More stories

  • 40% of orgs don't have a chief data officer: survey

    S&P Global Market Intelligence and Immuta released a new study this week highlighting how many larger organizations are struggling to manage and use their data. The report, conducted by 451 Research, found that 55% of respondents said the data they get for analysis is often out of date or stale by the time it reaches them. 451 Research surveyed 525 data leaders in the US, Canada, UK, Germany and France; all of the participants work for organizations with more than 1,000 employees. The findings reflect the larger debate among enterprises about how to balance effective data use with data privacy and security: 84% of respondents said they expect data privacy and security requirements to limit access to data at their organizations over the next 24 months.

    Nearly 40% of respondents who work as data suppliers said they lack the staff or skills to handle their positions, with almost 30% citing a lack of automation as a problem. At least 90% said data quality and trust are becoming more important than the volume of data, while the role of chief data officer is becoming increasingly prominent within organizations. A majority of respondents said the chief data officer had direct access to the CEO. According to the survey, 60% of respondents said their organizations have a chief data officer while 40% do not; the numbers also tracked organization size, with larger enterprises more likely to have a chief data officer.

    “The findings are clear. As data workflows and processes have become more complex over time — and as organizational demand for data grows — there are clear points of friction in the data supply chain,” said Paige Bartley, senior analyst at 451 Research. “Chief among them is data suppliers that have limited resources, skills shortages, and little automation being tasked with trying to deliver a steady stream of relevant data to a growing number of data consumers.”

    Reliance on the cloud is also on the rise: 76% of respondents said their organizations will use cloud data technology more frequently for storage, compute and sharing over the next 24 months. Among those still struggling to move to the cloud, 43% cited security, 40% compliance issues and 35% data privacy. Overall, 65% of respondents said data has become more important to their own job over the last 24 months than ever before. More than 71% said the number of data consumers in their organization has steadily increased over time, and 73% said more human and machine data consumers will need access to data over the next two years. Legislation is also shaping data consumption and deployment: 84% said their enterprise is subject to regulations like GDPR and HIPAA.

    Data privacy and security are also prompting changes. More than 83% said data security rules will limit their access to data at their organization over the next two years. Respondents also complained that data was not available in real time, expressing exasperation with ill-equipped data teams unable to deliver self-service data tools. Almost 40% said their data is only available at a point in time. More than 62% said they used free cloud-based tools to help them handle data-focused tasks.

    “Respondents from regulated organizations were also much more likely to report their organization had a cloud-first (31%) or cloud-forward (45%) adoption strategy, while respondents from non-regulated organizations were disproportionately more likely to report a cloud-conservative (46%) or cloud-skeptic (9%) strategy,” the report said. “The assumption that regulated industries or firms tend to shy away from cloud technology is outdated at best.”

    Organizations are also struggling to manage data access and use, according to 65% of respondents. Immuta CEO Matt Carroll said the disconnect between data suppliers and consumers highlights the pressing challenge for businesses and the public sector to improve the speed of, and access to, data. “The findings make it clear that insights and business value cannot be quickly and easily generated from data unless it can be shared, modeled, and analyzed in a frictionless manner,” Carroll said. “This report validates what our customers have experienced. The good news is, by understanding these pain points, organizations can address them and move forward to maximize the value of enterprise data and minimize risks. Investing in automation and scalability removes hurdles to cloud adoption and opens the door for more efficient data access and use to improve business outcomes.”

  • Poly Network hacker has now returned almost all the $600m in crypto taken

    The cryptocurrency company behind a decentralized finance (DeFi) platform that lost over $600 million to a hacker has received most of the assets back. In a strange turn of events, the hackers who stole the digital assets on Tuesday returned the bulk of them to DeFi platform Poly Network, which provides interoperability services across blockchains including Bitcoin, Ethereum and Binance Smart Chain. On Thursday, Poly Network said in a tweet that “all the remaining user assets on Ethereum (except for the frozen USDT) had been transferred” to the Poly Network and to an account controlled by someone apparently called “Mr. White Hat”, a reference to cybersecurity professionals who help defend systems (versus “black hats”, who hack systems for fun and profit).

    DeFi platforms like Poly let people exchange tokens across blockchains. Poly Network uses smart contracts to work across Bitcoin, Ethereum, Neo, Ontology, Elrond, Zilliqa, Binance Smart Chain, Switcheo and Huobi ECO Chain. As explained by Reuters, Poly Network works through smart contracts that instruct different blockchains to release assets to the counterparties. One of Poly Network’s smart contracts was used for liquidity, to facilitate swapping tokens between blockchains. Poly Network said the hacker “exploited a vulnerability between contract calls”. The hackers have now returned the majority of what they took in what the company described as one of the ‘biggest’ hacks in DeFi history.

    The funds have been gradually returning since. Poly Network said yesterday that the unknown attacker has so far returned $256 million in BSC, $1 million from Polygon and $3.3 million in Ethereum. The attacker has not returned the $33 million that Tether froze. According to the BBC, Poly Network offered the attacker $500,000 to return the $600 million in crypto-assets.

    The DeFi hack happened as the US weighs in on regulating cryptocurrency players that operate in a $2 trillion market which largely stands outside existing anti-money laundering laws and the tax system. As The New York Times columnist Ezra Klein argues, crypto brings scarcity to digital goods, like online art, and that creates value. Government and regulators, however, haven’t figured out whether there is public appetite for regulating this area of finance and technology, nor where to apply pressure on the different actors, from those developing the technology to those who control the exchange of assets.

  • Ransomware: Now attackers are exploiting Windows PrintNightmare vulnerabilities

    Cyber criminals are exploiting Windows PrintNightmare vulnerabilities in their attempts to infect victims with ransomware, and the number of ransomware groups attempting to take advantage of unpatched networks is likely to grow.

    The remote code execution vulnerabilities (CVE-2021-34527 and CVE-2021-1675) in Windows Print Spooler, a service enabled by default in all Windows clients and used to copy data between devices to manage print jobs, allow attackers to run arbitrary code, enabling them to install programs; change and delete data; create new accounts with full user rights; and move laterally around networks.

    Now ransomware gangs are taking advantage of PrintNightmare to compromise networks, encrypt files and servers, and demand payment from victims for a decryption key. One of them is Vice Society, a relatively new player in the ransomware space that first appeared in June and conducts hands-on, human-operated campaigns against targets. Vice Society is known to be quick to exploit new security vulnerabilities in its ransomware attacks and, according to cybersecurity researchers at Cisco Talos, has added PrintNightmare to its arsenal of tools for compromising networks. Like many ransomware groups, Vice Society uses double extortion, stealing data from victims and threatening to publish it if the ransom isn’t paid. According to Cisco Talos, the group has mostly focused on small and midsize victims, notably schools and other educational institutions. The ubiquity of Windows systems in these environments means Vice Society can use the PrintNightmare vulnerabilities, where patches haven’t been applied, to execute code, maintain persistence on networks and deliver ransomware.

    “The use of the vulnerability known as PrintNightmare shows that adversaries are paying close attention and will quickly incorporate new tools that they find useful for various purposes during their attacks,” Cisco Talos researchers wrote in a blog post. “Multiple distinct threat actors are now taking advantage of PrintNightmare, and this adoption will likely continue to increase as long as it is effective”.

    Another ransomware group actively exploiting the PrintNightmare vulnerabilities is Magniber. This ransomware operation has been active, and introducing new features and attack methods, since 2017. Magniber initially used malvertising to spread, before moving on to exploiting unpatched security vulnerabilities in software including Internet Explorer and Flash. The majority of Magniber campaigns target South Korea. Now, according to cybersecurity researchers at CrowdStrike, Magniber ransomware is using PrintNightmare in campaigns, again demonstrating how ransomware gangs and other cyber-criminal groups try to take advantage of newly disclosed vulnerabilities before network operators have applied the patch.

    It’s likely that other ransomware groups and malicious hacking campaigns will look to exploit PrintNightmare, so the best defence against the vulnerability is to ensure systems are patched as soon as possible. “CrowdStrike estimates that the PrintNightmare vulnerability coupled with the deployment of ransomware will likely continue to be exploited by other threat actors,” said Liviu Arsene, director of threat research and reporting at CrowdStrike. “We encourage organizations to always apply the latest patches and security updates to mitigate known vulnerabilities and adhere to security best practices to strengthen their security posture against threats and sophisticated adversaries,” he added.

  • Researchers discover new AdLoad malware campaigns targeting Macs and Apple products

    SentinelLabs has released a new report on the discovery of a new adware campaign targeting Apple devices.

    After identifying AdLoad as an adware and bundleware loader afflicting macOS in 2019, the cybersecurity company said it has seen 150 new samples of the adware that it claims “remain undetected by Apple’s on-device malware scanner.” Some of the samples were even notarized by Apple, according to the report.

    Apple uses the XProtect security system to detect malware on all Macs and originally created a protection scheme against AdLoad, which has been circulating on the internet since at least 2017, according to the report. XProtect now has about 11 different signatures for AdLoad, some of which cover the 2019 version of the adware SentinelLabs found that year. But the latest campaign is not covered by anything in XProtect, according to the company.

    “In 2019, that pattern included some combination of the words ‘Search,’ ‘Result’ and ‘Daemon,’ as in the example shown above: ‘ElementarySignalSearchDaemon.’ Many other examples can be found here. The 2021 variant uses a different pattern that primarily relies on a file extension that is either .system or .service,” the researchers explained. “Which file extension is used depends on the location of the dropped persistence file and executable as described below, but typically both .system and .service files will be found on the same infected device if the user gave privileges to the installer.”

    About 50 different label patterns have been discovered by the researchers, who found that the droppers used share the same pattern as Bundlore/Shlayer droppers.

    “They use a fake Player.app mounted in a DMG. Many are signed with a valid signature; in some cases, they have even been known to be notarized,” the report said. “Typically, we observe that developer certificates used to sign the droppers are revoked by Apple within a matter of days (sometimes hours) of samples being observed on VirusTotal, offering some belated and temporary protection against further infections by those particular signed samples by means of Gatekeeper and OCSP signature checks. Also typically, we see new samples signed with fresh certificates appearing within a matter of hours and days. Truly, it is a game of whack-a-mole.”

    SentinelLabs cites research from analysts at Confiant confirming that samples in the wild have been notarized by Apple. The samples began to crop up in November 2020 and became more prominent in 2021, with an even sharper uptick in July and August as more attackers try to take advantage of XProtect’s gaps before they are closed. XProtect’s last update was on June 18th, according to SentinelLabs. Apple did not respond to requests for comment. Despite the lack of protection from XProtect, other vendors do have systems to detect the malware.

    “As Apple itself has noted and we described elsewhere, malware on macOS is a problem that the device manufacturer is struggling to cope with,” the report said. “The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and yet still remain undetected by Apple’s built-in malware scanner demonstrates the necessity of adding further endpoint security controls to Mac devices.”

  • Philips study finds hospitals struggling to manage thousands of IoT devices

    Health technology company Philips and cybersecurity company CyberMDX released a new report this week covering cybersecurity spending and trends at mid-sized and large hospitals. Working with market research firm Ipsos, researchers surveyed 130 healthcare IT decision-makers to find out how they manage the thousands of medical devices that populate most hospitals today. The “Perspectives in Healthcare Security Report” split most of the study between large hospital systems with more than 1,000 beds and mid-sized ones with fewer than 1,000 beds. More than 31% of respondents worked at hospitals with fewer than 10,000 medical devices, another 29% in hospital systems with fewer than 25,000, and almost 20% in hospital systems with fewer than 50,000 devices. While most respondents had a good idea of how many devices were deployed in their hospital system, 15% of mid-sized hospitals and 13% of large hospitals had no way of knowing the number of devices on their network.

    Almost half of all respondents find the staffing they have for medical device and IoT security “inadequate,” with most reporting a mean cybersecurity staff of around 12 or 13 people. Nearly 40% of large hospital systems buy in IoT security solutions to protect their devices, while 16% rely on the security provided by the medical device manufacturer. Some also turn to IT equipment vendors or third-party systems integrators. The numbers were almost identical for mid-sized hospitals, but a larger share of them rely on medical device manufacturers for security.

    Respondents listed NotPetya, MDHex, MDHexRay, Ryuk, WannaCry, Apache Struts and BlueKeep as the most common vulnerabilities. More than 51% of respondents said their hospitals “were not protected against the BlueKeep vulnerability, and that number increased 64% for WannaCry and 75% for NotPetya.”

    The mean annual IT spend is around $3 million to $3.5 million for both larger and mid-size hospital systems, with a mean of about $300,000 spent each year on medical device and IoT cybersecurity. Nearly 80% of both mid-sized and large hospital systems measured cybersecurity ROI through logs of major attacks, while also using “total critical vulnerabilities found” and “amount of time saved” as measures of success.

    Hospital cybersecurity has never been more crucial. An HHS report found that there have been at least 82 ransomware incidents worldwide this year, 60% of them specifically targeting US hospital systems. Azi Cohen, CEO of CyberMDX, noted that hospitals now have to deal with patient safety, revenue loss and reputational damage when responding to cyberattacks, which continue to increase in frequency. Almost half of the hospital executives surveyed said they had dealt with a forced or proactive shutdown of their devices in the last six months due to an outside attack. Mid-sized hospital systems struggled mightily with downtime from medical devices: large hospitals faced an average shutdown time of 6.2 hours and a loss of $21,500 per hour, but the numbers were far worse for mid-sized hospitals, whose IT directors reported an average of 10 hours of downtime and losses of $45,700 per hour. “No matter the size, hospitals need to know about their security vulnerabilities,” said Maarten Bodlaender, head of cybersecurity services at Philips.

  • This 'unique' phishing attack uses Morse code to hide its approach

    Microsoft has revealed the inner workings of a phishing group’s techniques, which use a ‘jigsaw puzzle’ approach plus unusual features like Morse code dashes and dots to hide its attacks.

    The group is using invoices in Excel HTML or web documents to distribute forms that capture credentials for later hacking efforts. The technique is notable because it bypasses traditional email filtering systems. “The HTML attachment is divided into several segments, including the JavaScript files used to steal passwords, which are then encoded using various mechanisms. These attackers moved from using plaintext HTML code to employing multiple encoding techniques, including old and unusual encryption methods like Morse code, to hide these attack segments,” Microsoft Security Intelligence says.

    “In effect, the attachment is comparable to a jigsaw puzzle: on their own, the individual segments of the HTML file may appear harmless at the code level and may thus slip past conventional security solutions. Only when these segments are put together and properly decoded does the malicious intent show,” it said.

    The main aim of the attack is to acquire usernames and passwords, but it also collects profile data such as IP address and location to use for subsequent breach attempts. “This phishing campaign is unique in the lengths attackers take to encode the HTML file to bypass security controls,” Microsoft said. The attacks fall within the category of business email compromise, a highly profitable scam that outsizes the ransomware cybercrime industry.

    “The XLS.HTML phishing campaign uses social engineering to craft emails mimicking regular financial-related business transactions, specifically sending what seems to be vendor payment advice. In some of the emails, attackers use accented characters in the subject line,” Microsoft says. Excel and the finance-related subject are the hook meant to encourage victims to hand over credentials. “Using xls in the attachment file name is meant to prompt users to expect an Excel file. When the attachment is opened, it launches a browser window and displays a fake Microsoft Office 365 credentials dialog box on top of a blurred Excel document. Notably, the dialog box may display information about its targets, such as their email address and, in some instances, their company logo.”

    The Morse code element of the attack is used in conjunction with JavaScript, the most popular programming language for web development. “Morse code is an old and unusual method of encoding that uses dashes and dots to represent characters. This mechanism was observed in the February (“Organization report/invoice”) and May 2021 (“Payroll”) waves,” Microsoft notes. “In the February iteration, links to the JavaScript files were encoded using ASCII then in Morse code. Meanwhile in May, the domain name of the phishing kit URL was encoded in Escape before the entire HTML code was encoded using Morse code.” The use of Morse code in phishing attacks was spotted by Bleeping Computer’s Lawrence Abrams in February.
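    As an added example that is not part of the article or of Microsoft's report, the Python below shows the defender's side of the "jigsaw puzzle" described above: it scans an HTML attachment for runs of Morse code, decodes them, and flags decoded strings that reference a URL or script, and it also checks for the ".xls.html" naming trick. The attachment, the domain phish.example and the function names are constructed for this illustration.

    ```python
    import re

    # International Morse code: letters, digits and the punctuation needed for URLs.
    MORSE = {
        ".-": "a", "-...": "b", "-.-.": "c", "-..": "d", ".": "e", "..-.": "f",
        "--.": "g", "....": "h", "..": "i", ".---": "j", "-.-": "k", ".-..": "l",
        "--": "m", "-.": "n", "---": "o", ".--.": "p", "--.-": "q", ".-.": "r",
        "...": "s", "-": "t", "..-": "u", "...-": "v", ".--": "w", "-..-": "x",
        "-.--": "y", "--..": "z",
        "-----": "0", ".----": "1", "..---": "2", "...--": "3", "....-": "4",
        ".....": "5", "-....": "6", "--...": "7", "---..": "8", "----.": "9",
        ".-.-.-": ".", "-..-.": "/", "---...": ":", "-....-": "-", "..--.-": "_",
    }

    # Eight or more space-separated dot/dash tokens in a row is very unlikely in
    # legitimate HTML (an ellipsis or a lone hyphen is a single token and is ignored).
    MORSE_RUN = re.compile(r"(?<![.\-])(?:[.\-]{1,7} ){7,}[.\-]{1,7}(?![.\-])")

    # Constructed sample attachment (not a real phishing kit). Each segment looks
    # harmless on its own; the Morse string hides where the script would be loaded from.
    SAMPLE_ATTACHMENT = """<html><body>
    <div id="seg1">Invoice 4471 - payment advice attached</div>
    <script>
    var m = ".... - - .--. ... ---... -..-. -..-. .--. .... .. ... .... .-.-.- . -..- .- -- .--. .-.. . -..-. .-.. --- .- -.. . .-. .-.-.- .--- ...";
    /* a later segment would decode m and use it as a script source */
    </script>
    </body></html>"""


    def decode_morse(run: str) -> str:
        """Decode a space-separated Morse run; unknown symbols become '?'."""
        return "".join(MORSE.get(sym, "?") for sym in run.split())


    def find_hidden_strings(html: str, min_symbols: int = 8) -> list:
        """Return every Morse run found in the attachment, decoded, with a flag
        for decoded text that looks like a URL or a script file reference."""
        findings = []
        for match in MORSE_RUN.finditer(html):
            run = match.group(0).strip()
            if len(run.split()) < min_symbols:
                continue
            decoded = decode_morse(run)
            findings.append({
                "offset": match.start(),
                "symbols": len(run.split()),
                "decoded": decoded,
                "suspicious": bool(re.search(r"(https?:|\.js\b|\.php\b)", decoded)),
            })
        return findings


    def misleading_attachment_name(filename: str) -> bool:
        """Flag names such as 'payment.xls.html' that advertise Excel but deliver HTML."""
        return bool(re.search(r"\.xlsx?\.html?$", filename.lower()))


    if __name__ == "__main__":
        for hit in find_hidden_strings(SAMPLE_ATTACHMENT):
            print(f"offset {hit['offset']}: {hit['symbols']} symbols -> {hit['decoded']}"
                  f" (suspicious={hit['suspicious']})")
        print("misleading name:", misleading_attachment_name("Invoice_4471.xls.html"))
    ```

    The same scan applied to the "entire HTML encoded in Morse" variant from May would return one very long run whose decoded text is itself HTML, which is why the symbol count, not just the decoded content, is worth alerting on.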

  • One big ransomware threat just disappeared. Now another one has jumped up to fill the gap

    The sudden disappearance of one of the most prolific ransomware services has forced crooks to switch to other forms of ransomware, and one in particular has seen a big growth in popularity. The REvil ransomware gang, also known as Sodinokibi, went dark in July, shortly after drawing the attention of the White House following the massive ransomware attack that affected 1,500 organisations around the world.

    It’s still uncertain whether REvil has quit for good or will return under different branding, but affiliates of the ransomware scheme aren’t waiting to find out: they’re switching to other brands of ransomware and, according to analysis by cybersecurity researchers at Symantec, LockBit ransomware has become the weapon of choice. LockBit first appeared in September 2019, and those behind it added a ransomware-as-a-service scheme in January 2020, allowing cyber criminals to lease LockBit to launch ransomware attacks in exchange for a cut of the profits. LockBit isn’t as high profile as some other forms of ransomware, but those using it have been making money from ransom payments paid in Bitcoin. Now the apparent disappearance of REvil has led to a rise in cyber criminals turning to LockBit to conduct ransomware attacks, aided by the authors of LockBit putting effort into offering an updated version.

    “LockBit has been aggressively advertising for new affiliates in recent weeks. Secondly, they claim to have a new version of their payload with much higher encryption speeds. For an attacker, the faster you can encrypt computers before your attack is uncovered, the more damage you will cause,” Dick O’Brien, senior research editor at Symantec, told ZDNet.

    Researchers note that many of those now using LockBit are using the same tactics, tools and procedures they previously used to deliver REvil to victims; they’ve just switched the payload. These methods include exploiting unpatched firewall and VPN vulnerabilities or brute-force attacks against remote desktop protocol (RDP) services left exposed to the internet, as well as the use of tools including Mimikatz and Netscan to establish the network access required to install ransomware. Like other ransomware groups, LockBit attackers also use double extortion, stealing data from the victim and threatening to publish it if a ransom isn’t paid. While it has somewhat flown under the radar until now, attackers using LockBit deployed it in an attempted ransomware attack against Accenture, although the company said it had no effect as it was able to restore files from backup. LockBit has also caught the attention of national security services; the Australian Cyber Security Centre (ACSC) released an alert about LockBit 2.0 this week, warning about a rise in attacks.

    Ransomware poses a threat to organisations no matter what brand is being used. Just because one high-profile group has seemingly disappeared, for now, doesn’t mean that ransomware is any less of a threat. “We consider LockBit a comparable threat. It’s not just the ransomware itself, it’s the skill of the attackers deploying it. In both cases, the attackers behind the threats are quite adept,” said O’Brien. “In the short term, we expect to see LockBit continue to be one of the most frequently used ransomware families in targeted attacks. The longer-term outlook depends on whether some of the recently departed ransomware developers – such as REvil and Darkside – return,” he added.

    To help protect against ransomware attacks, organisations should ensure that software and services are up to date with the latest patches, so cyber criminals can’t exploit known vulnerabilities to gain access to networks. Multi-factor authentication should be applied to all user accounts, to prevent attackers from easily using leaked or stolen passwords. Organisations should also regularly back up the network, so that in the event of a ransomware attack the network can be restored without paying a ransom.

  • Cornell University researchers discover 'code-poisoning' attack

    A team of researchers at Cornell Tech has uncovered a new type of backdoor attack that they showed can “manipulate natural-language modeling systems to produce incorrect outputs and evade any known defense.”

    The Cornell Tech team said they believe the attacks could compromise algorithmic trading, email accounts and more. The research was supported by a Google Faculty Research Award as well as backing from the NSF and the Schmidt Futures program. According to a study released on Thursday, the backdoor can manipulate natural-language modeling systems without “any access to the original code or model by uploading malicious code to open-source sites that are frequently used by many companies and programmers.” The researchers named the attacks “code poisoning” during a presentation at the USENIX Security conference on Thursday. The attack would give people or companies enormous power to modify a wide range of things, including movie reviews or even an investment bank’s machine learning model so that it ignores news that would affect a company’s stock.

    “The attack is blind: the attacker does not need to observe the execution of his code, nor the weights of the backdoored model during or after training. The attack synthesizes poisoning inputs ‘on the fly,’ as the model is training, and uses multi-objective optimization to achieve high accuracy simultaneously on the main and backdoor tasks,” the report said. “We showed how this attack can be used to inject single-pixel and physical backdoors into ImageNet models, backdoors that switch the model to a covert functionality, and backdoors that do not require the attacker to modify the input at inference time. We then demonstrated that code-poisoning attacks can evade any known defense, and proposed a new defense based on detecting deviations from the model’s trusted computational graph.”

    Eugene Bagdasaryan, a computer science PhD candidate at Cornell Tech and lead author of the new paper alongside professor Vitaly Shmatikov, explained that many companies and programmers use models and code from open-source sites on the internet, and this research shows how important it is to review and verify materials before integrating them into any system. “If hackers are able to implement code poisoning, they could manipulate models that automate supply chains and propaganda, as well as resume-screening and toxic comment deletion,” Bagdasaryan said. Shmatikov added that with previous attacks, the hacker must access the model or data during training or deployment, which requires penetrating the victim’s machine learning infrastructure.

    “With this new attack, the attack can be done in advance, before the model even exists or before the data is even collected — and a single attack can actually target multiple victims,” Shmatikov said. The paper investigates in depth the attack methods for “injecting backdoors into machine learning models, based on compromising the loss-value computation in the model-training code.” Using a sentiment analysis model, the team was able to demonstrate how the attack would work on something like always classifying as positive any review of a movie made by Ed Wood. “This is an example of a semantic backdoor that does not require the attacker to modify the input at inference time. The backdoor is triggered by unmodified reviews written by anyone, as long as they mention the attacker-chosen name,” the paper found. “Machine learning pipelines include code from open-source and proprietary repositories, managed via build and integration tools. Code management platforms are known vectors for malicious code injection, enabling attackers to directly modify source and binary code.”

    The study notes that popular ML repositories, which have thousands of forks, “are accompanied only by rudimentary tests (such as testing the shape of the output).” To defend against the attack, the researchers suggested a system that could detect deviations from the model’s original code. But Shmatikov said that because of how popular AI and machine learning technologies have become, many non-expert users are building their models using code they barely understand. “We’ve shown that this can have devastating security consequences,” Shmatikov said. He added that more work will need to be done on how the attack could be used to automate propaganda and other damaging efforts. The goal now is to create a defense system that will “eliminate this entire class of attacks and make AI/ML safe even for non-expert users,” Shmatikov said.