More stories


    Ericsson takes a thumping in Mainland China for second quarter

    To look at the headline numbers, Ericsson’s second quarter was steady on the revenue front and saw decent earnings growth. For the quarter ended June 30, the Swedish telco equipment manufacturer reported revenue down 1% to just under SEK55 billion, earnings before interest and tax (EBIT) up 51% to SEK5.8 billion, and net income up by the same percentage to SEK3.9 billion. The worry for the company is its numbers from China, where sales plummeted from SEK4.1 billion last year to SEK1.5 billion. Ericsson said its networks segment was steady, with revenue at SEK40 billion and EBIT growing 65% to SEK8.6 billion; the impact from China on the segment was SEK2 billion. Digital services revenue was down 8% to SEK7.9 billion, but the company said that once adjusted for “comparable units and currency” it was another stable result; China was responsible for SEK0.5 billion of the decline. In EBIT terms, the segment went from a SEK0.7 billion loss in last year’s second quarter to a loss of SEK1.6 billion. “There is a high risk regarding future market share in [core networking] in Mainland China and the company has made a write-down of -SEK0.3 billion for pre-commercial product investments for the Chinese market,” it said. Managed services saw an 8% drop in sales compared to last year, to SEK5.1 billion, while EBIT increased 58% to SEK0.4 billion.

    For the emerging business segment, sales jumped 29% to SEK2.1 billion, while the EBIT loss widened from SEK1 billion to SEK1.7 billion. “EBIT was negatively impacted by -SEK0.8 billion in the quarter, as a result of the Nokia settlement related to the 2019 resolution with the US authorities,” Ericsson said, referring to the 2019 imposition of $1 billion in fines by the US. The company said the increases in sales and margin for the emerging business segment were due to its Cradlepoint acquisition. In May, Ericsson warned it might be collateral damage from strained relations between Stockholm and Beijing after Sweden banned Chinese 5G equipment. “The geopolitical situation can have consequences on the entire industry, with an increased likelihood of further industry split, separation of global value chains, and separation of global standards for mobile telecommunications,” it said at the time. Meanwhile in the Pacific, Telstra confirmed reporting from Nine newspapers in Australia that it was in discussions over potentially picking up Digicel Pacific. “Telstra was initially approached by the Australian government to provide technical advice in relation to Digicel Pacific which is a commercially attractive asset and critical to telecommunications in the region. If Telstra were to proceed with a transaction it would be with financial and strategic risk management support from the government,” the telco said on Monday. “In addition to a significant government funding and support package any investment would also have to be within certain financial parameters with Telstra’s equity investment being the minor portion of the overall transaction. “Digicel Pacific enjoys a strong market position in the South Pacific region generating EBITDA of $235 million in calendar 2020 with a strong margin, as well as extensive network coverage.” It was reported Canberra was turning to Telstra to keep the assets out of Chinese hands. 
    Digicel Pacific has networks in Papua New Guinea, Fiji, Nauru, Samoa, Tonga, and Vanuatu. In 2018, Canberra decided to use around AU$200 million of its foreign aid budget to lock Huawei out of building a subsea cable to the Solomon Islands and Papua New Guinea. Instead of Huawei, Vocus eventually picked up a AU$137 million contract to build the cable.


    Private Internet Access deal: Get two years on up to 10 devices for just $70

    The internet has become such a dangerous place these days that experts are now suggesting users install VPNs on all of their devices, particularly on the machines they use to work from home. The problem is, not all VPNs are created equal, so you need to choose a platform that offers strong protection without requiring you to make inconvenient trade-offs. Private Internet Access VPN fits those criteria, and a two-year subscription is currently on sale for only $69.99, plus you get a $15 store credit.

    Basically, there are three main benefits to using a VPN. First and foremost is security: a VPN encrypts the traffic between your device and the VPN server, so anyone on the same Wi-Fi or in the path to that server cannot read it. The second is privacy: it’s no one’s business what you do online. The third is unlocking content that may not be available in your geographical region. Private Internet Access VPN has you covered for all of those. It has a firewall to block undesirable connections and keeps your data secure with strong encryption. The VPN will also protect your identity and your privacy by masking your IP address, and with it your location. Plus, the MACE feature blocks trackers, ads, and malware domains. Geographically blocked or censored websites, services and apps will be a thing of the past, too, since Private Internet Access VPN has more than 30,000 servers in over 75 countries. Additionally, the platform gets bonus points for two things that are uncommon among VPNs. While other services are notorious for slowing down your internet connection, Private Internet Access VPN offers fast speeds. You also get to use it on up to 10 devices at a time with unlimited bandwidth. It’s no wonder that Private Internet Access VPN is rated 4.5 of 5 stars on Google Play, an even better 4.7 out of 5 stars on the App Store, and that CNET chose it as one of the Best VPN Services of 2021. Don’t pass up this chance to web surf worry-free for two years with this fast, secure, and user-friendly platform. Get a two-year subscription to Private Internet Access VPN today while it’s on sale and includes a $15 store credit for just $69.99.



    Stop Google tracking your location

    keeps is your location data. Doing a Google search or using Google Maps gives the company your location to pinpoint accuracy. Why does Google want this? To serve you more relevant ads and search results, but for some people that is an unacceptable privacy tradeoff.

    Here’s how to stop handing over your location data to Google:

    1. Fire up your browser, and go to Google.com.
    2. Click on your profile pic and sign into your account.
    3. Click on your profile pic followed by Manage your Google Account.
    4. From Privacy & Personalization, select Manage your data & personalization.
    5. Go to Activity controls and select Manage your activity controls.
    6. Go to Web & App Activity and switch the toggle to off.
    7. On the screen that follows (which explains the downsides of turning this feature off), click Pause.

    Phew! That was a long trip!

    But what about all the location data Google has already collected? Pausing the setting only stops new collection; the existing history is still stored. If you want to delete it, here’s how (we have to retrace some of our steps):

    1. Fire up your browser, and go to Google.com.
    2. Click on your profile pic followed by Manage your Google Account.
    3. From Privacy & Personalization, select Manage your data & personalization.
    4. Go to Activity controls and select Location History.
    5. Select Manage activity to go to your Google Timeline.
    6. Click on the settings icon to the left of the button marked Map, and from the pop-up select Delete all Location History.
    7. Confirm that you do indeed want to delete your location data, and click Delete Location History.


    Kaseya victim struggling with decryption after REvil goes dark

    Many victims of the Kaseya ransomware attack are still in the process of recovering, but one victim is facing a particularly difficult issue. Mike Hamilton, former CISO of Seattle and now CISO of ransomware remediation firm Critical Insight, told ZDNet that a customer, who asked not to be named, was one of the few Kaseya victims to pay a ransom to the REvil ransomware group. Hamilton explained that the company paid the ransom and received the decryption keys from REvil, but has found that they aren’t working. REvil typically offers a help desk function that aids victims with getting back their data. But REvil made news this week when all of its websites went dark, causing widespread speculation about why it might have closed shop. Now that REvil has shuttered its operation, the company has been left with few options to address the issue, Hamilton said.


    “Some of our customers got off really easily. If you had that agent installed on unimportant computers, you just rebuilt them and got back to life. But we got a distress call a few days ago from a company that got hit hard because they had a company that was managing a lot of their servers with the Kaseya VSA. They got a lot of their servers hit and had a lot of information on them and so they brought in their insurance company and decided to pay the ransom,” Hamilton said. “They got their decryption key and when they started to use it, they found that in some places it worked and in other places it didn’t. These ransomware gangs have customer support but all of a sudden they went dark. They’re completely gone and so there is no help and these folks are just stuck. They’re going to end up losing a lot of data and they’re going to end up spending a lot of money to completely rebuild their network from scratch.”

    ZDNet contacted multiple cybersecurity experts and companies to see whether other Kaseya victims were facing similar issues. Almost all of those contacted said most victims did not pay ransoms and that they have not seen any other company going through an issue like this. Hamilton said that given the size of the attack — estimates say about 1,500 organizations were affected — there had to be others who paid the ransom but are now struggling to decrypt their files without the help of REvil’s support systems. Recorded Future ransomware expert Allan Liska theorized that REvil was not expecting all of these single-machine infections and was ill-prepared to handle decryptions for each one. Following the attack, there was significant discussion online about whether one decryption key would work for all of the Kaseya victims. Experts said it was entirely possible for REvil to have created separate decryption keys for each victim, but the ransomware group eventually came forward to offer Kaseya a universal decryptor for a $70 million ransom. “My guess is [REvil] has shit decryptor key management so they may not know which key to give out to each individual victim. They may have been handing out the wrong keys to the few $45,000 victims who paid,” Liska said. Hitesh Sheth, CEO at Vectra, said his team has seen descriptions of sophisticated customer support channels run by ransomware bandits, but noted that REvil’s disappearance is more evidence that these groups are “out to make money, not nurse their victims back to strength.” Hamilton said the situation facing the company unable to get its decryptor working “is the result of a well-intended federal policy that caused a lot of collateral damage.” While both US authorities and Russian officials have denied any involvement in REvil’s disappearance, Hamilton said he believes the gang went dark because of how the conversation about ransomware has changed in the US over the last few months. 
    While he does think it’s a possibility that the people behind REvil stopped of their own volition, he said it was more likely that Russian government officials put pressure on REvil due to the increased pressure coming from the Biden administration. “This particular predicament that a lot of companies find themselves in right now is the result of being collateral damage for our federal policy changes. Who knows? This could have been an intentional act on the way out the door. ‘We’re going to do this huge thing and then we’re going to disappear as a final poke in the eye.’ But I’m still going to say that this is the result of our change in policy and how that is affecting Vladimir Putin’s conversation with his intelligence people,” Hamilton said. “It just happened to be timed in such a way that it left a bunch of people high and dry right after this shotgun blast went out. Other companies that are in this particular predicament right now are probably just going to lose data, and they’re going to have to rebuild from scratch, and this may drive some companies out of business.”


    Banks now rely on a few cloud computing giants. That's creating some unexpected new risks

    Banks’ growing reliance on cloud computing could pose a risk to financial stability and will require stricter oversight, according to top executives from the UK’s central bank. In a report focusing on financial stability in the UK over the past few months, the Bank of England drew attention to the increasing adoption of public cloud services, and voiced concerns about those services being provided by only a handful of huge companies that dominate the market. Outsourcing key banking data and services to a small number of cloud service providers (CSPs), said the Bank of England, means that those providers have the power to dictate their own terms, potentially at the expense of the stability of the financial system. 

    For example, cloud providers might fail to open up the inner workings of their systems to third-party scrutiny, meaning that customers cannot know whether the providers are delivering the level of resilience that banking operations require. “As regulators and people concerned with financial stability, as (CSPs) become more integral to the system, we have to get more assurance that they are meeting the level of resilience that we need,” Andrew Bailey, the Bank of England governor, told reporters in a press conference. In recent years, financial institutions have accelerated their plans to scale up their reliance on CSPs. From file sharing and collaboration to fraud detection, through business management and communications, banks have used cloud outsourcing both to run software and access additional processing capacity, and to support IT infrastructure. Until recently, cloud services were used mostly to run applications at the periphery of banking operations, such as HR systems with no direct impact on financial services. According to the Bank of England, however, this is now changing, with CSPs being called in to process operations that are more integral to the core running of banks.  

    “We’ve crossed a further threshold in terms of what sort of systems and what volumes of systems and data are being outsourced to the cloud,” said Sam Woods, the chief executive officer of the Prudential Regulation Authority (PRA). “As you’d expect, we track that quite closely.” Last year, the Bank of England opened bidding for a cloud build partner, with the goal of creating a fit-for-purpose cloud environment that could better support operations in a digital-first environment. At the time, the institution said that it had already been in talks with Microsoft’s Azure, Google Cloud and Amazon’s AWS, and that it would likely be targeting Azure in a first instance. The possibility of adopting a multi-cloud strategy was also raised. There are many benefits to moving financial services to the public cloud. For example, while using old-fashioned, on-premises data centers incurs extra expenses, a recent analysis by the Bank of England estimated that adopting the ready-made services offered by hyperscalers could reduce technology infrastructure costs by up to 50%. Another advantage of public cloud services is that they are more resilient. The sheer scale of CSPs enables them to implement infrastructure that integrates multiple levels of redundancy, and as such, is less vulnerable to failures.  Moving to the cloud, therefore, is not intrinsically detrimental to banking services – quite the contrary. But the main sticking point, according to the regulators, lies in the concentration of major players that dominate the cloud market. According to tech analysis firm Gartner’s latest numbers, the top five cloud providers currently account for 80% of the market, with Amazon holding a 41% share and Azure representing nearly 20% of the market. “As of course a market becomes more concentrated around one supplier or a small number of suppliers, those suppliers can exercise market power around of course the cost but also the terms,” said Bailey.  
    “That is where we do have a concern and do have to look carefully because that concentrated power on terms can manifest itself in the form of secrecy, opacity, not providing customers with the information they need in order to be able to monitor the risk in the service. And we have seen some of that going on.” As Bailey stressed, part of the reason for CSPs to remain secretive comes down to protecting customers, by not opening up key information to potential attackers. But the regulator said that a careful balance has to be maintained on transparency, to enable an appropriate understanding of the risks and resilience of the system without compromising cybersecurity. Leighton James, the CTO of UKCloud, which provides multi-cloud solutions to public sector organizations across the country, explains that these issues are not unprecedented, and it is unsurprising to see them trickle down to financial services. “We’re anxious about cloud providers becoming so big that the terms and conditions are pretty much ‘take it or leave it’. We’ve definitely seen that happening already in the public sector, and we can definitely see it happening in the financial services sector if we are not careful,” James tells ZDNet. According to James, part of the risk stems from traditional banks attempting to compete against new disruptive players in the sector. Financial institutions are now rushing to overhaul their legacy infrastructure and catch up with the digital-native customer experiences that were born in the cloud and are now widely available thanks to fintech companies. “It’s clearly imperative for the financial sector to modernize and adopt digital technologies,” says James. “The question becomes how best they can do that by balancing the risk of digital transformation.” And in this scenario, the risks of placing all of the banks’ eggs in a handful of CSPs’ baskets are too high, argues James.  
    The Bank of England has similarly urged financial institutions to exert caution when developing their digital transformation strategies, and is currently in talks with various regulators to discuss how best to tackle those risks. With cloud concerns widely shared by other nations, especially in the EU, those discussions are likely to become international, and the UK’s central bank predicts that global standards will be created to develop a consistent approach to the issue.


    Artwork Archive cloud storage misconfiguration exposed user data

    Update (July 16, 2021): Artwork Archive told ZDNet it received notice a month or so ago about a single open S3 bucket — a folder where it keeps publicly shareable reports. It addressed it, and after a review by its team, it found no suspicious activity. Artwork Archive said it has also alerted users about this issue. Researchers say a platform used to connect artists and potential buyers leaked the personally identifiable information (PII) of users. 

    On Friday, the WizCase team, led by Ata Hakçıl, said that a misconfigured Amazon S3 bucket belonging to Artwork Archive exposed over 200,000 files. Based in Denver, Colorado, Artwork Archive is marketed as a platform to “give artists, collectors, and organizations a better way to manage their art.” Software is offered on a subscription basis to manage both the purchase and sale of artwork. The security researchers discovered the bucket, which did not require any authentication to access, on May 23. In total, 421GB of data was exposed. Dating back to August 2015, the records related to over 7,000 artists, collectors, and galleries, and “potentially their customers, too,” according to WizCase. Data available to view included full names, physical addresses, and email addresses. Purchase details, too, were exposed: WizCase found approximately 9,000 invoices, including the price of artwork and sales agreements, alongside revenue reports.

    In addition, “exported contacts” were stored in the bucket, containing full names, phone numbers, email addresses, city and country, and company affiliations of individuals. “These were usually contacts an artist added to Artwork Archive via their contact management feature and included art institutions, individual artists, art collectors, friends, and family,” the researchers say. Finally, WizCase discovered inventory reports which listed artwork owned by “specific artists, buyers, and galleries.” Artwork Archive was made aware of the security issue on May 23 and secured the storage system three days later, on May 26. ZDNet has reached out to Artwork Archive, and we will update when we hear back.
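    A bucket that “did not require any authentication to access” is public in one of two ways: a bucket policy that grants read to an anonymous principal, or an ACL grant to the AllUsers / AuthenticatedUsers groups. The check below is an added example, not code from WizCase or Artwork Archive: it evaluates a bucket policy document and an ACL grant list in the shape the AWS API returns them, and honours the two Block Public Access flags that override them. The policy, ACL and bucket name are constructed for the example; the Condition handling is a deliberate simplification noted in the code.

```python
"""Offline check: would this S3 bucket configuration be readable by anyone?

Added example (not Artwork Archive's or WizCase's code). The inputs mirror
what `aws s3api get-bucket-policy`, `get-bucket-acl` and
`get-public-access-block` return, but nothing is fetched from AWS.
"""

# Group URIs AWS uses in ACLs for "everyone" and "any AWS account".
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
READ_ACTIONS = ("s3:getobject", "s3:listbucket")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anonymous(principal):
    """'*' and {"AWS": "*"} both mean 'anyone, unauthenticated'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _action_allows_read(action):
    a = action.lower()
    if a == "*":
        return True
    if a.endswith("*"):                       # s3:*, s3:Get*, ...
        return any(r.startswith(a[:-1]) for r in READ_ACTIONS)
    return a in READ_ACTIONS


def public_policy_statements(policy):
    """Sids of Allow statements that let an anonymous principal read.

    Simplification: any statement with a Condition block is skipped. Some
    conditions (e.g. aws:SecureTransport) do not limit *who* can read, so a
    real audit must inspect them rather than trust this shortcut.
    """
    hits = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not _principal_is_anonymous(stmt.get("Principal")):
            continue
        if any(_action_allows_read(a) for a in _as_list(stmt.get("Action", []))):
            hits.append(stmt.get("Sid", "<no Sid>"))
    return hits


def public_acl_grants(grants):
    """(group, permission) pairs granted to AllUsers or AuthenticatedUsers."""
    hits = []
    for g in grants:
        grantee = g.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in (ALL_USERS, AUTH_USERS):
            hits.append((grantee["URI"].rsplit("/", 1)[-1], g.get("Permission")))
    return hits


def assess_bucket(policy, grants, block_public_access):
    """Findings that survive the account/bucket Block Public Access settings.

    RestrictPublicBuckets confines a public policy to the owning account, and
    IgnorePublicAcls makes S3 ignore public ACL grants, so each finding is
    only reported when its override is off.
    """
    findings = []
    if not block_public_access.get("RestrictPublicBuckets", False):
        for sid in public_policy_statements(policy):
            findings.append(f"policy statement {sid} allows anonymous read")
    if not block_public_access.get("IgnorePublicAcls", False):
        for group, perm in public_acl_grants(grants):
            findings.append(f"ACL grants {perm} to {group}")
    return findings


# Constructed sample configurations (bucket name and account ID are made up).
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicReports", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-art-reports/*"}]}
OPEN_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]

HARDENED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "PublisherOnly", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/ReportPublisher"},
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::example-art-reports/*"}]}
PRIVATE_ACL = [{"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"}]

BPA_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
NO_BPA = {k: False for k in BPA_KEYS}
FULL_BPA = {k: True for k in BPA_KEYS}

if __name__ == "__main__":
    for label, cfg in (("open", (OPEN_POLICY, OPEN_ACL, NO_BPA)),
                       ("hardened", (HARDENED_POLICY, PRIVATE_ACL, NO_BPA)),
                       ("open but BPA on", (OPEN_POLICY, OPEN_ACL, FULL_BPA))):
        print(label, "->", assess_bucket(*cfg) or "no public access")
```

    The hardened policy keeps the “publicly shareable reports” use case by granting a named role rather than `*`; anyone who needs a report link then gets a presigned URL minted by that role instead of an anonymous bucket. Turning on all four Block Public Access flags is the backstop that makes a later mistaken `Principal: "*"` harmless.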


    Toddler mobile banking malware surges across Europe

    Researchers have provided a deep dive into Toddler, a new Android banking Trojan that is surging across Europe. 

    In a report shared with ZDNet, the PRODAFT Threat Intelligence (PTI) team said that the malware, also known as TeaBot/Anatsa, is part of a rising trend of mobile banking malware attacking countries including Spain, Germany, Switzerland, and the Netherlands. Toddler was first disclosed by Cleafy following its discovery in January. While still under active development, the mobile Trojan has been used in attacks against the customers of 60 European banks. In June, Bitdefender said that Spain and Italy were infection hotspots, although the UK, France, Belgium, Australia, and the Netherlands were also being targeted. According to PTI’s analysis of the malware this year, Spain has the highest number of infections. So far, at least 7,632 mobile devices have been infected. After infiltrating a command-and-control (C2) server used by the Trojan’s operators, the researchers also found over 1,000 sets of stolen banking credentials. Although researchers from multiple organizations have tracked Toddler to malicious .APK files and Android apps, infection vectors vary. While the Trojan has not, as of now, been found on Google Play, numerous legitimate websites have been compromised to host and serve the malware.  

    While Toddler is pre-configured to target the users of “dozens” of banks across Europe, PRODAFT has found that 100% of infections detected so far relate to only 18 financial organizations. Five of those accounted for close to 90% of attacks, which the team believes may indicate a successful SMS-based phishing campaign. Toddler is run-of-the-mill Trojan software in many ways. It contains the functions you would typically expect: the ability to steal data, including banking details, keylogging, taking screenshots, intercepting two-factor authentication (2FA) codes, SMS interception, and connecting to a C2 to transfer information, accept commands, and link the infected device to a botnet. The Trojan uses overlay attacks to dupe victims into submitting their bank credentials by displaying fake login screens. Upon installation, the malware monitors which legitimate apps are being opened, and once target software is launched, the overlay attack begins. “Toddler downloads the specially-crafted login page for the opened target application from its C2,” PRODAFT noted. “The downloaded webview phishing page is then laid over the target application. The user suspects nothing because this event happens almost instantaneously when the legitimate application is opened.” The malware will also attempt to steal other account records, such as those used to access cryptocurrency wallets. The C2’s command list includes activating an infected device’s screen, prompting permission requests, changing volume levels, attempting to grab codes from Google Authenticator via Accessibility, and uninstalling apps. The level of persistence this Trojan is able to maintain is unusual. Toddler contains multiple persistence mechanisms, the most notable of which is preventing an infected device from being rebooted by abusing Accessibility functions. Toddler can also prevent a handset from being used in safe mode. 
    “Toddler sets a new precedent for persistence module implementation,” the researchers say. “Removal of the malware from the device requires huge technical expertise, and it looks like the process will not get easier in the future.”
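    Everything the text describes (overlays over a legitimate app, reading 2FA codes out of Google Authenticator, blocking the reboot dialog) is gated on declarations in the APK’s manifest: `SYSTEM_ALERT_WINDOW` for overlays, SMS permissions for code interception, and an Accessibility service for screen reading and input injection. The script below is an added example, not PRODAFT’s or Cleafy’s tooling: it triages a decoded `AndroidManifest.xml` (as produced by apktool, an assumption about your toolchain) and scores the banker-style combination. The permission weights, the package names and both manifests are constructed for illustration; a legitimate screen reader also declares an Accessibility service, so the output is a triage score, not a verdict.

```python
"""Score a decoded AndroidManifest.xml for banking-trojan capabilities.

Added example, not code from the PRODAFT/Cleafy reports. Input is the
text-XML manifest you get after decoding an APK (e.g. with apktool).
"""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"   # manifest namespace
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"

# Permission -> (capability it grants, weight). Weights are an assumption
# chosen for this example, not a published scoring scheme.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": ("draw overlays over other apps (fake login screens)", 3),
    "android.permission.RECEIVE_SMS": ("intercept incoming SMS / 2FA codes", 3),
    "android.permission.READ_SMS": ("read stored SMS", 2),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("sideload further APKs", 2),
    "android.permission.RECEIVE_BOOT_COMPLETED": ("restart after reboot", 1),
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": ("stay resident", 1),
}
ACCESSIBILITY_WEIGHT = 4
COMBO_BONUS = 3   # overlay + accessibility together is the banker signature


def triage_manifest(xml_text):
    root = ET.fromstring(xml_text)
    findings, score = [], 0
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}

    for name, (why, weight) in RISKY_PERMISSIONS.items():
        if name in perms:
            findings.append(f"{name.rsplit('.', 1)[-1]}: {why}")
            score += weight

    has_accessibility = False
    for svc in root.iter("service"):
        actions = {a.get(ANDROID + "name") for a in svc.iter("action")}
        if ACCESSIBILITY_ACTION in actions:
            has_accessibility = True
            findings.append(f"accessibility service {svc.get(ANDROID + 'name')}: "
                            "can read the screen, inject input, dismiss reboot/uninstall dialogs")
            score += ACCESSIBILITY_WEIGHT

    if has_accessibility and "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        findings.append("overlay + accessibility combination (typical of Android bankers)")
        score += COMBO_BONUS

    verdict = "high" if score >= 8 else "review" if score >= 3 else "low"
    return {"package": root.get("package"), "score": score,
            "verdict": verdict, "findings": findings}


# Constructed manifests (package names invented for the example).
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

DROPPER_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.carrierupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <service android:name=".a11y.Svc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for m in (BENIGN_MANIFEST, DROPPER_MANIFEST):
        r = triage_manifest(m)
        print(f"{r['package']}: {r['verdict']} ({r['score']})")
        for f in r["findings"]:
            print("  -", f)
```

    On a real sample the next step is to compare the Accessibility service’s declared event types against what the app plausibly needs; an app that asks for overlays, SMS and Accessibility while advertising itself as a delivery or carrier update is the pattern the SMS-phishing campaigns in the report rely on.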


    Chinese APT LuminousMoth abuses Zoom brand to target gov't agencies

    A Chinese advanced persistent threat (APT) group is spreading fake Zoom software to spy on targets in South East Asia. 

    The group, dubbed LuminousMoth by Kaspersky, is focused on cyberespionage and the theft of information from high-profile targets. Dating back to at least October 2020, roughly 100 victims have been detected in Myanmar, and close to 1,400 have been recorded in the Philippines. However, these infection rates may not tell the whole story, as the researchers believe that only a small subset of these victims was of interest to the APT and was exploited further. LuminousMoth’s true targets are government agencies in both of these countries and abroad. According to the researchers, the high initial rate of infection may be due to LuminousMoth’s initial attack vector and spreading mechanism, which are “noisy” and unusual for an APT to adopt. The APT begins by sending spear-phishing emails that contain Dropbox download links to a .RAR archive named with political or COVID-19 themes. The archive contains two malicious .DLL files, which then pull and deploy malicious executables on the infected system. Once this stage of infection has been completed, LuminousMoth downloads a Cobalt Strike beacon and side-loads two malicious libraries designed to establish persistence and to copy the malware onto any removable storage drive connected to the victim system.

    In cases noted by Kaspersky, the threat actors then deployed a fake Zoom app; the real Zoom, alongside Microsoft Teams and others, has become a lifeline for many businesses forced to go remote during the COVID-19 pandemic. The fake software, signed by an organization in Shanghai, is actually used to exfiltrate files of interest to LuminousMoth: any file found with one of a set of pre-defined extensions is copied and transferred to a command-and-control (C2) server. LuminousMoth also looks for cookies and credentials, including those used for Gmail accounts. “During our test, we set up a Gmail account and were able to duplicate our Gmail session by using the stolen cookies,” Kaspersky says. “We can therefore conclude this post-exploitation tool is dedicated to hijacking and impersonating the Gmail sessions of the targets.” The APT’s activities also appear to overlap with HoneyMyte/Mustang Panda, another Chinese-speaking group, linked to an attack against the office of Myanmar’s president. LuminousMoth and HoneyMyte have adopted similar tactics during campaigns, including C2 overlaps, .DLL side-loading, the deployment of Cobalt Strike beacons, and similar cookie-stealing functionality. “Both groups, whether related or not, have conducted activity of the same nature — large-scale attacks that affect a wide perimeter of targets with the aim of hitting a few that are of interest,” the researchers say.
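    Two of the behaviours described above are cheap to hunt for in endpoint telemetry: a signed-looking executable in a user-writable directory loading a DLL of a name that normally lives in System32 (the side-loading step), and a process writing executables onto removable media (the spreading step). The script below is an added example written for this page, not Kaspersky’s detection logic: it runs two such heuristics over constructed Sysmon-style events (event ID 7 = image load, 11 = file create). The `DriveType` field is an assumed enrichment, since Sysmon itself does not label removable drives, and the list of commonly side-loaded DLL names is an illustrative assumption rather than an exhaustive one.

```python
"""Hunt two LuminousMoth-style behaviours in Sysmon-like events.

Added example for this page (not Kaspersky's code). Events are constructed
dicts; in practice they would come from a SIEM query over Sysmon EIDs 7 and 11.
"""
import ntpath   # Windows path semantics regardless of the host OS

# DLL names that legitimately live in System32 and are frequently abused for
# side-loading. Assumption for this example; extend from your own telemetry.
SIDELOAD_DLLS = {"version.dll", "wtsapi32.dll", "dbghelp.dll", "userenv.dll", "dwmapi.dll"}
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SPREAD_EXTS = {".exe", ".dll", ".lnk"}


def _user_writable(path):
    """True for paths under a user profile and outside the OS/program dirs."""
    p = path.lower()
    return p.startswith("c:\\users\\") and not p.startswith(SYSTEM_DIRS)


def detect_sideload(ev):
    """EID 7: an executable in a user-writable dir loads a 'system' DLL
    from its own directory instead of from System32."""
    if ev.get("EventId") != 7:
        return None
    exe, dll = ev["Image"], ev["ImageLoaded"]
    same_dir = ntpath.dirname(exe).lower() == ntpath.dirname(dll).lower()
    if same_dir and _user_writable(exe) and ntpath.basename(dll).lower() in SIDELOAD_DLLS:
        return (f"possible side-load: {ntpath.basename(exe)} loaded "
                f"{ntpath.basename(dll)} from {ntpath.dirname(exe)}")
    return None


def detect_removable_write(ev):
    """EID 11: an executable artefact is written to removable media."""
    if ev.get("EventId") != 11 or ev.get("DriveType") != "removable":
        return None
    if ntpath.splitext(ev["TargetFilename"])[1].lower() in SPREAD_EXTS:
        return (f"executable written to removable media: "
                f"{ntpath.basename(ev['Image'])} -> {ev['TargetFilename']}")
    return None


RULES = (detect_sideload, detect_removable_write)


def hunt(events):
    """Return every rule hit, in event order."""
    return [hit for ev in events for hit in (r(ev) for r in RULES) if hit]


# Constructed sample events (usernames, file names and drive letters invented).
EVENTS = [
    {"EventId": 7, "Image": r"C:\Users\analyst\Downloads\Covid_Brief\Covid_Brief.exe",
     "ImageLoaded": r"C:\Users\analyst\Downloads\Covid_Brief\version.dll"},
    {"EventId": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},            # normal load
    {"EventId": 7, "Image": r"C:\Users\analyst\AppData\Local\Programs\Editor\editor.exe",
     "ImageLoaded": r"C:\Users\analyst\AppData\Local\Programs\Editor\plugin.dll"},  # app's own DLL
    {"EventId": 11, "Image": r"C:\Users\analyst\Downloads\Covid_Brief\Covid_Brief.exe",
     "TargetFilename": r"E:\Covid_Brief.exe", "DriveType": "removable"},
    {"EventId": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"E:\report.docx", "DriveType": "removable"},  # user copying a document
]

if __name__ == "__main__":
    for line in hunt(EVENTS):
        print(line)
```

    Both rules will fire on some legitimate software (portable apps that ship their own `version.dll`, users copying installers to a USB stick), so in practice they are scored together: the same image appearing in a side-load hit and a removable-media write within minutes is the combination worth paging on.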