More stories

    Azure Defender for IoT enters public preview

    Microsoft’s security solution for smart devices and industrial equipment, known as Azure Defender for IoT, has entered public preview this week.

    Azure Defender for IoT (previously Azure Security Center for IoT) was announced earlier this month at the Microsoft Ignite 2020 developer conference.
    The product is a security solution for companies that manage IoT (Internet of Things) or OT (Operational Technology, aka industrial equipment) networks.
    Smart devices and industrial equipment usually don’t have the resources to run dedicated security software, or their firmware doesn’t allow add-on software to be installed.
    Additionally, IoT and OT systems run on specialized industrial protocols (Modbus, DNP3, BACnet, etc.), which classic antivirus and security software isn’t designed to inspect.
    Azure Defender for IoT is aimed at companies that operate large fleets of IoT/OT gear. It works by passively inspecting all the network traffic inside a company to discover, inventory, and then monitor IoT and OT devices.
    “You can deploy these capabilities fully on-premises without sending any data to Azure,” said Phil Neray, Director of Azure IoT Security Strategy at Microsoft. “Or, you can deploy in Azure-connected environments using our new native connector to integrate IoT/OT alerts into Azure Sentinel, benefiting from the scalability and cost benefits of the industry’s first cloud-native SIEM/SOAR platform.”
    For any threats detected on a network, Azure Defender for IoT will send an alert to a local on-premises dashboard or to a cloud-based Azure Sentinel instance.
    Detection capabilities include the likes of:
      • Unauthorized device connected to the network
      • Unauthorized connection to the internet
      • Unauthorized remote access
      • Network scanning operation detected
      • Unauthorized PLC programming
      • Changes to firmware versions
      • “PLC Stop” and other potentially malicious commands
      • Device is suspected of being disconnected
      • Ethernet/IP CIP service request failure
      • BACnet operation failed
      • Illegal DNP3 operation
      • Master-slave authentication error
      • Known malware detected (e.g., WannaCry, EternalBlue)
      • Unauthorized SMB login

    Azure Defender for IoT sample alert
    Microsoft says Azure Defender for IoT comes with out-of-the box integration with third-party IT security tools like Splunk, IBM QRadar, and ServiceNow.
    It can also work out of the box with existing OT environments that use automation equipment from all major OT suppliers, such as Rockwell Automation, Schneider Electric, GE, Emerson, Siemens, Honeywell, ABB, and Yokogawa.
    Neray said Azure Defender for IoT would be free of charge during the public preview.

    Data watchdog issues biggest ever fine over airline cyberattack

    British Airways has been fined £20 million for “unacceptable” failures that led to the personal details of hundreds of thousands of customers being stolen by hackers in 2018.
    The fine is the largest financial penalty issued by the UK’s Information Commissioner’s Office (ICO) to date and was imposed under the GDPR data protection regulation.

    The incident started in summer 2018 and went undetected by the airline for over two months, before finally being publicly disclosed in September 2018.
    Over 400,000 British Airways customers who used the website during the summer of 2018 were redirected to a fraudulent website run by cyber criminals, who harvested personal details including names, addresses, and payment card information.
    An investigation by the ICO concluded that British Airways should have been able to identify the cybersecurity weaknesses and resolve them with security measures available at the time.
    “People entrusted their personal details to BA and BA failed to take adequate measures to keep those details secure,” said Information Commissioner Elizabeth Denham.
    “Their failure to act was unacceptable and affected hundreds of thousands of people, which may have caused some anxiety and distress as a result. That’s why we have issued BA with a £20m fine – our biggest to date.”
    The ICO’s investigation concluded that there were numerous measures British Airways could have taken to mitigate the attack that weren’t in use.
    These include limiting access to applications to only those required to fulfil a user’s role, undertaking rigorous testing of cybersecurity, and protecting accounts with multi-factor authentication.
    The ICO notes that none of these measures would have required “excessive cost or technical barriers”, and that some of them were available to the airline but went unused.
    The investigation also concluded that it’s “not clear” whether British Airways would have identified the attack themselves, having only been alerted to the incident by a third party. The ICO considers this a “severe failing” because of the number of people who had their data compromised by the attack.
    However, the ICO notes that in the years since the attack, British Airways has made “considerable” improvements to its information security procedures.
    “We alerted customers as soon as we became aware of the criminal attack on our systems in 2018 and are sorry we fell short of our customers’ expectations,” a British Airways spokesperson told ZDNet.
    “We are pleased the ICO recognises that we have made considerable improvements to the security of our systems since the attack and that we fully co-operated with its investigation.”
    The ICO initially issued BA with a notice of intent to fine in June last year and has come to the final figure of £20m based on regulatory processes – and the impact COVID-19 has had on the business.
    “When organisations take poor decisions around people’s personal data, that can have a real impact on people’s lives. The law now gives us the tools to encourage businesses to make better decisions about data, including investing in up-to-date security,” said Denham.

    Billionaire CEO of software company indicted for alleged $2 billion tax evasion schemes

    The billionaire chief executive of Ohio-based Reynolds and Reynolds Co, Robert Brockman, has been indicted on charges of tax evasion and wire fraud conducted over “decades.”

    The scheme, in which roughly $2 billion was hidden away in offshore accounts and through money laundering, took place between 1999 and 2019, the US Department of Justice (DoJ) said on Thursday.
    According to the indictment (.PDF), the resident of both Houston, Texas, and Pitkin County, Colorado, allegedly used a “web” of offshore organizations in Bermuda and Nevis to hide the profits he made from investments in private equity funds.
    Brockman squirreled away his capital gains and also tampered with the evidence of his alleged activities, prosecutors say, by methods including backdating records and using “encrypted communications and code words” to communicate with co-conspirators, including the phrases “Permit,” “King,” and “Redfish.”
    A ranch, a luxury home, and a yacht were among the purchases apparently made with untaxed income.
    US prosecutors also say that between 2008 and 2010, Brockman used a third-party entity to purchase $67.8 million in debt securities from the software company. As CEO, the executive is not permitted to do so without full disclosure, as it can have an impact on share prices and trading; however, Brockman allegedly did so without informing sellers.
    As a result, approximately $2 billion in income was kept hidden from the US Internal Revenue Service (IRS). In addition, US prosecutors allege that investors in the software firm’s debt securities were also defrauded.
    A federal grand jury in San Francisco, California, has issued a 39-count indictment, including seven counts of tax evasion, 20 counts of wire fraud, and counts of money laundering, evidence tampering, and destruction of evidence.
    Prosecutors suggest the indictment of the software mogul should stand as a warning to others currently using offshore accounts and other means to evade taxes.
    “As alleged, Mr. Brockman is responsible for carrying out an approximately two billion dollar tax evasion scheme,” commented Jim Lee, Chief of IRS Criminal Investigation. “IRS Criminal Investigation aggressively pursues tax cheats domestically and abroad. No scheme is too complex or sophisticated for our investigators. Those hiding income or assets offshore are encouraged to come forward and voluntarily disclose their holdings.”
    Robert Smith has also been charged with tax fraud. The operator of Vista Equity Partners, ensnared in the same scheme, has agreed to pay $139 million to settle the matter and is cooperating in the investigation against Brockman.

    Adobe patches Magento bugs that lead to code execution, customer list tampering

    Adobe has released a set of out-of-band security fixes to resolve serious issues in the Magento platform.

    Published on October 15, the security advisory falls outside the firm’s typical monthly patch cycle and resolves nine vulnerabilities, eight of which are considered either critical or important, as well as one moderate-severity flaw.
    The vulnerabilities impact Magento Commerce and Magento Open Source, versions 2.3.5-p1, 2.4.0, and earlier.
    Adobe Magento’s critical vulnerabilities, now resolved, are tracked as CVE-2020-24407 and CVE-2020-24400. The file-upload allow-list bypass and the SQL injection bug can lead to the execution of arbitrary code or arbitrary read/write database access. However, neither security flaw is pre-auth: both require an attacker to have already obtained admin privileges.
    In addition, the software giant has tackled a vulnerability that allows attackers to manipulate and modify customer lists, CVE-2020-24402.
    A stored cross-site scripting (XSS) issue (CVE-2020-24408), a user session invalidation bug (CVE-2020-24401), a security flaw that allows Magento CMS pages to be modified without permission (CVE-2020-24404), and two restricted resource access bugs (CVE-2020-24405 and CVE-2020-24403) have also been resolved.
    The least dangerous bug, CVE-2020-24406, is the unintended disclosure of a document root path, which could lead to sensitive information disclosure.
    In Adobe’s standard monthly security update, the company patched a single, critical vulnerability in Flash for Windows, macOS, Linux, and Chrome OS. The vulnerability, CVE-2020-9746, is a null pointer dereference flaw that could be exploited to cause software crashes or arbitrary code execution.
    Microsoft, too, releases security fixes for its software every four weeks. In October, 87 security issues were resolved, including 21 remote code execution vulnerabilities impacting products including Excel, Outlook, and the Windows TCP/IP stack.

    800,000 SonicWall VPNs vulnerable to new remote code execution bug

    Almost 800,000 internet-accessible SonicWall VPN appliances will need to be updated and patched for a major new vulnerability that was disclosed on Wednesday.

    Discovered by the Tripwire VERT security team, CVE-2020-5135 impacts SonicOS, the operating system running on SonicWall Network Security Appliance (NSA) devices.
    SonicWall NSAs are used as firewalls and SSL VPN portals to filter and control traffic and to allow employees to access internal and private networks.
    Tripwire researchers say SonicOS contains a bug in a component that handles custom protocols.
    The component is exposed on the WAN (public internet) interface, meaning any attacker who knows the device’s IP address can reach it.
    Tripwire said exploiting the bug is trivial even for unskilled attackers. In its simplest form, the bug can cause a denial of service and crash devices, but “a code execution exploit is likely feasible.”
    The security firm said it reported the bug to the SonicWall team, which released patches on Monday.
    On Wednesday, when it disclosed the CVE-2020-5135 bug on its blog, Tripwire VERT security researcher Craig Young said the company had identified 795,357 SonicWall VPNs that were connected online and were likely to be vulnerable.
    CVE-2020-5135 is considered a critical bug, with a rating of 9.4 out of 10, and is expected to come under active exploitation once proof-of-concept code is made publicly available. Exploiting the vulnerability doesn’t require the attacker to have valid credentials, as the bug manifests before any authentication takes place.
    The bug is also SonicWall’s second major bug this year, after CVE-2019-7481, disclosed earlier this winter.
    This week, Tenable and Microsoft researchers shared Shodan dorks for identifying exposed SonicWall VPNs so that they can be patched.

    Card details for 3 million Dickey's customers posted on carding forum

    The card details of more than three million customers of Dickey’s Barbecue Pit, the largest barbecue restaurant chain in the US, have been posted this week on a carding and fraud marketplace known as Joker’s Stash.
    The discovery was made by Gemini Advisory, a cyber-security firm that tracks financial fraud.
    “We worked with several partner financial institutions who independently confirmed our findings,” a Gemini Advisory spokesperson said in response to a report the company shared with ZDNet today.
    The company said it discovered the breach earlier this week after cybercriminals began advertising a massive collection of payment card details named “Bleeding Sun.”

    After analyzing the data together with its financial partners, Gemini said the data appears to have been obtained after hackers compromised the in-store Point-of-Sale (POS) system used at Dickey’s restaurants.
    Gemini says hackers appear to have compromised 156 of Dickey’s 469 locations, with the compromised restaurants spread across 30 states and the highest exposure in California and Arizona.

    The security firm said the card data appears to have been collected between July 2019 and August 2020.
    The payment card records are mostly for cards using outdated magstripe technology and are being sold for a median price of $17 per card.
    When reached for comment on today’s report, Dickey’s provided the following statement, indicating that the company is still investigating the incident.
    “We received a report indicating that a payment card security incident may have occurred. We are taking this incident very seriously and immediately initiated our response protocol and an investigation is underway. We are currently focused on determining the locations affected and time frames involved. We are utilizing the experience of third parties who have helped other restaurants address similar issues and also working with the FBI and payment card networks. We understand that payment card network rules generally provide that individuals who timely report unauthorized charges to the bank that issued their card are not responsible for those charges.”

    Ubisoft, Crytek data posted on ransomware gang's site

    A ransomware gang going by the name of Egregor has leaked data it claims to have obtained from the internal networks of two of today’s largest gaming companies — Ubisoft and Crytek.
    Data allegedly taken from each company was published on the ransomware gang’s dark web portal on Tuesday.
    Details about how the Egregor gang obtained the data remain unclear.
    Ransomware gangs like Egregor regularly breach companies, steal their data, encrypt files, and ask for a ransom to decrypt the locked data.
    However, in many incidents, ransomware gangs are caught and kicked out of networks during the data exfiltration process, and files are never encrypted. Nevertheless, they still extort companies, asking victims for money in exchange for not leaking sensitive files.
    Usually, when negotiations break down, ransomware gangs post a partial leak of the stolen files on so-called leak sites.
    On Tuesday, leaks for both Crytek and Ubisoft were posted on the Egregor portal at the same time, with threats from the ransomware crew to leak more files in the coming days.
    For the Ubisoft leak, the Egregor group shared files to suggest they were in possession of source code from one of the company’s Watch Dogs games. On its web portal, the group touted they were in possession of the source code for the Watch Dogs: Legion game, scheduled to be released later this month. It was, however, impossible to verify that these files came from the new game, rather than an existing release.

    For the past year, security researchers have tried to reach out and notify Ubisoft about several of its employees getting phished, with no results, which may provide a clue as to how the hackers got in.
    But while the hackers leaked only 20 MB from Ubisoft, they leaked 300 MB from Crytek, and this data contained a lot more information.
    The Crytek files included documents that appeared to have been stolen from the company’s game development division. These documents contained resources and information about the development process of games like Arena of Fate and Warface, but also Crytek’s old Gface social gaming network.

    Neither Ubisoft nor Crytek responded to emails seeking comment on the leaks. Neither company reported a major security incident in recent weeks, nor any abnormal or prolonged downtime, suggesting the Egregor intrusion likely didn’t impact cloud and gaming systems, but only back-end office and work networks, where most ransomware incidents usually cause damage.
    However, in an email interview with ZDNet, the Egregor gang provided more details about the two incidents. The ransomware operators said they breached the Ubisoft network, but only stole data, and did not encrypt any of the company’s files.
    On the other hand, “Crytek has been encrypted fully,” the Egregor crew told ZDNet.
    The Egregor group said that neither company engaged in discussions, despite their intrusions, and no ransom has been officially requested yet.
    “In case Ubisoft will not contact us we will begin posting the source code of upcoming Watch Dogs and their engine,” the group threatened, promising to publish more data in a press release tomorrow.

    US charges QQAAZZ group for laundering money for malware gangs

    The US Department of Justice has unsealed today charges against 14 members of an international money laundering group known as QQAAZZ.

    US authorities said the group has been active since 2016 and operated by advertising its services on Russian-speaking hacker forums.
    There, the group established connections with some of today’s largest malware operations, including the operators of malware botnets such as Dridex, Trickbot, and GozNym.
    According to the DOJ, QQAAZZ members operated a large network of bank accounts and money mules that allowed malware gangs to funnel money from hacked accounts to new, clean destinations.
    QQAAZZ members were organized in a business-like hierarchy. Leaders handled customer communications, mid-level managers recruited money mules, and money mules opened bank accounts and picked up money from ATMs when needed.
    US officials said the group managed a huge network of bank accounts around the world using fake identities and shell companies.
    These accounts would serve as landing spots for funds received from hacks, malware infections, and other cybercrime operations. The money would travel through the QQAAZZ accounts and get converted into cryptocurrency.
    In digital form, the cryptocurrency would then be passed through a “tumbling” service to anonymize the transactions even further, and the funds would then be returned to the cybercrime groups, with QQAAZZ operators retaining a cut of 40% to 50% for their efforts.
    20 arrests made in a transnational operation
    Besides the 14 suspects charged today [indictment PDF], the DOJ said it also charged five others in October 2019 [indictment PDF].
    US authorities said that while charges were filed in the US, this was an international crackdown against the QQAAZZ group, and criminal prosecutions were also initiated in other countries, such as Portugal, Spain, and the US.
    Sixteen countries were involved in an international operation against QQAAZZ, which Europol named “Operation 2BaGoldMule.”
    As part of this crackdown, Europol said participant countries carried out more than 40 house searches across Latvia, Bulgaria, the United Kingdom, Spain and Italy, and made 20 arrests.