More stories

  • Google brings new Adaptive Protection technology to its Cloud Armor network security service

    Google on Wednesday announced a bevy of updates across its Network Security portfolio for Google Cloud customers. New features include enhancements to existing DDoS protections, as well as new capabilities that aim to help customers protect data and applications in the cloud. 

    The most significant update is Google’s new Cloud Armor Adaptive Protection networking security technology, which leverages machine learning to protect against Layer 7 DDoS attacks. 
    Cloud Armor is a distributed denial of service (DDoS) defense and web application firewall (WAF) service that relies on the same technology and infrastructure that powers Google services. Available since 2019, Cloud Armor also offers IP whitelisting and blacklisting tools and integrates with Google’s Cloud HTTP(S) Load Balancing service.
    Google said its new Adaptive Protection technology within Cloud Armor uses multiple machine learning models to analyze security signals across web services to detect potential attacks. The Adaptive Protection system can detect high volume application layer DDoS attacks against web apps and services, and speed up time to mitigation through high confidence alerts about abnormal traffic, the company said.
    In addition to surfacing the attack, Adaptive Protection also provides context on why the system deemed it malicious as well as suggested rules to mitigate the attack.
    “This protection is woven into our cloud fabric and only alerts the operator for more serious issues with context, an attack signature, and a Cloud Armor rule that they can then deploy in preview or blocking mode,” Google said in a blog post. “Rather than spending hours analyzing traffic logs to triage the ongoing attack, application owners and incident responders will have all of the context they need to make a decision on whether and how to stop the potentially malicious traffic. Cloud Armor Adaptive Protection is going to simplify protection in a big way, and will be rolling out to the public in preview soon.”
    Additional network security updates include new firewall insights for improved firewall rule management, hierarchical firewall policies for more flexible levels of control, and new controls for packet mirroring to third-party network inspection services. Google is also adding new filters to mirror packets, which will be generally available soon.

  • Cisco Webex bugs allow attackers to join meetings as ghost users

    Cisco plans to fix three vulnerabilities in the Webex video conferencing app that can allow attackers to sneak in and join Webex meetings as ghost users, invisible to other participants.

    The vulnerabilities were discovered earlier this year by security researchers from IBM, who conducted a review of remote working tools the tech software giant was using internally during the coronavirus pandemic.
    Researchers said the three bugs, when combined, would have allowed an attacker to:
      • Join a Webex meeting as a ghost user, invisible to others on the participant list, but with full access to audio, video, chats, and screen sharing.
      • Remain in a Webex meeting as a ghost audio user even after being expelled from it.
      • Obtain information on meeting participants, such as full names, email addresses, and IP addresses. This information could also be obtained from the meeting room lobby, even before the attacker was admitted to a call.
    IBM researchers said the bugs reside in the “handshake” process that takes place when new Webex meetings are established.
    Attackers who gained access to a meeting URL can connect to a Webex server, send malformed packets, and manipulate the server into gaining access to meetings and participants’ details.
    “In our analysis, we identified the specific values of the client information that could be manipulated during the handshake process to make the attendee invisible on the participants’ panel,” the IBM research team said in a report shared with ZDNet.
    “We were able to demonstrate the ghost attendee issue on MacOS, Windows, and the iOS version of Webex Meetings applications, and Webex Room Kit appliance,” the researchers added.

    Mitigating circumstances include the fact that the vulnerabilities can only be exploited if attackers know the URLs of scheduled Webex meetings with unique meeting URLs and Webex Personal Rooms.
    However, IBM researchers say that “personal rooms may be easier to exploit because they are often based on a predictable combination of the room owner’s name and organization name.”
    Cisco will be releasing patches today for the three Webex vulnerabilities reported by the IBM team — namely CVE-2020-3441, CVE-2020-3471, and CVE-2020-3419.
    Besides Zoom, Cisco Webex is one of the apps that came out on top after the COVID-19 pandemic. It is being reported that Webex usage grew 451% this year, and that at its peak, Webex hosted as many as 4 million meetings in a single day, with as many as 324 million users.
    A video summarizing the IBM team’s work is also available below:
    [embedded video]

  • Liquid crypto-exchange says hacker accessed internal network, stole user data

    Liquid, one of today’s top 20 cryptocurrency exchange portals, has disclosed a security breach on Wednesday.

    In a blog post on its website, the company said that last week, on Friday, November 13, a hacker managed to breach employee email accounts and pivot to its internal network.
    The company said it detected the intrusion before the hacker stole any funds, but a subsequent investigation revealed that the attacker was able to collect personal information from Liquid’s database that stored user details.
    Stolen information included real name, home address, emails, and encrypted passwords.
    Liquid CEO Mike Kayamori said the company is still investigating if the intruder was able to steal proofs-of-identity that all users must provide when making their first transaction on the platform.
    “We do not believe there is an immediate threat to your account due to our use of strong password encryption. Nevertheless, we recommend that all Liquid customers change their password and 2FA credentials at the earliest convenience,” Kayamori said.
    Another social engineering attack leading to a DNS hijack
    The company blamed the intrusion on its domain name provider, which fell victim to a social engineering attack and incorrectly transferred Liquid’s account to the hacker.

    Immediately after gaining control of this account, Liquid said the attacker hijacked the company’s DNS records, pointing incoming traffic to a server under their control.
    The hacker is believed to have used access over the company’s DNS records to redirect employees to fake login pages and collect their work email credentials, which they later used to access employee work email accounts, and later pivot to Liquid’s internal infrastructure.
    DNS hijacking attacks like these are bold, but they have also been very common against cryptocurrency services over the past few years. For example:
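    The chain described above (registrar account taken over, DNS records rewritten, staff sent to a look-alike login page) is one that a defender can catch early by comparing what public names actually resolve to against a known-good baseline. The script below is an added example, not Liquid’s tooling or anything from the original post; the hostnames, the baseline addresses and the "hijacked" answers are all constructed (documentation IP ranges under a `.test` domain). The live lookup uses only the standard library, so it covers A records; NS and MX records, which are what a registrar-level takeover usually changes first, need a resolver library such as dnspython and are not fetched here.

```python
import socket

# Constructed baseline: the addresses each public name is supposed to resolve to.
# In practice this is exported from the authoritative zone while it is known-good.
BASELINE = {
    "www.example-exchange.test": {"203.0.113.10", "203.0.113.11"},
    "mail.example-exchange.test": {"203.0.113.25"},
    "login.example-exchange.test": {"203.0.113.12"},
}

# Constructed answers simulating the hijack pattern: the two names employees
# log in through now resolve to a single foreign address, while mail is untouched.
SIMULATED_HIJACK = {
    "www.example-exchange.test": {"198.51.100.7"},
    "mail.example-exchange.test": {"203.0.113.25"},
    "login.example-exchange.test": {"198.51.100.7"},
}


def resolve_a(name):
    """Live IPv4 lookup using only the standard library (A records only)."""
    try:
        infos = socket.getaddrinfo(name, None, family=socket.AF_INET)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def simulated_resolver(name):
    """Offline stand-in for resolve_a that returns the constructed hijack answers."""
    return SIMULATED_HIJACK.get(name, set())


def check_drift(baseline, resolver):
    """Return {name: {"missing": [...], "unexpected": [...]}} for every name whose
    observed answers differ from the baseline; an empty dict means no drift."""
    findings = {}
    for name, expected in baseline.items():
        observed = resolver(name)
        missing, unexpected = expected - observed, observed - expected
        if missing or unexpected:
            findings[name] = {"missing": sorted(missing), "unexpected": sorted(unexpected)}
    return findings


def wholesale_redirect(findings):
    """If two or more drifted names now point at the same single address, return it.
    That shape matches records rewritten in bulk towards one attacker-controlled
    server, as opposed to a routine change to a single record."""
    targets = {tuple(f["unexpected"]) for f in findings.values()}
    if len(findings) >= 2 and len(targets) == 1:
        (only,) = targets
        if len(only) == 1:
            return only[0]
    return None


if __name__ == "__main__":
    # Swap simulated_resolver for resolve_a to run this against real names.
    drift = check_drift(BASELINE, simulated_resolver)
    for name, detail in drift.items():
        print(f"{name}: missing={detail['missing']} unexpected={detail['unexpected']}")
    target = wholesale_redirect(drift)
    if target:
        print(f"ALERT: {len(drift)} names redirected to {target}; "
              "verify the registrar account and NS delegation before anything else")
```

    Running the check from a host outside the organisation’s own resolvers matters: the point is to see the answers the public (and employees on home networks) receive, not a cached internal view. Pair it with a registrar transfer lock and a registrar-side alert on account changes, since the record rewrite in this incident followed the account handover rather than the other way round.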

  • Palo Alto Networks rolls out new 5G security offering

    Palo Alto Networks is rolling out new 5G security capabilities that the company said are designed to help service providers and enterprises secure and protect global network traffic in the 5G era.
    The offering aims to provide granular network visibility and control across all 5G network layers and traffic, giving service providers and enterprises end-to-end protection across their 5G networks, services, applications and devices, the company said. Key capabilities of Palo Alto’s 5G security approach include containerization and secure network slices, as well as real-time correlation of threats against users and devices.
    “For 5G to live up to its promise of transforming industries, companies need the confidence that 5G networks and services have enterprise-grade security,” said Anand Oswal, SVP and GM of Firewall as a Platform for Palo Alto Networks. “We created 5G-native security in order to give enterprises the confidence they need to harness 5G for business transformation and to help service providers secure the new enterprise services they are creating.”
    The company’s new 5G security capabilities are available on the Palo Alto Networks PA-5200 Series and PA-7000 Series hardware firewalls as well as all VM-Series software models running PAN-OS 10.0 or greater, the company said. Security services can be added based on use case requirements, the company said.
    Palo Alto Networks also announced this week its first quarter financial results, which topped market estimates. The company reported a net loss of $92.2 million, or 97 cents per share. Non-GAAP earnings came to $1.62 per share on revenue of $946 million, up 23% year-over-year.
    Wall Street was looking for earnings of $1.33 a share on $921.7 million in revenue. Looking ahead, Palo Alto expects total revenue for the second quarter in the range of $975 million to $990 million. It’s forecasting diluted non-GAAP net income per share in the range of $1.42 to $1.44, using 98 million to 100 million shares.


  • Why ransomware is still so successful: Over a quarter of victims pay the ransom

    Over a quarter of organisations which fall victim to ransomware attacks opt to pay the ransom as they feel as if they have no other option than to give in to the demands of cyber criminals – and the average ransom amount is now over $1 million.
    A CrowdStrike study based on responses from thousands of information security professionals and IT decision makers across the globe found that 27 percent said their organisation had paid the ransom after their network got encrypted with ransomware.
    While law enforcement agencies say organisations should never give in and pay the ransom, many businesses justify making the payment because getting the decryption key from the attackers is viewed as the quickest and easiest way to restore the network.
    However, not only does paying the bitcoin ransom just encourage ransomware gangs to continue campaigns because they know they’re profitable, there’s also no guarantee that the hackers will actually restore the network in full.
    But infecting networks with ransomware is proving to be highly lucrative for cyber criminals, with figures in the report suggesting the average ransom amount paid per attack is $1.1 million.
    In addition to the cost of paying the ransom, it’s also likely that an organisation which comes under a ransomware attack will lose revenue because of lost operations during downtime, making falling victim to these campaigns a costly endeavour.

    However, falling foul of a ransomware attack does serve as a wake-up call for the majority of victims: over three-quarters of respondents to the survey say that in the wake of a successful ransomware attack, their organisation upgraded its security software and infrastructure in order to reduce the risk of future attacks, while two-thirds made changes to their security staff with the same purpose in mind.
    It’s unclear why almost a quarter of those who fall victim to ransomware attacks don’t plan to make any changes to their cybersecurity plans, but by leaving things unchanged, they’re likely putting themselves at risk from falling victim to future attacks.
    That’s especially the case during 2020, which has brought additional cybersecurity vulnerabilities to organisations due to the rise of people working from home because of the coronavirus pandemic.
    “In a remote working situation the attack surface has increased many times and security cannot be secondary business priority,” said Zeki Turedi, Chief Technology Officer for EMEA at CrowdStrike.
    To avoid falling victim to ransomware attacks, it’s recommended that organisations ensure that systems are updated with the latest security patches, something which can prevent cyber criminals taking advantage of known vulnerabilities to deliver ransomware.
    It’s also recommended that two-factor authentication is deployed throughout the organisation, so that in the event of criminal hackers breaching the perimeter, it’s harder for them to move laterally around the network and compromise more of it with ransomware or any other form of malware.


  • The worst passwords of 2020 show we are just as lazy about security as ever

    It’s that time of year again — when we see whether or not password security has improved over the past 12 months. 

    Going back to 2015, the worst passwords still commonly used included “123456” and “password.” Fast forward five years, and these examples are still very much alive. 
    After analyzing 275,699,516 passwords leaked during 2020 data breaches, NordPass and partners found that the most common passwords are incredibly easy to guess — and it could take less than a second or two for attackers to break into accounts using these credentials. Only 44% of those recorded were considered “unique.”
    On Wednesday, the password manager solutions provider published its annual report on the state of password security, finding that the most popular options were “123456,” “123456789,” “picture1,” “password,” and “12345678.”
    With the exception of “picture1,” which would take approximately three hours to decipher using a brute-force attack, each password would take seconds using either dictionary scripts — which compile common phrases and numerical combinations to try — or simple, human guesswork. 
    As one of the entrants on the 200-strong list describes the state of affairs when it comes to password security, “whatever,” it seems many of us are still reluctant to use strong, difficult-to-crack passwords — and instead, we are going for options including “football,” “iloveyou,” “letmein,” and “pokemon.”

    The 10 most common passwords of 2020, based on NordPass’ dataset, are listed below:

    When selecting a password, you should avoid patterns or repetitions, such as letters or numbers that are next to each other on a keyboard. Adding a capital letter, symbols, and numbers in unexpected places can help, too — and in all cases, you should not use personal information as a password, such as birthdates or names. 
    While vendors need to be reminded that allowing easy and simple combinations does nothing to protect the privacy and security of users, it is also up to us to take responsibility for our own accounts. 
    If you find it hard to remember complex passwords for different accounts, you may want to consider using a password locker. If you need somewhere to start, check out our recommendations for the best password managers and vaults in 2020. 
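    The selection advice above (no keyboard-adjacent runs or repetitions, no personal details, capitals and digits somewhere other than the obvious places) is exactly the kind of check a registration form or a password-rotation job can apply before accepting a credential. The screening function below is an added example written for this page; it is not NordPass’s methodology or code. Its blocklist is seeded only with the passwords quoted in the article (a real deployment would load a full breach-derived list), the keyboard rows assume a US QWERTY layout, and the 12-character floor is an assumed policy value.

```python
import re

# Constructed blocklist: only the passwords quoted on the page. A real deployment
# would load a breach-derived list of millions of entries instead.
COMMON_PASSWORDS = {
    "123456", "123456789", "picture1", "password", "12345678",
    "whatever", "football", "iloveyou", "letmein", "pokemon",
}

# Physical key order on a US QWERTY keyboard (assumed layout); runs along these
# rows in either direction are the "next to each other on a keyboard" patterns.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")

MIN_LENGTH = 12  # assumed policy floor for this example


def has_keyboard_run(password, run=4):
    """True if `run` consecutive keys from one keyboard row appear in order ('qwer', '6543')."""
    low = password.lower()
    for row in KEYBOARD_ROWS:
        for direction in (row, row[::-1]):
            for i in range(len(direction) - run + 1):
                if direction[i:i + run] in low:
                    return True
    return False


def has_repetition(password, run=3):
    """True if any single character repeats `run` or more times consecutively ('aaa', '111')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), password) is not None


def has_personal_info(password, personal_tokens):
    """True if a supplied name, birth year or similar token (3+ chars) is embedded in the password."""
    low = password.lower()
    return any(len(t) >= 3 and t.lower() in low for t in personal_tokens)


def has_predictable_placement(password):
    """True for the classic shapes: only the first letter capitalised, or digits only as a trailing run
    (the 'picture1' pattern), which is where guessing tools look first."""
    uppers = [c for c in password if c.isupper()]
    capital_first_only = password[:1].isupper() and len(uppers) == 1
    digits_only_at_end = re.fullmatch(r"\D*\d+", password) is not None
    return capital_first_only or digits_only_at_end


def screen_password(password, personal_tokens=()):
    """Return the list of weaknesses found; an empty list means none of the heuristics fired."""
    findings = []
    if password.lower() in COMMON_PASSWORDS:
        findings.append("common")
    if len(password) < MIN_LENGTH:
        findings.append("too_short")
    if has_keyboard_run(password):
        findings.append("keyboard_pattern")
    if has_repetition(password):
        findings.append("repetition")
    if has_personal_info(password, personal_tokens):
        findings.append("personal_info")
    if has_predictable_placement(password):
        findings.append("predictable_placement")
    return findings


if __name__ == "__main__":
    # Constructed samples: the page's worst offenders plus a passphrase that passes every check.
    for candidate in ("123456", "picture1", "Qwerty2020", "correct-Hor5e-b4ttery"):
        print(f"{candidate!r}: {screen_password(candidate) or 'no findings'}")
```

    The heuristics are deliberately conservative: they reject the shapes the article singles out without trying to estimate cracking time, which depends on the hash and the attacker’s hardware rather than on the password alone. The personal-information check only works if the caller passes the tokens it knows about (the account’s name, birth year, employer), which is why it is a parameter rather than a built-in list.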

    Previous and related coverage
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Amazon Web Services’ new Network Firewall solution rolls out

    Amazon Web Services (AWS) has announced the general availability of AWS Network Firewall. 

    The managed security service has been created in order to give customers improved visibility into their AWS setups and architecture, as well as to bolster network security. 
    AWS’ system can be enabled in Amazon Virtual Private Cloud (VPC) environments via the AWS console, and will automatically add a layer of network protection across AWS workloads and servers. In addition, AWS Network Firewall will scale up based on network traffic rates. 
    The solution’s rules engine can be customized or imported from AWS Partner Network (APN) providers such as CrowdStrike, Fortinet, and Trend Micro, among others. Snort and Suricata rules can also be implemented.
    According to Steve Schmidt, chief information security officer at AWS, the solution was built with customer feedback in mind: clients said they wanted a cloud network firewall and network protections that “work with their existing security systems and without the headache of managing the underlying infrastructure.”
    AWS already provides Web Application Firewall (WAF), AWS Shield — designed to stop Distributed Denial-of-Service (DDoS) attacks, AWS Security Groups for the protection of Amazon Elastic Compute Cloud (EC2) instances, and AWS Firewall Manager, a console to monitor firewall controls across AWS setups. 

    Amazon says that while existing offerings do address specific firewall security needs, Network Firewall will provide a blanket network security layer across all workloads. The system is able to monitor domain-based access controls, identify malicious traffic and implement web filtering, and inspect traffic packets from the network layer to the application layer. 
    AWS Network Firewall is now available in the US East, West, and European regions, with more regional deployments coming “soon.”
    Amazon’s security solution is paid for based on hours deployed and gigabytes of data processed. 
    “AWS Network Firewall provides scalable network protections that allow customers to deploy highly customizable rules for their entire AWS infrastructure, and integrates with many of the APN partner services that customers already use,” Schmidt commented. “Best of all, there’s no need to configure or maintain additional infrastructure.”

  • Hacking group exploits ZeroLogon in automotive, industrial attack wave

    Researchers have uncovered a worldwide campaign targeting businesses using the recently-disclosed ZeroLogon vulnerability. 

    The active cyberattack is thought to be the handiwork of Cicada, also tracked as APT10, Stone Panda, and Cloud Hopper. 
    Historically, the threat group — first discovered in 2009 and one that the US believes may be sponsored by the Chinese government — has targeted organizations connected to Japan, and this latest attack wave appears to be no different.
    Symantec researchers have documented companies and their subsidiaries in 17 regions, involved in automotive, pharmaceutical, engineering, and the managed service provider (MSP) industry, which have been recently targeted by Cicada.
    According to the company, Cicada’s latest attack wave has been active since mid-October 2019 and has continued up to at least October this year. 
    Cicada appears to be well-resourced and uses a variety of tools and techniques. This includes DLL side-loading, network reconnaissance, credential theft, command-line utilities able to install browser root certificates and decode data, PowerShell scripts, and both RAR archiving and a legitimate cloud hosting provider for the download, packaging, and exfiltration of stolen information. 

    Of particular note is a recent addition to the hacking group’s toolkit; a tool able to exploit ZeroLogon. Tracked as CVE-2020-1472, issued a CVSS score of 10, and both disclosed and patched by Microsoft in August, the vulnerability can be used to spoof domain controller accounts and hijack domains, as well as compromise Active Directory identity services.
    Cicada has also launched Backdoor.Hartip, a custom form of malware not before seen in connection to the APT, against its targets. 
    It appears that the group is focused on the theft of information and cyberespionage. Data of interest — including corporate records, HR documents, meeting memos, and expense information — is often packaged up and whisked away to Cicada’s command-and-control (C2) servers. 
    “The amount of time the attackers spent on the networks of victims varied, with the attackers spending a significant amount of time on the networks of some victims, while spending just days on other victim networks,” the researchers say. “In some cases, too, the attackers spent some time on a network but then the activity would cease, but start again some months later.”
    The campaign has been attributed to Cicada with “medium” confidence due to clues in how code is obfuscated, the use of DLL side-loading, and DLL names including “FuckYouAnti,” which has been previously documented in a Cylance report on the same APT. In addition, the final payload combines QuasarRAT, used in the past by Cicada, with Backdoor.Hartip.
    “Cicada clearly still has access to a lot of resources and skills to allow it to carry out a sophisticated and wide-ranging campaign like this, so the group remains highly dangerous,” Symantec says. “Its use of a tool to exploit the recently disclosed ZeroLogon vulnerability and a custom backdoor […] show that it continues to evolve its tools and tactics to actively target its victims.”