More stories

    China could 'control the global operating system' of tech, warns UK spy chief

    The West must continue investing in and developing cyber defences or risk falling behind in a world where innovations around the use of technology aren’t necessarily driven by allies. The director of the UK’s intelligence and cyber agency GCHQ Jeremy Fleming said the country is now a global cyber power – but retaining that status in a fast-changing world is far from guaranteed, especially as China and Russia look to spread competing values and project cyber strength via the use of technology. “New technology is enabling life online. Cybersecurity is an increasingly strategic issue that needs a whole-nation approach. The rules are changing in ways not always controlled by government,” said Fleming.

    “And without action, it is increasingly clear that the key technologies on which we will rely for our future prosperity and security won’t be shaped and controlled by the West. We are now facing a moment of reckoning,” he added.

    Fleming made the comments while delivering this year’s Imperial College Vincent Briscoe Annual Security Lecture and warned that elements of the global digital environment are under threat from authoritarian regimes and, if left unchecked, that could threaten the design and freedom of the internet as states with “illiberal values” look to mould cyberspace in their own image.

    “The threat posed by Russia’s activity is like finding a vulnerability on a specific app on your phone – it’s potentially serious, but you can probably use an alternative. However, the concern is that China’s size and technological weight means that it has the potential to control the global operating system,” said Fleming.

    “In practice, that means that states like China are early implementors of many of the emerging technologies that are changing the digital environment. They have a competing vision for the future of cyberspace and are playing strongly into the debate around international rules and standards,” he added.

    “States that do not share our values build their own illiberal values into the standards and technology upon which we may become reliant. If that happens, and it turns out to be insecure or broken or undemocratic, everyone is going to be facing a very difficult future,” he warned.

    One example of the geopolitical issues around this has already become apparent: while China has become one of the leading countries behind 5G technology, the UK government has banned 5G equipment made by Chinese technology company Huawei from UK mobile networks, citing security concerns. That’s after the UK government previously gave Huawei the green light to play a role in the country’s 5G network.

    However, Fleming said that the UK can maintain and build upon its strategic technical advantage by developing its own technologies in key areas like quantum computing and cryptography – which can help protect sensitive information and capabilities from attacks and disruption.

    “As a country, we need to be using all the levers and tools at our disposal to shape and grow key technologies and markets. We must do that in a way that helps protect the nation and open society. And that means becoming better at using the power of the state to both foster and protect brilliant developments in technology,” Fleming said.

    However, it’s also important that the UK isn’t acting alone – and Fleming cited the importance of working with allies in order to help improve cyber defences for everyone. “We may be an island but we’re far from isolated. It takes collective effort by like-minded allies to use technology to deliver strategic advantage. Only by working with others can we outperform our adversaries,” he said.


    Ransomware's perfect target: Why one industry needs to improve cybersecurity, before it's too late

    Ransomware attacks against the shipping and logistics industry have tripled in the past year, as cyber criminals target the global supply chain in an effort to make money from ransom payments.

    Analysis by cybersecurity company BlueVoyant found that ransomware attacks are increasingly targeting shipping and logistics firms at a time when the global COVID-19 pandemic means that their services are required more than ever before.

    Ransomware attacks have become a major cybersecurity problem for every industry, but a successful attack against a logistics company could potentially mean chaos – and an extremely lucrative payday for attackers.

    The nature of the industry and the potential impact of how disruption can affect the whole supply chain might mean that an affected organisation pays the ransom demand, perceiving it to be the quickest, most effective way of restoring the network – despite law enforcement and cybersecurity experts warning victims that they shouldn’t encourage cyber criminals by paying ransoms.

    “Shipping and logistics companies are large businesses that are highly sensitive to disruption, making them perfect targets for ransomware gangs,” Thomas Lind, co-head of strategic intelligence at BlueVoyant, told ZDNet.

    2017’s NotPetya cyberattack demonstrated the amount of disruption that can occur in these scenarios, when shipping firm Maersk had vast swathes of its network of tens of thousands of devices across 130 countries encrypted and knocked offline in an incident that cost hundreds of millions in losses.

    But despite this high-profile cyber event demonstrating the need for a good cybersecurity strategy, according to BlueVoyant’s report, shipping and logistics companies need to “dramatically” improve IT hygiene and email security to make networks more resilient against ransomware and other cyberattacks.

    That includes fixing vulnerabilities in remote desktops or ports, something that 90% of the organisations studied in the research were found to have. Vulnerabilities in RDP systems like unpatched software or the use of default or common login credentials can provide cyber attackers with relatively simple access to networks.

    “When unsecured, ransomware attackers are able to gain access to a system and then move laterally in order to most effectively compromise and lockdown a target network,” said Lind. “Companies are not adequately securing themselves – and we haven’t seen any industry with worse protections in place than supply chain and logistics.”

    In some cases, it isn’t ransomware groups that are breaching logistics and shipping companies, but merely opportunistic cyber criminals who know they’ll be able to sell the credentials on for others to use to commit attacks.

    Shipping and logistics companies have vast networks – but there are cybersecurity procedures that can improve their defences against cyberattacks. These include securing port and network configuration so that default or easy-to-guess credentials aren’t used and, where possible, securing the accounts with two-factor authentication.

    “Ransomware gangs don’t hide what they’re doing: they hit remote desktop protocol (RDP) and other remote desktop ports. Especially in a time when many companies set up remote desktops for remote workers, this is a critical issue,” said Lind.

    Organisations should also update and patch software in a timely manner so cyber criminals can’t take advantage of known vulnerabilities to gain access to networks.

    ToxicEye: Trojan abuses Telegram platform to steal your data

    Operators of a new Remote Access Trojan (RAT) are exploiting the Telegram service to maintain control of their malware. 

    Dubbed ToxicEye, the RAT abuses Telegram as part of its command-and-control (C2) infrastructure in order to conduct rampant data theft. On Thursday, Omer Hofman from Check Point Research said in a blog post that the new remote malware has been observed in the wild, with over 130 attacks recorded in the past three months.

    Telegram is a communications channel and instant messaging service that recently experienced a surge in popularity prompted by controversial changes to WhatsApp’s data sharing policies with Facebook. The legitimate platform, which accounts for over 500 million monthly active users, has also proven popular with cybercriminals using the service as a springboard to spread and deploy malicious tools.

    The attack chain begins with ToxicEye operators creating a Telegram account and a bot. Bots are used for a variety of functions including reminders, searches, issuing commands, and launching polls, among other features. However, in this case, a bot is embedded into the malware’s configuration for malicious purposes.

    “Any victim infected with this malicious payload can be attacked via the Telegram bot, which connects the user’s device back to the attacker’s C2 via Telegram,” the researchers say.

    Phishing emails with malicious document attachments are sent to intended victims. If a victim enables the download of the subsequent malicious .exe file, ToxicEye then deploys.

    The ToxicEye RAT has a number of functions that you would expect this particular brand of malware to possess. These include the ability to scan for and steal credentials, computer OS data, browser history, clipboard content, and cookies, as well as the option for operators to transfer and delete files, kill PC processes, and hijack task management. In addition, the malware can deploy keyloggers and is able to compromise microphone and camera peripherals to record audio and video. Ransomware traits, including the ability to encrypt and decrypt victim files, have also been detected by the researchers.

    ToxicEye is the latest in a string of malware strains that use Telegram to maintain a C2, with off-the-shelf and open source malware that contains this functionality now commonplace. If you suspect an infection, search for “C:\Users\ToxicEye\rat.exe”. This goes for both individual and enterprise use, and if found, the file should be immediately removed from your system.

    “Given that Telegram can be used to distribute malicious files, or as a C2 channel for remotely controlled malware, we fully expect that additional tools that exploit this platform will continue to be developed in the future,” the researchers commented.

    King Island connectivity upgrade to include 110km radio link across Bass Strait

    The radio link will land at Cape Wickham on King Island.
    When completed, a 110-kilometre radio link from King Island back to Victoria’s Surf Coast will be the longest such link over water in the Telstra network, the company said on Friday. The new link is part of a AU$9.8 million connectivity upgrade for King Island that will see the island get a six-fold improvement in bandwidth. The project will see two new mobile sites, two new small cell sites, and LTE upgrades at another three sites, as well as 37 kilometres of fibre laid on the island.

    Money for the upgrade was coughed up by Telstra, King Island Council, the Tasmanian government, and the Commonwealth’s Regional Connectivity Program (RCP). Last week, the government announced it had selected 81 sites for its Regional Connectivity Program, but did not name them. When announcing the upgrade on Friday, Communications Minister Paul Fletcher failed to acknowledge the presence or monetary input of anyone not in the federal government.

    Revealing a touch more information on some of the successful RCP sites, the minister said AU$8 million of the fund was earmarked for five projects in Tasmania: improving bandwidth to nine regional schools; a connectivity upgrade in Geeveston; improving mobile coverage in Jericho; and a connectivity boost at Greenhill Observatory to “enhance Australia’s sovereign space capability”.

    Work is due to start on the King Island project before the year is out.

    Earlier in the week, Telstra announced its Adapt S1 product, which combines VMware SD-WAN with a Palo Alto security platform. Telstra said the product uses its core network to improve redundancy and security.

    “With staff using consumer-grade networking technology to log onto corporate VPNs, it’s important for business to implement a secure stack,” Telstra global connectivity and platforms executive and group owner Sanjay Nayak said. “With more data flowing to mobile offices and workers, Adapt S1 can secure the corporate WAN in one seamless solution.”

    Adapt S1 is provided by Telstra partners such as 1Step Communications, Azured, Digital Armour, Exigo Tech, Mangano IT, Oreta, StarData, Virtual IT Group, and Wireless Communications. The new product forms part of the telco’s adaptive networks banner.

    Twitter accidentally spams users asking them to confirm accounts

    On Friday afternoon, many Australian Twitter users were asking whether to trust an email asking people to confirm their accounts. The online consensus was fast coming to the conclusion that it was all a scam — a very good recreation of legitimate emails from Twitter — when the social media network fessed up that it was responsible.

    “Some of you may have recently received an email to ‘confirm your Twitter account’ that you weren’t expecting. These were sent by mistake and we’re sorry it happened,” the company said on its support account. “If you received one of these emails, you don’t need to confirm your account and you can disregard the message.”

    Last month, the Australian Competition and Consumer Commission said Australian businesses reported losing more than AU$14 million due to payment redirection or business email compromise scams to Scamwatch, with losses in 2021 set to be five times higher. In 2019, 25,000 phishing scams were reported to Scamwatch, with only 513 reported as resulting in financial loss, valued at AU$1.5 million. Nevertheless, phishing was the most popular scam method.

    Tech giants and cops at least agree thwarting terrorist or extremist activity is a joint effort

    The Parliamentary Joint Committee on Intelligence and Security (PJCIS) in December kicked off an inquiry into extremist movements and radicalism in Australia, considering, among other things, the role of social media, encrypted communications platforms, and the dark web in allowing such activity.

    The New South Wales Police Force told the committee that online propaganda continues to instruct, recruit, inspire, cause fear, and encourage attacks. It said this remains a significant driver for global terrorism and the targeting of crowded places in Western countries.

    “Extremist groups, across all ideologies … have consistently demonstrated a willingness to harness new technologies to amplify their messages, reach new audiences, and coordinate activities,” NSW Police said [PDF]. “Digital platforms, including social media, encrypted messaging applications, live-streaming platforms, and the dark web are able to be used effectively by extremist groups. These innovations have allowed new types of communities to emerge, where ideological affinity overcomes a lack of physical proximity.

    “Internet-enabled technologies have provided an accessible, low-cost means to establish, engage and empower like-minded groups across divides.”

    It said that where platforms associated with extremist groups and implicated in terror attacks have been taken down by their hosts, rather than resulting in the demise of these platforms it has simply displaced them, emerging in altered forms and with new hosts. “Pushing extremists to the fringes of the internet, away from mainstream users, could be a positive but it presents a different set of challenges for law enforcement and intelligence agencies,” NSW Police added.

    Also providing a submission [PDF] to the inquiry, Facebook said the existence of terrorist or extremist groups within society inevitably leads to terrorist or extremist activity online. The social media giant detailed its work in removing terrorist or extremist activity, but told the PJCIS it must consider not just how to prevent the violent manifestations of extremism, but also how to combat hate, labelling it the root cause of extremism.

    On encrypted communications, Facebook said end-to-end encryption is the best security tool available to protect Australians from cybercriminals and hackers, but it also poses a legitimate policy question: “How to ensure the safety of Australians if no one can see the content of messages except the sender and the receiver?”

    “The solution is for law enforcement and security agencies to collaborate with industry on developing even more safety mitigations and integrity tools for end-to-end encrypted services, especially when combined with the existing longstanding detection methods available to law enforcement,” it wrote. “We already take action against a significant number of accounts on WhatsApp (a fully end-to-end encrypted messaging service) for terrorism reasons, and we believe this number could increase with greater collaboration from law enforcement and security agencies.”

    It said it’s committed to working with law enforcement, policymakers, experts, and civil society organisations to develop ways of detecting bad actors without needing access to the content of encrypted messages. It added that the creation of backdoors is not the way forward.

    Similarly detailing its approach to removing terrorist or extremist activity across its platforms to the PJCIS, Google said [PDF] it also engages in ongoing dialogue with law enforcement agencies to understand the threat landscape, and respond to threats that affect the safety of its users and the broader public. Google receives approximately 4,000 requests each year for user data from Australian law enforcement agencies.

    The search giant also said encryption is a “critically important tool in protecting users from a broad range of threats”.

    “Strong encryption doesn’t create a law free zone — companies can still deploy several anti-abuse protections using metadata, behavioural data, and new detection technologies — without seeing the content of messages encrypted in transit (thereby respecting user privacy),” it wrote. “While we are unable to provide to law enforcement the unencrypted content of messages encrypted in transit, we are still able to provide a wealth of data and signals that in some instances have proven richer than content data. Metadata such as call location, associated phone numbers, frequency and length of call/text are logged on our servers and can be shared with law enforcement/intelligence when provided with a valid court order.”

    Offering similar summaries of the work it does in countering terrorist or extremist activity on its platform, Twitter told the PJCIS its goal is to protect the health of the public conversation, and to take immediate action on those who seek to spread messages of terror and violent extremism.

    “However, no solution is perfect, and no technology is capable of detecting every potential threat or protecting societies and communities from extremism and violent threats on their own,” Twitter said [PDF]. “We know that the challenges we face are not static, nor are bad actors homogenous from one country to the next in how they evolve, behave, or the tactics they deploy to evade detection.”

    The Office of the Australian eSafety Commissioner told the committee that its research on young people and social cohesion showed 33% of young people have seen videos or images promoting terrorism online, and over 50% of young people had seen real violence that disturbed them, racist comments, and hateful comments about cultural or religious groups. It told the PJCIS it believes the best tactic to prevent terrorist or extremist activity is education.

    “Especially in the context of this inquiry, it is important to consider the structural, systemic, and social factors that may lead someone to be attracted to, and engage in, negative or dangerous activity online,” its submission [PDF] said. “A whole of community approach and systems approach is therefore needed to understand and address the underlying drivers of this behaviour, as well as provide diversion and alternative pathways to support and assistance.

    “Giving individuals the skills and strategies to prevent and respond to harmful experiences online and engage online in ways likely to promote safe and positive online experiences.”

    Best free PC antivirus software in 2021

    If you use a Windows PC, do you really need third-party antivirus software? For that matter, do you need to pay for the protection? The answer to that question was easy a decade ago. Today, the built-in security features in Windows 10, including the Microsoft Defender Antivirus engine, pass the “good enough” test, making the choice less clear-cut.

    But for some picky PC users, replacing the basic built-in antivirus protection with software from an outside developer is just natural when setting up a new Windows PC. Even if the difference is small, it’s still an improvement. In a world where ransomware is an existential threat to businesses and banking-related Trojans and phishing attacks can drain your checking account in minutes, you want every edge.

    The best-known commercial antivirus programs for Windows typically require an annual paid subscription, but some perfectly respectable names also distribute free versions of their software, usually for noncommercial use only. Typically, these programs include the exact same scanning engines and malware definition files, minus most of the fancier features and, crucially, offering minimal support options. You can also expect frequent, occasionally annoying upsell offers as the developers try to convince you to upgrade to a paid plan.

    All of the programs we list here are completely free and are appropriate for use in a home setting by nontechnical users. We don’t recommend any of these programs for use by businesses, which need quick access to support lines and, in larger businesses, centralized management and monitoring dashboards. These are especially good choices if you’re the unofficial IT admin for friends and family members who can’t always spot a scam or a phishing attempt.

    Hope you like upsell offers

    After nearly a quarter-century with its free product in the US market, AVG has developed a solid identity as the go-to name in free AV software. Indeed, the AVG brand remained even after AVG’s parent company was acquired by Avast Software in 2016. Today, both Avast and AVG have free antivirus offerings that use the same engine and are nearly identical in appearance, and everything we say about AVG’s free package applies to Avast Free Antivirus.

    Both products do well in independent testing, but they’re equally aggressive about monetizing their customers. When you install the free product, you sign up for a barrage of offers trying to convince you to upgrade to a paid plan. The installer even includes an offer to install Google Chrome, which results in a bounty from Google to Avast/AVG. We found the torrent of upsell techniques to be annoying and occasionally downright manipulative, so be warned.

    The basic virus-scanning tools in either product work exactly as advertised. If you can ignore the frequent upgrade offers, it’s a perfectly good choice.


    Antivirus and much more (maybe too much)

    Avira Free Security includes basic antivirus scanning, as expected, but it also includes a pair of extra modules intended to improve performance and safeguard privacy. The performance tab of the Avira console includes options for cleaning the registry, uninstalling outdated apps, and deleting unnecessary files. Options on the Privacy tab offer to turn off telemetry-related settings and adjust other settings.

    If you’re the sort of tech-savvy Windows user who approves of that sort of tweaking, go right ahead. On the other hand, we recommend caution if you’re setting up this software on a PC that belongs to a user who’s not technically sophisticated, because in our experience these sorts of modifications can have unintended consequences.


    The minimalist antivirus alternative

    Bitdefender, a privately held company based in Romania, has a solid reputation for its paid security products. Its free offering includes a minimalist interface, with no frills or extras, that’s refreshingly free of upsell offers.

    Bitdefender Antivirus Free promises “basic antivirus protection for Windows PCs,” and that’s exactly what you get. It takes over the malware scanning and removal functions normally assumed by Microsoft Defender Antivirus but doesn’t include additional features such as ransomware protection, system optimization, or a virtual private network, which are part of the company’s paid plans.

    If that basic level of protection is what you’re looking for, this is a perfect fit.


    From Russia, with a few extras

    Eugene Kaspersky, who founded Kaspersky Lab, argues that offering free protection to its customers is part of its core mission. Yes, you will see upsell offers in Kaspersky products (including a can’t-miss red “Upgrade package” button on the Kaspersky management console), but they are, by and large, much kinder and gentler than those of their competitors. For the most part, installing the free Kaspersky product doesn’t change your daily experience.

    Kaspersky’s free product includes two of the more useful extras we’ve seen in this category: a free password manager and a VPN that offers 300 MB of daily use. If someone’s not already using a third-party password manager, this is a good option, and the VPN capabilities are valuable for anyone who wants casual access to a protected network without a lot of fuss.

    Like so many security software companies, Kaspersky’s headquarters are behind the old Iron Curtain. If that bothers you, good luck finding an alternative that doesn’t have a few Eastern European connections.


    Manage up to three PCs from the web

    Although Sophos Home offers a free tier, you can’t install it directly. Instead, you get a free 30-day trial of Sophos Home Premium first (no credit card required). After 30 days, your installation is downgraded to the free edition and you lose the ransomware protection, exploit mitigation, privacy controls, and other features that are exclusive to the paid package.

    Using the web-based console means you can monitor activity and even launch a scan remotely. (The paid version allows you to keep track of 10 PCs, but the free version is limited to three devices.) That feature’s handy if you’re trying to keep tabs on PCs belonging to other family members who aren’t part of your immediate household. The free version also includes web filtering tools that allow you to provide warnings or block access to websites that fall into any of more than two dozen categories, with the option to enter exceptions in the case of false positives.


    Is the Microsoft Defender Antivirus included with Windows 10 good enough?

    For most people, the built-in security features in Windows 10 are indeed good enough. That includes Microsoft Defender Antivirus, which is turned on automatically and updates itself continuously. It also includes a built-in firewall (which is on by default) and Microsoft Defender SmartScreen technology, which blocks malicious or unknown apps and files from the web, even when they’re downloaded from a browser other than Microsoft Edge. If you choose to install third-party security software, Windows automatically disables the corresponding Microsoft Defender features.

    Do independent antivirus test results matter?

    Well, sort of. Security software makers pay for the privilege of participating in these tests, which use a mix of known malware samples, suspicious website behaviors, and other indicators to measure success. The difference between a 98.4% rating and a 100% rating is insignificant, especially considering how many other layers of security can prevent an executable file or script from landing on your desktop in the first place.

    In addition, a 100% rating means only that the software successfully passed all the challenges it faced in that month’s test cycle. It doesn’t mean you’ll be 100% protected from a malicious download or email attachment.

    How much does effective antivirus software cost?

    In researching the prices of commercial security software for use on home PCs, one thing we learned is that there’s no such thing as a fixed price. If you check out the price of a product and try to navigate away from the page, chances are you’ll be offered a lower price. You can also find coupons and “limited time” offers that dramatically cut the cost of a year’s subscription to one of these packages.

    The catch, of course, is that the discount is only good for the first year, and when renewal time comes around, those discounts are much harder to find. The overall prices vary dramatically, depending on which features are included and how many devices the subscription supports.

    How we narrowed the field

    We looked at currently available security software products for PCs running Windows 10, concentrating on those with a well-established reputation and a well-tested infrastructure for delivering updates. We did not consider software designed for use on other platforms, including MacOS and mobile devices.

    We installed each program in a virtual machine to get a feel for its user experience, but we didn’t do any further testing ourselves. We insisted, instead, on a solid record of test results from two leading software test labs: AV-Comparatives and AV-Test.org.

    Most importantly, as it says in the title, the software and accompanying services have to be completely free for long-term use, with no expiration date or hidden costs. That filter knocks some well-known, even iconic names in security software off the list, including McAfee, Norton, and Trend Micro.

    How to choose

    Every security software package involves a trade-off between protection and convenience. The free packages we describe here add another layer to that equation, with varying degrees of advertising designed to convince you to upgrade your free program to a paid subscription. Each package also offers a mix of added features, which may or may not be of value to you.

    In terms of effectiveness against online threats, we don’t believe there’s a profound difference between these packages. That means the best way to choose is to install a package and try it out for long enough to decide whether the interface and the upsell offers are acceptable. If you find a package too intrusive, uninstall and move on to the next candidate on the list.


    SolarWinds hack analysis reveals 56% boost in command server footprint

    A new analysis of the SolarWinds breach suggests that the attacker infrastructure behind the campaign is far larger than first believed. 

    The catastrophic SolarWinds security incident involved the compromise of the vendor’s network and later the deployment of malicious SolarWinds Orion updates to clients that contained a backdoor called Sunburst. Sunspot, designed to monitor the SolarWinds build server for Orion assembly, was also found in January by CrowdStrike and is thought to be one of the preliminary tools used to pull off the attack.

    In total, an estimated 18,000 companies received the malicious update, with a smaller number of high-profile targets — including Microsoft, FireEye, and a number of federal government agencies — being selected for compromise over 2020. The White House, together with the UK government, has blamed the intrusion on state-backed Russian cybercriminals, APT29/Cozy Bear (campaign tracked as UNC2452).

    On Thursday, RiskIQ researchers published a report on the network infrastructure footprint of SolarWinds-linked cyberattackers, labeling it as “significantly larger than previously identified.” According to the cybersecurity company, the Sunburst/Solorigate backdoor was designed to “identify, avoid, or disable different security products,” with a particular focus on circumventing antivirus software developed by FireEye, CrowdStrike, Microsoft, ESET, and F-Secure in the first stage of infection.

    “For months, the Russians successfully compromised or blinded the very security companies and government agencies most likely to pursue them,” RiskIQ says.

    The second and third stages included custom droppers (Teardrop/Raindrop) and the deployment of additional malware alongside Cobalt Strike. Implants for persistence with components dubbed Goldmax/GoldFinder/Sibot, as well as Sunshuttle, have also been connected to these stages.

    Now, RiskIQ’s Team Atlas has identified an additional 18 servers linked to the SolarWinds espionage campaign, a number the firm says represents a “56% increase in the size of the adversary’s known command-and-control footprint.” The new C2s were discovered by mapping the second stage of deployment; in particular, modified beacons associated with Cobalt Strike. While this pattern itself is not uncommon, the team correlated this online data — containing over 3,000 results — with SSL certificates recorded as in use by the SolarWinds hackers.

    “[This] became highly unique when correlated with the SSL patterns,” RiskIQ says. “The result was the identification of a significant number of additional malicious servers.” RiskIQ added that the findings will “likely lead to newly identified targets.” US-CERT was made aware of RiskIQ’s findings prior to public disclosure.

    Last month, Swiss cybersecurity firm Prodaft published a report on SilverFish, a sophisticated threat group thought to be responsible for intrusions at over 4,700 organizations including Fortune 500 companies. SilverFish was connected to SolarWinds attacks as “one of many” APTs jumping on the incident. The group’s digital infrastructure has also revealed potential links to campaigns involving TrickBot and WastedLocker.