More stories


    Industries critical to COVID-19 response suffer surge in cloud cyberattacks

    Industries and organizations critical to the fight against COVID-19 have faced a surge in cyberattacks due to their rapid transition to cloud platforms in light of the pandemic.

    When the world first began to take notice of the global spread of COVID-19, organizations across the globe suddenly found themselves unable to maintain typical working practices. Offices were shut, stay-at-home orders imposed, and consumer demands could often only be met through deliveries, virtual services, and e-commerce platforms.

    As a result, the wider enterprise and SMBs alike began making quick transitions from on-prem and legacy systems to the cloud, in order to facilitate remote working models and to pursue new business opportunities. Enterprise cloud spending is estimated to have increased by 28% in Q2 2020 alone, year-over-year.

    However, according to Palo Alto Networks’ latest cloud threat report, published on Tuesday, shifting workloads so quickly to the cloud has also meant that businesses are struggling, months later, to manage and automate cloud security — and have created chasms in company security that can be exploited.

    Industries critical to COVID-19 management have suffered a particular uptick in cloud security incidents. According to the report, retail, manufacturing, and government entities have been struck hardest, with attack attempts increasing by 402%, 230%, and 205% respectively during the pandemic. Chemical manufacturing and science/research organizations, unsurprisingly, became key targets for cyberattackers due to COVID-19. Notable examples include attacks on vaccine manufacturers and the European Medicines Agency (EMA).

    According to Unit 42 data and scans, the most common security issues present in COVID-19-related industries are:

    “This trend is not surprising; these same industries were among those facing the greatest pressures to adapt and scale in the face of the pandemic — retailers for basic necessities, and manufacturing and government for COVID-19 supplies and aid,” Unit 42 says. “[..] Although the cloud allows businesses to quickly expand their remote work capabilities, automated security controls around DevOps and continuous integration/continuous delivery (CI/CD) pipelines often lag behind this rapid movement.”

    However, not every industry is equal, and some are doing better than others in attempts to secure their cloud workloads. Access logging controls, access key rotation, and version control in cloud storage containers — a way to keep track of changes, implement them, and perform maintenance across cloud systems — are some of the methods that can be employed to increase cloud security.

    The team did find, however, that publicly exposed cloud systems, which may leak personally identifiable information (PII) belonging to clients or employees — as well as sensitive corporate data — continue to be a problem. The numbers are high: an estimated 30% of organizations that utilize cloud hosting services are believed to be leaking some type of private content online, with access control issues blamed for such widespread exposure.

    Unit 42 recommends that businesses gain visibility into their cloud workloads, keep an eye on storage configurations, and both adopt and enforce security standards in DevOps; all of these can mitigate the threat of attack or accidental data leaks.


    Meet Janeleiro: a new banking Trojan striking company, government targets

    A banking Trojan striking corporate targets across Brazil has been unmasked by researchers. 

    On Tuesday, ESET published an advisory on the malware, which has been in development since 2018. Dubbed Janeleiro, the Trojan appears to be focused on Brazil as a hunting ground and has been used in cyberattacks against corporate players in sectors including healthcare, engineering, retail, finance, and manufacturing. Operators have also attempted to use the malware when infiltrating government systems.

    According to the researchers, the Trojan is similar to others currently operating across the country — such as Casbaneiro, Grandoreiro, and Mekotio — but is the first detected that is written in .NET, rather than Delphi, which is usually favored.

    Phishing emails, sent in small batches, are sent to corporate targets pretending to relate to unpaid invoices. These messages contain links to compromised servers and to the download of a .zip archive hosted in the cloud. If the victim unzips this archive file, a Windows-based MSI installer then loads the main Trojan DLL.

    “In some cases, these URLs have distributed both Janeleiro and other Delphi bankers at different times,” ESET says. “This suggests that either the various criminal groups share the same provider for sending spam emails and for hosting their malware, or that they are the same group. We have not yet determined which hypothesis is correct.”

    The Trojan will first check the geolocation of the target system’s IP address. If the country code is other than Brazil, the malware will exit. However, if the check is passed, the malware will then collect a variety of operating system data and will grab the address of its command-and-control (C2) server from a dedicated GitHub page.

    Janeleiro is used to create fake pop-up windows “on-demand,” such as when banking-related keywords are detected on a compromised machine. These pop-ups are designed to appear to be from some of the largest banks across Brazil and they request the input of sensitive and banking details from victims.

    The malware’s command list includes options for controlling windows, killing existing browser sessions — such as those launched in Google Chrome — capturing screens, keylogging, and hijacking clipboard data, among other functions. The operator of the Trojan appears to prefer a hands-on approach and may control the windows remotely, in real-time.

    Most malware operators at least make a token attempt to conceal their activities. In this case, code obfuscation is light but there is no attempt to circumvent existing security software and no custom encryption. The operator uses GitHub, a code repository, to host files containing C2 server lists to manage Trojan infections. These repositories are updated on a daily basis.

    As of March, four variants of Janeleiro have been detected in the wild, although two share the same internal version number. Some samples have been packaged together with a password stealer in attacks, which suggests “the group behind Janeleiro has other tools in their arsenal,” according to the team.

    ESET says that GitHub has been made aware of the threat actor’s account and abuse of the platform. The page has now been disabled and the owner suspended. “GitHub values the contributions of our security research community and is committed to investigating reported security issues,” a GitHub spokesperson told ZDNet. “We disabled the page in accordance with our Acceptable Use Policies, following the report that it was using our platform maliciously.”


    FBI, CISA warn Fortinet FortiOS vulnerabilities are being actively exploited

    US agencies have warned that advanced persistent threat (APT) groups are exploiting Fortinet FortiOS vulnerabilities to compromise systems belonging to government and commercial entities.

    Last week, the FBI and US Cybersecurity and Infrastructure Security Agency (CISA) issued a joint alert (.PDF) warning that cyberattackers are actively scanning for systems that have not had patches applied to resolve three severe vulnerabilities. Fortinet FortiOS, an operating system underpinning Fortinet Security Fabric, is a solution designed to improve enterprise security, covering endpoints, cloud deployments, and centralized networks.

    The agencies say that CVE-2018-13379, CVE-2020-12812, and CVE-2019-5591 are being exploited. Each of these vulnerabilities is known and patches have been issued by the vendor, but unless IT administrators apply the fixes, Fortinet FortiOS builds remain open to compromise.

    • CVE-2018-13379: Issued a CVSS severity score of 9.8, this path traversal vulnerability impacts the FortiOS SSL VPN portal and can permit unauthenticated attackers to download system files through malicious HTTP requests. FortiOS versions 5.4 – 5.4.6 to 5.4.12, 5.6 – 5.6.3 to 5.6.7, and 6.0 – 6.0.0 to 6.0.4 are affected.

    • CVE-2020-12812: This improper authentication issue, also found in FortiOS SSL VPN, has earned a CVSS score of 9.8 as it permits users to log in without being prompted for second-factor authentication if they change the case of their username. FortiOS 6.4.0, 6.2.0 to 6.2.3, and 6.0.9 and below contain this bug.

    • CVE-2019-5591: With a CVSS score of 7.5, this vulnerability is a default configuration problem in FortiOS 6.2.0 and below that can allow unauthenticated attackers — on the same subnet — to intercept sensitive data by impersonating an LDAP server.

    According to the advisory, APTs are scanning with a particular focus on open, vulnerable systems belonging to government, technology, and commercial services.

    “The APT actors may be using any or all of these CVEs to gain access to networks across multiple critical infrastructure sectors to gain access to key networks as pre-positioning for follow-on data exfiltration or data encryption attacks,” the agencies say. “APT actors may use other CVEs or common exploitation techniques — such as spear phishing — to gain access to critical infrastructure networks to pre-position for follow-on attacks.”

    CVE-2018-13379 was resolved in May 2019, followed by CVE-2019-5591 in July of the same year. A patch was issued for CVE-2020-12812 in July 2020.

    “The security of our customers is our first priority,” Fortinet said in a statement. “[…] If customers have not done so, we urge them to immediately implement the upgrade and mitigations.”


    Third-party security breach compromises data of Singapore job-matching service

    Personal details of 30,000 individuals in Singapore may have been illegally accessed, following a security breach that targeted a third-party vendor of job-matching organisation Employment and Employability Institute (e2i). The institute was notified of the incident three weeks ago, on March 12. It added that the relevant authorities had been notified of the breach, including the police, the Personal Data Protection Commission (PDPC), and the Cyber Security Agency’s Singapore Computer Emergency Response Team.

    E2i’s platform brings together employers and workers, offering various services that include job-matching, skills training, and career guidance. The institute is an initiative of the National Trades Union Congress (NTUC), the country’s only trade union confederation, which comprises, amongst others, 59 unions and five associations. NTUC’s core committee includes Members of Parliament Koh Poh Koon and Heng Chee How.

    Users affected by the breach had participated in events organised by e2i or used its services between November 2018 and 12 March 2021, including job fairs, employability workshops or career coaching. Their personal data were shared with appointed vendors for “relevant employability services purposes”, the institute said.

    E2i did not elaborate on why it took more than three weeks to announce the breach, but said in its statement Monday that it had “taken time” to make an impact assessment given the “complexity” of investigations into the incident.

    It noted that malware had infected the email account of an employee at the third-party vendor, i-vic International, leading to unauthorised access to the mailbox, which held personal data of the 30,000 affected individuals. These details included names, identification numbers, contact information, educational qualifications, and employment history. Affected individuals would be notified via email, SMS, or phone, it added.

    E2i said it had worked with i-vic to determine the extent and nature of the data breach, and deployed “mitigation measures” to beef up the security of the latter’s email and network systems. E2i added that “constant checks” would be carried out on both its own systems and the third-party vendor’s to identify any further potential vulnerabilities.

    “Although the malware did not target at e2i directly, cybersecurity threats are real and the protection of personal data is of top priority to us,” the institute’s CEO Gilbert Tan said in the statement. It added that it would review the “cybersecurity standards of our vendors” to prevent further breaches.

    The latest incident was one of several third-party breaches to have impacted local organisations this year, compromising the personal data of 580,000 Singapore Airlines frequent flyer members and 129,000 Singtel customers.


    Technology could make fighting COVID less restrictive but privacy will take a hit

    Now that the world has completed a full circuit around the Sun with COVID as a passenger, it is possible to see which jurisdictions responded well, and which are still struggling to come to grips with the virus.

    Two of the nations held up as exemplars of how to fight COVID were Taiwan and New Zealand, but the approaches were very different: one has locked down parts of its population multiple times, and the other, with more experience of respiratory viruses, has avoided such approaches.

    A recent academic paper published in the Journal of the Royal Society of New Zealand examined the two nations and raised a number of questions that deserve to be considered in light of a year of lockdowns, contact tracing, outbreaks, and other restrictions on the movement of people.

    The central push of the paper is that as New Zealand has kept individual privacy as a paramount concern, this has led directly to the use of city or nationwide lockdowns, which it has labelled as a blunt instrument. “An approach not much more advanced than techniques to mitigate the Spanish Flu pandemic over a century ago,” the paper states.

    By contrast, the paper contests that Taiwan was more successful because it embraced technology, particularly big data analysis, and was able to prepare the population, following SARS and MERS, so it could use such tactics for the coronavirus pandemic. “This new strategy aimed to link real-time medical information, location [from cell towers], and contact data of infected individuals (confirmed or suspected) to assist curbing the spread of future diseases,” the paper states.

    When someone entered Taiwan, an “electronic digital fence” system which monitored a person’s cell phone location was used to enable people to quarantine at home, rather than in a hotel quarantine system. “If a person in quarantine left their home, or their phone died and thus stopped transmitting a signal, local police and health or civil affairs agencies would be notified,” the paper said. “This system was complemented by random health-checks, community policing and phone calls from health officials and public authorities to ensure compliance. Individuals who did not have a cell phone capable of sharing location data were provided with one at the border.”

    The system allowed people to have a degree of autonomy during quarantine, the paper said, at the cost of having their location tracked by the government. This system sounds particularly attractive to someone living in a country that has seen secondary lockdowns put in place, sometimes lasting 112 days, after breaches in hotel quarantine. The retort that mobile phone location tracking is an imposition holds little water when, under current systems, people are locked in a hotel room for 14 days precisely so that the authorities know exactly where they are.

    While Taiwan has the legislation in place to enable it to combine disparate datasets for the purposes of fighting a health emergency, New Zealand health authorities have “less freedom” in that respect and the nation’s Privacy Act reigns supreme. This has led to NZ relying on an opt-in model for its QR code and Bluetooth-driven COVID Tracer app. And while the app has 3 million downloads in a country of 5 million people, that does not mean it is being used. Last month, on the other side of the Tasman, the Australian Digital Transformation Agency revealed that it has spent AU$6.7 million on a similarly opt-in app that has only found 17 cases, and currently costs AU$100,000 a month to keep running.


    If there is one thing the past year has shown, it is that thinking a population will install and use an opt-in app for contact tracing is misplaced. “The reliance upon opt-in models and a consent model of privacy will not resolve many of the limitations found in the current New Zealand approach, as evidenced by the COVID-19 response,” the paper argues. “In fact, there are few, if any, examples globally where such models have been able to provide the level of accuracy found in Taiwan where the benefits have been seen in less strict (but nevertheless long term) social distancing rules and improved freedom of movement and association at the expense of aspects of personal privacy.”

    The paper contrasted the approaches when each nation was faced with outbreaks. After a visit from the Diamond Princess, which would end up being quarantined in Yokohama, Taiwan pulled together payment information, positioning data of shuttle busses from the ship, and CCTV footage to identify residents who might have been in contact with infected cruise ship passengers. “The data collated was then compared with the data of Taiwanese residents who had carried a mobile phone within 500 metres of the possibly infected individuals,” the paper states. “If they had been in these locations for more than five minutes they were classified as people possibly infected by the passengers of the cruise ship.”

    Meanwhile in New Zealand in August, after 100 days without the virus in the nation, it escaped. “NZ was reliant on manual contact tracing efforts, and potentially the COVID Tracer app (although reports suggest that it was only used in a few cases) and then had to turn to the blunt instrument of a lockdown when the contact tracing system could not keep up,” the paper said. “This lockdown was effective, but at great cost economically (and to civil liberties).

    “Taiwan’s greater use of personal information and data sharing appears to have allowed for COVID-19 to be contained with less disruption than experienced in New Zealand, using more ‘traditional’ mechanisms.”

    In the months since this column raised the privacy dilemma at the heart of living with COVID, most of Australia’s capital cities have seen lockdowns of various lengths, sometimes lasting only a handful of days when case numbers did not rise, and often accompanied by states other than New South Wales throwing up hard borders at a moment’s notice. Travelling interstate has now become a gambling-style decision that Australians think about, and the thought of how to get back home quickly is one that demands consideration.

    As the paper highlights, there is another approach that needs to be considered by authorities. The Taiwanese approach is particularly draconian on the individual privacy front, and while it would fail to get off the mark in an American context, it might be useful in the Australian one, for instance. Thanks to a combination of authoritarian inclinations and political cowardice, Australia already has a store of the location of every resident for two years, and the general public doesn’t seem to care about the privacy imposition. Given that access to that store has not been used primarily for severe crimes like terrorism, unlike the sales pitch and promises it arrived with, why not use the data retention system to enhance and speed up the response to COVID outbreaks? If the privacy of Australians is already under the pump, we might as well get some public good from it.

    The balance between privacy and emergency measures will be different for everyone. There is too much culture, history, and acceptance of things in one place that are unacceptable to others. But after more than a year, the least each nation can do is look to improve how they respond to the virus, rather than dealing with the same situation with the same playbook we walked into early 2020 with. As vaccine deployments progress, the end of the pandemic could be near, but as Taiwan has shown, the time we have could be used to prepare for the next emergency, and discuss what works for our societies.

    ZDNET’S MONDAY MORNING OPENER

    The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet’s global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.


    Facebook data on 533 million users posted online

    Data of 553 million Facebook users, including phone numbers, Facebook IDs, full names, birth dates and other information, have been posted online. The data dump was tweeted by Alon Gal, CTO of security firm Hudson Rock. Gal posted a list of affected users by country. According to his list, the US had 32.3 million affected users and the UK had 11.5 million. The data was accessed via a Telegram bot. Other data points in the posting included gender, location and job status.

    Catalin Cimpanu, at The Record, also reported that he reviewed samples of the leaked data. The data is reportedly broken up into download packages by country. With the Facebook data out in the public, it’s safe to expect it to be used for cybercrime.


    VPNs, two-factor-authentication and more: Keeping your data safe from hackers while working from home

    Organisations have had to adapt quickly to the realities of staff working remotely and that has come with a number of challenges, particularly surrounding cybersecurity. Businesses that previously relied on employees using work-issued computers and being protected behind a corporate firewall have had to deal with staff using their personal devices and their home internet connection.

    And with indications that many organisations believe that, post-pandemic, we will see a switch to a hybrid model with a balance between working at the office and working from home, it’s important that employees are equipped with the right training and tools to keep business data and networks secure against cyberattacks.

    Account hijacking is one of the most common means for cyber criminals to gain access to corporate networks. These attacks can involve phishing emails that attempt to trick victims into handing over their username and password, providing criminals with login credentials they can use to gain access to accounts and the wider network.

    But sometimes, there isn’t even the need for attackers to use phishing emails, with brute force attacks enough to breach accounts. These attacks involve the automated submission of common or simple passwords against accounts, in the hope that accounts are secured with common, weak passwords that are easily breached.

    People are often told that they should secure their accounts with long, complex passwords – but they can be difficult to remember, especially if people have many accounts. That can lead to password re-use, the use of simple passwords – or both.

    “Human beings can’t remember more than four to five passwords, we get cognitive overload. That’s the way our brains are wired, it is difficult for us to remember passwords, so we can’t just keep loading on different passwords that are increasingly complex and expect people to remember them,” says Daisy McCartney, cybersecurity culture and behaviour lead at PwC UK.

    So while telling people to use lengthy, complex passwords is good cybersecurity practice, it’s just not possible for people to remember many different passwords for many different accounts – something that can lead to using weak passwords that cyber attackers can exploit.

    One answer to this is for organisations to issue employees with a password manager – software that manages passwords for users, allowing them to use complex passwords for every account without needing to remember them each time they log in.

    Another tool that can be used to keep the corporate accounts of remote workers secure is two-factor authentication. This requires additional verification to log into an account, commonly in the form of an alert on an app. This pops up when there’s an attempt to log in to the account, and the user gains access after confirming the login attempt was legitimate.

    Two-factor authentication provides an extra layer of defence for accounts – and their users – because it prevents cyber attackers gaining access even if they’ve hacked or stolen the correct credentials, since they also need access to the second element of the authentication. Such is the extent of that protection, Microsoft says two-factor authentication prevents 99.9% of attempted attacks, so all businesses that have remote – and non-remote – workers should apply it for additional cybersecurity.

    One of the big changes the move towards remote working has brought about is removing employees from the protection of the corporate firewall. Working from inside the office provides people with anti-virus and other protections that can help to filter out some attacks. Now, instead of this, many people are working from their own computer in their homes, where they may not have anti-virus at all – and their home router won’t provide a robust defence against attackers like a corporate firewall would.

    Criminals know this and are looking to take advantage with cyberattacks, especially when people – rushed off their feet while balancing working from home with the rest of their life – might unintentionally click on a phishing link or respond to a request that appears to come from a colleague but is actually a cyber criminal. “Humans are ultimately fallible. Unfortunately it’s the organic matter behind the keyboard, which is often the vulnerable part of the loop,” says Troy Hunt, creator of HaveIBeenPwned and digital advisor to Nord Security.

    A VPN – short for Virtual Private Network – provides a protected network connection for remote connections, to the extent that even an ISP can’t see what websites are visited or what data is sent. It ultimately acts as something of a corporate firewall while the employee is working remotely. And by providing remote workers with access to a corporate VPN, not only does it help keep data and communications secure, an organisation can also configure it so that, while the VPN is active, action can be taken to prevent potentially dangerous activity, such as visiting phishing pages and other malicious websites.

    But it isn’t fair to put all of the responsibility for staying secure on employees. Enterprise IT and information security departments must continue to play a role in helping the organisation stay safe. For example, if an employee is suddenly logging in from a strange location or at a strange time and then attempting to access parts of the network that usually aren’t of interest to them, that could indicate suspicious activity that needs to be investigated or blocked. “We need to have that balance of the education and the training, with the technology to back it up and help us out when things do go wrong,” says Hunt.

    For many people, the last year was the first time they’d had to work from home and it hasn’t been an easy transition, especially when it happened so quickly, under the pressures of a global pandemic. “Navigating this really complex topic can be quite scary for people, we need to help them not feel so fearful about it,” says McCartney.

    There are also other steps that businesses can take to protect their data. They can make sure that data is encrypted on laptops or other devices so that, if they are lost or stolen, the information is not accessible. On laptops this may simply be a case of enabling encryption; on smartphones it may be a case of introducing some form of mobile device-management software to protect the whole device or the business data on a personal device. Getting staff to use cloud services to store data may be more secure than using USB devices (which can be an easy route to delivering malware to laptops).

    Without the right tools and training to help them stay secure, employees may not be confident about keeping secure – but with the right help and support from an employer, it’s possible to adapt to remote work while also keeping safe from cyber threats.
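    The two detection ideas the article touches on, spotting brute-force password guessing and flagging a login from an unusual location or hour that is followed by access to unfamiliar resources, can be tried out on a small authentication log. The following is an added example, not ZDNet’s code and not any vendor’s product logic; the pipe-delimited log format, the sample events (using documentation IP ranges), the five-failures-in-five-minutes threshold and the two-of-three anomaly score are all constructed assumptions for illustration.

```python
"""Toy detections for account-hijacking patterns: brute-force bursts and
anomalous logins. Added example with a constructed log format; thresholds
are illustrative, not recommendations from the article."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
# timestamp|user|source_ip|country|result|resource
SAMPLE_LOG = """\
2021-04-06T09:02:11|alice|203.0.113.5|GB|success|mail
2021-04-06T09:15:40|alice|203.0.113.5|GB|success|crm
2021-04-07T08:58:03|alice|203.0.113.5|GB|success|mail
2021-04-08T09:05:30|alice|203.0.113.5|GB|success|crm
2021-04-08T10:00:00|bob|198.51.100.7|GB|failure|-
2021-04-08T10:00:12|bob|198.51.100.7|GB|failure|-
2021-04-08T10:00:25|bob|198.51.100.7|GB|failure|-
2021-04-08T10:00:41|bob|198.51.100.7|GB|failure|-
2021-04-08T10:00:59|bob|198.51.100.7|GB|failure|-
2021-04-08T10:01:10|bob|198.51.100.7|GB|failure|-
2021-04-08T10:30:00|bob|203.0.113.9|GB|failure|-
2021-04-08T10:31:00|bob|203.0.113.9|GB|success|mail
2021-04-09T03:12:44|alice|192.0.2.77|RU|success|mail
2021-04-09T03:14:02|alice|192.0.2.77|RU|success|finance-share
"""

# Events before this point are treated as "known good" history (assumption).
BASELINE_CUTOFF = datetime(2021, 4, 9)


def parse_log(text):
    """Parse the constructed format into dicts sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, result, resource = line.split("|")
        events.append({"ts": datetime.fromisoformat(ts), "user": user, "ip": ip,
                       "country": country, "result": result, "resource": resource})
    return sorted(events, key=lambda e: e["ts"])


def detect_brute_force(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: max failures seen inside one sliding window}
    for every IP that reached `threshold` failures within `window`."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]].append(e["ts"])  # already time-ordered
    flagged = {}
    for ip, times in failures.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def build_baseline(events, cutoff, exclude_ips=frozenset()):
    """Per-user countries, login hours and resources from successful logins
    before `cutoff`, ignoring IPs already flagged so they cannot poison it."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set(), "resources": set()})
    for e in events:
        if e["result"] == "success" and e["ts"] < cutoff and e["ip"] not in exclude_ips:
            b = baseline[e["user"]]
            b["countries"].add(e["country"])
            b["hours"].add(e["ts"].hour)
            b["resources"].add(e["resource"])
    return baseline


def detect_anomalous_access(events, baseline, cutoff, min_score=2):
    """Flag successful logins after `cutoff` that break at least `min_score`
    of the user's baseline attributes (country, hour, resource)."""
    alerts = []
    for e in events:
        if e["result"] != "success" or e["ts"] < cutoff:
            continue
        b = baseline.get(e["user"])
        if b is None:
            alerts.append((e["user"], e["ts"], ["no baseline for user"]))
            continue
        reasons = []
        if e["country"] not in b["countries"]:
            reasons.append("new country %s" % e["country"])
        if e["ts"].hour not in b["hours"]:
            reasons.append("unusual hour %02d" % e["ts"].hour)
        if e["resource"] not in b["resources"]:
            reasons.append("new resource %s" % e["resource"])
        if len(reasons) >= min_score:
            alerts.append((e["user"], e["ts"], reasons))
    return alerts


def analyze(log_text, cutoff=BASELINE_CUTOFF):
    """Run both detections; returns (brute_force_flags, anomaly_alerts)."""
    events = parse_log(log_text)
    brute = detect_brute_force(events)
    baseline = build_baseline(events, cutoff, exclude_ips=set(brute))
    return brute, detect_anomalous_access(events, baseline, cutoff)


if __name__ == "__main__":
    brute, alerts = analyze(SAMPLE_LOG)
    print("brute-force sources:", brute)
    for user, ts, reasons in alerts:
        print("ALERT", user, ts.isoformat(), "; ".join(reasons))
```

    On the constructed log this flags 198.51.100.7 for six failures in just over a minute against bob’s account, and raises two alerts for alice: a 03:12 login from a country she has never used, followed two minutes later by access to a share she has never touched. Excluding already-flagged sources from the baseline matters; a successful login that follows a guessing run would otherwise teach the model that the attacker’s location is normal.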


    This is where the iPhone hands down beats Android

    Sit me down and ask me to tell you what I think is wrong with the iPhone, and I’ll rattle off a long list. A really long list.

    But there’s one thing that Apple has that’s spot on — and that’s delivering patches to older handsets. A very serious vulnerability was discovered recently that affected the iPhone and iPad (along with the Apple Watch and iPod touch). Apple quickly pushed out a patch, not only for the current iOS 14 release, but also for older devices stuck on iOS 12. Devices getting the update include the iPhone 5s, iPad Air, and iPod touch (6th generation). That’s support going back to September 2013. Devices stuck on iOS 12 have seen a number of updates over the past year, including security updates and also the framework for COVID-19 exposure notifications.

    And that’s very impressive. Apple did not update iOS 13 because devices running this version are all able to update to iOS 14 (iPhone 6s and later). However, if I have one complaint here, I wish Apple had released a specific patch for iOS 13 users (as it did with iOS 13.7 in order to bring COVID-19 exposure notifications to the platform). According to Apple, some 12% of devices in use run iOS 13, with another 8% running iOS 12 or earlier. If you’re running iOS 13, I strongly recommend updating, as the risk is real running an unsupported platform, especially if you keep important data on the device or use it for financial transactions.
