More stories

  • Bug bounties: Here's how much Microsoft paid out to security researchers last year

    Microsoft has revealed it awarded 341 researchers a total of $13.6 million during the past year for reporting security vulnerabilities in its bug bounty programs. The awards were issued between July 1, 2020 and June 30, 2021, and the total is slightly less than what it paid out in 2019. That year, Microsoft tripled the awards from the previous year.

    The largest award was $200,000 under the Hyper-V Bounty Program, Microsoft’s program for its virtualization layer on Windows 10, Windows Server 2016, and containers for running Windows and Linux applications in the cloud.

    “With an average of more than $10,000 USD per award across all programs, each of the over 1,200 eligible reports reflect the talent and creativity of the global security research community and their invaluable partnership in addressing the challenges of a constantly changing security environment,” the Microsoft Security Response Center (MSRC) said in a blog post.

    Microsoft has launched some new bug bounties this year, including one for Microsoft Teams with awards up to $30,000 for critical bug reports. The other bounty is aimed at a potential future post-quantum cryptography standard called Supersingular Isogeny Key Encapsulation (SIKE). Microsoft currently has 17 bug bounty programs available for researchers to earn rewards. The Hyper-V program offers the largest possible award of up to $250,000.

    The Microsoft Identity bounty is also important, covering Microsoft Account, Azure Active Directory, or select OpenID standards. The top payout is $100,000. Some individual security researchers can earn significant sums – even millions – from bug bounty programs.

  • Ransomware: Banning victims from paying ransoms might reduce attacks, but it won't stop them

    Ransomware is very profitable. The reason why cyber criminals continue to hack into corporate networks, encrypting files and servers, is that enough victims will pay the ransom – usually in Bitcoin or another cryptocurrency – to make it worth their while.

    Some of those ransoms can be enormous; recent weeks have seen one company pay $5 million to restore the network after falling victim to Darkside ransomware, while another hit by a REvil ransomware attack paid $11 million for the decryption key.

    Kaseya attack

    REvil ransomware was also used in a massive ransomware attack, which saw management software company Kaseya hacked, affecting 1,500 companies around the world.

    The attackers demanded a ransom payment of $70 million in exchange for a universal decryption tool to supposedly resolve a problem affecting customers around the world – including a chain of supermarkets in Sweden that temporarily closed due to the cyberattack.

    These are just a handful of examples, but cyber criminals are regularly demanding millions of dollars from victims – and in many cases, they’re paying up because they don’t feel as if they’ve got any other option when it comes to restoring their network. However, there are concerns that this creates a self-perpetuating cycle.

    While governments discourage organisations from paying ransoms to cyber criminals, the practice isn’t illegal – but there have been calls for legislation to be drawn up to ban paying ransoms.

    The potential positive and negative consequences of banning ransom payments were recently discussed by a group of experts during a panel on disrupting the ransomware ecosystem, which was hosted by the Royal United Services Institute for Defence and Security Studies (RUSI), a defence and security think tank.

    “From an ideological point of view, most people agree that you want to ban ransom payments. Fundamentally, we are funding crime and that’s a bad thing,” says Jen Ellis, vice president of community and public affairs at Rapid7 and a co-chair of the Institute for Security and Technology’s (IST) Ransomware Task Force (RTF).

    Not only does paying ransoms show criminals that ransomware works, encouraging further attacks, but the nature of the criminal ecosystem also means that payments are used to fund other crimes.

    Of course, when the network is down and they can’t operate, or if ransomware has compromised industrial control systems and manufacturing is impossible, businesses aren’t thinking about the long-term consequences of paying the ransom; they just want the issue resolved as quickly as possible.

    In some cases, businesses can claim back this cost from cyber-insurance policies. This is something a RUSI paper has argued could be enabling ransomware – but according to one insurer, paying ransoms is not something they want to do.

    “Believe me, insurers do not want to pay ransoms. It’s our client’s ultimate decision to take and I’m afraid to say there are times when there really is no other alternative,” says Graeme Newman, international cyber underwriter at CFC Underwriting, an insurance provider.

    Cyber-insurance policy holders who pay the ransom need to do it from their own budgets, and it’s possible to recover that if certain conditions are met – but insurers aren’t just automatically handing over a large sum of money in the aftermath of a ransomware attack.

    Newman argues that the reason that businesses are paying ransoms, and then claiming the payments back on cyber-insurance policies, is because they’re in a desperate position, one which for many small- and medium-sized businesses would mean they go out of business if they don’t pay.


    “If we banned payments, there would be a significant disadvantage to all the businesses which have been attacked,” he says. “What you need is a structured system of a small number of heavily supervised, heavily regulated bodies that can determine when it’s okay to make a payment.”

    Currently, there isn’t any guidance over what situations it would be deemed acceptable to pay a ransom or what action should be taken against ransomware victims who choose to pay a ransom in the event of a ban – but there’s an argument that in the event of a ban, it isn’t insurers who should be penalised.

    “You ban payments, not the people who may or may not facilitate payments. Banning insurers from covering payments, but not banning payments, doesn’t make any sense – you either ban payments or you don’t. It’s not for insurers to make public policy, it’s for governments to do it,” says Ciaran Martin, professor of practice at the University of Oxford’s Blavatnik School of Government – and former director of the National Cyber Security Centre (NCSC), who says he’s “in favour of a ban in principle”.

    Currently, the decision on making a ransom payment is entirely in the hands of private enterprises and they’re ultimately going to decide on what’s best for them – and if that means paying a ransom, then they’ll pay the ransom.

    However, while the idea of banning ransoms might sound appealing, it wouldn’t be a silver bullet against ransomware attacks. It’s likely that cyber criminals will continue to conduct their campaigns, but in the knowledge that they can still go after the soft targets that don’t have a choice when it comes to paying a ransom – whether it is illegal to or not.

    “They’ll still target organisations that are least able to resist paying – critical infrastructure that cannot face the burden of disruption or small- to medium-sized businesses that don’t have the ability to have resilience. So, the likelihood is if we ban payments, attackers will focus on these groups,” says Ellis.

    “Banning payments seems like a good thing to do in the long term, it seems like a desirable outcome – we don’t know how to do that pragmatically speaking to make it work in a way that isn’t going to cause a lot of unintended harm in the short term. That’s the dilemma,” she adds.

    What is clear is that ransomware is going to remain a major cybersecurity problem for some time yet – but organisations can attempt to avoid becoming the next major victim by following the appropriate steps to protect their network from attacks.

  • Scam artists exploit Kaseya security woes to deploy malware

    Kaseya has urged customers to be wary of a wave of phishing emails taking advantage of the disruption caused by a recent ransomware attack. 

    Kaseya attack

    Last Friday, Kaseya — which serves managed service providers (MSPs) among its client base — was hit by REvil, a ransomware group that managed to exploit vulnerabilities in the firm’s VSA software. As a precaution, the company pulled both VSA and SaaS servers offline. However, roughly 50 direct clients and up to 1,500 businesses further down the chain have been impacted.

    On July 8, the software solutions provider said that scam artists are leveraging the security incident to “send out fake email notifications that appear to be Kaseya updates.” “These are phishing emails that may contain malicious links and/or attachments,” the company added.

    Samples of fake, emailed Kaseya advisories, as noted by Malwarebytes, urge recipients to download and execute an attachment called “SecurityUpdates.exe” to resolve a vulnerability in Kaseya and to protect themselves against ransomware.

    However, the attachment, a Windows executable, is actually a Cobalt Strike package. The legitimate threat emulation tool is used by penetration testers, but unfortunately, is also widely abused by threat actors.

    Cobalt Strike may be used to set up a connection with a command-and-control (C2) server. Together with Metasploit, an open source penetration testing toolkit, these tools were used to host over a quarter of all malware-linked C2s in 2020.

    The email sample also contained a direct link to a malicious executable.

    Previously, some legitimate emails sent to customers appear to have included links to the Kaseya helpdesk; however, if customers are used to this sort of format then they may be more susceptible to clicking on malicious links sent via email by threat actors.

    In light of this potential security risk adding to the existing burden of restoration efforts, the company says it will no longer send email updates containing any links or attachments.

    Kaseya has encountered some issues during recovery attempts. In a July 8 update, Kaseya CTO Dan Timpson said the vulnerabilities have been fixed and additional security measures “are being created prior to deployment to improve the overall security posture of our products.” At present, the company hopes to bring customers back online this Sunday at 4 PM EDT.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Texas resident jailed for role in $2.2 million romance, business email scams

    A resident of Houston, Texas, has been sentenced to over seven years in jail for his role in romance and business scams that netted over $2.2 million in illicit proceeds. 

    Akhabue Ehis Onoimoimilin, otherwise known as David Harrison, stood before US District Judge Robert Pitman this week and was sentenced to 87 months in prison and ordered to pay back just over $865,000 in restitution. According to the US Department of Justice (DoJ), the 29-year-old has been embroiled in romance and Business Email Compromise (BEC) scams since approximately 2015.

    Romance scams will often begin with the creation of fake profiles on social media and dating apps. Predators will target individuals and will try to establish trust with their victim, who believes they are a potential romantic partner. Requests for money soon follow for fake reasons: a need for credit, a medical emergency, or in recent years, in order to join a time-sensitive and lucrative financial opportunity. However, once a vulnerable person has no money left to give, the scam artist vanishes.

    UK police, too, have warned of another form of romance scam that has become more prevalent due to stay-at-home orders: requests for explicit photos, videos, or live camera sessions are made, and then victims are threatened with this content being leaked to family members or employers unless they pay the scammer.

    BEC schemes take a different road. Organizations, large and small, are phished and employees — such as those in accounts or HR — are duped into believing they are being emailed by other staff, including executives and business leaders. Spoof emails request wire transfers and invoice payments, but the bank details included ensure that payment is sent to attacker-controlled accounts.

    In both romance and BEC scams, a way to launder cash may be needed — and Onoimoimilin has pleaded guilty to this role. While working with co-conspirators, he used a fake passport to open bank accounts under the name of David Harrison in both Austin and Houston, Texas. These accounts were used to launder funds, and for his efforts, Onoimoimilin took a cut of between 10% and 15% of over $420,000 banked.

    Following his prison term, Onoimoimilin will also have to submit to two years of supervised release. A money judgement in the amount of $50,605 against the Nigerian national was also recognized.

    “These morally reprehensible schemes deprive people of their hard-earned money and even their entire life savings and retirement funds, leaving humiliation and financial ruin behind,” commented US Attorney Ashley Hoff. “Our office will continue to vigorously prosecute those who conspire to prey on vulnerable victims in this manner.”

  • Critical infrastructure Bill has a government 'step in' powers labelling problem

    The CEO of Australia’s Cyber Security CRC Rachael Falk has offered clarity on the contentious government “step in” powers that are set to be legislated under the Security Legislation Amendment (Critical Infrastructure) Bill 2020.

    She told the Parliamentary Joint Committee on Intelligence and Security (PJCIS) that there has been a “bit of a labelling problem” in the Bill when it is called “step in” powers or powers to intervene.

    “I don’t think what is intended, if I may say so, is not what we call in traditional corporations law step in rights, which is traditionally associated with companies in liquidation where you have liquidators come in and step into the shoes of the companies and literally operate the company as if it were their own,” she said. “So I think this power has kind of been misunderstood and mislabelled.”

    Falk said, instead, it should be explained as a way for the Australian Signals Directorate (ASD) or its Australian Cyber Security Centre (ACSC) to lend their expertise.

    “It could be by way of a compulsory notice served in an organisation when it is clearly struggling to gain control of quite a serious cyber attack, that they then are able to be served with a compulsory notice, and then they have to engage and discuss with ASD,” she said. “I think what’s lost here a little bit in the debate is the Australian Signals Directorate are the experts here in terms of poacher and gamekeeper, they do this for a living every day. So a compulsory notice to be served, not step in rights, I think that label should be removed.”

    During its hearing on Thursday, the PJCIS heard from four large technology firms that declared they did not need assistance from the Australian government and that the installation of software would do more harm than good. But later that day it was a different story, with representatives from the nation’s water, electricity, and logistics sectors accepting government assistance if it was within reason.

    As part of his testimony, Water Services Association of Australia’s director of business excellence Greg Ryan discussed the potential for an indemnity or insurance that provides security to the organisation ahead of ASD/ACSC engagement.

    Falk believes rebranding it to “compulsory engagement” rather than being a step in power would remove the need for indemnity.

    “I think there’s a bit of a vision that Homer Simpson comes in and presses all sorts of red buttons, which in that case you might want the indemnity scenario. I think if there were more of a compulsory notice to engage, then they would be working with the impacted organisation, not working as the impacted organisation,” she said.

    “So it might mean there is no need for an indemnity because they are saying you need to engage and we advise you to take this advice.

    “I can see the advantages of an indemnity but if they were simply the subject of a compulsory notice to engage, they could disregard ASD advice and therefore wouldn’t need the indemnity.”

    She also touched on the requirement to notify the government of an incident within 12 hours. While Falk accepted it may not be known within 12 hours that an incident has occurred, she suggested a “staged approach” to notification.

    “Immediate notification isn’t too onerous. Once you realise you’re in the middle of an incident, and details can also follow in a reasonable period of time … I think a staged process where there’s immediate notification, we have an incident running, we’re unsure of what it is, we will come back once we have clarity within up to a timescale of 21 days,” she pondered.

    A case for ransomware payment notification

    The federal opposition last month introduced a Bill to Parliament that, if passed, would require organisations to inform the ACSC before a payment is made to a criminal organisation in response to a ransomware attack.

    The Ransomware Payments Bill 2021 was introduced in the House of Representatives by Shadow Assistant Minister for Cyber Security Tim Watts, who at the time took the opportunity to say the government’s current position of telling businesses to defend themselves by “locking their doors to cyber-criminal gangs” was “not good enough”.

    Cybersecurity expert and former United States CISA chief Chris Krebs agreed with Watts. He told the PJCIS it would be useful to compel critical infrastructure providers to disclose cybersecurity incidents, including ransomware.

    “Mandatory reporting for any ransomware victim before they make a payment,” he told the committee. “For ransomware, in particular, we do not know how big this problem is, in fact, probably the only people that know how big it is, are the criminals themselves. And they’re not apparently sharing that with us.

    “We have to get to the denominator of ransomware attacks and the easiest way to do that is require ransomware victims to make a notification to the government. This is not yet in determination on whether paying ransom itself is illegal, I think that’s a separate conversation, but just at a minimum, if you’re going to be engaging with the transaction, with the ransomware group, that that needs to be notified.”

    Krebs said this was so authorities could understand the scope of the problem and also collect the data on the payment.

    “We also want to make sure that the information, specifically the wallet to which the ransomware payment is going, to be tracked by law enforcement intelligence officials to light up the economy,” he explained.

    Last month, the US Department of Justice (DoJ) revealed it managed to recover some of the ransom paid by Colonial Pipeline to the cybercriminals behind the DarkSide ransomware in May. The DoJ and the FBI seized 63.7 bitcoins — valued at $2.3 million at the time — of the 75 bitcoins that the Colonial Pipeline CEO admitted to paying. Despite paying the ransom, the decryption tools handed over did not work nor help the company’s efforts to restore its systems.

    Apprentice sparkies to be treated like an ASIO employee

    Acting national secretary of the Electrical Trades Union of Australia Michael Wright told the committee during his testimony that the Bill, as currently drafted, would see apprentice electricians held to the same security standards that ASIO officers are.

    “We’ve been engaging with the Department of Home Affairs around the rules that have been drafted … the department isn’t familiar with our industry, nor would you reasonably expect it to be. The issue we have is that they’re requiring the draft rules that they’ve designed have said that everyone who accesses, provides access to assets, would therefore need to go through the Auscheck process,” Wright said.

    “That may or may not make sense in other industries, but in an industry where asset means power pole and you do need an access permit to work on that, that means that the entire workforce … or workers in that industry would wind up being required to go through that Auscheck, that ASIO backgrounding … it really starts to pry into their personal lives.”

    Senator James Paterson said he considered it to be an unintended consequence for an apprentice electrician to be subject to the federal government’s ASIO vetting process, calling the idea “absurd”.

    “That’s a process that can take anywhere between six months and a year and researches all of the family and personal connections that a person might have, their international travel, their prior employment — are you suggesting seriously that apprentice electricians will have to get PV [positive vetting] security clearance to work?” Paterson questioned.

    “We raised these concerns and we get nothing back,” Wright said in response.

  • The Chris Krebs case for including election systems as critical infrastructure

    Cybersecurity expert and former United States CISA chief Chris Krebs has testified before an Australian security and intelligence committee, providing a case as to why policymakers should consider adding elements of the country’s election system to the list of what constitutes critical infrastructure.

    “I think there are elements of the election administration function that should absolutely be considered critical infrastructure, and that is the administration element,” he said. “That’s the systems, the machines, the counting process, the protocols around it — I think it’s, at least in the US, a step too far to call the political parties themselves as part of the infrastructure, but they do have certainly a contribution and a piece involvement.”

    The Parliamentary Joint Committee on Intelligence and Security (PJCIS) is currently looking into Australia’s Security Legislation Amendment (Critical Infrastructure) Bill 2020, which, among other things, looks to bring more sectors into the definition of “critical infrastructure”. These are communications, financial services and markets, data storage and processing — including cloud providers — defence industry, higher education and research, energy, food and grocery, healthcare and medical, space technology, transport, and water and sewerage sectors.

    Krebs said Russian interference in the 2016 US election led the focus for the 2020 election to be on thwarting technical attacks and disruptions of election systems by ransomware attacks against voter registration databases, and of media outlet hacks, both on websites and television, such as changing the results on the live tally.

    “But as we got closer to the election, what we actually realised were the most likely were perception hacks, or disinformation campaigns, claiming to have been able to access the system, claiming to have been able to change an outcome, or that somebody else was doing it,” Krebs explained.

    “And ultimately, that’s what we saw with some of the claims of Hugo Chávez from the grave hacking into the vote counting systems, and those persist to this very day, with the so-called audit in Arizona, and elsewhere.

    “Those are the more pervasive, much harder to debunk, because there’s an asymmetry of the adversary. Even if it’s domestic, it’s still an adversary, in this case, [a] domestic actor that is trying to undermine confidence in the process for their own outcomes.”

    He said what is at stake is defending democracy.

    Adding to Krebs’ remarks was the director of the Australian Strategic Policy Institute’s international cyber policy centre, Fergus Hanson, who considers political parties themselves as a key vulnerability, given the scale to which their operations need to grow come election time.

    “Trying to provide a solid cybersecurity basis for that is very difficult for a very small organisation that’s undergoing massive and rapid scaling. I think providing government support for all political parties to be more resilient to interference, I think, would be really important,” he told the PJCIS. “And we’ve seen in lots of countries where political parties have been breached [or] there’s been hacks or leaks — operations that have potentially swayed people’s views on parties during the heat of a campaign.”

    Further on misinformation and disinformation, Krebs said an understanding exists of there being underinvestment in cybersecurity and the critical infrastructure community, but there has been “virtually no investment on countering disinformation, nowhere”.

    “More important is that right now than in the deployment of COVID-19 vaccinations, we are seeing an active threat environment from Russia and China for vaccine diplomacy and we’re also seeing it from conspiracy theorists and just anti-vaxxers in general — there’s a much longer tail on the disinformation,” he said. “But I will say that I’ve been impressed with the Australian government’s efforts over the last several years to take disinformation and threats to democracy in particular, very, very seriously. In fact, they’re well ahead of where I would say the United States is.”

  • CSO Group to help NSW Department of Communities and Justice in AU$7m cyber deal

    CSO Group has signed a four-year cybersecurity deal with the New South Wales (NSW) Department of Communities and Justice (DCJ) to provide real-time visibility, intelligence, and remediation.

    Worth AU$7 million, the deal will see CSO Group deliver a fully-managed security monitoring service, security operations centre (SOC), and managed security information and event management, which will be delivered through a sovereign architecture via Macquarie Government’s protected cloud and government-certified environment.

    “Working with enterprise-grade Australian cybersecurity companies that house the data in a protected Australian data centre is a highly valuable requirement,” NSW DCJ CISO Matthew Fedele-Sirotich said. “Furthermore, the services offered enables our internal teams to conduct the in-depth threat hunts to continuously validate the secure nature of our environment. All the while knowing our service partner is acting as our overwatch, ensuring we identify and respond to malicious behaviours and events.”

    The contract is part of the NSW DCJ’s cyber refresh program and is in addition to a four-year AU$16 million deal that was recently awarded to CSO Group to deliver new cybersecurity solutions for the cloud, endpoint, and email.

    At the end of last year, the Information and Privacy Advisory Committee was set up by the NSW government to provide it with information, advice, assistance, and training on how to best deliver information and privacy management practices in government. The committee was also tasked with facilitating collaboration between government, industry, and academia. A dedicated cyber and privacy resilience group was also established by the state government as a vow to keep customer data safe.

    It followed the state government announcing a AU$240 million commitment to improve NSW’s cybersecurity capabilities, including investments towards protecting existing systems, deploying new technologies, and increasing the cyber workforce. With that funding, it announced plans to create an “army” of cyber experts.

  • Brazilians fear for the security of their data

    Brazilians are concerned about the security of their data despite knowing that companies they interact with keep some type of information about their consumption and leisure habits, according to a new survey. According to the research carried out by Datafolha Institute on behalf of Mastercard with 1,517 users of digital services in January 2021, 92% of respondents said they are aware companies retain their information to some degree. However, on a scale of 1 to 10 where 10 is “very secure”, 5.1 is the average score given to how secure respondents feel their information is in digital environments.

    The survey, carried out with the goal of measuring the level of concern regarding the security of consumers within data and information exchange environments, found that only 13% consider their data to be very secure, while 21% consider their data to be insecure.

    The fear of cyber attacks is high among Brazilian users, according to the survey, which suggests that 73% of respondents reported having suffered some kind of digital threat such as receiving fake messages from companies and stolen passwords. As a result of these incidents, many of those polled have taken additional security measures, the study noted. More than 80% of the survey respondents said they avoid clicking suspicious links, while 75% avoid using public Wi-Fi networks and 64% have different passwords for each of the accounts they have on digital platforms or apps.

    Social networks were considered by respondents as the least trustworthy environments, while hospitals, medical examination clinics, schools and colleges are the institutions in which respondents have the greatest level of confidence.

    Moreover, nearly 70% of respondents stated they know that when they access a social network, shop over the internet or make financial transactions online, the data is stored by the companies they are transacting with, and that data can be used to better target offers and benefits and to monitor consumption habits.

    Brazilians are willing to allow the collection of their personal data, as long as they get something in return, according to a separate study, published by cybersecurity firm Kaspersky in June 2020. Some 43% of respondents said they would share sensitive private data to ensure better ranking in social rating systems, discounts, or to receive customized services. Brazilian consumers are also more willing to share their social media profiles in exchange for other benefits, the Kaspersky study noted, such as protecting their job, finding a better place to live, a place at a good school for their children or getting a visa.