chats and user contacts wouldn’t be shared with Facebook, user profile data would be shared once that user communicated with a business on WhatsApp.

    However, this assurance wasn’t enough to placate some of WhatsApp’s two billion users, millions of whom have since turned to encrypted chat alternatives including Signal and Telegram.

    WhatsApp has since attempted to explain what the privacy changes mean for users, but after the controversial changes prompted German regulators to issue an emergency three-month ban prohibiting Facebook from processing personal data from WhatsApp “for its own purposes,” it seems the company has finally dialed back its heavy-handed approach. The privacy term updates have gone ahead, but users who refuse can carry on using WhatsApp as normal.

    “No one will have their accounts deleted or lose functionality of WhatsApp on May 15th because of this update,” the company says. “Considering the majority of users who have seen the update have accepted, we’ll continue to display a notification in WhatsApp providing more information about the update and reminding those who haven’t had a chance to do so to review and accept. We currently have no plans for these reminders to become persistent and to limit the functionality of the app.”

    Accounts that do not accept the privacy terms will not be deleted. However, WhatsApp added that there will be “opportunities” for those who have not accepted the changes to do so directly in the app, such as when users reregister or “if someone wants to use a feature that’s related to this update for the first time.”

    In related Facebook news, at the F8 developer conference, Facebook announced a swathe of changes to the WhatsApp Business API to improve uptake, API onboarding, and overall speed, as well as new messaging features to bolster integration of business chatbots on the platform.

  • FBI attributes JBS ransomware attack to REvil

    The United States FBI issued a short statement on Wednesday pinning the recent JBS ransomware incident on REvil.

    “As the lead federal investigative agency fighting cyber threats, combating cybercrime is one of the FBI’s highest priorities. We have attributed the JBS attack to REvil and Sodinokibi and are working diligently to bring the threat actors to justice,” the agency said. “We continue to focus our efforts on imposing risk and consequences and holding the responsible cyber actors accountable. Our private sector partnerships are essential to responding quickly when a cyber intrusion occurs and providing support to victims affected by our cyber adversaries.

    “A cyber attack on one is an attack on us all. We encourage any entity that is the victim of a cyber attack to immediately notify the FBI through one of our 56 field offices.”

    REvil has previously hit Acer, Travelex, and UnitingCare Queensland.

    Speaking to Australian Senate Estimates on Wednesday, director-general of the Australian Signals Directorate Rachel Noble said the agency has not used its offensive cyber capabilities against the ransomware crew, which at this time is believed to be Russian-based, but that JBS has a private incident response provider. Noble added that ASD is able to use its more secretive powers to warn other organisations if they are on a ransomware attacker’s hit list.

    “We were very engaged with [Channel Nine during their March attack] and the technical information that they were able to provide us about what happened on their network helped us, using our more classified capabilities, to warn two other entities that they were about to be victims as well, to prevent them from becoming victims,” the director-general said.

    JBS said on Tuesday it has seen “significant progress” in resolving the attack that hit its North American and Australian operations while leaving its Mexico and UK operations unaffected. The company said it has received strong support from governments in Washington, Canberra, and Ottawa, and was having daily calls with officials. On Wednesday, JBS said its global operations were back to “near full capacity”.

    “JBS USA and Pilgrim’s continue to make significant progress in restoring our IT systems and returning to business as usual,” JBS USA CEO Andre Nogueira said. “Today, the vast majority of our facilities resumed operations as we forecast yesterday, including all of our pork, poultry and prepared foods facilities around the world and the majority of our beef facilities in the US and Australia.”

    On Tuesday, Fujifilm said it disconnected and partially shut down its network after a ransomware attack. “Fujifilm Corporation is currently carrying out an investigation into possible unauthorised access to its server from outside of the company. As part of this investigation, the network is partially shut down and disconnected from external correspondence,” the Japanese giant said. “In the late evening of June 1, 2021, we became aware of the possibility of a ransomware attack. As a result, we have taken measures to suspend all affected systems in coordination with our various global entities.” “We are currently working to determine the extent and the scale of the issue. We sincerely apologise to our customers and business partners for the inconvenience this has caused.”

    Last week, it was reported that Japanese government data stored in Fujitsu software was accessed and stolen by hackers. “Fujitsu can confirm unauthorised access to ProjectWEB, a collaboration and project management software, used for Japanese-based projects. Fujitsu is currently conducting a thorough review of this incident, and we are in close consultation with the Japanese authorities,” Fujitsu told ZDNet. “As a precautionary measure, we have suspended use of this tool, and we have informed any potentially impacted customers.”