More stories

    German tech giant Software AG down after ransomware attack

    Software AG, one of the largest software companies in the world, suffered a ransomware attack over the weekend, and the company has not yet fully recovered from the incident.
    A ransomware gang going by the name “Clop” breached the company’s internal network on Saturday, October 3, encrypted files, and demanded more than $20 million for the decryption key.
    Earlier today, after negotiations failed, the Clop gang published screenshots of the company’s data on a website the hackers operate on the dark web (a so-called leak site).
    The screenshots show employee passport and ID scans, employee emails, financial documents, and directory listings from the company’s internal network.

    Software AG disclosed the incident on Monday when it revealed it was facing disruptions on its internal network “due to [a] malware attack.”
    The company said that services to customers, including its cloud-based services, remained unaffected and that it was not aware “of any customer information being accessed by the malware attack.” Software AG walked that statement back in a press release two days later, when it admitted to finding evidence of data theft.
    The message about the attack remained on its official website homepage all week, including today.
    Software AG did not return phone calls today for additional details or comments about the incident.
    A copy of the ransomware binary used against Software AG was found earlier this week by security researcher MalwareHunterTeam. The $20+ million demand is one of the largest ever made in a ransomware attack.

    The ID embedded in the ransom note allows security researchers to view the online chats between the Clop gang and Software AG on a web portal managed by the ransomware group. At the time of writing, there is no evidence the German company paid the ransom.

    Software AG is Germany’s second-largest software company, with more than 10,000 enterprise customers across 70 countries. Some of its most recognizable customers include Fujitsu, Telefonica, Vodafone, DHL, and Airbus.
    Its product line includes business infrastructure software such as database systems, enterprise service bus (ESB) frameworks, service-oriented architecture (SOA) tooling, and business process management systems (BPMS).

    Chrome changes how its cache system works to improve privacy

    Google has changed how a core component of the Chrome browser works in order to add additional privacy protections for its users.
    Known as the HTTP Cache or the Shared Cache, this Chrome component works by saving copies of resources loaded on a web page, such as images, CSS files, and JavaScript files.
    The idea is that when a user revisits the same site or visits another website where the same files are used, Chrome will load them from its internal cache, rather than waste time re-downloading each file all over again.
    This component has been present not only in Chrome but in every web browser since the early days of the web, where it serves primarily as a bandwidth-saving feature.
    In all browsers, the cache has traditionally worked the same way: each image, CSS file, or JS file saved in the cache receives a storage key, and that key is usually just the resource’s URL.
    For example, the storage key for an image would be the image URL itself: https://x.example/doge.png.
    When the browser loads a new page, it looks up each key (URL) in its internal cache database to decide whether it needs to download the resource or can load it from the cache.
    The old HTTP Cache system was open to abuse
    Unfortunately, across the years, web advertising and analytics firms realized that this very same feature could also be abused to track users.
    “This mechanism has been working well from a performance perspective for a long time,” said Eiji Kitamura, Developer Advocate at Google.
    “However, the time a website takes to respond to HTTP requests can reveal that the browser has accessed the same resource in the past, which opens the browser to security and privacy attacks.”
    These include the likes of:
    Detect if a user has visited a specific site: An adversary can detect a user’s browsing history by checking if the cache has a resource that might be specific to a particular site or cohort of sites.
    Cross-site search attack: An adversary can detect if an arbitrary string is in the user’s search results by checking whether a ‘no search results’ image used by a particular website is in the browser’s cache.
    Cross-site tracking: The cache can be used to store cookie-like identifiers as a cross-site tracking mechanism.
    Cache partitioning activated in Chrome 86
    But with Chrome 86, released earlier this week, Google has rolled out important changes to this mechanism.
    Known as “cache partitioning,” this feature works by changing how resources are saved in the HTTP cache based on two additional factors. From now on, a resource’s storage key will contain three items, instead of one:
    The top-level site domain (http://a.example)
    The resource’s current frame (http://c.example)
    The resource’s URL (https://x.example/doge.png)

    By adding the two extra components to the key that is checked before a resource is served from cache, Chrome closes off the attacks above: a page can only hit cache entries created under its own top-level site and frame site, so it cannot probe for resources that were cached while the user visited another site.
    There are still some scenarios in which caches intersect, but the attack surface is far smaller than before; Google’s developer documentation lists the remaining edge cases.
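    To make the key change concrete, here is an added model of the cache lookup, written for this page rather than taken from Chrome’s source. It reduces a URL to its “site” by keeping the scheme and the last two host labels, which is a simplifying assumption: real browsers compute eTLD+1 from the Public Suffix List. The model also reports cache hits directly, whereas a real history-sniffing probe would have to infer a hit from load time (for example via the Resource Timing API). It runs the two scenarios the article describes, a cross-site history probe and an iframe on a different site asking for the same URL, under both the old URL-only key and the partitioned triple.

```javascript
// Added example: a model of the HTTP cache keyed either by URL alone
// (pre-Chrome 86) or by the (top-level site, frame site, URL) triple.
// Written for this page; not Chrome's implementation.

// Assumption: a "site" is scheme + the last two host labels. Real browsers use
// the Public Suffix List (eTLD+1), so e.g. "foo.co.uk" is handled differently there.
function siteOf(urlString) {
  const u = new URL(urlString);
  const labels = u.hostname.split('.');
  return `${u.protocol}//${labels.slice(-2).join('.')}`;
}

class HttpCache {
  constructor({ partitioned }) {
    this.partitioned = partitioned;
    this.entries = new Map();
  }
  // Storage key for a resource requested by `frameUrl` inside a tab whose
  // top-level document is `topLevelUrl`.
  key(topLevelUrl, frameUrl, resourceUrl) {
    if (!this.partitioned) return resourceUrl; // old scheme: the URL alone
    return JSON.stringify([siteOf(topLevelUrl), siteOf(frameUrl), resourceUrl]);
  }
  store(topLevelUrl, frameUrl, resourceUrl, body) {
    this.entries.set(this.key(topLevelUrl, frameUrl, resourceUrl), body);
  }
  has(topLevelUrl, frameUrl, resourceUrl) {
    return this.entries.has(this.key(topLevelUrl, frameUrl, resourceUrl));
  }
}

const RES = 'https://x.example/doge.png';

// History sniffing: the user visited victim.example, which loaded RES. Later,
// attacker.example embeds the same URL and checks whether it comes from cache.
// (A real probe infers the hit from load time; this model reports it directly.)
function historySniff({ partitioned }) {
  const cache = new HttpCache({ partitioned });
  cache.store('https://victim.example/', 'https://victim.example/', RES, '<png bytes>');
  return {
    // Revisiting the victim site still benefits from the cache either way.
    victimRevisitHit: cache.has('https://victim.example/page2', 'https://victim.example/page2', RES),
    // The attacker's probe only hits under the old single key.
    attackerProbeHit: cache.has('https://attacker.example/', 'https://attacker.example/', RES),
  };
}

// Frame isolation: a.example's top-level document cached RES; an iframe from
// c.example embedded in a.example asks for the same URL. Under partitioning the
// frame site is part of the key, so the iframe misses.
function frameSeesTopLevelEntry({ partitioned }) {
  const cache = new HttpCache({ partitioned });
  cache.store('https://a.example/', 'https://a.example/', RES, '<png bytes>');
  return cache.has('https://a.example/', 'https://c.example/widget', RES);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const partitioned of [false, true]) {
    console.log({
      partitioned,
      ...historySniff({ partitioned }),
      frameHit: frameSeesTopLevelEntry({ partitioned }),
    });
  }
}
```

    Note that the model keys on the frame’s site rather than its full origin, matching the three items listed above; the victim’s own revisit still hits in both modes, which is why the change costs users nothing while the cross-site probe goes from a hit to a miss.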
    Coming to other browsers
    Google has been testing cache partitioning since Chrome 77, released in September 2019, and says the new system has no noticeable impact on users or developers.
    The only ones who will see a change are website owners, who are likely to observe an increase in network traffic of around 4%, since a resource shared by several sites is now downloaded once per partition rather than once in total.
    Cache partitioning is currently active only in Chrome but is also available to other browsers based on the Chromium open-source code, all of which are most likely to deploy it as well in the upcoming months. This includes the likes of Edge, Brave, Opera, Vivaldi, and others.
    Mozilla has also announced similar plans to implement Chrome’s cache partitioning mechanism, but there’s no deadline when this will land in Firefox just yet.
    Apple, the other major browser vendor, has partitioned Safari’s HTTP cache for several years, but in a more limited form: Safari’s key uses only two of the components above (the top-level site, #1, and the resource URL, #3), rather than Chrome’s three.
    “Cache partitioning is a good practice that most of the browsers created by major companies should be utilizing,” John Jackson, an Application Security Engineer at Shutterstock, told ZDNet today.
    “It’s been repeatedly proven over the years that side-channel attacks occur as a result of a unified cache. Side-channel attacks have resulted in attackers acquiring tokens, email addresses, credit card numbers, phone numbers, browsing history, etc.
    “It’s good to see that Google is getting the ball rolling on a security practice that should have already been implemented,” Jackson added.

    How Windows malware developers are selling their exploits to ransomware gangs and spies

    Tracking the work of malware writers has given security researchers a window into the complicated and largely hidden world of buying and selling Windows exploits.
    The researchers from security company Check Point focused on two of the most prolific creators of Windows exploits, who between them were responsible for at least 16 different Windows Kernel Local Privilege Escalation exploits, many of which were zero-days at the time of development.
    These exploits (weaponised security flaws) are an important part of how malware achieves its aims.
    While the report shows how it is possible to track the fingerprints of exploit writers (one known as Volodya and another known as PlayBit, in this case) through their habits and practices in developing exploits, it also gives an insight into the complicated economics of the hidden world of malware.
    Each piece of malware is often thought of as a single piece of code created by a single person or team. Yet in reality, creating the malware – especially the sophisticated stuff used by nation-states or criminals – involves many different groups.
    In this example, discovering a particular software flaw and turning that into an exploit, which can then be bolted onto an existing piece of malware to enhance its capabilities, requires coordination between groups. Exploit writers and malware developers – either state-backed or criminals – will agree on an API to allow the different components to connect.
    “This integration API isn’t unique to state actors, but is a common feature in the ‘free market’ of exploits. Whether it involves underground forums, exploit brokers, or offensive cyber companies, they all provide their customers with instructions on how to integrate the exploit in their malware,” the Check Point report said.
    These developers – who may themselves either be individuals or teams working together – will sell the exploits they develop both to ransomware gangs and to state-backed groups, who will then incorporate them into their own malware projects. While it’s hard to know how much they sell for, they’ve certainly put some high price tags on exploits in the past.
    As the Check Point researchers note, the client list for one of the exploit developers includes banker trojan authors such as Ursnif, ransomware authors such as GandCrab, Cerber and Magniber, and APT groups such as Turla, APT28 and Buhtrap (which started in cyber-crime before moving into cyber-espionage).
    Zero-day exploits are more likely to be sold to APT groups, in this case Russian ones.
    “The APT customers, Turla, APT28, and Buhtrap, are all commonly attributed to Russia and it is interesting to find that even these advanced groups purchase exploits instead of developing them in-house. This is another point which further strengthens our hypothesis that the written exploits can be treated as a separate and distinct part of the malware,” the report said.
    While state-sponsored groups are willing to pay a premium for zero-day exploits, criminal gangs are also willing customers for less state-of-the-art attacks, and are more likely to buy so-called ‘1-days’ (exploits for vulnerabilities that have already been publicly disclosed). In some cases these are the same zero-days, resold later down the line once they have been discovered.
    “Without further intel, we can only assume that once a 0-day is detected by the security industry, the exploit is then recycled and sold at a lower price as a non-exclusive 1-day,” the report said.
    The two exploit writers (or groups) tracked by the researchers are likely to account for a significant share of the market for Windows kernel local privilege escalation exploits, though of course there may be many more zero-day exploits in use: as the researchers note, the whole point of a zero-day is that nobody knows about it.
    “It is impossible to tell the overall number of Windows kernel zero-day vulnerabilities that are being actively exploited in the wild,” the report said.
    “Nation-state actors are less likely to get caught and thus the infosec community does not have clear visibility to their ammo crate.”

    US unveils enforcement framework to combat terrorist, criminal cryptocurrency activities

    US officials have outlined how criminal applications of blockchain technologies and cryptocurrency should be responded to through a new framework. 

    While the possibilities of the blockchain are considered “breathtaking” prospects that could allow humans to “flourish,” the new “cryptocurrency enforcement framework” focuses on darker applications — such as the use of virtual assets in criminal enterprises. 
    The US Department of Justice (DoJ), together with Attorney General William Barr, announced the public release of the framework on Thursday. 
    The report is based on the efforts of the Attorney General’s Cyber-Digital Task Force, tasked with investigating “emerging threats and enforcement challenges associated with the increasing prevalence and use of cryptocurrency,” according to the department. 
    The document outlines DoJ and law enforcement response strategies to blockchain and cryptocurrency-related crimes. Split into three main sections, the 83-page framework document (.PDF) first outlines the applications of blockchain and cryptocurrencies, ranging from smart contracts, wallets, Initial Coin Offerings (ICOs), and the exchange of virtual coins themselves. 
    The report then examines today’s “illicit” uses of cryptocurrency, separating them into three categories: financial transactions associated with the commission of crimes; money laundering and the shielding of legitimate activity from tax, reporting, or other legal requirements; and direct crimes including theft. 
    In particular, the framework says that cryptocurrency can be linked to organized crime outfits and terrorist activities. 
    “They can avoid large cash transactions and mitigate the risk of bank accounts being traced, or of banks notifying governments of suspicious activity,” the report says. “Criminals have used cryptocurrency, often in large amounts and transferred across international borders, as a new means to fund criminal conduct ranging from child exploitation to terrorist fundraising. Cryptocurrency also has been used to pay for illegal drugs, firearms, and tools to commit cybercrimes, as well as to facilitate sophisticated ransomware and blackmail schemes.”
    Examples cited in the document include the use of fundraising platforms and encouraging donors on social media to contribute cryptocurrency to groups such as ISIS, a practice US prosecutors often describe as “providing material support” to a criminal or terrorist organization.
    The second section of the report outlines the legal and regulatory tools currently used against criminal crypto activities. These include the wide range of charges that can be brought against a suspect — such as wire fraud, securities fraud, money laundering, intrusion in connection to computers, and the operation of an unlicensed money transmitting business — as well as the power to seize virtual assets and the ability to confiscate website domains. 
    The US Treasury’s Office of Foreign Assets Control (OFAC), too, has recently laid out guidelines for businesses that may be tempted to pay out a ransomware blackmail demand, as such activities could violate US sanctions.  
    Finally, the report outlines the present and future challenges that the criminal usage of cryptocurrencies present to regulators and law enforcement. Cryptocurrency and peer-to-peer exchanges, for example, are said to have a duty to assist law enforcement in investigations. 
    “Given their potential to facilitate criminal activity, these entities have a heightened responsibility to safeguard their platforms and businesses from exploitation by nefarious actors and to ensure that customer data is protected and secured,” the task force says. 
    Bitcoin ATMs and cryptocurrency casinos are also mentioned as legitimate businesses that may be exploited for criminal gain.
    “Cryptocurrencies and distributed ledger technology present tremendous promise for the future, but it is critical that these important innovations follow the law,” commented Task Force member Brian Rabbitt. “The Cryptocurrency Enforcement Framework provides the public with important information intended to help them understand and comply with their obligations under the legal regimes that govern these new and fast-developing technologies.”
    A 2018 report published by the task force focused on cyberthreats on a more general basis, including the emergence of critical infrastructure attacks, threats to national security, and cross-border and nation-state campaigns.  

    Previous and related coverage
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

    Facebook launches bug bounty 'loyalty program'

    Social media behemoth Facebook today launched Hacker Plus, which it describes as the first loyalty program for a tech company’s bug bounty platform.
    Designed after the loyalty programs used by airlines and hotels, Facebook said Hacker Plus would provide extra bonuses and special perks to bug hunters based on their past reports.
    Any researcher who submitted or submits bugs to Facebook’s bug bounty program is automatically included and ranked inside the Hacker Plus loyalty program.
    Facebook said it plans to “regularly evaluate” researchers’ performance based on the cumulative quantity, score, and signal-to-noise ratio of their bug submissions over the previous year.
    Based on the scores, bug hunters will be placed inside one of five tiers (leagues): Bronze, Silver, Gold, Platinum, and Diamond.
    Each tier comes with its own benefits. The most common benefit is an added bonus for successful bug submissions.
    “Starting at 12:00 a.m. UTC on October 9, 2020, bounty awards will include the relevant Hacker Plus bonus on top of the original bounty award total,” Facebook said today.
    “Researchers in our Bronze league will receive a 5% bonus on top of each bounty they receive. Diamond league members will earn a 20% bonus on top of each bounty award they receive,” the company added.
    “Researchers in our higher tier leagues — Gold, Platinum, and Diamond — will receive exclusive invites to stress-test new features and products before launch.
    “Diamond and Platinum league members will also receive invites to bug bounty events with travel and accommodations provided (event travel subject to change according to company policies around COVID-19),” Facebook said.
    Bug hunters are eligible to move up through the tiers, and they can track their current league on their Facebook bug bounty program profile page.
    Additional details are available on the loyalty program’s official page.
    Facebook launches FBDL
    In addition, Facebook also launched today a new tool for bug hunters.
    Named FBDL (Facebook Bug Description Language), Facebook said this tool would help bug hunters write better descriptions for the security flaws they find so Facebook’s staff can reproduce bugs easier when analyzing submitted reports.
    Facebook said that bug hunters who use FBDL can expect their submissions to be resolved faster, and the company will also pay a monetary bonus for verified bugs that come with an FBDL description, to get adoption of the tool going.
    The bonus will be 5% of the base bounty award, but no more than $500, Facebook said.
    Additional details are available on the FBDL official page.

    Microsoft warns of Android ransomware that activates when you press the Home button

    A new strain of mobile ransomware abuses the mechanisms behind the “incoming call” notification and the “Home” button to lock screens on users’ devices.
    Named AndroidOS/MalLocker.B, the ransomware is hidden inside Android apps offered for download on online forums and third-party websites.
    Just like most Android ransomware strains, MalLocker.B doesn’t actually encrypt the victim’s files but merely prevents access to the rest of the phone.
    Once installed, the ransomware takes over the phone’s screen and prevents the user from dismissing the ransom note — which is designed to look like a message from local law enforcement telling users they committed a crime and need to pay a fine.

    Ransomware posing as fake police fines has been the most popular form of Android ransomware for more than half a decade.
    Over time, these strains have abused various functions of the Android operating system to keep users locked on a single screen.
    Past techniques included abusing the System Alert window or disabling the functions that interface with the phone’s physical buttons.
    MalLocker.B comes with a new variation of these techniques.
    The ransomware uses a two-part mechanism to show its ransom note.
    The first part abuses the full-screen “incoming call” notification. This is the mechanism that fires for incoming calls to show details about the caller, and MalLocker.B uses it to show a window that covers the entire screen with details about the supposed call.
    The second part abuses the Activity “onUserLeaveHint()” callback. Android invokes it when the user is about to push an app into the background and switch to another, for example by pressing the Home or Recents buttons. MalLocker.B overrides it to bring its ransom note straight back into the foreground, so the user can never get from the ransom note to the home screen or another app.
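    As an added example for analysts (not code from Microsoft’s write-up, and not the malware’s own code), here is a small static-triage script that flags the two techniques above in decompiled Android sources such as jadx or apktool output. The inputs below are constructed snippets standing in for real decompiled files; the indicators themselves are the real Android APIs involved: the USE_FULL_SCREEN_INTENT permission and Notification.Builder.setFullScreenIntent(), which back the incoming-call style full-screen window, and an Activity.onUserLeaveHint() override whose body relaunches the activity.

```javascript
// Added example: static triage of decompiled Android sources for the MalLocker.B
// lock-screen pattern. Written for this page; the sample inputs are constructed.

const INDICATORS = [
  {
    id: 'full-screen-intent-permission',
    test: s => /android\.permission\.USE_FULL_SCREEN_INTENT/.test(s),
    note: 'declares USE_FULL_SCREEN_INTENT (required for full-screen notifications on API 29+)',
  },
  {
    id: 'full-screen-intent-call',
    test: s => /\.setFullScreenIntent\s*\(/.test(s),
    note: 'builds a notification with setFullScreenIntent(), the incoming-call UI path',
  },
  {
    id: 'on-user-leave-hint-relaunch',
    // An onUserLeaveHint() override whose body (up to the first closing brace)
    // starts an Activity or moves the task to the front: the app re-raises itself
    // whenever the user presses Home or Recents.
    test: s => /onUserLeaveHint\s*\(\s*\)\s*\{[^}]*?(startActivity|moveTaskToFront)/.test(s),
    note: 'overrides onUserLeaveHint() and relaunches itself when the user leaves',
  },
];

// files: { path: contents } map of the manifest plus decompiled Java sources.
function triageAndroidSource(files) {
  const hits = [];
  for (const [path, text] of Object.entries(files)) {
    for (const ind of INDICATORS) {
      if (ind.test(text)) hits.push({ path, id: ind.id, note: ind.note });
    }
  }
  const ids = new Set(hits.map(h => h.id));
  // Verdict: full-screen notification plus a Home-button relaunch is the
  // MalLocker.B lock-screen pattern. Either indicator alone is common in benign
  // apps (dialers and alarm clocks legitimately use full-screen intents).
  const lockScreenPattern = ids.has('on-user-leave-hint-relaunch') &&
    (ids.has('full-screen-intent-call') || ids.has('full-screen-intent-permission'));
  return { hits, lockScreenPattern };
}

// Constructed sample inputs (not real MalLocker.B code).
const SUSPICIOUS = {
  'AndroidManifest.xml': `<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.USE_FULL_SCREEN_INTENT"/>
</manifest>`,
  'LockActivity.java': `public class LockActivity extends Activity {
  void showNote() {
    Notification n = new Notification.Builder(this, CH)
        .setFullScreenIntent(pending, true).build();
  }
  @Override protected void onUserLeaveHint() {
    super.onUserLeaveHint();
    startActivity(new Intent(this, LockActivity.class));
  }
}`,
};

// A dialer also uses a full-screen intent but does not relaunch itself on Home.
const BENIGN_DIALER = {
  'AndroidManifest.xml': `<uses-permission android:name="android.permission.USE_FULL_SCREEN_INTENT"/>`,
  'CallActivity.java': `public class CallActivity extends Activity {
  void ring() { builder.setFullScreenIntent(pending, true); }
  @Override protected void onUserLeaveHint() { super.onUserLeaveHint(); pauseVideo(); }
}`,
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(triageAndroidSource(SUSPICIOUS));
  console.log(triageAndroidSource(BENIGN_DIALER));
}
```

    The script is a first-pass heuristic, not a classifier: the relaunch regex only inspects the callback body up to its first closing brace, so obfuscated or indirected code can evade it, and a hit on the combination is a reason to look closer rather than a verdict.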
    The combination of these two functions is a new trick, but ransomware that hijacks the Home button has been seen before.
    For example, in 2017, ESET discovered an Android ransomware strain named DoubleLocker that abused the Accessibility service to re-activate itself after users pressed the Home button.
    Because MalLocker.B’s code is too simplistic and noisy to make it past Play Store review, users are advised to avoid installing Android apps downloaded from third-party locations such as forums, website ads, or unauthorized third-party app stores.
    A technical breakdown of this new threat is available on Microsoft’s blog.

    Ransomware: It’s time to bring cybersecurity audits up to GDPR status

    Cybersecurity standards should be treated in the same way as legislative data protection rules in response to cyberattacks including ransomware incidents, a security expert has proposed. 

    Ransomware has transitioned from a thorn in the side of individuals and a nebulous concern against organizations to a real, and frequent, threat that can result in catastrophic damage to corporate networks, the loss of client records, and the potential leak of confidential corporate information.
    Ransomware variants include WannaCry, Petya, Ryuk, and GandCrab, but there are many, many others. Once a computer system has been compromised, this form of malicious code encrypts disks and files and demands a ransom payment in return for a decryption key.
    According to Check Point, the number of daily ransomware attacks worldwide has increased by half over the past three months, close to doubling in the United States alone, as threat actors take advantage of the operational disruption and rapid shift to home working caused by COVID-19.
    Ezat Dayeh, Senior Engineer Manager UK&I at Cohesity, told ZDNet in an interview that the company has seen a recent and “dramatic” increase in the volume of ransomware incidents. More people working from home because of COVID-19 may have introduced new risk factors, but the increasing sophistication of such attacks is of concern, too.
    “When we think about two or three years ago, when people were hit with ransomware, nine out of ten times they would basically say, ‘it’s definitely impacted production, we’ve got issues, but we can go back to our backups,’ and worst-case scenario, we will just do a restore,” Dayeh said. “But now, with that sophistication, the bad guys know this. Ransomware can come into a network [and] it won’t do anything but it will start looking around and see what it can access on the network.”
    After this period of reconnaissance, malware operators are now more likely to head straight for the backups. If these can be encrypted before IT administrators are alerted to an infection, the safety net is gone and attackers are more likely to get paid.
    The problem is, few ransomware victims choose to go to the police, and some organizations will simply pay up to brush the incident under the carpet, according to Europol.
    The more victims pay up, the more lucrative the criminal enterprise, and the ransomware industry then continues to gain traction as more threat actors adopt these forms of attack. 
    Combine underreporting, submission to blackmail, and adding fuel to a criminal industry and you have a problem. This challenge was recently raised by the US Treasury’s Office of Foreign Assets Control (OFAC), which published guidelines (.PDF) on cases where paying a ransom could violate US sanctions.
    “Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations,” the department says.
    In cases where a “sanctions nexus” may exist (a transaction between a US entity and a sanctioned party, such as certain high-profile ransomware operators), OFAC says it must be contacted first. Few companies may be willing to reveal a ransomware incident, however, and with this in mind OFAC has sweetened the pot by saying that victims who report will be looked upon “favorably” if a payment does violate sanctions.
    One of the issues with these guidelines, Dayeh says, is that treating a company as committing an offense when it pays up to save its business could inadvertently encourage it to stay silent when an attack occurs. It may also penalize smaller companies that cannot absorb the cost of remedying a ransomware attack that destroys all of their data.
    In other words, a victim may be left to choose between paying up to salvage operations while potentially facing charges, or winding down the company.
    “I can see the rationale behind it because we don’t want to encourage these bad actors,” the executive commented. “If people are paying them, it’s easy money.”
    One solution, however, may be to go back to basics and “level the playing field,” Dayeh says, by enforcing security audits along the lines of how the EU’s General Data Protection Regulation (GDPR) treats data controllers.
    “Everything needs to be audited,” Dayeh added. “You need to be audited to find out all you’re able. Because at least it gives the company a fighting chance and it gives them the ability to think about how they go to address problems. And if they still don’t address it, and they’ve been told ‘you are vulnerable,’ then this should go all the way — in my mind — to the CEO.”
    GDPR attempts to treat organizations and data controllers on an even playing field, and failures come with the possibility of fines based on a firm’s annual turnover.
    If security audits were handled in the same way, with rules for everyone to follow, this could promote a better baseline cybersecurity standard as well as awareness of how organizations are expected to maintain a reasonable security posture, which matters especially at a time when potentially devastating attacks, including ransomware, are on the rise.
    “We should come out with at least some sort of guideline for people to follow; tick these boxes and you should be alright,” Dayeh said. “But to leave it to the market and let businesses get on with it on their own [can be] dangerous.”

    Windows 10: Watch out for Microsoft's new way of doing release notes

    Many Windows users don’t even bother looking at Microsoft’s Windows release notes, but those who do often pay close attention. 
    For those users who do rely on information about Microsoft’s operating system, the company is preparing improvements to Windows release notes, the Windows update history pages, and informational articles. 

    Reflecting Microsoft’s shift to the Microsoft 365 bundle for Windows 10, Office 365 and management tools, Microsoft is now merging the support.office.com and support.microsoft.com sites into a unified support site. 
    Users should be able to find support and troubleshooting resources for Microsoft 365 more easily when using a search engine, according to Microsoft. Additionally, consolidating the two sites helps Microsoft quickly publish new articles and update existing ones. 
    These changes will be rolling out in the coming weeks, the company says.    
    Microsoft is also reformatting the structure of its URLs for Windows 10 release notes, giving the KB (knowledge base) article number a more prominent position in the URL and on the page itself. 
    This change is designed to help users distinguish between two pages with similar-looking titles and make it easier to search for support articles by KB ID number. 
    As Microsoft notes, the existing URL structure also includes the KB ID that users can copy from the address bar and append to the root URL, https://support.microsoft.com/help. However, sometimes KB IDs aren’t listed in the article and can only be seen in the URL. In these situations, it’s harder to use search engines to find an article by KB ID. 
    “For greater consistency and to support improved search indexing, the URL structure moving forward will include both the GUID and the KB ID. Since many are familiar with appending the KB ID to the URL, we will continue to support this approach and use automatic redirects to ensure you land on the appropriate article,” Microsoft explains.   
    The Windows 10 release notes pages currently only support sharing articles by email. Microsoft is updating sharing options to include Facebook and LinkedIn. The share controls will be at the bottom of each page.
    There’s no change to Microsoft’s current release-note content strategy, which covers monthly security updates (“B” week releases), non-security updates (preview releases), and out-of-band updates (OOB releases).
    It’s also tweaking the formatting, user interface and the type of metadata available, which may affect tools that admins use to organize Microsoft’s support and release notes. 
    support.microsoft.com will no longer serve articles as JSON that is rendered on the client; articles will be delivered as HTML instead. Likewise, each article’s metadata will no longer be served as JSON and will instead be rendered in a block of meta tags.
    Microsoft is also paring back the metadata available in the page source, and has provided a table of changes affecting KB numbers, release dates, last-updated details, the Windows versions an article applies to, heading details, and the article’s locale.