More stories


    Bandwidth CEO confirms outages caused by DDoS attack

    Voice over Internet Protocol (VoIP) services company Bandwidth.com has confirmed that it was suffering from outages after reports emerged on Monday night that the service was dealing with a DDoS attack. Bandwidth CEO David Morken said in a statement that “a number of critical communications service providers have been targeted by a rolling DDoS attack.”


    “While we have mitigated much intended harm, we know some of you have been significantly impacted by this event. For that I am truly sorry. You trust us with your mission-critical communications. There is nothing this team takes more seriously,” Morken said.

    “We are working around the clock to support your teams and minimize the impact of this attack. Our account managers and support teams have been actively reaching out to customers individually to address any issues. We will not rest until we end this incident, and will continue to do all we can to protect against future ones.”

    In an earlier statement, the company told ZDNet that Bandwidth “has experienced intermittent impacts” to its services.

    “All our services are currently functioning normally. Our network operations and engineering teams are continuing to monitor the situation and we are actively working with our customers to address any issues. We will post updates to status.bandwidth.com as we have additional information to share,” the company said.

    Since that statement was shared, the company has updated the status showing partial outages for a number of inbound and outbound calling services.

    Bleeping Computer was the first to report on Monday evening that Bandwidth.com was facing issues because of a distributed denial of service attack, a type of attack routinely targeted at VoIP providers.

    The news outlet noted that other VoIP vendors like Accent, RingCentral, Twilio, DialPad and Phone.com were experiencing outages and telling customers that the problems were with an “upstream provider.” On its Cloud Service Status page, Accent said on Tuesday that the “upstream provider continues to acknowledge the DDoS attack has returned to their network however we are seeing a very limited impact to inbound calling for our services.”

    “Mitigation steps are being put in place to route inbound phone numbers around the upstream carrier the impact to service grows. We will continue to monitor the situation and update the status as appropriate,” Accent wrote.

    A source, who asked to have their name withheld, told ZDNet on Monday that their customers were having major problems with their ported phone numbers and that they could not make any changes like forwarding phones.

    The company is a downstream reseller of products hosted by Bandwidth and said they knew of a major telecommunications company that “was in emergency mode” due to the situation with Bandwidth.

    Just a few weeks ago, Canada-based VoIP provider VoIP.ms said it was still battling a week-long, massive ransom DDoS attack. The REvil ransomware group demanded a $4.5 million ransom to end the attack.

    Recent reports have said DDoS attacks are becoming more frequent, more disruptive and increasingly include ransom demands.

    Cloudflare said last month that its system managed to stop the largest reported DDoS attack in July, explaining in a blog post that the attack was 17.2 million requests-per-second, three times larger than any previous one they recorded.


    1Password partners with Fastmail for 'masked email' project allowing users to generate email aliases

    1Password and Fastmail have announced a new service designed to offer users a way to create email aliases and protect their real email addresses. The “Masked Email” service will allow 1Password users to create and manage secure, unique email aliases directly within the 1Password platform. The feature is designed to help users hide their email addresses from certain apps or services they need to use. 

    Fastmail COO Helen Horstmann-Allen said adding the email alias feature to 1Password lets customers protect their email identity in the same way they protect their passwords. “Together, we built a feature I’m really proud of, with a partner who shares our values for both customer privacy and open standards,” Horstmann-Allen said. By allowing users to generate a unique email address, 1Password customers can protect themselves from the kind of phishing emails that have become all too common. A recent report from Deloitte noted that 91% of all cyberattacks start with a phishing email. Andrew Beyer, browser experience lead at 1Password, said people’s email addresses are entry points to their digital lives, making it essential that they remain in control of how they are used and dispersed. “Working with Fastmail, we’ve developed a way to make creating and filling a unique email address through 1Password as easy as generating passwords are today,” Beyer said. 

    Fastmail CEO Bron Gondwana noted that email addresses are effectively a person’s online identity, and if their information is compromised in a data breach, having a randomly generated email address adds a second line of defense “because it can’t be associated with your primary email address, and therefore, your identity.”

    The companies said the feature is ideal for when someone needs to register for a free Wi-Fi network or sign up for an email newsletter. The email addresses never expire unless you manually remove them, and users can manage their aliases from the Fastmail platform. Users can also pause receiving mail to their email aliases.

    Troy Hunt, strategic advisor at 1Password and founder of Have I Been Pwned, said it is now known empirically that data breaches happen many times every single day, and the full extent of the problem is larger than anyone can quantify.

    “My service is now tracking 5 billion email addresses, with each one appearing in an average of 2 data breaches. It’s more important than ever that we protect our privacy, and protecting the primary key to our digital lives — our email address — will have a really positive impact,” Hunt said.


    FinSpy surveillance malware is now spreading through UEFI bootkits

    The nefarious FinSpy spyware has now been upgraded for deployment within UEFI bootkits.

    FinSpy, also known as FinFisher/Wingbird, is surveillanceware that has been detected in the wild since 2011. The software’s Windows desktop-based implants were detected in 2011, and mobile implants were discovered a year later. In 2019, Kaspersky researchers found new, upgraded Android and iOS samples, as well as signs of ongoing infections in Myanmar. The Indonesian government was also connected to the spyware’s use.

    At Kaspersky’s Security Analyst Summit (SAS) on Tuesday, researchers Igor Kuznetsov and Georgy Kucherin said that detection rates for Windows FinSpy implants have declined steadily over the past three years. However, the software has now been upgraded with new PC infection vectors.

    According to Kaspersky, the malware has moved on from deployment purely through Trojanized installers — normally bundled with legitimate applications — including TeamViewer, VLC, and WinRAR. In 2014, its developers added Master Boot Record (MBR) bootkits, which aim to ensure malicious code is loaded at the earliest possible opportunity on an infected machine.

    The researchers say that now, Unified Extensible Firmware Interface (UEFI) bootkits have also been added to FinSpy’s arsenal. The malware will, however, check for the presence of a virtual machine (VM), and if found, only shellcode is delivered, likely in an attempt to avoid reverse engineering attempts.

    UEFI systems are critical to computer systems as they have a hand in loading operating systems. FinSpy is not the only malware to target this machine element, with LoJax and MosaicRegressor also being prime examples. Kucherin did say, however, that the FinSpy bootkit was “not the average we normally see” and all that was necessary to install it was administrator rights.

    A sample of a UEFI bootkit that loaded FinSpy provided the team with clues to its functionality. The Windows Boot Manager (bootmgfw.efi) was replaced with a malicious variant, and once loaded, two encrypted files were also triggered, a Winlogon Injector and the Trojan’s main loader. FinSpy’s payload is encrypted, and once a user logs on, the loader is injected into winlogon.exe, leading to the decryption and extraction of the Trojan.

    If a target machine is too old to support UEFI, this does not mean it is safe from infection. Instead, FinSpy will target the system via the MBR. It is possible for the malware to strike 32-bit machines.

    The spyware is capable of capturing and exfiltrating a wide variety of data from an infected PC, including locally stored media, OS information, browser and virtual private network (VPN) credentials, Microsoft product keys, search history, Wi-Fi passwords, SSL keys, Skype recordings, and more.

    On mobile, FinSpy will target contact lists, SMS messages, files in memory, email content, and GPS location coordinates. In addition, the malware can monitor Voice over IP (VoIP) communication and is able to rifle through content exchanged via apps including Facebook Messenger, Signal, Skype, WhatsApp, and WeChat.

    The macOS version of FinSpy contains only one installer — and the same applies to the Linux version. However, in the latter case, the infection vector used to deliver FinSpy is currently unknown, although it is suspected that physical access may be required.

    The latest investigation into FinSpy took eight months. According to Kuznetsov, it is likely the operators “will keep upgrading their infrastructure all of the time” in what will be a “never-ending story.”


    A cloud company asked security researchers to look over its systems. Here's what they found

    While cloud computing services are often touted as more secure than building applications and hosting them in-house, that doesn’t mean those cloud services are without their own flaws. And with hackers increasingly looking to deploy their attacks through the software supply chain, cloud security is back in the spotlight.

    Cybersecurity researchers found vulnerabilities in the infrastructure of a large software-as-a-service provider which, if exploited by an attacker, could’ve been used by cyber criminals as part of a cloud-based supply chain attack. The unspecified SaaS provider invited cybersecurity researchers at Palo Alto Networks to conduct a red team exercise on their development software pipeline in order to identify vulnerabilities in the supply chain.

    “In just three days, a single Unit 42 researcher discovered critical software development flaws that left the customer vulnerable to an attack similar to those on SolarWinds and Kaseya VSA,” the security company said.

    At a time when so many businesses are reliant on cloud services, it demonstrates how misconfigurations and vulnerabilities can have a huge impact if not managed properly because of the hundreds or even thousands of companies which are reliant on the infrastructure.

    Initially provided with the limited developer access a contractor would have, the researchers managed to elevate privileges to the extent they were able to gain administrator rights to the wider continuous integration (CI) cloud environment.

    Using this access, researchers examined all of the environment they could and were able to locate and gain access to 26 Identity and Access Management (IAM) keys. Some of these contained hard-coded credentials which provided unauthorised access to additional areas of the cloud environment, which could be exploited to gain administrator access – allowing what should have been an account with limited access to gain privileges which open up the whole environment.

    While the company which had requested penetration testing was able to detect some of the activity researchers engaged in, it was only after administrator access had been gained that this was the case – in the event of a real attack, this would’ve been too late and attackers would have compromised the system.

    After the exercise, the researchers worked with the organization’s security operations center, DevOps, and red and blue teams to develop a plan of action to tighten up security with a focus on the early identification of suspicious or malicious operations within their software development pipeline.

    The researchers knew what they were looking for so were able to easily identify misconfigurations and vulnerabilities to exploit. While this might involve advanced knowledge of these environments and how to exploit them, it’s the sort of thing that specialised attack operations like ransomware gangs or nation-state backed Advanced Persistent Threat Groups (APTs) would also be familiar with – and will actively exploit if they can, as demonstrated by recent incidents.

    “Successful supply chain attacks are particularly devastating due to the widespread fallout of the attacks, for example potentially thousands of downstream customer environments being compromised. The risk of fallout conditions should mandate the increase of security mechanisms and procedures used to protect the supply chain”, Nathaniel Quist, principal researcher at Unit 42 at Palo Alto Networks, told ZDNet.
    Part of the reason these environments can be exploited is because they’re complex and can be difficult to secure – it’s understandably not a simple task and vulnerabilities and misconfigurations can snowball to the extent that with patience and the right skills, attackers could exploit access to service providers and leave customers vulnerable to attacks.

    There are a number of things which can be done to help protect cloud environments from unauthorised access, including providing access to systems and services on a role-based basis. If developer staff don’t need access to access management keys, then there’s no reason they should be able to gain hold of them.

    “Role-Based Access Controls (RBAC) within the developer roles would have prevented the Unit 42 researchers from accessing all of the developer repositories. Had the client limited developer user accounts to only the repositories required to perform their job, it would have prevented the red team from identifying all of the 26 hardcoded IAM keys,” said Quist.

    Organisations should also implement security checks and barriers as part of the development lifecycle. If this is implemented properly, it might be possible to determine that there’s been unauthorised access to systems, something which could prevent an attack from being sent down the line to customers.

    In this scenario, there’s still a security issue to deal with, but dealing with it before hundreds or thousands of customers have been affected is a much better way to deal with it.


    Microsoft warning: This malware creates a 'persistent' backdoor for hackers

    Microsoft has uncovered another piece of malware used by the attackers who were behind the SolarWinds software supply chain attack discovered in December.

    Security researchers have discovered numerous modules used by the attack group, which Microsoft calls Nobelium. The US and UK in April officially blamed the attack on the hacking unit of the Russian Foreign Intelligence Service (SVR), which is also known as APT29, Cozy Bear, and The Dukes.

    Microsoft in March uncovered the GoldMax, GoldFinder, and Sibot components from Nobelium, building on other malware from the group including Sunburst/Solarigate, Teardrop and Sunspot.

    The newly discovered malware, called FoggyWeb by Microsoft, is a backdoor used by the attackers after a targeted server has already been compromised. In this case, the group uses several tactics to steal network usernames and passwords to gain admin-level access to Active Directory Federation Services (AD FS) servers, which gives them access to identity and access management infrastructure for controlling user access to apps and resources. This allows the attackers to stay inside a network even after a clean up. FoggyWeb has been used in the wild since as early as April 2021, according to Microsoft.

    “Nobelium uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components,” explains Ramin Nafisi of the Microsoft Threat Intelligence Center.

    “FoggyWeb is a passive and highly targeted backdoor capable of remotely exfiltrating sensitive information from a compromised AD FS server. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server,” Nafisi adds.

    The backdoor allows abuse of the Security Assertion Markup Language (SAML) token, which is used to help users authenticate to applications more easily.

    Microsoft recommends potentially affected customers take three key steps: auditing on-premise and cloud infrastructure for configurations, and per-user and per-app settings; removing user and app access, reviewing configurations, and re-issuing new, strong credentials; and using a hardware security module to prevent FoggyWeb from stealing secrets from AD FS servers.

    Microsoft in May uncovered more Nobelium infection tools, including EnvyScout, BoomBox, NativeZone, and VaporRage, as well as a spear-phishing campaign that piggy-backed on a legitimate US email-marketing service.


    Scalper bots are now targeting graphics card vendors

    When you think of automatic bots, it may be that the first thing that springs to mind is the annoyance of getting up early and waiting in anticipation for concert tickets to go on sale for your favorite band — only to have them all slurped up within seconds. 

    It’s a well-known practice. Set up a bot to purchase a coveted item or service and then sell them on the market with a steep mark-up. Generate profit, move on to the next in-demand product.

    Reselling online is big business, and when individuals lost their jobs due to the COVID-19 pandemic, some turned to bot operations to make ends meet.

    Others simply work this business to make a profit on hot ticket items. One group, for example, claimed to have secured 3,500 PlayStation 5 consoles in Europe and the UK, contributing to an almost immediate sell-out of the next-generation gaming system.

    An issue surrounding the supply of PS5s is a global shortage of chips, made worse by the pandemic and natural disasters. Graphics cards, for example, are in high demand not only by tech vendors but also gamers and cryptocurrency miners — and in response to this demand, scalper bots have made their presence known.

    On Tuesday, bot mitigation platform Netacea published its Top Five Scalper Bots Quarterly Index, a tracking report that identifies the hottest products most often targeted by scalper bots.

    Covering April to June this year, the company says that the most popular item was the $110 Air Jordan Retro 1 High OG sneakers, which once scalped and resold, have gone for up to seven times — or more — their original price tag.

    The second most coveted item was the PS5. One bot observed by Netacea made “one million purchase attempts” in only six hours. In third place were graphics cards suitable for gaming purposes. The most popular product scalpers tried to secure was the NVIDIA RTX 3000 series. In fourth was another fashion item, Yeezy Boost 700 MNVN sneakers, and in fifth, chips made a comeback — graphics cards marketed for cryptocurrency mining purposes.

    “It’s an especially difficult time for retailers,” commented Andy Still, chief technology officer at Netacea. “In addition to supply chain issues adding to the challenges of the last two years, they increasingly face the risk of bots buying their most popular items before their customers — a trend that negatively impacts prices and a brand’s reputation.”


    Crisis management and incident management in the digital era

    An “incident” is defined as unplanned downtime, or interruption, that either partially or fully disrupts a service by offering a lesser quality of service to the users. If the incident is major, then it is a “crisis.”

    When it starts to affect the quality of service delivered to the customers, it becomes an issue, as most service providers have service level agreements with the consumers that often have penalties built in.

    As I continue my research in these areas, and after talking to multiple clients, I have come to the realization that most enterprises are not set up to handle IT-related incidents or crises in real time. The classic legacy enterprises are set up to deal with crises in old-fashioned ways, without considering the Cloud or the SaaS model, and social media venting brings another quirk. Newer digital native companies do not put much emphasis on crisis management, from what I have seen.

    Especially with the need and demand for “always-on,” incidents do not wait for a convenient time. Problems can, and often do, happen on weekends, holidays, or weeknights when no one is paying attention. When an incident happens, a properly prepared enterprise must be in a situation to identify, assess, manage, solve, and effectively communicate it to the customers.

    Another key issue to note here is the difference between security and service incidents. A security incident is when either data leakage or data breach happens. The mitigation and crisis management there involves a different set of procedures, from disabling the accounts to notifying stakeholders and account owners and escalating the issue to security and identity teams. A service incident is when a service disruption happens, either partially or fully. It needs to be escalated to DevOps, developers and Ops teams. Since they are similar, some of the crisis management procedures might overlap. But if your support teams are not aware of the right escalation process, then they might be sending critical alerts up the wrong channel when minutes matter in a critical situation. For the sake of this article, I am going to be discussing only service interruptions, though a lot of parallels can be drawn to a security incident as well.

    Avoid incidents when possible

    Avoidance is better than fixing issues in any situation. There are many things an enterprise can do to avoid situations, such as vulnerability audits, early warning monitoring, code profile audits, release review committees, anomaly detection, etc. One should also invest in proper observability, monitoring, logging, and tracing solutions. I have written many articles on those areas as well; they are too complex to cover in detail here.

    Prepare for the unexpected

    With most enterprises, there is no preparation or plan of action when an incident happens. In the digital world, incidents do not wait around for days to be solved or managed. If you let social media take over, it will. Sometimes it can even have a mind of its own. When you are not telling the story, the social media pundits will be telling your story for you.

    Identify the incident before others do

    I wrote a few articles on this topic. In my latest article, “In the digital economy, you should fail fast, but you also must recover fast,” I discuss the need for speed to find issues faster than your customers or partners can. Software development has fully adopted the DevOps and agile principles, but the Ops teams have not fully embraced the DevOps methodologies. For example, the older monitoring systems, whether they are application performance monitoring (APM), infrastructure monitoring, or digital experience monitoring (DEM) systems, can also find if there is a service interruption fairly quickly. However, identifying the micro service that is causing the problem, or the changes that went into effect that caused this issue, is complex in the current landscape. I have written repeatedly about the need for observability and for finding the issues faster, at the speed of failure.

    Act quickly and decisively

    When major incidents happen, it should be an all-hands-on-deck situation. As soon as a critical incident (Sev. 1) is identified, an incident commander should be assigned to the incident, a collaborative war room (virtual or physical) must be immediately opened, and proper service owners must be invited. If possible, the issue must be escalated immediately to the right owner who can solve the problem rather than going through the workflow process of L1 through L3, etc. In the collaborative war room, finger-pointing and blaming someone else are quite common, but that will delay the process further. In addition, if too many people are invited to these collaborative war rooms, there has to be a mechanism to identify mean-time-to-innocence (MTTI) so anyone who is invited can continue their productive work by leaving if they are not directly related and cannot assist in solving the issue.

    Own your story on your digital channels

    When a Sev. 1 or a major service interruption happens, your users need to know, your service owners need to know, and your executives need to know. In other words, everyone who has skin in the game should know. Part of it would be external communication. At the very minimum, there has to be a status page that will display the status and quality of service, so everyone is aware of the service status all the time. In addition, an initial explanation of what went wrong, what you are doing to fix it, and a possible ETA should be posted either as a status update or on regular posts on LinkedIn, Twitter, Facebook, and other social media platforms where your enterprise brand is present. Going dark on social media will only add fuel to the fire. Your users know your services are down. If they get no updates from you, speculators, or even competitors, will spread rumors to ruin your brand.

    This is where most digital companies are weak as they are not prepared, which can make or break an SMB enterprise. Real-time crisis and reputation management are crucial in those critical moments while engineers and support teams are trying to solve the problem. It is also a good idea to use sentiment analysis and reputation tools to figure out who is saying extremely negative things and to try to either take them offline to deal with them directly or respond in kind to avoid further escalation.

    Do a blameless post-mortem

    A common pattern I see across organizations is after the crisis is solved and the incident is fixed, everyone seems to move on to the next issue quickly. It could be because there are too many issues that the support, DevOps, and Ops teams are overwhelmed, or they do not think it is necessary to analyze what or why this happened. An especially important part of crisis/incident management is to figure out what went wrong, why it went wrong, and more importantly, how you can fix this once and for all, so this will not happen ever again. After figuring out a solution, document it properly. You also need to have a repository to store these solutions so in the unfortunate incident that it happens again, you know how to solve this quickly and decisively.

    Follow-up

    In addition, discuss the situation with your top customers who were affected by it; explain what you did to solve the issue and how you fixed it so it will not repeat. More importantly, discuss how you were prepared for the incident before it happened. This instills huge confidence in your brand. Not only will you not lose customers, but you will gain more because of how you handled it.

    In addition, the general advice from crisis management firms would be to cancel any extravagant events that are planned in the immediate future. If your critical services were down for days, but your executives were having a huge conference in Vegas, the social media world would be at it for days. Monitor social media platforms (LinkedIn, Twitter, Facebook at a minimum or whatever other social media platforms your company has a presence on, including negative comments on your own blog sites) for tone; you can even use AI-based sentiment analysis tools to identify still unsatisfied customers to discuss their concerns and how you can address them. Until these concerns are addressed, your incident is not completely solved.

    Another best practice would be to avoid hype content or marketing buzz for a while after a major incident happens. I have seen companies go on with the plan and get a backlash from customers that they are all talk and nothing really works.

    Conclusion

    Let’s face it: every enterprise is going to face this sooner or later. No one is invincible. The question is, are you ready to deal with it when it happens to you? The ones who handle it properly can win the customers’ confidence, showing they are prepared to handle future incidents if they were to happen again.

    Do you earn your customers’ trust by doing this the right way, or do you lose it by botching and covering this up? That will define you going forward.

    At Constellation Research, we advise companies on tool selection, best practices, trends, and proper IT incident/crisis management setup for the cloud era so you can be ready when it happens to you. We also advise the customers in the RFP, POC, and vendor contract negotiation process as needed.


    Cryptocurrency expert pleads guilty to helping North Korean government use blockchain to evade sanctions

    Cryptocurrency expert Virgil Griffith has pleaded guilty to helping North Korean officials evade sanctions using blockchain and cryptocurrency in 2019. Griffith is now facing up to 20 years in prison and will be sentenced on January 18, 2022.

    Griffith was arrested in November 2019 after he flew to North Korea in April 2019 and gave a technical talk at the Pyongyang Blockchain and Cryptocurrency Conference. Griffith was allegedly warned by US State Department officials not to go ahead of his trip but went anyway.

    The 38-year-old, who was a resident of Singapore before his arrest, pled guilty to conspiring to violate the International Emergency Economic Powers Act in US District Court on Monday.

    “As he admitted in court today, Virgil Griffith agreed to help one of our nation’s most dangerous foreign adversaries, North Korea. Griffith worked with others to provide cryptocurrency services to North Korea and assist North Korea in evading sanctions, and traveled to North Korea to do so,” US Attorney Audrey Strauss said.

    “In the process, Griffith jeopardized the national security of the United States by undermining the sanctions that both Congress and the President have enacted to place maximum pressure on the threat posed by North Korea’s treacherous regime.”

    US citizens are banned from “exporting any goods, services, or technology” to North Korea without a license from the Department of the Treasury’s Office of Foreign Assets Control.

    The Justice Department claimed Griffith began planning his assistance to the North Korean government in 2018 by “developing and funding cryptocurrency infrastructure there, including to mine cryptocurrency.”

    He allegedly knew that the tools he was creating would be used to evade US sanctions and fund government activities that include the North Korean nuclear weapons program and “other illicit activities.” His presentation at the conference was “tailored to the DPRK audience,” according to a statement from the Justice Department.

    “At the DPRK Cryptocurrency Conference, Griffith and his co-conspirators provided instruction on how the DPRK could use blockchain and cryptocurrency technology to launder money and evade sanctions,” the Justice Department explained.

    “Griffith’s presentations at the DPRK Cryptocurrency Conference had been approved by DPRK officials and focused on, among other things, how blockchain technology such as ‘smart contracts’ could be used to benefit the DPRK, including in nuclear weapons negotiations with the United States.”

    Griffith and others also helped answer questions about blockchain from North Korean government officials and worked to set up ways for cryptocurrency to be exchanged between North Korea and South Korea. The original criminal complaint says Griffith was working on “plans to facilitate the exchange of Cryptocurrency-1 [Ether] between the DPRK and South Korea.”

    The Justice Department accused Griffith of going even further, pledging to recruit other experts to travel to North Korea for blockchain projects and set up connections between government officials and cryptocurrency service providers.

    Griffith was a member of the Ethereum Foundation’s Special Projects group before his arrest. He also operated a Tor-to-Web (Tor2Web) service called Onion.city, according to previous reporting from ZDNet.
