More stories

    Airlines warn passengers of data breach after aviation tech supplier is hit by cyberattack

    Global aviation industry IT supplier SITA has confirmed it has fallen victim to a cyberattack, with hackers gaining access to personal information of airline passengers.
    The information technology and communications company, which claims to serve around 90% of the world’s airlines, said that a cyberattack on February 24, 2021 led to a “data security incident” involving passenger data that was stored on SITA Passenger Service System Inc. servers located in Atlanta, Georgia in the United States.

    A statement by SITA describes the incident as a “highly sophisticated attack” and said that the company “acted swiftly” to contain the incident, which still remains under investigation by SITA’s Security Incident Response Team, alongside external cybersecurity experts.
    “We recognize that the COVID-19 pandemic has raised concerns about security threats, and, at the same time, cyber criminals have become more sophisticated and active,” said the SITA statement.
    Star Alliance airlines including Singapore Airlines, New Zealand Air and Lufthansa have warned passengers about the SITA data breach, while some One World airlines including Malaysia Airlines, Finnair, Japan Airlines and Cathay Pacific have also informed passengers about the cyberattack. South Korean airline JeJu Air has emailed passengers about the incident.
    While SITA hasn’t confirmed the exact nature of the information that has been accessed by hackers, a spokesperson told ZDNet that “it does include some personal data of airline passengers”.

    Some airlines have detailed what information was accessed in the attack, stating that frequent flyer data – such as name, tier status and membership number – has been stolen. An email sent to customers of New Zealand Air said that the data breach doesn’t contain information on passwords, credit card details, passport information or contact addresses.
    An exact figure for the number of passengers affected by the breach remains unclear as SITA has yet to publicly comment on the matter, but a report by The Guardian claims that hundreds of thousands of passengers could have had their information stolen.

    Linus Torvalds warns: Watch out for this unusually nasty bug in Linux 5.12 rc1

    Linus Torvalds has issued a warning to open-source developers to avoid the first release candidate (RC) of the Linux kernel 5.12. 
    Linux kernel 5.12 was released on time despite the snow storms that lashed Oregon and knocked out power to Torvalds’ home for the better part of a week. Torvalds and his thousands of contributors managed to get version 5.12 out on time, but he now says RC 5.12 is a “double ungood” that can have catastrophic consequences for a computer’s filesystem. 

    “This merge window, we had a very innocuous code cleanup and simplification that raised no red flags at all, but had a subtle and very nasty bug in it: swap files stopped working right. And they stopped working in a particularly bad way: the offset of the start of the swap file was lost. Swapping still happened, but it happened to the wrong part of the filesystem, with the obvious catastrophic end results,” wrote Torvalds on the Linux kernel mailing list.
    Torvalds went on: “Yes, this is very unfortunate, but it really wasn’t a very obvious bug, and it didn’t even show up in normal testing, exactly because swapfiles just aren’t normal. So I’m not blaming the developers in question, and it also wasn’t due to the odd timing of the merge window, it was just simply an unusually nasty bug that did get caught and is fixed in the current tree.”
    He said he wanted devs to be aware because if the bug strikes: “you can end up with a filesystem that is essentially overwritten by random swap data. This is what we in the industry call ‘double ungood’,” he writes, nodding to George Orwell’s Newspeak language from the novel Nineteen Eighty-Four.
    It is, he cautions, an unusually bad bug – even for a first run of a release candidate that’s expected to have bugs. 

    “Yes, rc1 tends to be buggier than later rc’s, we are all used to that, but honestly, most of the time the bugs are much smaller annoyances than this time,” warns Torvalds. 
    He also had some advice about the assumptions people make in industry when a system proves reliably stable over time, which can impact the safety of systems in the future. 
    In this case, the bug regards swap partitions but he’s also concerned that developers will assume because he’s remedied the bug in code for distribution – via the Git versioning system – that code that’s already been installed has been remedied too. He’s worried about downstream projects, which could accidentally leave this bug in a project.     
    “One additional reason for this note is that I want to not just warn people to not run this if you have a swapfile – even if you are personally not impacted (like I am, and probably most people are – swap partitions all around) – I want to make sure that nobody starts new topic branches using that 5.12-rc1 tag,” wrote Torvalds.  
    “I know a few developers tend to go “Ok, rc1 is out, I got all my development work into this merge window, I will now fast-forward to rc1 and use that as a base for the next release”. Don’t do it this time. It may work perfectly well for you because you have the common partition setup, but it can end up being a horrible base for anybody else that might end up bisecting into that area.”
    Otherwise Linux 5.12 is basically a spring-cleaning effort from Torvalds who’s handled 10,982 non-merge commits from 1,500 people who contributed to this RC of the kernel. 
    “Sorry for this mess,” wrote Torvalds.

    Flagstar Bank customer data breached through Accellion hack

    Flagstar Bank has been added to a list of companies breached due to an Accellion software zero-day vulnerability. 

    The bank, headquartered in Michigan, is a subsidiary of Flagstar Bancorp and provides mortgages and other financial services to US customers.
    In a statement posted on Flagstar Bank’s website, the organization says that Accellion first informed the company of a security issue on January 22, 2021. 
    Accellion’s file-sharing program, File Transfer Appliance (FTA), is an enterprise product used to transfer large files. While now discontinued and supplanted by other software such as Kiteworks, a zero-day vulnerability in the legacy software was found in December and has since been exploited by attackers in the wild. 
    Reported victims include Qualys, the Reserve Bank of New Zealand, the Australian Securities and Investments Commission (ASIC), and Transport for New South Wales (TfNSW). 
    “After Accellion informed us of the incident, Flagstar permanently discontinued use of this file sharing platform,” Flagstar Bank says. “Unfortunately, we have learned that the unauthorized party was able to access some of Flagstar’s information on the Accellion platform and that we are one of numerous Accellion clients who were impacted.”
    In an email sent to a customer on March 6 and viewed by ZDNet, the company says it “acted immediately to contain the threat and have engaged a team of third-party forensic experts to investigate and determine the full scope of this incident.”

    Flagstar Bank says that operations were not impacted and the Accellion platform was “segmented” from other network elements such as core banking and mortgage systems. 
    The financial organization has not revealed how many customers have been embroiled in the leak, or what records may have been compromised. The bank added that anyone thought to be involved will be contacted via mail and “will receive information regarding free credit monitoring services.”
    Kroll has been hired to provide free credit monitoring tools. 
    When a customer queried why Flagstar Bank was made aware of the breach in January and has only reached out now upon receipt of the email, the company apologized and said it “understood [their] frustration.”  
    “Investigations of this nature take time and the results are not instantaneous,” the email read. “We’re working as fast as we can to ensure a thorough, diligent review and are committed to providing updates as soon as we have them.”
    ZDNet has reached out to Flagstar Bank with additional queries and will update when we hear back. 

    eSafety defends detail of Online Safety Bill as the 'sausage that's being made'

    A new Online Safety Bill is awaiting its passage in Australia. It aims to protect Australians of all ages from online harm, but many have submitted concerns with the rushed nature of the Bill, the harm it can cause to the adult industry, and the overbearing powers it affords to the eSafety Commissioner, as some examples.
    eSafety Commissioner Julie Inman Grant on Friday faced the Senate Standing Committee on Environment and Communications as part of its probe of the Online Safety Bill 2021, admitting the details of how the measures legislated in the Bill would be overseen are still being worked out.
    “This is the sausage being made right now, if you will,” she said.
    “It’s a novel scheme; we’re no strangers to setting up novel schemes,” she later added.
    Inman Grant said eSafety went through the “same conundrum” when developing the cyberbullying scheme, as well as defining what constitutes seriously harassing, threatening, intimidating, and humiliating.
    “We’re going through the same process now. We’re thinking through what’s in, what’s out, what our standard operating procedures look like, what is the staffing profile that we need to have, which is likely to be different from what we have for youth-based cyberbullying, and then how do we develop — we’re basically looking at scenarios and other experiences that we had,” she said.
    “And one of my priorities is making sure that we are very clear. And we’re setting the right kinds of expectations.”

    Inman Grant said her office would look at “every tweet, every video, and every post” to determine whether it meets the threshold of serious cyber abuse with the intent to cause harm directed at a specific Australian individual.
    “Of course, we will have the discretion to take into consideration a range of contextual factors, but this will not be a rapid fire at scale kind of takedown regime, every decision we make will have to stand up to the AAT tribunal and potentially judicial review.”
    “These new powers will be very targeted, and dare I say surgical.”
    Asked if eSafety was sufficiently resourced to manage elements such as complaints, representatives from the Department of Infrastructure, Transport, Regional Development and Communications said the commissioner was given an extra AU$39 million in the Budget to support implementation of the legislation.
    “These are all things that we are thinking about, were actively planning for in the hopes that this legislation moves forward,” Inman Grant said, noting that includes thinking about staffing profiles.
    eSafety received 31,000 complaints in 2020. The office also currently boasts around 100 staff.
    “What we’re working towards now, really, is about how we operationalise the legislation,” eSafety head of investigations Toby Dagg added. “We already have experience in managing the child cyber bullying scheme, and on an informal basis, adult cyber abuse reports.”
    “The time has come to be very clear with the internet companies about what we expect from them when operating in this country,” Inman Grant said.

    Check to see if you’re vulnerable to Microsoft Exchange Server zero-days using this tool

    Microsoft’s Exchange Server team has released a script for IT admins to check if systems are vulnerable to recently-disclosed zero-day bugs. 

    As noted in an alert published by the US Cybersecurity and Infrastructure Security Agency (CISA) on Saturday, Microsoft’s team has published a script on GitHub that can check the security status of Exchange servers. 
    The script has been updated to include indicators of compromise (IOCs) linked to four zero-day vulnerabilities found in Microsoft Exchange Server. 
    On March 2, the tech giant warned of the active exploitation of the zero-days by a state-sponsored Chinese threat group called Hafnium. FireEye’s Mandiant Managed Defense team has also tracked ongoing attacks against US organizations leveraging the bugs. So far, victims include local government entities, a university, and retailers.
    “CISA is aware of widespread domestic and international exploitation of these vulnerabilities and strongly recommends organizations run the Test-ProxyLogon.ps1 script — as soon as possible — to help determine whether their systems are compromised,” the agency warns. 
    Previously, CISA issued an emergency directive ordering federal agencies to examine their systems for any trace of suspicious activity and to apply patches provided by Microsoft immediately. 
    Earlier this week, Microsoft revealed new malware families associated with the threat actors responsible for the compromise of SolarWinds. The Redmond giant believes the group behind the hack is Nobelium, Russian state-sponsored cyberattackers. 

    Zigbee inside the Mars Perseverance Mission and your smart home

    Have you been following the Perseverance rover that landed on Mars in February? It was fun to watch as the robot landed on the surface of Mars, ready to explore. And it’s been even more mesmerizing to watch as videos — with sound — and pictures have made their way back to Earth. Part of the technology that makes the communication between the rover and NASA possible is Zigbee. 
    My ZDNet Jason Squared co-host, Jason Cipriani, and I recently had the opportunity to interview Tobin Richardson, the CEO and president of the Zigbee Alliance, about this project, as well as the future of the Zigbee wireless standard.

    Jason Cipriani: Tobin, thanks for joining us today. If you don’t mind, tell our readers and listeners a little bit about yourself. 
    Tobin Richardson: Tobin Richardson, CEO of the Zigbee Alliance. I’ve been with the organization for the better part of a decade and first joined Zigbee Alliance to help it get into smart meters around the planet. And then, as it became a more mature technology, I stayed on as a CEO to help the organization grow into a lot of different market segments, which is why you’re seeing us in smart homes, smart buildings, industrial automation, and its use on the Perseverance Mars mission.
    Jason Perlow: We have occasionally discussed Zigbee and other wireless data communications technologies used in the home automation industry and other verticals such as wireless sensors and industrial control systems. For our listeners who may not be familiar with it, can you tell us a bit about the Zigbee standard and the typical use cases? 
    Tobin Richardson: It started almost two decades ago, and I had some experience with Wi-Fi and Bluetooth early on when they were more on the proprietary side. Those two have excellent use cases, but the use cases that drove Zigbee early on were around Personal Area Networks (PANs) or industrial wireless sensor controls and networking. This was based on an IEEE 802.15.4 standard, specifying how to implement that standard with what we call the Zigbee Stack. And early on, that was really about lighting systems, industrial controls, and wireless sensor control networks. And that was the first area where it entered the marketplace.
    Jason Perlow: Today, the Zigbee protocol has a maximum transmission rate of 250kbps. That’s significantly slower than other low-power data communications protocols like Bluetooth Low Energy which caps out at about 2Mbps. I understand that there are important differences between the two in how they perform and what situations you might choose one over the other, and what distances they are effective at. Do you see them as complementary technologies? 

    Feature Set                 | Bluetooth         | Zigbee
    Frequency Operation         | 2.4GHz-2.483GHz   | 2.4GHz and 900MHz
    RF Channels                 | 79                | 16
    Modulation                  | GFSK              | BPSK/QPSK UWB
    Cell Nodes                  | 8                 | 65,000
    Bandwidth/Transmission Rate | 2Mbps             | 256Kbps
    Range                       | 10 Meters         | > 100M using 2.4GHz, 1km with Sub-Gigahertz
    IEEE Standard               | 802.15.1          | 802.15.4

    Tobin Richardson: So, as an organization, we have a lot of different technologies and applications. The number of technologies we have and how we relate to Bluetooth and Wi-Fi use cases is growing. Zigbee can have up to thousands of nodes and is a much longer range. There are other use cases where there are one or two devices, and it’s OK to use the Wi-Fi or Bluetooth standard for those. For Zigbee, we’ve seen it grow for lighting applications, especially if you are at the San Diego Convention Center. At one point, I think virtually all the lighting there was done with Zigbee; you’ve got hundreds and hundreds of devices off a single network controller. So it’s perfect for really large, diverse networks, and the range is still pretty impressive.
    On Zigbee, you’re going to get 50 meters using a Smart Home application. On Bluetooth, you’ll experience drop-off on your headphones or speaker after five or ten meters, depending on your specific use case. Bluetooth is doing some good work. And a lot of these standards will evolve. And we’d love to see what Bluetooth and what Wi-Fi is doing in a lot of complementary areas and where Zigbee continues to evolve. The original Zigbee stack is on revision 23. So we keep growing, exploring how that looks, how the technology functions, and it’s got a really good sweet spot around diverse networks that take advantage of mesh.
    Jason Perlow: What is the history of the protocol, and where are we at today with its feature set, with 3.0?
    Tobin Richardson: It’s been a fascinating kind of evolution. And honestly, one of the things that has kept me personally involved is how the standard is evolving. So if you think back to where it started, Wi-Fi, at that point, was really about the network — so a typical use case is a laptop or a desktop and an access point, where you’ve got a limited number of devices. You’re just really throwing packets over a network and gaining access to a web server, and for things like that, it’s fantastic. Zigbee came in with kind of the same approach; we’re just going to connect all these devices, we’re going to figure out how the networking works. And then we’ll just let people figure out what they’re going to do with that, with one node connected to a controller or another node connected to 25 different nodes, let them route appropriately. So that’s kind of the origin story, as you have these really lightweight communications.
    You mentioned the new 250Kbps transmission. When you’re looking at the packet sizes and things like that, you’re not going to be serving web pages over that. But also, you might build a light bulb; I might make a light bulb, and someone else a light switch. And if we’re all doing that, in proprietary ways, all our on-off commands are different. And as you and your audience probably know, you can argue about on and off and what that looks like; you would think it’s binary. However, it’s not quite so much in terms of how you turn that into something that’s implemented. Again, this is part of that evolution, where we started, it was about how to apply the IEEE 802.15.4 standard and choosing how best to do the networking, and getting into the application. 

    So for Zigbee Alliance members, there were many lighting companies and a lot of building automation companies who effectively were doing things a little bit differently. However, they said, let’s build a standard, let’s agree on what that looks like, let’s agree on what on and off looks like, let’s agree on what kinds of currents we’re going to use, as well. So this turned into a new area of work for the Alliance, but it was still tied together in one stack. And so you’ve got the Zigbee professional networking component, we started building this application layer on top. And that’s really what’s led us to where we are today, in the Zigbee stack. 
    We still have a flexible mindset. But we could have a lot of applications in medicine — cool. Let’s go off and do that. We might have some really good energy applications, so let’s define that application layer in energy. Super. How about home automation? Great, let’s go to that. 
    But in home automation and energy, both have thermostats. So are we going to define thermostats differently? And these separate application profiles, okay, we’re defeating the purpose. So we brought that back together — and that’s what Zigbee 3.0 is today, which is a really good natural evolution, right? So today, 18 years later, starting with the lightweight personal era and industrial, you now have a full-stack Zigbee 3.0 standard that defines all this. And that’s in our revision 22. We’re working on our revision 23 right now, where we’ll start getting into usability across various hubs. And it’s all part of that kind of Zigbee evolution, to standardize as much as possible with that alignment of the nodes. So the controllers all work together seamlessly, with a consistent language for those devices that are attached as well. 
    Jason Cipriani: What role is Zigbee playing with the Perseverance rover and the Ingenuity drone on Mars?
    Tobin Richardson: I had the good fortune of being part of a retreat put on by Amazon five years ago, where I met the project lead for the Mars Rover and finding out about amazing work that they’re doing, which we didn’t even know about early back then. And I don’t know if Zigbee was part of it. But this is about communication between the rover and the helicopter. The helicopter flies autonomously when it’s up in flight, but it can transmit data back about the location or other information about battery and things like that when it lands. So it’s the mission telemetry that can get back to it. You’ve got a Zigbee 900 megahertz radio on the rover and another one on the helicopter itself that can communicate that way.
    Jason Cipriani: Why is Zigbee suitable for data communication between the Perseverance rover and the Ingenuity drone? What sort of data is being transmitted? 
    Tobin Richardson: Zigbee is the way to go. And, and I will defer kindly to them and let them explain that, but from my perspective, I think we’re making a lot of sense for them as the low power component to this with the low data rate. Looking at really extreme environments, like Mars, it’s good to have a very lightweight purpose-built standard. So it was built up from that perspective, where it’s essential to get the basic information across and makes it possible for extended battery usage for those kinds of applications on Mars. I haven’t seen a power system up there yet — I don’t think Matt Damon’s put in one yet, as far as I know. I believe that that low-power component makes it a really attractive solution for that application as well as the sub-gigahertz frequency range for longer distance communications.

    [Figure: Anatomy of the Ingenuity Mars Semi-Autonomous Drone. Source: NASA JPL]
    Jason Perlow: From my understanding of how the Ingenuity drone works, it’s semi-autonomous; it’s not a fully intelligent thing. It’s more like a ride that you would see in an amusement park running down the track — an invisible telerobotically scripted, pre-programmed route that uses telemetry that will be sent between the rover and the helicopter. As I understand, that track can be adjusted on the fly as needed, but on Mars, there is no Global Positioning System, so any positioning and navigation are being done with cameras and sensors. A lot of telemetry signaling occurs between the drone and the rover and then back to JPL through the four Mars satellites. Zigbee at 900MHz has a maximum effective distance of about 3000 feet, so that’s within the mission profile of what the helicopter is doing. You’re not going to want to do a 3000 foot Wi-Fi transmission or even a Bluetooth connection. I can barely get Bluetooth to work 15 feet away from my desk, let alone 3000 feet.
    Tobin Richardson: These technologies have great use cases, right? And no, not at all, not good Bluetooth or Wi-Fi use cases. This is not the right application for that. There are a lot of challenges in the operating environment too. We were talking about this on the team as this became public what other real-world cases there are where this might be useful. I’m not going to say there are Mars-like environments on Earth, but there are places where it’s difficult, and you need high reliability — remote areas that don’t have access to a lot of the power capabilities in just a typical building. In places like pipelines and other remote areas, where you want to get good telemetry and want something that you can rely on, there are many good use cases there. And yes, Mars, this is one of those use cases.
    We’re fascinated by what’s happening over this implementation. I think there are a lot of areas really in power usages, such as the transmit power and the transmission rates, and getting a better understanding of how that operates, in negative 40-50 degrees Celsius environments, we’re really very curious about how that works and in terms of what we might learn from that, as well as packet delivery failure. Zigbee is really good for that in terms of retries and things like that. But those are a few of the areas that we think would be really interesting to learn from. Of course, this is a demonstration project, the way that NASA JPL has described it, they’ve set the expectation that this is the first time they’re trying, so they’ve already learned a lot in terms of the data. We certainly hope that they can get good separation, get the missions and the flights to do what they’re expecting them to, and get some good learning from them.
    Jason Perlow: Is Zigbee involved with any of these emergency field worker apps, like text device capabilities — like potentially putting a Zigbee chipset inside a smartphone? So, for example, If a 4G or 5G network infrastructure were to go down in an emergency situation, would it be possible to do mesh network texting and maybe some rudimentary burst voice capabilities between handhelds?
    Tobin Richardson: You know, you should be able to do that, but I’m not familiar with these directly. I know there are organizations like FirstNet that are looking to serve first responders as well. It’s happening with fire departments; those are the things you’re talking about, right? There are areas in which the technology is being used in new ways, such as in those field environments, such as where you’re dropping sensors to track where the fire line is in a wildfire. Certainly, from a human perspective, tracking people in distress is instrumental in positioning emergency signals. So certainly, those are areas that Zigbee can be used. And as we evolve as an organization, there are other technologies we have in our house, with this common language for devices that we think can be used across technology. So not just a Zigbee network, not just a narrowband IoT, or 5G, but you can do a mix of those together and effectively have one common language kind of going across those different mediums.
    Jason Perlow: A lot has been discussed about Amazon’s new mesh network, Sidewalk, for use in its Echo smart speaker devices, which is implemented over its built-in Zigbee transceiver modules. Zigbee has been designed to be secure so that it may operate over private networks and not interfere with or cross-traffic with other nearby Zigbee networks. Amazon has altered the use case by having all of their Echos, regardless of who owns them, communicate over Sidewalk to share firmware patches and such. What is Zigbee’s position on this? Do you feel there is a good use case scenario for public mesh networking with Zigbee outside of Amazon’s Sidewalk?
    Tobin Richardson: That’s an interesting question; I think we’re still kind of in a wait-and-see on Sidewalk and see where Amazon goes. Amazon is very active in the Zigbee Alliance. In fact, they’re on our board of directors; we have some terrific engineers and principal architects that participate both in the Zigbee side and Project CHIP (Connected Home over IP) and in the MACfi stuff that we do within the Zigbee Alliance. Having a little bit of latency, I think in terms of the public networks, the way Amazon is doing it, that’s a fascinating approach. There are some areas that we want to look at a little more in dealing with privacy and security. And as you said, in terms of how secure this is, how the mixed networks operate together. And that’s an area that we want to investigate a little bit more, let’s say for now, but right now, a little bit of wait and see on Sidewalk.

    Jason Cipriani: Narrowing down more on Zigbee, how does the relatively new IoT Thread protocol compare? I say new, only in that consumers can finally start using it with Apple’s HomePod mini and some accessories. 
    Tobin Richardson: In terms of low power mesh networking, we really kind of are sitting in the same area. The Zigbee network is not native IP, necessarily. Of course, you can easily map to it, and you can address a single device on a MAC address and things like that. So it’s not without addressing, but the notion of IP has been one that we’ve been tracking closely over the 20-year history of the organization. And Thread came around right about the time as an organization we were looking at developing a similar low power IP stack with a lot of the same functionality. When we learned about that, with our sister organization, we said, do we create a competing one, or do we partner with them, because we knew that that language is going to operate not just on Zigbee networks, but also on other IP networks. So we decided at that point that we would partner with Thread Group. And we’ve contributed quite a bit to their development as well, even on the McAfee side of Thread. And so we’re effectively a good sister organization with Thread Group. As they get to commercial rollout, we will have an application layer on that and Project CHIP. The differences today between Zigbee and Thread are mainly around the IP addressability, probably the most known difference between the two. But we see a lot of synergies there with the organizations. Today, if you want to build a quickly usable product in virtually every ecosystem on the planet, Zigbee is a great choice for you. As you look at this evolutionary piece, we kind of see this competence in terms of IP with Thread as a fantastic solution. And we think the right language and the right standard on top of that will be Project CHIP on top of Thread. And that will have a lot in common with what we do on the Zigbee side and the development side will be a lot easier there as well.
    Jason Perlow: Is there a Zigbee 4.0 in the planning stages yet? What improvements can we expect to see from Zigbee in the future? Have we improved data rates?
    Tobin Richardson: Zigbee 3.0 is kind of how we’re describing the complete stack. We did that when we brought the different profiles together. And so we’re continuing on that path. Right now, we’re working on our revision 23. One of the biggest functionalities in R23 is focused on what we call “All Hubs.” And that’s effectively trying to get all the hub operators to effectively treat devices with the same route joining processes and other pieces. So there’s a lot of good improved functionality for consumers. Hopefully, consumers will just enjoy it in a cleaner, crisp experience getting devices into the network, regardless of which hub or devices they use. Also, we’re going to be adding some support for sub-gigahertz in R23. So we’ll start taking advantage of other channels and frequencies. And we’ve had some demand for that in different markets and market segments, whether it’s home automation and smart energy, as utility companies want to try and reach larger places. Sub-gigahertz and 2.4 gigahertz have different behaviors regarding how they act with interference and barriers, and sub-gigahertz in big thick concrete buildings is a nice solution. In the UK, we’ve actually already done that. So we’ll bring that over into our R23. So I don’t think we’re going to be calling it anything different, but there will be more functionality in the next release, which should be a really good improvement for consumer experiences on smart homes. 
    Jason Perlow: Thanks, Tobin. Looking forward to everything that Zigbee is doing on Earth and other planets.

    Microsoft: We've found three more pieces of malware used by the SolarWinds attackers

    Microsoft has disclosed more malware that was used by the suspected Russian-government-backed hackers who planted malware in software from US software vendor SolarWinds. 

    Microsoft has named the threat actors as Nobelium, continuing its tradition of naming notable nation-state hacking groups after chemical elements, such as Russia’s Strontium, China’s Barium, Iran’s Phosphorus, and North Korea’s Thallium.  
    Until now, Microsoft and security vendor FireEye had identified Sunburst (which Microsoft called Solorigate) and Teardrop malware. In January, security firm CrowdStrike found Sunspot, a piece of software dedicated to monitoring the build server for build commands that assembled Orion. 
    Orion is the SolarWinds network monitoring software that the Nobelium attackers used to broadly distribute the Sunburst backdoor to 18,000 organizations throughout 2020, before cherry-picking nine US federal agencies and about 100 US companies to actually compromise and steal information from, according to the White House’s investigation.
    Microsoft has now disclosed three new malware components used by the Nobelium hackers: GoldMax, GoldFinder, and Sibot. FireEye, which calls the group UNC2452, has named the newly discovered malware Sunshuttle.
    Microsoft considers GoldMax an implant that serves as a command-and-control (C2) backdoor. The backdoor is written in Go, Google’s popular systems programming language.
    FireEye said it does not know how this malware is installed but guesses it is a second-stage backdoor that’s dropped after an initial compromise. The company described the design of Sunshuttle as “sophisticated” and “elegant”. 

    “The new SUNSHUTTLE backdoor is a sophisticated second-stage backdoor that demonstrates straightforward but elegant detection evasion techniques via its “blend-in” traffic capabilities for C2 communications,” FireEye notes in its analysis. 
    GoldMax is used exclusively to communicate with the attacker’s C2 and relies on resold domains whose high reputations were built up over time. According to Microsoft, this choice of domains helped GoldMax avoid setting off alarms in security products that rely on domain reputation scores.
    “The malware writes an encrypted configuration file to disk, where the file name and AES-256 cipher keys are unique per implant and based on environmental variables and information about the network where it is running,” explains Microsoft. 
    “GoldMax establishes a secure session key with its C2 and uses that key to securely communicate with the C2, preventing non-GoldMax-initiated connections from receiving and identifying malicious traffic.”
    Sibot, built with Microsoft’s Visual Basic Scripting (VBScript), is a dual-purpose malware, according to Microsoft. 
    “The VBScript file is given a name that impersonates legitimate Windows tasks and is either stored in the registry of the compromised system or in an obfuscated format on disk. The VBScript is then run via a scheduled task,” Microsoft notes.
    Its main goal was persistence on an infected machine so that it could download and execute a payload from a remote C2 server. Microsoft has identified three variants of Sibot that all download a malicious payload.  
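The persistence pattern just described (a script with a Windows-task-like name, kept on disk or in the registry and launched by a scheduled task) can be triaged from a scheduled-task export. The following Python heuristic is an added defender’s example, not code from Microsoft, FireEye or ZDNet: the record layout, the rules and the sample tasks are constructed assumptions, not a Sibot signature.

```python
"""Heuristic triage of scheduled-task records for script-based persistence.
Added example (not Microsoft, FireEye or ZDNet code): flags the two Sibot
storage patterns the article describes (a script on disk run by a script host,
or one pulled from the registry) plus Microsoft-named tasks that run from
non-system paths. Records mimic a `schtasks /query /fo CSV /v` export."""
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
REGISTRY_REF = re.compile(r"\b(?:HKLM|HKCU|HKEY_[A-Z_]+)\\", re.IGNORECASE)
SCRIPT_ARG = re.compile(r'"?([^"\s]+\.(?:vbs|vbe|js|jse|hta|wsf))"?', re.IGNORECASE)

def _norm(path):
    """Lower-case, strip quotes and expand the common Windows-directory variables."""
    p = path.strip().strip('"').lower()
    return p.replace("%windir%", "c:\\windows").replace("%systemroot%", "c:\\windows")

def _in_system_dir(path):
    return _norm(path).startswith(SYSTEM_DIRS)

def flag_task(task_name, command, arguments):
    """Return the reasons a task looks like script persistence (empty list if none)."""
    reasons = []
    exe = PureWindowsPath(_norm(command)).name
    if exe in SCRIPT_HOSTS:
        m = SCRIPT_ARG.search(arguments)
        if m and not _in_system_dir(m.group(1)):
            reasons.append(f"script host {exe} runs a script outside system dirs: {m.group(1)}")
    if REGISTRY_REF.search(command + " " + arguments):
        reasons.append("command line reads its payload from the registry")
    if task_name.lower().startswith("\\microsoft\\windows\\") and not _in_system_dir(command):
        reasons.append("Microsoft-named task runs a binary from a non-system path")
    return reasons

def review_tasks(tasks):
    """Map task name -> reasons for every record that trips at least one rule."""
    return {name: r for name, cmd, args in tasks if (r := flag_task(name, cmd, args))}

# Constructed sample records: (task name, executable, arguments).
SAMPLE_TASKS = [
    ("\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "%windir%\\system32\\defrag.exe", "-c -h -o -$"),
    ("\\Contoso\\NightlyBackup", "C:\\Program Files\\Contoso\\backup.exe", "--full"),
    ("\\Microsoft\\Windows\\Maintenance\\WinSAT", "C:\\Windows\\System32\\wscript.exe",
     '//B "C:\\Users\\Public\\Libraries\\WinSAT.vbs"'),
    ("\\Microsoft\\Windows\\Servicing\\StartComponentCleanup", "C:\\Windows\\System32\\cmd.exe",
     "/c reg query HKLM\\SOFTWARE\\Contoso\\Cache /v Blob"),
    ("\\Microsoft\\Windows\\UpdateOrchestrator\\Schedule Scan", "C:\\Users\\Public\\svchost.exe", ""),
]
```

Calling `review_tasks(SAMPLE_TASKS)` returns the three constructed Microsoft-named records with their reasons and leaves the defrag and Contoso tasks unflagged.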
    GoldFinder, which is also written in Go, is thought to be a custom HTTP trace tool that logs the route or hops that a packet takes to reach a hardcoded C2 server.  
    As part of the broader Russia-backed hacking campaign, some cybersecurity companies, Microsoft among them, were compromised via SolarWinds’ tainted Orion update, but this wasn’t the only way the hackers infiltrated systems: as many as 30% of the organisations breached had no direct link to SolarWinds and were attacked by other means.

    These two unusual versions of ransomware tell us a lot about how attacks are evolving

    Two newly discovered forms of ransomware with very different traits show just how diverse the world of ransomware has become as more cyber criminals attempt to join in with cyber extortion.
    Both forms of ransomware emerged in February and have been detailed by cybersecurity researchers at Trend Micro – AlumniLocker and Humble – with the two versions attempting to extort a bitcoin ransom in different ways.
    AlumniLocker is a variant of Thanos ransomware and immediately stands out for demanding a payment of 10 Bitcoins from the infected victim – a figure currently equivalent to around $450,000.
    The ransomware is delivered to victims in phishing emails carrying a malicious PDF attachment that claims to be an invoice. The PDF contains a link that extracts a ZIP archive, which runs a PowerShell script to drop the payload and execute the ransomware.
    Like an increasing number of ransomware campaigns, the attackers behind AlumniLocker threaten to publish data stolen from the network of their victim if they’re not paid within 48 hours – although given the ransom demand is so large, victims may decide it’s too much to pay.
    The ambitious ransom demand and other inconsistencies in their attack techniques – including how the data leak site doesn’t actually work – could indicate that those behind AlumniLocker are probably just starting out.
    “It does seem like this might be a new group that does not have experience in successfully ransoming their victims as the ransom demand is much higher than typical. Being that the leak site doesn’t work is another example of showing their hand of being newbies,” Jon Clay, director of global threat communications at Trend Micro, told ZDNet.

    Humble ransomware also first appeared during February, but is very different in a number of ways. Firstly, the ransom demand is much smaller: just 0.0002 Bitcoins – currently just under $10 – for the return of files, indicating that Humble might be targeting individuals rather than organisations.
    It’s still unknown how exactly Humble is distributed, but researchers note that it’s likely to be via phishing attacks.
    In an effort to push victims towards paying the ransom, Humble threatens the victim by stating that if they restart their system, the Master Boot Record (MBR) will be rewritten, rendering the machine unusable. A second version of Humble carries the same threat, but instead says this will happen if the victim doesn’t pay after five days.
    Humble is unusual for ransomware in that it is written as a batch file and compiled into an executable with the Bat2Exe wrapper. What’s also strange is that it uses Discord – a voice, text and video communications service popular among gamers – to send reports back to its author.
    Both forms of new ransomware are unusual, but both demonstrate that ransomware continues to be appealing to cyber criminals who see how the top gangs are making so much money, and want to do the same.
    Organisations can help protect themselves from ransomware attacks with cybersecurity procedures including applying patches and using multi-factor authentication.