More stories

  • AXA pledges to stop reimbursing ransom payments for French ransomware victims

    Insurance company AXA has revealed that, at the request of French government officials, it will end cyber insurance policies in France that pay ransomware victims back for ransoms paid out to cybercriminals. 


    While unconfirmed, the Associated Press reported that the move was an industry first. AXA is one of the five biggest insurers in Europe and made the decision as ransomware attacks become a daily occurrence for organizations across the world. ZDNet reported last month that AXA is the cyber insurance market share leader based on standalone policies.

    The changes were made only in France after cybersecurity leaders within the French government and French Senators aired concerns about the massive payouts going to cybercriminals during a roundtable in Paris in April.

    French companies and enterprises, like those in the US, lost billions in 2020 due to devastating ransomware attacks that left organizations crippled for days or weeks, with some estimates showing the country suffered up to $5.5 billion in losses. Only the US had more ransomware attacks in 2020 than France, according to French cybercrime prosecutor Johanna Brousse, who spoke at the Paris roundtable, according to The Associated Press. Christine Weirsky, a spokeswoman for the US AXA subsidiary, told The Associated Press that their cyber insurance policies would still cover the costs of recovery.

    A report from cyber insurance provider Coalition in September noted that ransomware incidents represented 41% of all cyber insurance claims filed in the first half of 2020. The company said there was a 260% increase in the frequency of ransomware attacks among their policyholders and found that the average ransom demand increased 47%. Claims ranged from as low as $1,000 to $2 million.

    Cybersecurity experts have long complained that cyber insurance policies covering ransom payouts were fuelling ransomware and actually spurring more attacks. Knowing that insurance companies would cover company payouts, ransomware attackers became more and more brazen throughout 2020 and 2021. Many of the attacks in 2020 specifically targeted crucial government institutions like hospitals or K-12 schools, knowing they were more likely to have to pay in order to regain control of systems and important data.


    “This decision is not a surprise to us. In fact, other carriers may follow suit. However, businesses need protection from these events and in some cases even from going bankrupt due to ransomware,” said Cowbell Cyber CEO Jack Kudale, adding that often the cost of the ransom itself equals other damaging attack costs like business interruption, notification, restoration, credit monitoring, forensics, and crisis management.

    Other experts, like Digital Shadows senior cyber threat intelligence analyst Xue Yin Peh, explained that even when organizations are forced to pay ransoms, there is no guarantee that encrypted files and systems will be recovered. Even premiums associated with cyber insurance may increase as a result of a ransomware attack, she added.

    Sean Cordero, security advisor at Netenrich, said he expects more cyber insurance providers like AXA to seek to minimize their exposure from high-risk policies they’ve written or are considering underwriting, making it more difficult to secure or renew policies. For the first time, some insurers will request new evidence and validation from their policyholders to prove the adequacy of the policyholders’ controls, Cordero explained.

    “This validation is complex, and many insurers still rely on client self-attestation as the primary input to risk and policy determination. These insurers will hopefully transition to more data-driven models specific to the cybersecurity industry. For huge organizations, this may translate into third-party audits before completing underwriting,” Cordero said.

    Cordero added that some cyber insurers are now using attack surface intelligence, data science, cyber-specific actuarial models, and more to address the increase in attacks and reduce premiums. This, Cordero said, may “lead to broader coverage when the insured can prove their controls and readiness.”

  • This security project has taken down 1.5 million scam, phishing and malware URLs in just one year

    More websites hosting phishing domains and other online scams have been taken down during the last year than during the previous three years combined. The UK’s National Cyber Security Centre’s (NCSC) fourth annual Active Cyber Defence report details how it helped remove many more scams from the internet: in total, more than 1.4 million URLs responsible for 700,000 online scams have been removed by the NCSC’s takedown service during the last 12 months.

    The last year has seen a big rise in Covid-19 themed cyber crime, and the NCSC has helped to take down thousands of URLs associated with phishing and malware attacks using warnings about Covid-19 or false offers of vaccines.

    The NCSC also helped to take down fake online shops hosted in the UK, as well as fake celebrity endorsement scams used in an attempt to lure people into falling victim to cyber attacks. Often these scams begin with phishing messages which take victims through several URLs before they land on the final malicious site.

    Scams and phishing campaigns designed to look like they came from the government, the NHS, HMRC and many other high profile organisations have all been taken down as part of the NCSC’s Active Cyber Defence (ACD) programme, which it said aims to protect “the majority of people in the UK from the majority of the harm caused by the majority of the cyber attacks the majority of the time.”

    Tools in the ACD arsenal include the takedown service for finding malicious sites and sending notifications to the host to remove them from the internet. It also includes the Suspicious Email Reporting Service, a feature introduced last year which allows members of the public to forward emails suspected to be fraudulent directly to the NCSC for further investigation.

    To date, the service has received over four million emails, has helped identify more than 1.5 million malicious URLs and has helped lead to the takedown of tens of thousands of scams that hadn’t previously been identified. However, the report noted there was also a decrease in the percentage of attacks taken down within 24 hours, from 64.6% in 2019 to 55.5% in 2020.

    “The ACD programme is truly a collaborative effort, and it’s thanks to our joint efforts with partners both at home and internationally that we’ve been able to significantly ramp up our efforts to protect the UK,” said Dr Ian Levy, technical director of the NCSC.

    “The bold defensive approach taken by the ACD programme continues to ensure our national resilience and so I urge public bodies, companies and the general public to sign up to the services available to help everyone stay safe online,” he added.

  • Amazon seized, destroyed two million fake products sent to warehouses in 2020

    Amazon’s crusade against counterfeit product sellers on the firm’s platform continues with two million products seized and destroyed in 2020. 

    The e-commerce giant, known for shopping events such as Prime Day, allows third-party sellers across the globe to tout their wares on the Amazon platform. However, it takes only a brief glance at some products to know there are issues. Fake, counterfeit products, poor quality, misleading photos, and more are all noted in buyer reviews, and there are vast numbers of counterfeit operations that Amazon is attempting to detect and remove.

    While some sellers abuse the platform in colorful ways — such as the case of an Instagram influencer who was shut down after allegedly selling dupes with pictures of generic products in the marketplace — others continue to trade without detection.

    However, Amazon wants to bring “counterfeit to zero” on the platform, and to benchmark the firm’s progress it has released its first Brand Protection Report (.PDF) to the public.

    According to the report, which documents anti-counterfeit activities during 2020, there have been “increased attempts by bad actors to commit fraud and offer counterfeit products,” leading to the seizure of millions of products sent to fulfillment centers, which were then destroyed.

    “Amazon destroyed those products to prevent them from being resold elsewhere in the supply chain,” the company says.

    The e-commerce giant added that over 10 billion “suspect” listings were blocked before being published, and over six million attempts to create seller accounts suspected of being involved in counterfeit operations were prevented.

    When it comes to brands being impersonated by counterfeit sellers, Amazon says that less than 0.01% of products sold received an allegation from a customer of being fake, and in these cases, over 7,000 SMBs were connected via Amazon’s Counterfeit Crimes Unit to legal teams in the US and Europe. Over $700 million was invested in 2020 to combat counterfeit product operations.

    “Amazon continues to innovate on its robust proactive controls and powerful tools for brands, and won’t rest until there are zero counterfeits in its store,” Amazon commented. “However, this is an escalating battle with criminals that continue to look for ways to sell counterfeits, and the only way to permanently stop these counterfeiters is to hold them accountable through the court system and criminal prosecution.”

    Another problem that likely gives Amazon a headache is the custom of unscrupulous sellers who pay customers to leave five-star reviews. A data leak earlier this month implicated approximately 200,000 individuals in a review scam — potentially originating from China — in which sellers ‘refund’ a product’s price once a glowing review is left on the item’s Amazon listing.

    In response, the company said, “we suspend, ban, and take legal action against those who violate [community and review] policies.”

  • Lemon Duck hacking group adopts Microsoft Exchange Server vulnerabilities in new attacks

    Researchers have explored the latest activities of the Lemon Duck hacking group, including the leverage of Microsoft Exchange Server vulnerabilities and the use of decoy top-level domains. 

    The active exploitation of zero-day Microsoft Exchange Server vulnerabilities in the wild was a security disaster for thousands of organizations. Four critical flaws, dubbed ProxyLogon, impact on-prem Microsoft Exchange Server 2013, 2016, and 2010. Patches, vulnerability detection tools, and mitigation instructions were made available in March, but it is still estimated that up to 60,000 organizations may have been compromised. Exploit code, too, is now available, and at least 10 advanced persistent threat (APT) groups have adopted the flaws in attacks this year.

    In late March, Microsoft said the Lemon Duck botnet had been observed exploiting vulnerable servers and using the systems to mine for cryptocurrency. Now, researchers from Cisco Talos have provided a deep dive into the cyberattackers’ current tactics.

    Lemon Duck operators are incorporating new tools to “maximize the effectiveness of their campaigns” by targeting the high-severity vulnerabilities in Microsoft Exchange Server, and telemetry data following DNS queries to Lemon Duck domains indicates that campaign activity spiked in April.

    The majority of queries came from the US, followed by Europe and South East Asia. A substantial spike in queries to one Lemon Duck domain was also noted in India.

    Lemon Duck operators use automated tools to scan, detect, and exploit servers before loading payloads such as Cobalt Strike DNS beacons and web shells, leading to the execution of cryptocurrency mining software and additional malware. The malware and associated PowerShell scripts will also attempt to remove antivirus products offered by vendors such as ESET and Kaspersky and will stop any services — including Windows Update and Windows Defender — that could hamper an infection attempt.

    Scheduled tasks are created to maintain persistence, and in recent campaigns, the CertUtil command-line program is utilized to download two new PowerShell scripts that are tasked with the removal of AV products, creating persistence routines, and downloading a variant of the XMRig cryptocurrency miner. Competing cryptocurrency miner signatures, too, are hardcoded and written up in a “killer” module for deletion.

    SMBGhost and EternalBlue have been used in past campaigns, but as the leverage of Microsoft Exchange Server flaws shows, the group’s tactics are constantly changing to stay ahead of the curve.

    Lemon Duck has also been creating decoy top-level domains (TLDs) for China, Japan, and South Korea to try and obfuscate command-and-control (C2) infrastructure. “Considering these ccTLDs are most commonly used for websites in their respective countries and languages, it is also interesting that they were used, rather than more generic and globally used TLDs such as ‘.com’ or ‘.net’,” Cisco Talos notes. “This may allow the threat actor to more effectively hide C2 communications among other web traffic present in victim environments.” Overlaps between the Lemon Duck botnet and Beapy/Pcastle cryptocurrency malware have also been observed.

    “The use of new tools like Cobalt Strike, as well as the implementation of additional obfuscation techniques throughout the attack lifecycle, may enable them to operate more effectively for longer periods within victim environments,” the researchers say. “New TTPs consistent with those reportedly related to widespread exploitation of high-profile Microsoft Exchange software vulnerabilities, and additional host-based evidence suggest that this threat actor is also now showing a specific interest in targeting Exchange Servers as they attempt to compromise additional systems and maintain and/or increase the number of systems within the Lemon Duck botnet.”

  • Pipeline ransomware attack: US invokes emergency transport rules to keep fuel flowing

    The US Department of Transportation (USDOT) has invoked emergency powers in response to the Colonial Pipeline ransomware attack in order to make it easier to transport fuel by road.

    The ransomware attack, disclosed late last week, impacted the pipeline company, which is responsible for supplying 45% of the East Coast’s fuel, including gasoline, diesel, jet fuel, home-heating oil, and fuel for the US military.

    Colonial said it is developing a system restart plan and said that while its mainlines remain offline, some smaller lateral lines between terminals and delivery points are now operational.

    “Quickly after learning of the attack, Colonial proactively took certain systems offline to contain the threat. These actions temporarily halted all pipeline operations and affected some of our IT systems, which we are actively in the process of restoring,” the company said.

    In the meantime, the USDOT’s Federal Motor Carrier Safety Administration (FMCSA) has issued a Regional Emergency Declaration, which grants temporary exemptions from laws restricting road transport of fuel and allows drivers to work for longer. The exemptions apply to vehicles transporting gasoline, diesel, jet fuel and other refined petroleum products to Alabama, Arkansas, District of Columbia, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland, Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South Carolina, Tennessee, Texas, and Virginia.

    “Such emergency is in response to the unanticipated shutdown of the Colonial pipeline system due to network issues that affect the supply of gasoline, diesel, jet fuel, and other refined petroleum products throughout the affected states,” FMCSA said in a statement.

    Cybersecurity experts told Reuters today that the ransomware group DarkSide is suspected to have carried out the attack on Colonial Pipeline. DarkSide runs a ransomware-as-a-service business that other cybercrime groups can rent. It’s been active since mid-2020 and although a decryptor was released in January, security firm Cyber Reason noted that the group recently released DarkSide 2.0. The group is known for encrypting, as well as stealing, some data and using the threat of its exposure on the internet as leverage for the victim to pay ransoms.

    FMCSA’s exemption is aimed at providing commercial tanker operators regulatory relief while directly supporting emergency efforts to patch up fuel supply shortages “due to the shutdown, partial shutdown, and/or manual operation of the Colonial pipeline system”.

    The shutdown of Colonial Pipeline might impact fuel prices depending on the length of the disruption. Gaurav Sharma, an independent oil market analyst, told the BBC that a lot of fuel is banking up at Texas refineries. “Unless they sort it out by Tuesday, they’re in big trouble,” said Sharma. “The first areas to be impacted would be Atlanta and Tennessee, then the domino effect goes up to New York.”

    Colonial Pipeline confirmed on Sunday it was the victim of ransomware and said it had engaged an external cybersecurity firm to assist with its recovery effort.

  • Parliamentary Services pulled MDM system offline causing March APH outage

    Image: Asha Barbaschow/ZDNet
    The Australian Department of Parliamentary Services has said its March outage was a result of a “deliberate choice” to shut down its mobile device management (MDM) system after it saw an attempted intrusion on the parliamentary network.

    “The attack did not cause an outage of the DPS systems. DPS shut down the MDM system. This action was taken to protect system security while investigation and remediation were undertaken,” DPS said in response to Senate Estimates Questions on Notice.

    “To restore services, DPS brought forward the rollout of an advanced mobile services solution that replaced the legacy MDM. The new solution provides greater security and functionality for mobile devices. This rollout was a complex activity and extended the outage experienced by users.”

    Nevertheless, DPS also said the legacy MDM system was still being used in a limited capacity.

    “DPS took two paths to restore services to PCN mobile devices. For some users it was possible to restore services using the legacy MDM in a limited capacity,” it said. “These users were utilising a component of the legacy MDM that did not contain vulnerabilities.”

    It added the MDM replacement had been piloted for three months leading up to the incident, which is why the planned replacement could be brought forward. The department added it had seen no evidence of any email accounts being compromised due to the attack, and that the attack had nothing to do with recent Exchange vulnerabilities.

    DPS said the Senate President would provide further information and “material not appropriately disclosed in the public domain” to the Senate Appropriations, Staffing and Security Committee. In response to another question asking DPS to list all outages impacting connectivity and email from the 2019-20 fiscal year to the present, the department said answering was not appropriate.

    Last month, ASIO Director-General Mike Burgess said he was not concerned by the outage.

    “As the director of security, I’m not concerned by what I’ve seen,” he said. “From my point of view of, ‘Is espionage or cyber espionage being occurred?’ I’m not concerned by that incident.

    “Of course, in the broad, any network connected to the internet is subject to that frequently and the levels of cyber espionage attempts in this country are pretty high, so I remain concerned about that and through the actions of others, the [Australian Cyber Security Centre] that is dealing with the terms of that outage, I am not concerned.”

  • User 'opt-in' rate for tracking across iOS sitting at 13% globally

    Image: Flurry Analytics
    Apple’s app tracking transparency tool, which lets users decide whether they agree to their data being tracked, began rolling out as part of iOS 14.5 last month.

    The feature requires apps to get users’ permission before tracking their data across other companies’ apps or websites for advertising purposes. When asked by users not to track their data, apps will also have to refrain from sharing information with data brokers. But when given the choice, many users are denying permission for apps to gather tracking data.

    In a report from Verizon Media-owned Flurry Analytics, only 13% of global iOS users had allowed apps to track by the second week of the feature being enabled. As first spotted by Apple Insider, only around 5% of daily users in the United States were allowing tracking by week two.

    The Flurry report was compiled from aggregated insights across 2 billion mobile devices. It updates daily, and ZDNet last accessed the data on Monday, 10 May 2021 at 9:30am AEST. It also found that around 5% of iOS users have “restricted” app tracking, meaning apps cannot ask those users to be tracked. This figure is 3% in the US.

    If users select “Ask app not to track”, the app developer won’t be given access to the device’s advertising identifier, which is often used to collect advertising data; and apps that continue to track users who have opted out run the risk of being evicted from the App Store altogether.

  • Ransomware just got very real. And it's likely to get worse

    There’s just been another ransomware attack, but this one could have more significant consequences than the many that have come before.

    Late last week, Colonial Pipeline, which accounts for 45% of the US East Coast’s fuel, was forced to shut down its operations due to a ransomware attack against its systems. Even President Biden was briefed on the incident; it doesn’t get much more high profile than that.

    So will such a significant incident lead to changes in how ransomware is tackled? Possibly, but it’s worth remembering that there have been plenty of damaging and high-profile ransomware attacks across both the US and elsewhere without police or governments coming up with a way of tackling these gangs. That’s largely because the ransomware problem is actually a knotty set of interconnected problems, all of which defy easy solutions.

    Certainly many companies need to take cybersecurity more seriously, and vendors need to focus more on selling software that is secure, and not just rushing it out to customers and (maybe) fixing it later. But forcing companies to spend money on cybersecurity with no obvious return is hard; obliging software companies to fix every fault before they ship their software would bring the industry to a halt.

    Persuading police to take these cases seriously is another problem. Few forces have the expertise to tackle this sort of complicated investigation and, even if they did, tracking down the culprits is hard – and securing a conviction all but impossible. Many of these gangs operate from jurisdictions (such as Russia) that are very unlikely to hand over suspects for trial elsewhere.

    And every time a victim reluctantly pays the gangs, they are making the gangs stronger, and able to take on even more ambitious attacks, even against organisations that have invested in security.

    But the bigger issue is that, as we connect more and more systems to the internet, the real world becomes more at risk of threats like this, that until now have only ever been a problem for the online world. That may focus the attention of governments and police a little more. If a ransomware attack means your company loses the sales data held on a few servers, no one – apart from you and your boss – is going to be too upset. But say those servers were running the traffic lights on a busy stretch of road, or running the x-ray machines at the local hospital – then the attack has a real-world impact.

    The growth of interest in smart cities is one example of how this threat could evolve. The idea behind smart cities is that by using data better we can run cities more effectively and efficiently. In practice that means using all manner of sensors and Internet of Things devices to collect information and automate processes. But unless this is done with security in mind, it means that when the technology goes wrong, we could have big problems.

    As the UK’s cybersecurity agency the NCSC points out: “While smart cities offer significant benefits to citizens, they are also potential targets for cyberattacks due to the critical functions they provide and sensitive data they process, often in large volumes. The compromise of a single system in a smart city could potentially have a negative impact across the network, if badly designed.”

    Any sort of security threat to smart cities could be a problem, but ransomware seems to be the leading candidate for causing chaos right now.

    So will anything really change any time soon? Well, having your activities brought to the attention of the President of the United States is never a good idea, even if ransomware gangs have themselves courted publicity for their attacks in the past as a way of putting pressure on their victims. Such a high-profile incident might put a bit of momentum behind efforts to tackle the problem.

    If more funds are made available to improve the security of creaking but vital infrastructure, that will be a step in the right direction. Making it harder or even banning the payment of ransoms in this context would certainly bring short-term pain for victims but may in the longer term be a way of reducing attacks, too.

    Of all the complicated problems that have allowed ransomware to flourish, it could be that the geopolitical challenge is one of the toughest to overcome. Sanctions and indictments have done little so far to stop the flood of attacks. But if the nations that still allow these gangs to operate could be persuaded that it’s no longer in their interests to let them do so, that could change the situation hugely.

    Still, for now it’s hard to see that the threat of ransomware is going to go away any time soon. Even worse, as we put computers in charge of more of the real world around us, the problem is only likely to get worse.

    ZDNET’S MONDAY MORNING OPENER: The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet’s global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.