More stories

  • Ransomware: Attacks could be about to get even more dangerous and disruptive

    Ransomware is one of the biggest threats facing businesses. An organisation that falls victim to a ransomware attack – which sees cyber criminals use malware to encrypt the network, rendering it inoperable – will quickly find itself unable to do business at all.
    Cyber criminals lock down networks like this for one simple reason: it’s the quickest and easiest way to make money from a compromised organisation and they’re unlikely to get caught.
    The attackers demand a ransom payment in exchange for the decryption key for the files – and throughout 2020 the extortion demands have risen, with ransomware gangs now regularly demanding millions of dollars in bitcoin from victims.
    The unfortunate reality is that ransomware continues to be successful because a significant number of victims give in to extortion demands of the criminals by paying the ransom. While the police and cybersecurity companies say organisations shouldn’t pay criminals, many feel as if it’s the quickest and easiest way to restore their network and prevent long-term economic damage – although it still creates plenty of ongoing problems.
    And ransomware gangs have increasingly added a new tactic in an attempt to force victims to pay up: they threaten to leak data stolen from the victim, meaning that sensitive corporate data or personal information of customers and clients ends up being made available to other criminals.
    “From a financially motivated criminal’s perspective, ransomware remains the most lucrative type of cyberattack, especially when the victims are high-value enterprises. In late 2020, cyber criminals are intensifying their attacks to maximise their financial gains and increase the odds of getting paid,” says Anna Chung, cybersecurity threat research analyst for Unit 42 at Palo Alto Networks.

    Ransomware attacks have become more powerful and lucrative than ever before – to such an extent that advanced cyber-criminal groups have switched to using it over their traditional forms of crime – and it’s very likely that they’re just going to become even more potent in 2021. 
    For example, what if ransomware gangs could hit many different organisations at once in a coordinated attack? This would offer an opportunity to illicitly make a large amount of money in a very short amount of time – and one way malicious hackers could attempt to do this is by compromising cloud services with ransomware.
    “The next thing we’re going to see is probably more of a focus on cloud. Because everyone is moving to cloud, COVID-19 has accelerated many organisations’ cloud deployments, so most organisations have data stored in the cloud,” says Andrew Rose, resident CISO at Proofpoint.
    We saw a taster of the extent of the widespread disruption that can be caused when cyber criminals targeted smartwatch and wearable manufacturer Garmin with ransomware. The attack left users around the world without access to its services for days.
    If criminals could gain access to cloud services used by multiple organisations and encrypt those it would cause widespread disruption to many organisations at once. And it’s entirely possible that in this scenario ransomware gangs would demand tens of millions of dollars in extortion fees due to what’s at stake.
    The destructive nature of ransomware could also see it exploited by hacking operations that aren’t purely motivated by money.
    The first example of this was in 2017 when NotPetya took down networks of organisations around the world and cost billions in damages. While the attack was designed to look like ransomware, in reality the malware was designed for pure destruction as there wasn’t even a way of paying the ransom demand.
    NotPetya was attributed to the Russian military and it’s likely that the idea of using ransomware as a purely destructive cyberattack hasn’t gone unnoticed by other nation states. For a government or military force that doesn’t want its enemy to know who is behind a destructive malware attack, posing as cyber criminals could become a useful means of subterfuge.
    “We’ve already seen a precedent that’s been set by nation-state actors who have used this, but what if they take it to the next step? The destructive capabilities of ransomware are certainly appealing to malicious espionage actors and they may use it to cause disruption,” says Sandra Joyce, senior vice president and head of global intelligence at FireEye.
    “So as we continue to see ransomware in the criminal underground continue to rise, we need to be mindful of the fact that nation states are watching and could take this on as their weapon of choice,” she adds.
    Ransomware will continue to be a major threat, but businesses can help protect themselves from it by applying a small number of relatively simple cybersecurity practices.
    Organisations should ensure they have a well-managed plan for applying cybersecurity patches and other updates. These patches are often released because software companies have become aware of known vulnerabilities in their product, which cyber criminals could be exploiting; applying the patch swiftly prevents malicious hackers from using these vulnerabilities as a means of breaking into the network.
    One of the other methods cyber criminals use to gain entry to networks is taking advantage of weak passwords, either by buying them on dark web forums or simply by guessing common or default passwords.
    To prevent this, organisations should encourage employees to use more complex passwords and accounts should have the additional security of multi-factor authentication, so if an intruder does manage to crack login credentials to gain access to a network, it’s harder for them to move around it.
    Businesses should also make sure they’re prepared for what could happen should they end up falling victim to a ransomware attack. Regularly creating backups of the network and storing them offline means that if the worst happens and ransomware encrypts the network, it’s possible to restore it from a relatively recent point – and without giving in to the demands of cyber criminals.
    Because ultimately, if hacking gangs stop making money from ransomware, they won’t be interested in conducting campaigns any more.

  • Comms Alliance argues TSSR duplicates obligations within Critical Infrastructure Bill

    The Communications Alliance has asked the government to avoid duplication when introducing new obligations to telco providers under the Telecommunications Sector Security Reforms (TSSR).
    Under the TSSR, all carriers and nominated carriage service providers (C/NCSPs) are required to notify the Communications Access Coordinator (CAC) of proposed changes to their telecommunications systems or services if they become aware of any proposed changes that are likely to have a “material adverse effect” on their capacity to comply with security obligations.
    As it currently stands under TSSR obligations, telcos need to “do their best” to protect infrastructure.
    In its submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) and its review of the TSSR, Comms Alliance has asked for the repeal of the TSSR notification obligation or exemption from this obligation for entities subject to the positive security obligation (PSO) under the nation’s newly introduced critical infrastructure Bill.
    The PSO contained in the Security of Critical Infrastructure Act (SoCI Act) is intended to result in the same outcome as the TSSR, Comms Alliance argued. It said the imposition of the PSO on entities already subject to the TSSR’s security and notification obligations would result in duplication of regulatory regimes that have the same intended outcome.
    “We, therefore, recommend either repeal of the TSSR notification obligation or exemption from this obligation for entities subject to this PSO,” it wrote.

    “The review of the TSSR must have regard to the evolving horizontal regulations such as the SoCI Act and ensure that the rules of those regulations avoid overlap, redundancy, or even inconsistencies with existing sector-specific regulations.
    “Service providers which are already subject to cybersecurity requirements in sector-specific legislation must remain excluded from the scope of the horizontal requirements or see a removal of sector-specific regulation where those would create duplication.”
    The industry body said this exclusion is necessary to ensure legal clarity, certainty, and proportionality of obligations.
    “We argue that, in effect, this makes the TSSR notification requirements redundant as assessment of the risks of proposed changes would necessarily form part of a broader, annually endorsed and reported risk management plan,” it continued.
    “Subjecting entities to the TSSR notification requirements (and subsequent risk mitigation if deemed necessary) as well as the PSO of the revised SoCI Act would result in a substantial amount of duplication and inefficiencies — the opposite of government’s stated aim.”
    It also said maintaining both sets of obligations would create duplicative efforts for the CAC/Critical Infrastructure Centre.
    “We believe that there should only be one authority designated for CSPs in the security space. Currently, the legislative and regulatory environment around security, cybersecurity, and data protection is rather crowded,” the submission added.
    Instead, Comms Alliance has thrown its support behind a “high-level principles-based approach to ensuring security”. It said such an approach allows CSPs the necessary flexibility to implement measures as appropriate for their business while being able to rapidly adapt to technological change.
    “This approach is also more likely to avoid duplication or inconsistencies with existing (or future) international standards and best practice, and provides the necessary flexibility for globally operating organisations to comply with a more limited set of security specifications, thereby contributing to increased operational efficiency and legal certainty,” it said.
    On two-way threat sharing, Comms Alliance said communications-specific threat information has not been shared with its members.
    “Consequently, our members have borne substantial costs to implement the Reforms — and government decisions that were taken as a result of the Reforms — without having had the promised benefit of additional risk and threat information to guide investment decisions,” it wrote.
    “This is regrettable and ought to be remedied with urgency, particularly in light of the additional layer of security regulation that the revised SoCI Act (even in its ‘lightest version’) is likely to represent for our sector.”
    Comms Alliance added the communications sector has already incurred substantial costs in the course of the implementation of the TSSR and that it continues to bear high regulatory expenses for ongoing compliance with the various security-related legislative and regulatory requirements.
    “Against this background and noting the additional costs that are likely to result from the requirements of the revised SoCI Act, we encourage the committee to consider cost recovery options for telecommunications providers covered under these extensive security regimes,” it said. “We deem it important that the critical infrastructure reforms and the TSSR preserve the principle of cost recovery, which is well established under the Telco Act.”

  • DHS warns against using Chinese hardware and digital services

    Image: Martin Abegglen (Flickr/CC2.0)

    The US Department of Homeland Security has published a “business advisory” today warning US companies against using hardware equipment and digital services created by or linked to Chinese companies.

    The DHS said that Chinese products could contain backdoors, bugdoors, or hidden data collection mechanisms that could be used by Chinese authorities to collect data from western companies and forward the information to local competitors to further China’s economic goals to the detriment of other countries.
    All equipment and services remotely linked to Chinese companies should be considered a cyber-security and business risk, the agency said.
    The DHS argues that Chinese national security laws allow the government to coerce any local company and citizen to alter products and engage in espionage or intellectual property theft.
    The DHS described this practice as “PRC [People’s Republic of China] government-sponsored data theft.”
    “For too long, US networks and data have been exposed to cyber threats based in China which are using that data to give Chinese firms an unfair competitive advantage in the global marketplace,” said Acting Secretary of Homeland Security Chad F. Wolf.
    “Practices that give the PRC government unauthorized access to sensitive data – both personal and proprietary – puts the US economy and businesses at direct risk for exploitation. We urge businesses to exercise caution before entering into any agreement with a PRC-linked firm.”

    In a separate speech on Monday, Wolf also described China as “a clear and present danger” to US democracy.
    The DHS published its advisory less than a month before a change in administration, with President Biden expected to name his own DHS chief next month.
    Under the Trump administration, US officials have focused on cracking down on Chinese theft from US companies.
    In a July 2020 interview with Fox News, FBI Director Christopher Wray said that half of the FBI’s almost 5,000 counter-intelligence cases were related to Chinese theft of US technology.
    Through its new advisory, the DHS warns US businesses that Chinese theft can sometimes occur not only through business partnerships and insider threats but also through backdoored equipment and digital services.
    “Any person or entity that chooses to procure data services and equipment from PRC-linked firms, or store data on software or equipment developed by such firms, should be aware of the economic, reputational, and, in certain instances, legal, risks associated with doing business with these firms,” the DHS said in a press release today.

  • Rapid website-blocking power for violent material proposed for eSafety Commissioner

    A new Online Safety Bill could give Australia’s eSafety Commissioner powers to implement targeted blocks of terrorist or extreme violent material during an online crisis event and to order the removal of image-based abuse within 24 hours.
    The federal government on Wednesday opened consultation on the new Bill [PDF] which would also create a cyber abuse take-down scheme for Australian adults.
    After the eSafety Commissioner issued a direction in September 2019 ordering the nation’s ISPs to continue blocking websites that host the video of the Christchurch terrorist attack, and agreed new protocols with ISPs in March to block such content, the new Bill proposes further action.
    It would introduce a specific and targeted power for the eSafety Commissioner to direct ISPs to block certain domains containing terrorist or extreme violent material, for time-limited periods, in the event of an online crisis event.
    As flagged at the start of consultation a year ago, online platforms would also see the amount of time that they have to pull down content after receiving a missive from the Australian eSafety Commissioner halved under the new Bill.
    Take-down notices for image-based abuse, cyber abuse, cyberbullying, and seriously harmful online content would now need to be actioned within 24 hours, instead of 48 hours.

    If a website or app systemically ignores take-down notices for class 1 material under the online content scheme, such as child sexual abuse material, the eSafety Commissioner can require search engines and app stores to remove access to that service.
    These protections will be backed by civil penalties — up to AU$550,000 for companies and AU$111,000 for individuals.
    The Bill expands the cyberbullying scheme for children, enabling eSafety to order the removal of material from further online services such as games, websites, messaging, and hosting services — not just social media platforms.
    The Bill will also extend cyber abuse take-down to adults.
    According to the legislation, cyber abuse material in an adult context is when “an ordinary reasonable person would conclude that it is likely that the material was intended to have an effect of causing serious harm to a particular Australian adult”.
    The scheme will empower the eSafety Commissioner to order the removal of seriously harmful online abuse when websites, social media, and other online services do not remove it after a complaint is made.
    In addition, the eSafety Commissioner will have the power to require online services to provide contact or identifying information for individuals using anonymous accounts to abuse, bully, or share intimate images without consent.
    A set of Basic Online Safety Expectations will also be set in law. The Act will establish mandatory reporting requirements that will allow the eSafety Commissioner to require online services to provide specific information about online harms, such as their response to terrorism and abhorrent violent material, or volumetric attacks where “digital lynch mobs” seek to overwhelm a victim with abuse.
    Services will have to report on how they will uphold these expectations and can be penalised if they fail to do so.
    The government will also update Australia’s Online Content Scheme to “better reflect the modern digital environment”.
    Under this, sections of the tech industry will be tasked with creating new and strengthened industry codes to keep users safe. Industry will be given six months to establish the new codes, with the eSafety Commissioner also having the power to create industry standards within 12 months if industry fails to do so itself.

  • Law enforcement take down three bulletproof VPN providers

    Law enforcement agencies from the US, Germany, France, Switzerland, and the Netherlands this week seized the web domains and server infrastructure of three VPN services that provided a safe haven for cybercriminals to attack their victims.
    The three services were active at insorg.org [2014 snapshot], safe-inet.com [2013 snapshot], and safe-inet.net before the domains were seized and replaced with law enforcement banners on Monday.
    The services have been active for more than a decade, are believed to be operated by the same individual/group, and have been heavily advertised on both Russian and English-speaking underground cybercrime forums, where they were sold for prices ranging from $1.3/day to $190/year.
    According to the US Department of Justice and Europol, the three companies’ servers were often used to mask the real identities of ransomware gangs, web skimmer (Magecart) groups, online phishers, and hackers involved in account takeovers, allowing them to operate from behind a proxy network up to five layers deep.

    Law enforcement described the three as “bulletproof hosting services,” a term typically used to describe web companies that don’t take down criminal content, despite repeated requests.
    “A bulletproof hoster’s activities may include ignoring or fabricating excuses in response to abuse complaints made by their customer’s victims; moving their customer accounts and/or data from one IP address, server, or country to another to help them evade detection; and not maintaining logs (so that none are available for review by law enforcement),” the DOJ said today.
    Servers were seized this week across five countries where the three VPN providers had hosted content. Europol said it plans to analyze the collected information and start cases to identify and take action against some of the services’ users.

    The investigation, codenamed “Operation Nova,” was coordinated by Europol officials, and led by officers from the German Reutlingen Police Headquarters.
    “The investigation carried out by our cybercrime specialists has resulted in such a success thanks to the excellent international cooperation with partners worldwide. The results show that law enforcement authorities are equally as well connected as criminals,” said Udo Vogel, Police President of the Reutlingen Police Headquarters.
    No charges were announced against the individuals behind the three VPN services.

  • Farmers get their own security advice as cyberattacks increase

    The UK’s National Cyber Security Center (NCSC) has issued its first-ever guidance for farmers to help protect their industry from malware and ransomware. 
    With an eye on the future of agriculture and tech, the NCSC has published guidance to help the farming sector respond to the same threats many other organizations face. NCSC notes that key systems in use in the sector include email, online account tools, and online payment systems, as well as internet-connected farming equipment that could come under cyberattack.
    “Whilst we can’t guarantee that you’ll be protected from all forms of cyberattack, following this advice will significantly increase the protections you have from the most common cyber crimes,” NCSC notes. It said its official statistics show a rise in reports of cyberattacks against the farming community.
    The new guidance was developed alongside the National Farmers’ Union (NFU), which is urging farmers to review the document.
    “Rural crime is a huge issue for farm businesses and we rightly look to protect our farm buildings, machinery and our livestock. However, we all live and work in a digital world and we must be conscious of the threats this can bring to our businesses,” said Stuart Roberts, NFU deputy president. 
    The guidance asks the agricultural sector to consider all aspects of their business that networked technology touches today, from automated machinery to security cameras and smartphones — basically every piece of technology that helps farmers go about their business. 

    NCSC’s first piece of advice is to patch and update devices and software, including Windows, macOS, iOS and Android. It advises farmers to, where possible, set the operating system to install updates automatically and offers a reminder that older versions of an OS, such as Windows 7, will eventually no longer receive security updates.
    The second piece of advice is to make regular backups so that, for example, a ransomware attack does not cause the loss of emails, invoices, contacts, orders and quotes. 
    NCSC also recommends password-protecting each computing device and using encryption such as BitLocker on Windows or FileVault on macOS to protect data.
    The document outlines the risks that farmers face from a ransomware attack, which include making a device unusable, immobilizing farm vehicles, data loss, interference with automated systems, and leaking confidential farm data. 
    The guidance also recommends enabling antivirus and switching on the firewall to separate the local network from the internet. 
    Other handy but oft-forgotten tips include to change all default passwords for devices, such as the internet router, and to choose strong passwords. 
    “Combine three random words to make a short, memorable phrase,” NCSC advises. 
    It adds that farmers should pick a different password for each online account, especially for their primary email account. 
    “If criminals are able to access and control your email, they may be able to reset passwords and gain control of your other accounts,” it notes. 
    NCSC notes that if farmers do write down their passwords, they should store them securely, away from their device. It also urges farmers to use a password manager and not to use weak passwords. Specifically, it advises against using a family name, a pet’s name, a place of birth, a favorite holiday, details related to a favorite sports team, and words like “password” and “qwerty”.
    Finally, it recommends farmers enable two-factor authentication (2FA) for their online accounts. 
    “It means that even if a criminal knows your password, they won’t be able to access your accounts. So, if you are given the option to turn on 2FA, you should do it,” NCSC says.

  • Microsoft and McAfee headline newly-formed 'Ransomware Task Force'

    A group of 19 security firms, tech companies, and non-profits, headlined by big names such as Microsoft and McAfee, announced on Monday plans to form a new coalition to deal with the rising threat of ransomware.

    Named the Ransomware Task Force (RTF), the new group will focus on assessing existing technical solutions that provide protections during a ransomware attack.
    The RTF will commission expert papers on the topic, engage stakeholders across industries, identify gaps in current solutions, and then work on a common roadmap to have issues addressed among all members.
    The end result should be a standardized framework for dealing with ransomware attacks across verticals, one based on an industry consensus rather than individual advice received from lone contractors.
    The 19 initial founding members reflect the RTF’s dedication to putting together a diverse team of experts:
    • Aspen Digital (policy maker group)
    • Citrix (networking equipment vendor)
    • The Cyber Threat Alliance (cybersecurity industry sharing group)
    • Cybereason (security firm)
    • The CyberPeace Institute (non-profit dedicated to helping victims of cyberattacks)
    • The Cybersecurity Coalition (policy maker group)
    • The Global Cyber Alliance (non-profit dedicated to reducing cyber risk)
    • The Institute for Security and Technology (policy maker group)
    • McAfee (security firm)
    • Microsoft (security firm)
    • Rapid7 (security firm)
    • Resilience (cyberinsurance provider)
    • SecurityScorecard (compliance and risk management)
    • Shadowserver Foundation (non-profit security organization)
    • Stratigos Security (cybersecurity consulting)
    • Team Cymru (threat intelligence)
    • Third Way (think tank)
    • UT Austin Strauss Center (research group)
    • Venable LLP (law firm)
    Currently, ransomware is neither the most widespread form of malware nor the type of cyber-attack that causes the largest financial losses to companies each year. That title goes to BEC scams, according to the FBI.
    Nevertheless, ransomware is still a major threat and one that has been trending up, with ransom demands growing from quarter to quarter.

    “This crime transcends sectors and requires bringing all affected stakeholders to the table to synthesize a clear framework of actionable solutions, which is why IST and our coalition of partners are launching this Task Force for a two-to-three month sprint,” the Institute for Security and Technology said on Monday.
    The Ransomware Task Force website, including full membership details and leadership roles, will be launched next month, in January 2021, followed by a two-to-three month sprint to get the task force off the ground.

  • Microsoft, Google, Cisco, and others file amicus brief in support of Facebook's NSO lawsuit

    Tech giants including Microsoft, Google, Cisco, and VMware today signed an amicus brief in support of Facebook’s lawsuit against the NSO Group, an Israeli company that makes and sells hacking tools to foreign governments.
    Besides those four, the amicus brief was also signed by Microsoft subsidiaries GitHub and LinkedIn, and by the Internet Association, an industry lobby group representing many other tech companies, including Amazon, Twitter, Reddit, Discord, PayPal, eBay, and Uber.

    The amicus brief was filed in a lawsuit Facebook filed against the NSO Group in October 2019.
    At the time, Facebook said the NSO Group developed an exploit against the WhatsApp mobile app that it later sold to its government contractors.
    A subsequent investigation discovered that the exploit was used to install malware on the phones of more than 1,400 WhatsApp users, including attorneys, journalists, human rights activists, political dissidents, diplomats, and other senior foreign government officials.
    Facebook argued that the NSO Group was committing a crime. In the months that followed the initial lawsuit, the NSO Group fought the legal case by arguing that it was merely providing software to its government contractors.
    With today’s amicus brief, the signatories want to show the judge that they stand with Facebook’s position on the matter of third-party-developed hacking tools.

    In a blog post published earlier today explaining its decision to sign the amicus brief [PDF], Microsoft argued that companies like the NSO Group, which are often referred to as cyber mercenaries or PSOAs (private-sector offensive actors), are currently operating in a legal grey area, with no rules.
    Tom Burt, Microsoft’s Corporate Vice President of Customer Security & Trust, says that the NSO Group is trying to establish a dangerous legal precedent in the Facebook case by “attempting to cloak itself in the legal immunity afforded [to] its government customers, which would shield it from accountability when its weapons inflict harm on innocent people and businesses.”
    Burt, along with the other amicus brief signatories, argued that the creation, use, and management of hacking tools should be restricted to governments only, as governments are subject to international laws and diplomatic consequences for their actions that a company like the NSO Group is not.
    “We believe the NSO Group’s business model is dangerous and that such immunity would enable it and other PSOAs to continue their dangerous business without legal rules, responsibilities or repercussions,” Burt said.
    A spokesperson for the NSO Group did not return a request for comment.