More stories


    QNAP tells NAS users to update firmware to avoid new type of ransomware

    Image: QNAP

    Taiwanese hardware vendor QNAP urged customers last week to update the firmware and apps installed on their network-attached storage (NAS) devices to avoid infections with a new strain of ransomware named AgeLocker.
    The ransomware has been active since June this year, when it first began claiming victims.
    It was named AgeLocker for its use of the Actually Good Encryption (AGE) algorithm to encrypt files. The AGE encryption algorithm is considered cryptographically secure, which means encrypted files can’t be recovered without paying the ransom demand.
    Techniques like brute-forcing the encryption key or identifying weaknesses in the encryption scheme are not reliable against AGE.
    The impossibility of recovering encrypted files without paying the ransom demand is why users should take care to secure QNAP NAS devices.
    Last week, QNAP said it had identified two avenues by which AgeLocker gains access to QNAP devices. The first is the QNAP device firmware (known as QTS), while the second is one of the default apps that come preinstalled on recent QNAP systems (named PhotoStation).
    “QNAP’s initial investigation showed that no unpatched vulnerabilities are [currently] found in QTS. All known [AgeLocker-]affected NAS are running older, unpatched QTS versions,” the company said in a blog post.
    “[The] QNAP Product Security Incident Response Team (PSIRT) has found evidence that the ransomware may attack earlier versions of Photo Station,” the company also said in an alert on September 25.
    Older versions of the PhotoStation app are known to contain security flaws.
    These two findings are why the company now recommends, and provides instructions for, updating both QTS and the PhotoStation app.
    “Once again, QNAP urges users to periodically check and install product software updates to keep their devices away from malicious influences,” QNAP said.
    This is the same advice QNAP gave to NAS owners earlier this year when devices were also targeted by another ransomware strain known as eCh0raix.


    Australian government to pour AU$800m in digital business push

    The Australian government has announced it will expand its digital identity system, touting that the move will allow more businesses to securely access government services online as part of its newly announced AU$800 million Digital Business Package.
    The opt-in service allows users to verify their identity once before gaining access to over 70 government services, rather than having to continually be verified by each Commonwealth entity. It is currently being used by 1.6 million Australians and 1.16 million businesses.
    “We need our businesses to be online, we need them to be digital businesses,” Prime Minister Scott Morrison said on Tuesday.
    “In recent months we have seen through COVID a rapid acceleration produced by necessity of businesses really engaging and upgrading their digital capability. What we’re announcing today, will build on that. It will strengthen it and it will accelerate it.”
    The package also includes AU$28.5 million dedicated towards rolling out the Consumer Data Right (CDR) in the banking and energy sectors. There are also plans for that investment to be used for applying the CDR to mortgages and personal loans by the end of the year.
    The Commonwealth has also vowed that all government agencies will adopt e-invoicing by 1 July 2022 to allow small businesses transacting with government to be paid faster. In addition, it has proposed to pay e-invoices within five days.
    “90% of small and medium businesses today still use paper-based invoices, and if you take the Commonwealth together with the states, governments are responsible for around 10% of all business invoices,” Treasurer Josh Frydenberg said.
    “It is hoped that the Commonwealth by taking the lead in e-invoicing will lead to states … to follow in the Commonwealth’s lead in this respect.”
    Other elements of the package include implementing a modern business register program, with the biggest single component of the package being valued at AU$420 million. The idea is to allow businesses to view, update, and maintain their business register in one location.
    Additionally, AU$29 million has been allocated toward accelerating the rollout of 5G, which includes running trials in sectors such as agriculture, mining, logistics, and manufacturing.
    The federal government also announced initiatives aimed at cutting regulatory red tape, such as placing AU$7 million in two blockchain pilots that aims to reduce business regulatory compliance costs and nearly AU$11.5 million for regtech commercialisation.
    The decision to make temporary reforms that were introduced during the peak of the COVID-19 pandemic, such as enabling annual general meetings to be held virtually and for documents to be executed electronically, permanent were also a part of the federal government’s announcement on Tuesday.
    The rest of the funding as part of the package will be allocated to helping businesses adapt to technology, government said. This includes just over AU$22 million for expanding the small business advisory program, AU$9.6 million for promoting Australian fintechs overseas and attracting inward investment, and a AU$2.5 million injection into digital skills training for small and medium-sized businesses.
    “We should all see digital transformation as an opportunity, not as a threat … we want new businesses in Australia to be born digital,” Frydenberg said.
    The AU$800 million package will be included in next week’s federal budget, which Morrison said would be the “most important budget since the Second World War”.
    “The budget will confirm the strong plan we have for recovery for economic recovery from the COVID-19 recession and to build our economy for the future, to continue to cushion the blow to continue to recover what has been lost … that’s what this budget is about,” he said.
    Shadow Assistant Minister for Treasury Andrew Leigh agreed that technology is “incredibly important”, but warned of the need to consider the flow-on effects.
    “There’s going to be some level of job displacement that comes from technologies such as automated checkout within retail or greater use of robots within factories. So that’ll have impacts on the labour market, and I don’t see from the government a sense that they’ve really thought this through for the long term,” he said on Tuesday.
    Leigh also raised concerns about the government’s ability to deliver the initiatives announced in the package.
    “You’ve just got to look back at the census fail and the robo-debt disaster to worry about the government’s ability to really get it right when it comes to technology,” he said.
    “Rationalising business registers is something that Parliament passed previously, getting a director identification number is something that should have been done years ago. Some of these measures are re-announcements to the extent that they’re fresh. We’ll obviously look through them carefully.
    “But the best way of getting Australians engaged with technology is to expand education, and right now you’re not seeing that with universities. You’re not seeing an expansion of universities, which should take place at an economic moment like this.”


    911 services down in multiple US states

    Emergency services across at least 14 US states have reported outages of their 911 lines on Monday.
    Issues were reported by police departments in counties across Arizona, California, Colorado, Delaware, Florida, Illinois, Indiana, Minnesota, Nevada, North Carolina, North Dakota, Ohio, Pennsylvania, and Washington.
    Impacted counties reported losing connectivity for 911 phone and SMS services, but did not provide any technical details about the source of the outage.
    “ATTENTION: The 911 lines are not operational nationwide. This is for phone calls and text messaging,” the Minneapolis police department wrote on Twitter earlier today at the start of the outage.

    ATTENTION: The 911 lines are not operational nationwide. This is for phone calls and text messaging. If you need police, fire or emergency medical assistance in Minneapolis, please call 612-348-2345. We will advise when this issue is fixed.
    — Minneapolis Police (@MinneapolisPD) September 28, 2020

    911 services are down in the City of Tucson. If you need to make an emergency call, dial 520-372-8011. We will let you know when 911 is back online. pic.twitter.com/aDfAIX3yDU
    — Tucson Police Dept (@Tucson_Police) September 28, 2020

    Multiple U.S. cities are reporting 911 outages at this time.
    — Outage Alert ⚠️ (@OutageAlert2020) September 28, 2020

    The outage impacted all emergency services simultaneously, and 911 services were restored within 30 to 60 minutes for most affected counties.
    A clue to the source of the outage comes from the city of Redmond, Washington, home of tech giant Microsoft, which also reported a similar phone line outage and blamed the incident on “a larger Microsoft 365 outage.”

    As of 5 p.m., City phones and emails are experiencing intermittent outages related to a larger Microsoft 365 outage. We are hoping the issue is resolved shortly. Sorry for any inconvenience.
    — City of Redmond #MaskUpRedmond (@CityOfRedmond) September 29, 2020

    On Monday, Microsoft reported a massive outage after a recent infrastructure change took down services like Office.com, Outlook.com, Teams, Power Platform, and Dynamics 365. The company fixed the issue earlier today by rolling back the problematic change.
    However, the Microsoft outage only impacted Office and email-related services.
    Other sources suggest the 911 outage may not be related to the Microsoft Office 365 outage at all, and most likely originated at a provider of PSAPs (Public Safety Answering Points).
    PSAPs are telephony systems where 911 (or 112) emergency calls are terminated before reaching the actual emergency service call centers. They’re choke points in 911 traffic, which explains why multiple emergency services across different states had issues. According to reports on Twitter, a PSAP provider named Intrado was most likely behind the 911 outage today.

    Intrado and TCS are the biggest players in the E911 routing and interconnection space. They make it possible for CLECs, wireless providers, voip providers, etc to route E911 calls to PSAPs nationally without having a relationship with each.
    — Matthew Hardeman (@mdhardeman) September 29, 2020

    News of the 911 outage comes on the same day that a major ransomware attack took down multiple Universal Health Services (UHS) hospitals across the US. Many users have suggested that the two are connected; however, there is no evidence to support this theory at the moment.


    All four of the world's largest shipping companies have now been hit by cyber-attacks

    Image: Dimitry Anikin

    With today’s news that French shipping giant CMA CGM has been hit by a ransomware attack, all four of the world’s biggest maritime shipping companies have now been hit by cyber-attacks in the past four years, since 2017.
    Previous incidents included:
    • APM-Maersk – taken down for weeks by the NotPetya ransomware/wiper in 2017.
    • Mediterranean Shipping Company – hit in April 2020 by an unnamed malware strain that brought down its data center for days.
    • COSCO – brought down for weeks by ransomware in July 2018.
    On top of these, we also have CMA CGM, which today took down its worldwide shipping container booking system after its Chinese branches in Shanghai, Shenzhen, and Guangzhou were hit by the Ragnar Locker ransomware.
    This makes for a unique case study, as there is no other industry sector where the Big Four have suffered major cyber-attacks one after the other like this.
    But while all these incidents are different, they show a preferential targeting of the maritime shipping industry.
    “I’m not so sure it’s that they’re any more or less vulnerable than other industries,” said Ken Munro, a security researcher at Pen Test Partners, a UK cyber-security company that conducts penetration testing for the maritime sector.
    “It’s that they are brutally exposed to the impact of ransomware.
    “After Maersk was hit by the NotPetya crypter, I believe criminals realized the opportunity to bring a critical industry down, so payment of a ransom was perhaps more likely than other industries,” Munro said.
    It’s not the ships! It’s the shore-based networks
    Over the past year, incidents where malware landed on ships have intensified. This included sightings of ransomware, USB malware, and worms; all spotted aboard a ship’s IT systems.
    Maritime industry groups have responded to these increasing reports of malware aboard ships by publishing two sets of IT security guidelines to address maritime security aboard ocean-bound vessels.
    But Munro points out that it’s not the ships that are usually getting attacked in the major incidents.
    Sure, malware may land on a ship’s internal IT network once in a while, but the incidents where malware gangs have done the most damage were the attacks that targeted shore-based systems sitting in business offices and data centers.
    These are the systems that manage personnel, receive emails, manage ships, and are used to book container transports. They are not materially different from the IT systems found inside other industry verticals.
    “That said, if you can’t book a container, there’s no point in having the ship,” Munro added.
    For all intents and purposes, it appears that despite efforts to protect ships from external hacking, the maritime industry has failed to treat its shore-based systems with the same level of attention.
    While the rare ship hacking incidents are the ones that usually grab headlines, it’s the attacks on a shipping company’s shore-based systems that are more common these days, and especially the attacks on their container booking applications.
    These systems have often been hacked by sea pirate groups looking for ship manifests, container ID numbers, and ship sea routes so they can organize attacks, board ships, and steal containers transporting high-value goods like electronics and jewelry [1, 2, 3, 4].
    These waves of “cyber pirates,” as these groups have often been named, along with the recent attacks on the Big Four shipping giants, are a clear sign that the shipping industry needs to stop prioritizing the less likely ship hacking scenarios and focus more on its shore-based systems, at least for the time being.


    Can Amazon convince you to welcome a security drone into your home?

    The past few years of Alexa-related product launches have given rise to some of the most unusual devices launched by a major tech company. (OK, Google, we’ll give you Google Clips.) There’s been the Alexa ring, the Alexa glasses, the Alexa wall clock, and the Alexa microwave. This year, though, as Amazon released the biggest upgrade to Alexa since the agent first showed up in its cylindrical house called Echo, its developer brought forth a smaller range of Alexa devices. That may be in part because the company has been doing such a good job of getting third parties to spread the cyan-accompanied conversationalist far and wide, as well as the company’s commitment to sustainability, which not only favors fewer, more durable devices, but those using sustainable materials that may not be so easily leveraged in niche forays.

    In contrast to the Echo proliferation slowdown, Amazon’s Ring product line continued to expand well beyond its signature video doorbell with a new premium service offering and a move into vehicles with a car alarm and camera connection service that showed more thoughtfulness than the dashboard screen invasions of Apple CarPlay and Android Auto. The division also showed off a small mailbox sensor that can alert you of new postal mail and address mail theft. It raised the most eyebrows by far, though, with the Always Home Cam, a self-docking drone designed to autonomously fly through one unoccupied floor of a home, capturing footage of what it sees.
    Drones don’t have the best reputation when it comes to privacy, so it’s natural that the Always Home Cam has inspired skepticism. Stepping back, though, let’s consider the practicality of Ring’s ambitious sentry. For those who want to surveil their homes, the drone tackles the longstanding challenge of not only mounting security cameras but keeping them charged.
    Plus, unlike stationary cameras, which can capture parts of the home at any time, the Always Home Cam makes limited runs through the home and cannot capture video while docked. Amazon says that it can be activated only manually, not on a scheduled basis. And if the rooms you’d rather have the drone avoid, such as bedrooms, are on another floor of the home, one can take comfort in the fact that the Always Home Cam is currently limited to patrolling only one floor at a time.
    Still, based on some casual web research looking back at the early days of the Roomba, which debuted in 2002, the novelty of the Always Home Cam’s flight seems to give more pause than that pioneering robotic vacuum cleaner did. To combat this, Amazon could do a better job in providing assurances around privacy and hacking. For example, while it is likely the case that a homeowner can designate only the areas that the drone is allowed to fly, the Always Home Cam can theoretically capture more of a home than fixed cameras that can pan, tilt and zoom. Given this, small offices may have been a better initial market for what could have been called the Always There Cam.
    Likewise, were a bad actor to take over the drone, its physical presence would likely be, at worst, a nuisance (albeit one that could frighten someone who was unaware). But Amazon could allay fears related to this by clarifying the drone’s maximum speed and whether it is programmed to avoid human contact should it be detected. A secret “kill word” that could be spoken to the drone and cause it to immediately softly land and turn off would also offer some assurance.



    UHS hospital network hit by ransomware attack

    Universal Health Services (UHS), a Fortune 500 company and one of the largest healthcare providers in the US, has been impacted by a ransomware attack over the weekend.
    UHS hospitals have been operating without internal IT systems since Sunday morning, according to employees and patients who took to social media today.
    Some patients have been turned away and emergencies have been redirected to other hospitals after UHS facilities were unable to carry out lab work.

    Spring Valley Hospital Las Vegas NV CANT TREAT PATIENCE EFFECTIVELY OR EFFICIENTLY because Computer System went Down about 11:00 pm 09/26/2020 Still down it’s 6:10 pm 09/27/2020 their excuse for not giving me Blood Transfusion I needed Yesterday Oh Lordy Please Say a Prayer
    — Sassy Jacks (@jacks_sassy) September 28, 2020

    According to UHS employees, the ransomware attack took place on the night between Saturday and Sunday, September 26 to 27, at around 2:00 am CT.
    Employees said computers rebooted and then showed a ransom note on the screen. Computers were then shut down, and IT staff asked hospital personnel to keep systems offline.
    ZDNet has confirmed IT issues with UHS hospitals and care centers in North Carolina and Texas.
    Similar IT issues were also reported in Arizona, Florida, and California, according to a Reddit thread started today.
    The Reddit thread also contains first-hand accounts from multiple users claiming to be UHS employees.
    “I work at a UHS facility in Tucson and our [EXPLETIVE] is definitely down. They won’t even let us turn the computers on for going on over 24 hours. We’re a psych hospital so no one is dying from not getting their lab results back in time,” wrote a user named chickenismurder.
    “I work at an inpatient psych site in Philly PA. The nurses told me they asked the patients what they take for morning meds and then didn’t even distribute evening meds bc they have no record of their medications. I had to hand write all my notes from photocopies of the note format and look through the charts for each treatment goal. It was a nightmare,” wrote another user named rebeIduckling.
    On its website, UHS claims to manage more than 400 hospitals and care centers in the US and UK. The true extent of the attack remains to be determined.
    Despite early reports today that UHS’ entire network was impacted, several hospitals denied having issues in phone calls with ZDNet today.
    While UHS hospitals were willing to confirm IT issues to ZDNet today, a UHS spokesperson from its corporate offices did not return a request for comment. The company did, however, issue a formal statement admitting to the incident after this article’s publication.
    Employees from the same Reddit thread have told ZDNet the incident was caused by a ransomware strain named Ryuk, but could not provide any evidence to support their claims beyond what they heard from fellow workers. Ryuk is a ransomware operation that had been quiet for months but returned to normal operations last week.

    There are different groups using the Ryuk ransomware. But yes, the OG group that disappeared around April has popped up again about a week ago and we are seeing cases again. The fringe splinter groups however never really disappeared.
    — Fabian Wosar (@fwosar) September 24, 2020

    Article updated at 12:20am ET with link to UHS official statement.


    The price of stolen remote login passwords is dropping. That's a bad sign

    Cyber criminals are lowering the prices they charge for compromised remote desktop protocol (RDP) logins, a move that indicates how leaked usernames and passwords are becoming increasingly available to hackers as a means of gaining access to corporate networks – and demonstrates how poor passwords continue to plague enterprise security.
    Remote desktop protocol (RDP) enables employees to securely connect to the servers of their organisation remotely – a practice which has grown during 2020 as employees have increasingly worked from home. RDP is also regularly used by administrator accounts, enabling IT and security teams to perform updates and provide assistance to users.
    However, while extremely useful, an improperly secured RDP account or server can provide cyber criminals with easy access to a corporate network with either stolen or easily cracked passwords.
    Cybersecurity researchers at Armor analysed 15 different dark web markets and underground cyber criminal forums and found that the average price for RDP credentials has dropped to between $16 and $25, compared with an average of over $20 during 2019. Some dark web vendors are advertising these credentials as “non-hacked”, claiming that they haven’t been used before.
    In many cases, the reason why stolen RDP login credentials have become available in the first place is because they’re poorly secured with commonly used and weak passwords, as well as simple-to-guess user names such as ‘administrator’.
    Often an automated brute force attack will uncover these usernames and passwords, providing the access required to the network – or giving an underground vendor the opportunity to quickly make money by selling the credentials on.
    Attackers buying the credentials could use the login details for anything from performing reconnaissance on the network, to using them as a gateway for stealing additional usernames and passwords, confidential information or intellectual property. They could also use the RDP credentials as the first stage of a major malware or ransomware attack against the organisation.
    And the falling cost of RDP credentials suggests that the problem is getting worse: prices are declining because the underground market is being saturated with more and more remote login details.
    “Any time access used to compromise an organization gets cheaper – in this case RDP credentials – this increases the threat for businesses because there is a lower price to entry for the fraudsters,” Chris Stouff, CSO of Armor told ZDNet.
    It’s potentially the case that more login credentials have become available because of the rise in remote working during this year.
    However, it’s possible for organisations to boost the security of corporate RDP services by following two simple steps. First of all, default credentials should never be used to secure accounts and instead organisations should encourage users to set up a strong password for their account.
    Secondly, organisations should apply multi-factor authentication when possible as it provides a substantial barrier to cyber criminals being able to take advantage of accounts – even if the username and password have been leaked.
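    Detection logic of the kind a defender would run over RDP logon records, as an added example that is not code from the article or from Armor: it flags a source that fails repeatedly within a short window (the automated guessing described above), reports any logon that later succeeded from that source, and lists default account names such as “administrator” that were tried. The log format, the thresholds and the list of default names are assumptions, and the records are constructed.

```python
"""Spot RDP password guessing and default-account exposure in logon records.

Added example; not code from the ZDNet article or from Armor. The record format
(timestamp, source IP, account, result) is a constructed stand-in for what an RDP
gateway or Windows Security log would export; thresholds and the default-name list
are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source cycling common account names until a guess
# succeeds, alongside ordinary interactive logons (one honest typo included).
SAMPLE_LOG = """\
2020-09-28T02:00:01 203.0.113.7 administrator FAIL
2020-09-28T02:00:02 203.0.113.7 administrator FAIL
2020-09-28T02:00:03 203.0.113.7 admin FAIL
2020-09-28T02:00:04 203.0.113.7 admin FAIL
2020-09-28T02:00:05 203.0.113.7 user FAIL
2020-09-28T02:00:06 203.0.113.7 test FAIL
2020-09-28T02:00:07 203.0.113.7 administrator SUCCESS
2020-09-28T02:05:00 198.51.100.20 jsmith SUCCESS
2020-09-28T09:15:00 198.51.100.21 amorris FAIL
2020-09-28T09:15:20 198.51.100.21 amorris SUCCESS
"""

# Account names that guessing tools try first (assumed list).
DEFAULT_NAMES = {"administrator", "admin", "guest", "user", "test", "root"}
FAIL_THRESHOLD = 5            # failures from one source within WINDOW => guessing
WINDOW = timedelta(minutes=5)


def parse(log):
    """Turn the text log into (timestamp, source, account, succeeded) tuples."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, account, result = line.split()
        events.append((datetime.fromisoformat(ts), src, account.lower(), result == "SUCCESS"))
    return events


def find_guessing_sources(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Sources with at least `threshold` failures inside any sliding `window`.

    Returns {source: (total_failures, sorted distinct accounts tried)}.
    """
    failures = defaultdict(list)
    for ts, src, account, ok in events:
        if not ok:
            failures[src].append((ts, account))
    flagged = {}
    for src, fails in failures.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the span fits inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = (len(fails), sorted({a for _, a in fails}))
                break
    return flagged


def successes_from_guessing_sources(events, flagged):
    """Logons that succeeded from a flagged source: a guessed credential, the kind that ends up for sale."""
    return [(ts.isoformat(), src, account)
            for ts, src, account, ok in events if ok and src in flagged]


def default_accounts_targeted(events):
    """Default or generic account names that saw any logon attempt; rename or disable them."""
    return sorted({account for _, _, account, _ in events if account in DEFAULT_NAMES})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    guessing = find_guessing_sources(evs)
    for src, (count, accounts) in guessing.items():
        print(f"password guessing from {src}: {count} failures against {accounts}")
    for ts, src, account in successes_from_guessing_sources(evs, guessing):
        print(f"  compromised: {account} from {src} at {ts}")
    print("default account names in use:", default_accounts_targeted(evs))
```

    The single failure from 198.51.100.21 followed by a success is the pattern of a user mistyping a password and is not flagged; the burst from 203.0.113.7 is, and the success that follows it is exactly the credential the two steps above (no default accounts, MFA on every RDP logon) would have made worthless to a buyer.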


    Suspicious logins reported after ransomware attack on US govt contractor

    Customers of Tyler Technologies, one of the biggest software providers for the US state and federal government, are reporting finding suspicious logins and previously unseen remote access tools (RATs) on their networks and servers.
    The reports come days after Tyler Technologies admitted last week to suffering a ransomware attack.
    The Texas-based company said that an intruder gained access to its internal network on the morning of Wednesday, September 23.
    The intruder installed ransomware that locked access to some of the company’s internal documents.
    Tyler initially played down the incident
    Tyler played down the incident and said that only its internal corporate network and phone systems were impacted.
    Its cloud infrastructure, where the company hosts its customer-facing applications, was not impacted, the company said in a statement published on its website and via emails sent to customers last week.
    But over the weekend, the situation changed as Tyler made headway investigating the incident. The company changed its statement on Saturday.
    “Because we have received reports of several suspicious logins to client systems, we believe precautionary password resets should be implemented,” the company said.
    “If clients haven’t already done so, we strongly recommend that you reset passwords on your remote network access for Tyler staff and the credentials that Tyler personnel would use to access your applications, if applicable.” [emphasis Tyler’s]
    Customers report remote access tools on their servers
    At the same time, some of Tyler’s customers also reported seeing new software installed on their systems.
    “If you’re a Tyler customer check your servers for Bomgar that they installed,” wrote one of many users on Reddit over the weekend.
    A similar report followed on Monday from cyber-security training outfit SANS.
    “One of our readers, a Tyler Technologies’s customer, reported to us that he found this morning the Bomgar client (BeyondTrust) installed on one of his servers,” said Xavier Mertens, one of the SANS ISC handlers.
    According to users, Tyler uses the Bomgar client to manage its servers, but some reports claim the software was not installed prior to this weekend, prompting some to panic.
    While Tyler insists in its updated statement that the attack was aimed at its internal system, customers now believe attackers might have gained access to passwords for Tyler’s web-hosted infrastructure that were stored on the company’s local network — and attackers are now escalating access to Tyler’s client networks.
    While the Tyler Technologies name might not say anything to the regular American, the ransomware attack on this company’s network might quietly become one of the biggest cyber-attacks of the year, if indeed attackers gained access to passwords for customer networks and the Reddit and SANS reports aren’t isolated cases.
    According to its website, Tyler provides more than 50 types of web-based applications to the US public sector, such as student and school management software, public transport management solutions, jail management, courts and jury management systems, cyber-security solutions, tax and billing software, fire and EMS solutions, and entire city staff management systems, known as “Munis,” just to name a few.
    According to Reuters, which first broke the story about the ransomware attack, some of Tyler’s software is also scheduled to be used in the upcoming US presidential election — for aggregating voting results from other sources into central dashboards.
    The gang behind the Tyler attack was identified as the RansomExx group.