More stories

  • Largest ransomware demand now stands at $30 million as crooks get bolder

    Ransomware shows no sign of slowing down, as the average ransom paid to cyber criminals by organisations that fall victim to these attacks has nearly tripled over the last year.

    Cybersecurity researchers at Palo Alto Networks analysed ransomware attacks targeting organisations across North America and Europe and found that the average ransom paid in exchange for a decryption key to unlock encrypted networks rose from $115,123 in 2019 to $312,493 in 2020. That represents a 171 per cent year-over-year increase, allowing cyber criminals to make more money than ever before from ransomware attacks.

    Ransomware remains an effective tool for cyber criminals because many organisations remain poorly equipped to deal with the threat, leading many victims to give in to extortion demands and pay a Bitcoin ransom in the hope they’ll get the decryption key required to restore their network.

    This has been helped along by the rise of additional extortion tactics, such as cyber criminals both encrypting and stealing data, then threatening to publish the stolen information if the ransom isn’t paid. In some cases, this leads organisations that could restore the network without paying the ransom to give in to the blackmail and pay up anyway.

    The continued success of attacks has led to some ransomware gangs becoming extremely bold with demands – and it’s paying off. Before 2020, the highest ransom demand paid to cyber criminals stood at $5 million, but during the last year that has doubled, with data in the report suggesting that one victim paid a ransom of $10 million to cyber criminals following a ransomware attack.

    The highest attempted ransom demand during 2020 stood at $30 million – double the previous highest attempted demand of $15 million in previous years.

    And given the continued success of ransomware attacks – and the emergence of successful new variants of ransomware and easy-to-use ransomware-as-a-service schemes – it’s unlikely that cyber criminals will slow down any time soon.

    “Ransomware is one of the top threats in cybersecurity,” said John Davis, vice president of public sector at Palo Alto Networks.

    “Organizations around the world are being held hostage by ransomware, and many are being forced to pay cybercriminals because they’re not equipped to combat the threat for varying reasons, from a lack of recoverable backups to the cost of downtime outweighing the cost of paying the ransom,” he added.

    Ransomware groups including Ryuk, Egregor, DoppelPaymer and many others continue to plague organisations around the world in 2021, but with the right cybersecurity strategy it’s possible to defend against attacks.

    Phishing emails remain a common means for cyber criminals to infiltrate networks, so researchers recommend that employees receive training to identify threats.

    It’s also recommended that remote desktop services be secured with strong passwords and multi-factor authentication to protect against brute-force attacks, and that security patches be applied to stop attackers taking advantage of known vulnerabilities.

    Organisations should also regularly store backups of the network – and do so somewhere offline – so that if the worst happens and hackers do issue a ransom demand, the network can be restored without lining cyber criminals’ pockets.

  • Microsoft Exchange Server: These quarterly updates include fixes for security flaws

    Microsoft has released its March 2021 quarterly cumulative updates for Exchange Server 2016 and Exchange Server 2019, which include the security updates that address critical flaws currently under attack. These are notable cumulative updates (CUs) because customers with on-premises Exchange Server software should already be installing the separate security updates that Microsoft released on March 2.

    Exchange attacks

    Microsoft released the emergency patches in response to four previously unknown vulnerabilities that were being exploited by state-sponsored hackers and have since been pounced on by ransomware attackers.

    US federal government agencies have been put on notice to patch the Exchange flaws immediately amid a spike in attacks on government email servers. The UK’s National Cyber Security Centre (NCSC) has also raised an alarm over an estimated 3,000 Exchange servers that lack Microsoft’s latest patches. Here’s ZDNet’s roundup of the Exchange flaws and recent attacks.

    But now Exchange Server 2016 and Exchange Server 2019 customers have another way of patching the flaws: installing the latest quarterly cumulative updates (CUs) from Microsoft, which is the most complete mitigation available.

    “We wanted to highlight that these latest CUs contain the fixes that were previously released as Exchange Server Security Updates on March 2, 2021. This means you don’t have to install the March 2021 Security Updates after installing the March 2021 CUs,” Microsoft’s Exchange team noted.

    Microsoft has separately published more information for security teams responding to the Exchange Server bugs CVE-2021-26855, CVE-2021-26858, CVE-2021-26857, and CVE-2021-27065.

    Attackers are using the flaws to remotely compromise Exchange servers and then install “web shells” to maintain persistence on compromised machines. Hence, Microsoft warns there is more cleaning up to do on a compromised on-premises Exchange server even after applying the security updates.

    “Applying the March 2021 Exchange Server Security Updates is critical to prevent (re)infection, but it will not evict an adversary who has already compromised your server,” Microsoft emphasizes in its advisory for incident response teams.

    “The best, most complete mitigation is to get to a current Cumulative Update and apply all Security Updates. This is the recommended solution providing the strongest protection against compromise,” Microsoft highlights in its advice for incident response teams handling Exchange Server software that isn’t on supported CUs.

    Microsoft also offers details for isolating an affected Exchange Server from the public internet until the security patches or the March 2021 CUs have been rolled out. Admins can do this by blocking inbound connections over port 443.

    However, this route could break Exchange Server as a tool for supporting remote workers. Blocking inbound connections on port 443 “could inhibit work-from-home or other non-VPN remote work scenarios and does not protect against adversaries who may already be present in your internal network,” Microsoft warns.

    The advisory also highlights scripts included in the Exchange On-premises Mitigation Tool (EOMT) that Microsoft published on its code-sharing site GitHub. Security teams can use these to check for the presence of web shells on Exchange servers. The other option is to enable Microsoft Defender for Endpoint. “If Microsoft Defender for Endpoint is not running, skip directly to the publicly available tools section. If it is running, we recommend that you follow both methods,” Microsoft notes. The advisory contains step-by-step instructions for investigating each of the four vulnerabilities.

    Reflecting the severity of this security issue, Microsoft is now offering commercial customers using on-premises Exchange Server a three-month trial of Microsoft Defender for Endpoint.

    “Microsoft is making publicly available a 90-day Microsoft Defender for Endpoint trial offer exclusively to support commercial on-premises Exchange Server customers that require continuous investigation and additional post-compromise security event detection beyond what Microsoft Safety Scanner (MSERT) offers,” says Microsoft.

  • ‘Bit-Con’ Twitter teen hacker accepts plea agreement, three years behind bars

    The teenager responsible for breaking into high-profile Twitter accounts to peddle a cryptocurrency scam has reached a plea agreement with prosecutors. 

    Graham Ivan Clark, who was 17 at the time of his arrest, pled guilty for his role in the scam and will spend three years in prison followed by a further three years of probation.

    Taking place in July 2020, the incident saw Twitter accounts belonging to Bill Gates, Elon Musk, Joe Biden, Barack Obama, Uber, and Apple, among others, hijacked and used to send promotional tweets for a cryptocurrency scam. Followers were asked to send Bitcoin (BTC) and were promised a higher return for their participation. However, those responsible kept the proceeds.

    Clark has been described as the “young mastermind” of the “Bit-Con” scam, in which two others — Mason Sheppard and Nima Fazeli — were also indicted and charged for participating.

    While the scam was short-lived, hundreds of transactions were still made. Clark was able to secure Bitcoin worth over $117,000 as of July 15, 2020.

    Twitter temporarily stopped verified accounts from tweeting while the hijacking was investigated. Internal Twitter tools were used to obtain access to the accounts.

    The Tampa, Florida resident was arrested in the same month and has since spent 7.5 months behind bars, a period of time which will be applied to his sentence.

    Clark was charged with counts of organized fraud, communications fraud, the fraudulent use of personal information, and access to a computer or electronic device without authorization. As of now, Clark is 18 years old, and due to his age at the time of prosecution, he has been charged under the Florida Youthful Offender Act. As a result, Clark will spend his time in a juvenile facility, but if he violates his probation afterward, he faces at least a decade in an adult prison.

    Clark has since turned over all of the cryptocurrency he acquired. It is hoped the stolen BTC can be returned to its owners, according to federal investigators.

    “He took over the accounts of famous people, but the money he stole came from regular, hard-working people,” commented Hillsborough State Attorney Andrew Warren. “Graham Clark needs to be held accountable for that crime, and other potential scammers out there need to see the consequences. In this case, we’ve been able to deliver those consequences while recognizing that our goal with any child, whenever possible, is to have them learn their lesson without destroying their future.”

  • Coalition raises $175 million to boost cyber insurance offerings

    Coalition has raised $175 million from investors to expand the firm’s team and cyber insurance product portfolio. 

    Announced on Wednesday, the San Francisco-headquartered company said the latest funding round was led by Index Ventures. Existing investors include General Atlantic, Ribbit Capital, Vy Capital, and Valor Equity Partners. Coalition says the latest cash injection now brings the value of the company to $1.75 billion. Previously, Coalition had raised $140 million through Series A – C funding rounds.

    Founded in 2017, Coalition primarily serves US and Canadian companies by offering up to $15 million in cyber insurance to cover cyberattacks, data breaches, and other security incidents. Policies can be taken out to include actual financial loss and stolen funds, incident response, lost business income, extortion, and even “reputational repair” — a common factor when a company is viewed poorly for either becoming a victim of or responding badly to a data breach.

    Coalition intends to use the new funding to invest in insurance innovation, the creation of new product lines that tackle problems “not well covered by standard business insurance policies” in the enterprise sector, and to enter new international markets.

    To date, the company caters to over 42,000 customers worldwide. Insurers Swiss Re and Arch Insurance have agreed to long-term capacity commitments.

    In 2019, Coalition completed the acquisition of BinaryEdge, a search engine platform for finding internet-facing and exposed devices. The firm’s technology was integrated into Coalition services to alert customers to their exposed — and potentially vulnerable — devices and servers.

  • FBI warns of rise in PYSA ransomware operators targeting US, UK schools

    The FBI has warned of a surge in attacks against schools in which ransomware operators are stealing data to pile on the pressure for payment. 

    In a joint FBI and DHS-CISA flash industry alert (.PDF) this week, law enforcement said a recent increase in attacks leveraging PYSA ransomware, also known as Mespinoza, has been traced to both US and UK educational institutions.

    “The unidentified cyber actors have specifically targeted higher education, K-12 schools, and seminaries,” the alert reads. “These actors use PYSA to exfiltrate data from victims prior to encrypting victim’s systems to use as leverage in eliciting ransom payments.”

    First spotted in 2019, PYSA ransomware encrypts compromised systems using the extensions .locked or .pysa and has been linked to Ransomware-as-a-Service (RaaS) offerings. Phishing emails, social engineering, and the compromise of Remote Desktop Protocol (RDP) credentials through theft or brute-force are some of the tactics used to gain initial entry into a target system.

    In the same way as REvil and Netwalker ransomware operators, among many others, PYSA users may steal data from their victims ahead of encryption and then threaten to publish it on leak sites unless ransom demands are met.

    “Since March 2020, the FBI has become aware of PYSA ransomware attacks against US and foreign government entities, educational institutions, private companies, and the healthcare sector,” law enforcement added.

    In March last year, France’s CERT team warned that local government entities were being targeted by PYSA operators.

    Earlier this month, the K12 Security Information Exchange and K-12 Cybersecurity Resource Center published a study on the state of cybersecurity in US schools. The research says that 2020 was a “record-breaking” year for cybersecurity incidents including data breaches, infrastructure compromise, and now — due to COVID-19 — the disruption of online learning by way of Zoombombing, as well as outright school closures caused by impacted record systems.

    According to the report, there are “significant gaps and critical failures in the resiliency and security of the K-12 educational technology ecosystem.”

  • Recorded Future acquires Gemini Advisory in $52 million deal

    Recorded Future has acquired Gemini Advisory in a deal worth $52 million.

    Announced on Tuesday, the enterprise security intelligence provider said the purchase has been secured and agreed upon through both cash and equity.

    Founded in 2009 and based in Massachusetts, Recorded Future works with over 1,000 corporate clients and government entities to provide threat intelligence through automated data collection and analytics. Gemini Advisory, however, focuses on fraud and activities on the Dark web. Services include brand monitoring, cybercriminal activity alerts, access to compromised datasets discovered in the web’s underbelly, and consultancy on the development of mitigation procedures when stolen records and credentials appear online.

    “Recorded Future and Gemini Advisory will offer organizations the most comprehensive intelligence platform, giving organizations a critical edge with the visibility to act at the speed of the adversary to mitigate cyber risk and fraud,” the companies say.

    Once the acquisition has been finalized, it is intended that Gemini Advisory will continue to operate independently under the Recorded Future umbrella.

    Recorded Future was itself acquired by Insight Partners in 2019, which secured a controlling interest in the company to bump up an existing minority stake. The all-cash deal valued Recorded Future at $780 million.


  • House passes Online Safety Act as Senate opposes 'big tech' influence committee

    The Australian House of Representatives has agreed to the country’s new Online Safety Act, which would hand the eSafety Commissioner powers to order the removal of material that seriously harms adults and hold platforms accountable to a set of yet-to-be-determined basic online safety expectations.

    During a debate on the Bill on Tuesday, the federal opposition agreed with testimony from tech companies and civil liberties groups that the legislation was “rushed”.

    “We are concerned about a number of aspects of these Bills … firstly, there is the government’s delay and mismanagement of the process of getting a Bill for a new Online Safety Act before the Parliament here today, which has substantive consequences,” Shadow Assistant Minister for Cyber Security Tim Watts said.

    “Secondly, there is the government’s inability, after all of this time, to address key stakeholder concerns about serious, important, and legitimate issues enlivened by these Bills.”

    Labor, however, offered overall support for the Bill, with Watts highlighting that his party is expecting “further changes” to address its concerns.

    “The safety of Australians online is of real importance, and Labor will work with the government to iron out these concerns in these Bills in time for the debate on this Bill in the Senate,” he said. “But, in the meantime, Labor will not oppose these Bills in the House of Representatives, and we will support passage through this place on the understanding that government amendments will be forthcoming.

    “We have been in good-faith conversations with the government, and we expect those good-faith conversations to result in further changes.”

    The Online Safety Bill 2021 contains six key priority areas: a cyberbullying scheme to remove material that is harmful to children; an adult cyber abuse scheme to remove material that seriously harms adults; an image-based abuse scheme to remove intimate images that have been shared without consent; basic online safety expectations for the eSafety Commissioner to hold services accountable; an online content scheme for the removal of “harmful” material through take-down powers; and an abhorrent violent material blocking scheme to block websites hosting abhorrent violent material.

    Waved through simultaneously, the Online Safety (Transitional Provisions and Consequential Amendments) Bill 2021 repeals the Enhancing Online Safety Act 2015 upon commencement of the new Online Safety Act.

    The Australian Greens said it opposed the Bill because it believed the legislation was poorly drafted and could lead to widespread, unintended consequences. Among other things, the party said it was concerned that people opposed to sex work, pornography, and sexual health for LGBTIQ+ people could abuse the complaints process to seek to have lawful online adult content removed.

    “If we had some basic digital rights enshrined in this country, then you could have a sensible debate about things like what the government is proposing, because people would know that their rights were protected,” Greens leader Adam Bandt said. “But at the moment we can’t know that.

    “Why does the government want to go beyond the stated intent and name of the Bill and start regulating, in an unacceptable way, what adults are able to do online? It is part of creeping moves to exercise greater power over our freedoms and responsibilities, and that’s why in its current form, unless it’s withdrawn and redrafted, the Bill cannot be supported.”

    Over in the Senate, Liberal Senator Alex Antic has failed to have his motion to stand up a Select Committee on Big Tech Influence in Australia passed, with a 32-32 vote.

    The committee proposed by Antic would have been charged with inquiring into, and reporting on, activity by major international and domestic technology companies. Specifically, the senator wanted the committee to look into big tech’s management of disinformation, misinformation, and malinformation, including “shadow banning”, “de-platforming”, “no platforming”, and “demonetisation”; fake accounts and bots that engage in online campaigns; terms of service of their platforms, including user privacy settings and use of user data by the companies and third parties; and the extent of compliance with Australian laws.

    Labor Senator Katy Gallagher said the opposition was not in support of the committee due to the government’s own declaration that there are already too many select committees. Similarly, the Australian Greens withheld its support.

    “There is no doubt that we do need an inquiry into the influence of big tech in this country, particularly its impact on our democracy and our media and the way that big tech has allowed for the proliferation of far-right extremism on digital platforms in Australia,” Greens deputy leader Senator Nick McKim said.

    “However, this motion contains language which concerns the Greens. It is language which is used overwhelmingly by the far right, including terms like shadowbanning and deplatforming. While we won’t be supporting this motion today, we do remain open minded and of the view that we need to have a look at some of the impacts of the big tech sector.”

  • CrowdStrike in Q4 posts record number of new subscription customers

    CrowdStrike published fourth quarter financial results on Tuesday, after adding a record number of net new subscription customers in the quarter. The cybersecurity firm added 1,480 net new subscription customers in the quarter, helping it beat market expectations. Its annual recurring revenue (ARR) surpassed the $1 billion milestone.

    Looking at the top and bottom line: CrowdStrike’s total revenue was $264.9 million, a 74 percent increase year-over-year. Non-GAAP net income was $31.6 million, or 13 cents per share. Analysts were expecting earnings of 8 cents per share on revenue of $250.44 million.

    “Our go-to-market engine has gained incredible momentum with both marquee enterprises and small businesses alike as we expand our partner ecosystem and leverage our frictionless sales motion and leading technology to deliver immediate value to our customers,” CrowdStrike co-founder and CEO George Kurtz said in a statement. “Combined with strong secular tailwinds, including digital transformation and an unprecedented threat environment, and our expanding technology portfolio, which now includes leading index-free data ingestion capabilities, we believe we are in an ideal position to further extend our leadership in the Security Cloud category we pioneered.”

    Subscription revenue in Q4 was $244.7 million, a 77 percent increase year-over-year. ARR increased 75 percent year-over-year and grew to $1.05 billion as of January 31. Of that, $142.7 million was net new ARR added in the quarter.

    For the full fiscal 2021, non-GAAP net income was $62.6 million, or 27 cents per share. Total revenue was $874.4 million, an 82 percent increase. Subscription revenue was $804.7 million, an 84 percent increase.

    With its additional 1,480 new subscription customers, CrowdStrike’s total subscription customers as of January 31 came to 9,896, representing 82 percent growth year-over-year.

    CrowdStrike’s subscription customers that have adopted four or more modules, five or more modules, and six or more modules increased to 63 percent, 47 percent, and 24 percent, respectively, as of January 31.

    For the first quarter, CrowdStrike expects revenue in the range of $287.8 million to $292.1 million.
