More stories


    Cisco’s AppDynamics debuts app performance, vulnerability management software

    Cisco’s AppDynamics has launched a new solution for tackling security and exploit management while preserving application performance.

    AppDynamics, the tech giant’s application performance management (APM) arm, now offers Cisco Secure Application, software built natively into the AppDynamics platform.
    On Thursday, Cisco said that the “AppDynamics with Cisco Secure Application” will “drastically simplify vulnerability management, defend against attacks, and protect applications.”
    While APM solutions usually focus on scrutinizing the performance of applications, the new offering has been designed to bring cybersecurity into the mix. 
    As businesses feel the strain of extended work-from-home models set to continue into the foreseeable future, the transition from BYOD to full remote working has, for some organizations, increased their potential cyberattack exposure and is also applying pressure to existing data management protocols.
    With enterprise operations now spread across on-premise, hybrid, and cloud systems, Cisco says that data is being shifted from pillar to post, and when combined with remote laptops and devices, this situation is “testing the limits of monitoring practices and vastly expanding the IT perimeter, creating new weaknesses and vulnerabilities in even the most secure IT estates.”
    As a result, some corporations may be choosing to sacrifice either security or performance. However, it is hoped that the new software introduced by the company will take some of the load off IT teams. 

    Secure Application includes automatic runtime protection, deviation identification and blocks, simplified vulnerability management at the code level — including dependency and configuration-level bug detection — and threat data correlated with an app’s infrastructure and potential relevant business impact.
    “With applications now running anywhere from on-premise to multi-cloud and cloud-native microservices, combined with accelerated innovation, the need for an application-led approach to security is paramount,” Cisco says. “This critical shift will enable technologists to identify vulnerabilities within the application during production, correlate vulnerabilities and breaches with business impact, and bring together application and security teams to facilitate speedy remediation.”
    AppDynamics with Cisco Secure Application is now accessible through early availability programs. 
    AppDynamics was acquired by Cisco in 2017 for $3.7 billion. In related news, in December, Cisco purchased Dashbase to leverage the software startup’s log and events analytics technology and improve AppDynamics’ observability platform. 


    This old form of ransomware has returned with new tricks and new targets

    A form of ransomware that was once the most popular choice among cyber criminals has made a comeback and is being used to target healthcare.
    Back in 2017, Cerber was the dominant family of ransomware, at one point accounting for 90% of all ransomware attacks targeting Windows systems.


    What helped make it so prolific was its ‘as-a-service’ model, whereby Cerber’s authors allowed other cyber criminals to use their code – complete with an easy-to-use service portal – in exchange for a percentage of any bitcoin made in ransom payments.
    Typically, ransoms only amounted to a few hundred dollars – minuscule compared to today’s ransomware attacks demanding hundreds of thousands or millions of dollars in exchange for a decryption key – but the potency of Cerber led to a lot of victims giving in to ransom demands, providing a profitable business model for both Cerber authors and affiliates.
    By 2018, it looked as if Cerber had disappeared, replaced by other forms of ransomware as cyber-criminal business models changed and attackers went after whole enterprise networks and started demanding much higher sums for decryption keys.
    But Cerber is back, with researchers at security company VMware Carbon Black identifying it as the most common ransomware targeting healthcare during 2020.

    Analysis of 239 million attempted cyberattacks targeting Carbon Black customers in healthcare found Cerber to be the most common form of ransomware, accounting for 58% of ransomware attacks attempting to target the sector.
    Cerber might be one of the older forms of ransomware, but the prolific way it’s being distributed by phishing emails and compromised websites suggests that it’s still effective.
    “Although old malware variants such as Cerber tend to resurface, these are often re-factored to include new tricks, though at the core are still leveraging tried and true techniques,” said Greg Foss, senior cybersecurity strategist at VMware Carbon Black.
    “All it takes is a quick search on the dark web for someone to license out a ransomware payload to infect targets. Today, it’s unfortunately just as easy to sign up for a grocery delivery service as it is to subscribe to ransomware,” he added.
    Some of the other most prolific ransomware attacks targeting healthcare include Sodinokibi, VBCrypt, Cryos and VBKrypt.
    Hospitals are, unfortunately, a regular target for cyber criminals distributing ransomware because healthcare relies on systems being accessible in order to provide patient care.
    This sometimes leads to hospitals quickly opting to pay a ransom demand, because it’s seen as the best way to avoid compromising the health of patients – and increasingly, stopping cyber criminals from publishing stolen data, which in healthcare can be highly sensitive.
    For cyber criminals, healthcare also makes an appealing target because the 24/7 nature of the sector means that it can be difficult to take parts of the network offline in order to install the relevant patches and security updates to protect against cyberattacks exploiting known vulnerabilities.
    However, it’s crucial that healthcare finds a way of applying these patches. Not only can they help protect the hospital from falling victim to cyberattacks in the first place, but taking part of the network offline to apply updates is going to be much less painful than the whole hospital network being taken offline by a ransomware attack.


    Open source: Google wants new rules for developers working on 'critical' projects

    The new practices would require project maintainers to be identifiable, accountable, and authenticated.
    Open-source software should be more secure than closed source, but only if people are actually inspecting it, and that’s not an easy job, Google argues.
    But to ensure future software supply chain attacks don’t involve key open-source software projects, some of Google’s top engineers have proposed new ‘norms’ that might cause problems with open-source contributors – if their project is considered “critical”. 


    If the industry as a whole can decide that a particular project is “critical”, Google has suggested new practices that would require project owners and maintainers to be identifiable, accountable, and authenticated. That would mean no more changes to code at will, and subjecting changes to third-party review.  
    Google acknowledges its suggestions for critical open-source software are more “onerous” on project owners, and so it is expecting resistance to its recommendations. 
    Google admits “we are but one voice in a space where consensus and sustainable solutions matter most of all.” But it’s a powerful voice in tech. The company has outlined its suggestions for attaining these goals in the blogpost. 
    Rob Pike, a key designer of Google’s Go programming language, and Eric Brewer, VP Infrastructure and Google Fellow, argue in a new blogpost that the industry should agree to “define collectively the set of ‘critical’ software packages, and apply these higher standards only to this set.”

    The objectives for critical open-source software include:
    • No unilateral changes to code. Changes would require code review and approval by two independent parties.
    • Authenticate participants. This means owners and maintainers cannot be anonymous; contributors are required to use strong authentication (e.g. 2FA).
    • Notifications for changes in risk to the software.
    • Transparency for software artifacts.
    • Ways to trust the build process.
    “The [goals are] more onerous and therefore will meet some resistance, but we believe the extra constraints are fundamental for security,” the engineers explain. 
    The first set of goals Google wants the industry to consider for all open-source software is less contentious, but would still require more work and addresses issues that even Google finds challenging.
    The first three key objectives for all open-source software are:
    • Know about the vulnerabilities in your software.
    • Prevent the addition of new vulnerabilities.
    • Fix or remove vulnerabilities.
    The recent supply chain attacks involving SolarWinds and others that led to the compromise of thousands of organizations involved closed source or proprietary software. 
    While open source doesn’t suffer from ‘security through obscurity’, it doesn’t follow that open source is actually free of vulnerabilities.
    “Open-source software should be less risky on the security front, as all of the code and dependencies are in the open and available for inspection and verification. And while that is generally true, it assumes people are actually looking,” they write. 
    Open-source software projects, particularly Java and JavaScript/Node.js, rely on thousands of direct and indirect dependencies, making them tough to explore for vulnerabilities.  
    The Google engineers note that it is “impractical to monitor them all” and, they add, many open-source packages are not well maintained.
    “Open source likely makes more use of dependencies than closed source, and from a wider range of suppliers; the number of distinct entities that need to be trusted can be very high,” they write. 
    “This makes it extremely difficult to understand how open source is used in products and what vulnerabilities might be relevant. There is also no assurance that what is built matches the source code.”
    To address supply chain attacks, the industry needs to focus on addressing the “majority of vulnerabilities” because attackers frequently pursue known vulnerabilities rather than finding their own. 
    The problem for organizations using open source is that few verify all the packages they’re using. Even Google finds this task difficult. 
    “Tracking these packages takes a non-trivial amount of infrastructure, and significant manual effort.
    “At Google, we have those resources and go to extraordinary lengths to manage the open-source packages we use—including keeping a private repo of all open-source packages we use internally—and it is still challenging to track all of the updates. The sheer flow of updates is daunting.”
    Google sees automation as a way forward to address the torrent of updates to open-source packages.


    LockBit ransomware operator: ‘For a cybercriminal, the best country is Russia’

    A LockBit ransomware controller has given researchers a glimpse into lone-wolf operations and the reasons why he chose to go down a criminal route. 

    In an interview this week with the Cisco Talos cybersecurity team (.PDF), an operator of LockBit explained his modus operandi, his preferred targets, tool use, and why it is difficult to become a white-hat specialist in his thought-to-be country of residence, Russia. 
    Ransomware has become a serious threat to the enterprise in recent years. While ransomware can cause personal devastation to individuals who suddenly find themselves locked out of their PCs and with little recourse to recovering their files unless they pay a ransom demand in return for a decryption key — usually required in cryptocurrency such as Bitcoin (BTC) — businesses face consequences that can be far worse. 
    Once a ransomware variant has infiltrated a corporate network and has finished its encryption spree, victims are faced with disruption and may be forced to suspend core services. If backups are not readily available, cybercriminals can potentially demand thousands and thousands of dollars, on pain of either keeping resources encrypted or potentially leaking sensitive corporate data. 
    According to Coveware, the average payout decreased in Q4 2020 to $154,108 in comparison to $233,817 in the third quarter. However, as long as organizations give in and pay up, the ransomware market will remain lucrative. 
    During Cisco Talos’ interview with the LockBit operator, referred to as “Aleks” and thought to be located in the Siberian region of Russia, he claimed to be self-taught in skills including penetration testing, network security, and reconnaissance. 
    Aleks, believed to be in his early 30s, secured a job with an IT company while finishing a university degree, but demonstrated “a general sense of disappointment, at times even resentment, for not being properly appreciated within the Russian cyber industry,” Talos says. 

    “His frustration was evident during our conversations, with him disparaging several well-known Russian cybersecurity companies,” the interview reads. “He also remarked that, ‘In the West, I would probably work in white [hat security] and earn easily…’ suggesting that his perceived underappreciation and low wages drove him to participate in unethical and criminal behavior.”
    Several examples of such “underappreciation” were noted, including being rebuffed when he reported security issues in websites, including a Russian social network. His “well-intentioned efforts were ignored,” Aleks claimed, which further drove him down a cybercriminal path. 
    However, even if your country does not appreciate legitimate researchers, there is still the option of participating in bug bounties — and there is a demand globally for assistance in securing online assets. 
    The LockBit operator appears to be disillusioned with this industry, telling Talos that companies are doing their best to forgo paying bug bounty hunters for their findings. 
    “This stands completely at odds with our professional observations from the security community,” the researchers noted. “It may be the case that Aleks chooses to view vulnerability programs through this lens to account for his own decision to not participate in them or because he has heard inaccurate stories from other threat actors.”
    His motives for becoming a ransomware operator, however, do not seem to be purely financial. During the interview, Aleks said that while ransomware is profitable, he also wanted to “teach” companies the “consequence of not properly securing their data.”
    Aleks also said that “for a cybercriminal, the best country is Russia,” and victim organizations in the United States and Europe “will pay quicker and more” than targets in post-Soviet states. 
    The threat actor claimed that when it comes to organizations with cyberinsurance, a payout is “all but guaranteed,” and in Europe, companies are also under more pressure to pay as they are “scared” of the consequences of violating the EU’s GDPR data protection regulations.
    “It is not unusual for criminals to view their own actions as justifiable after the fact even if there was no real moral ambiguity to the crime,” Cisco Talos concluded. “In this case, the lack of jobs that meet his satisfaction, appears to be the introductory course to cybercrime. His feelings of underappreciation, resentment, and economic incentive are common motivators of illicit cyber activity, and his story, as portrayed to us, illustrates how one could be driven toward cybercrime.”



    Digital Defense acquired to bolster HelpSystems’ security assessment portfolio

    Digital Defense has been acquired by HelpSystems in a bid to improve the firm’s vulnerability management and penetration testing services. 

    On Wednesday, HelpSystems said the purchase of Digital Defense will assist “threat-weary” IT teams by providing additional tools and services to improve infrastructure security and risk assessment capabilities. 
    The financial terms of the deal were not disclosed. 
    Founded in 1999, San Antonio, Texas-based Digital Defense is a cybersecurity firm that provides a Software-as-a-Service (SaaS) platform to enterprise clients. The platform includes vulnerability scanning, network asset analysis, and risk score generation to help IT teams focus remediation efforts.
    According to HelpSystems, the SaaS solutions will be integrated into the firm’s existing portfolio “to give organizations end-to-end infrastructure protection.”
    The purchase builds upon the acquisition of Core Security assets from SecureAuth in 2019 and Cobalt Strike, a penetration testing company, in 2020. Digital Defense will be joining these groups, combining identity management, pen testing, threat detection, vulnerability scanning, and risk assessment. 
    “The addition of Digital Defense offers threat-weary IT teams the capabilities they need to increase infrastructure security on two fronts: via leading-edge vulnerability management technology as well as seasoned pen testing resources to broaden our existing expertise,” commented Kate Bolseth, HelpSystems chief executive.

    In other cybersecurity acquisition news this month, Rapid7 purchased Kubernetes security technology provider Alcide for approximately $50 million. 


    Android devices ensnared in DDoS botnet

    Netlab, the networking security division of Chinese security firm Qihoo 360, said it discovered this week a new fledgling malware operation that is currently infecting Android devices for the purpose of assembling a DDoS botnet.
    Named Matryosh, the botnet is going after Android devices where vendors have left a diagnostics and debugging interface known as Android Debug Bridge enabled and exposed on the internet.
    Active on port 5555, this interface has been a known source of problems for Android devices for years, and not only for smartphones but also smart TVs, set-top boxes, and other smart devices running the Android OS.
    Over the past few years, malware families like ADB.Miner, Ares, IPStorm, Fbot, and Trinity, have scanned the internet for Android devices where the ADB interface has been left active, connected to vulnerable systems, and downloaded and installed malicious payloads.
    According to a report published this week, Netlab said Matryosh is the latest in this long line of ADB-targeting botnets, but one that comes with its own twist.
    This twist comes from using the Tor network to hide its command and control servers and from a multi-layered process for obtaining the address of that server, hence the botnet’s name, inspired by the classic Russian matryoshka dolls.

    Netlab researchers, who are usually among the first to discover emerging botnets, said the botnet contains several clues suggesting it is the work of the same group that developed the Moobot botnet in 2019 and the LeetHozer botnet in 2020.

    Both botnets were essentially built and used for launching DDoS attacks, which also appears to be Matryosh’s primary function.
    The Netlab team says they found functions in the code specific to features that will use infected devices to launch DDoS attacks via protocols like TCP, UDP, and ICMP.
    Very little that users can do
    As it was stated in previous articles about the “ADB issue,” there is very little that end users can do about it.
    While smartphone owners can easily turn off their ADB feature using a setting in the OS options, for other types of Android-based devices, such an option is not available on most devices.
    As a result, many systems will remain vulnerable and exposed to abuse for years to come, providing botnets like Matryosh and others with a solid mass of devices they can abuse for crypto-mining, DNS hijacking, or DDoS attacks.


    Minister says law enforcement to be denied access in new digital ID legislation

    The Digital Transformation Agency (DTA) has been working on Australia’s digital identity system for a number of years, going live with the myGovID — developed by the Australian Taxation Office — and accrediting an equivalent identity service from Australia Post last year.
    The myGovID and the Australia Post Digital ID are essentially just forms of digital identification that allow a user to access certain online services, such as the government’s online portal myGov.
    There has been conversation around extending digital ID to allow the private sector and state government entities to develop their own platform. Eftpos previously flagged its interest and according to the minister in charge of digital transformation, Stuart Robert, PharmacyID is also interested.
    “Now I’m building up, on behalf of the government, a federated model, a trusted digital identity framework,” he said on Wednesday.
    “We’ll have another Act through the Parliament, this year, all going well, that allows other digital identities to be created, so DigiID from Australia Post, Eftpos is interested, so is Pharmacy for PharmacyID, that the idea of replicating 100 point check-in paper form, like you do now at a bank or a telco, but doing that digitally with absolute and utter assurance, and you can get a PharmacyID and you’ll be able to use that seamlessly for government.”
    Appearing before Senate Estimates in November, DTA CDO Peter Alexander said his agency is moving forward with the plan to bring in legislation to allow private entities onboard.
    “It is important to note, today we’re using myGovID, but into the future, you’ll be able to use a choice of identity provider, there’ll be additional providers … it could be a bank, it could be a state and territory identity provider. So individuals and businesses dealing with the Australian government and national services will be able to make a choice,” he said.

    The Trusted Digital Identity Framework sets out the operating model for digital identity. It’s essentially a set of rules that federal government agencies can follow, but they can’t be applied to states and territories, or to the private sector.
    This is where legislation will be used.
    Robert highlighted that there have been a number of impediments to data sharing over the years, saying that while they were all well-intentioned, they have prevented the use of data. “For example, I can’t use Medicare data to assist you with a simple inquiry. I can’t use disability data for a disability support payment to help you get on the NDIS,” he said.
    The DTA is also looking to add a digital, biometrically anchored identity, which Alexander previously said would allow users to simply take a photograph of themselves for it to be matched to a passport.
    “In time, that will be able to match the other biometrics that are held like driver’s licences, working with vulnerable children — whatever biometric is held,” he said.
    With concerns that law enforcement could have access to the data, particularly the biometric “anchoring” the service provides for, Robert said access would be denied in the coming Bill.
    “We will bring a Bill to the Parliament that will allow the use of data about a citizen to be used only for service delivery and I’ll specifically deny the use for law enforcement or compliance,” he said. “That way if you tell us once you won’t have to fill in multiple forms, because we’ll have your data once.”
    The minister said 2 million Australians have a myGovID.


    Google: Proper patching would have prevented 25% of all zero-days found in 2020

    Google said today that a quarter of all the zero-day vulnerabilities discovered being exploited in the wild in 2020 could have been avoided if vendors had patched their products correctly.
    The company, through its Project Zero security team, said it detected 24 zero-days exploited by attackers in 2020.
    Six of these were variations of vulnerabilities disclosed in previous years, where attackers had access to older bug reports so they could study the previous issue and deploy a new exploit version.
    “Some of these 0-day exploits only had to change a line or two of code to have a new working 0-day exploit,” Maddie Stone, a member of the Project Zero team, said today in a blog post.
    This included zero-days in Chrome, Firefox, Internet Explorer, Safari, and Windows.

    Furthermore, three other zero-days discovered and patched in 2020 could have been exploited in a similar fashion.
    Stone said that the initial patches for three zero-days, impacting Chrome, Internet Explorer, and Windows, required additional fixes.

    Had a threat actor examined those patches, they could easily have created new exploits, re-weaponized the same vulnerability, and continued their attacks.

    Stone, who also presented her findings at the USENIX Enigma virtual security conference this week, said that this situation could have been avoided if vendors had investigated the root cause of the bugs in greater depth and invested more in the patching process.
    The Project Zero researcher urged other security experts to take advantage of the moment when a zero-day vulnerability is exposed and analyze it in greater depth.
    Stone argued that zero-days provide a window into an attacker’s mind that defenders should take advantage of and try to learn about the entry vectors an attacker is trying to exploit, determine the vulnerability class, and then deploy comprehensive mitigations.
    Stone said this was the primary reason why the Google Project Zero team was founded years ago, namely to “learn from 0-days exploited in-the-wild in order to make 0-day hard.”