Information Technology

Microsoft has released updates to address four previously unknown or ‘zero-day’ vulnerabilities in Exchange Server that were being used in limited targeted attacks, according to Microsoft. 
Microsoft is urging customers to apply the updates as soon as possible due to the critical rating of the flaws. The flaws affected Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. Exchange Online is not affected. 
“We strongly encourage all Exchange Server customers to apply these updates immediately,” it said. 

More on privacy

Microsoft attributes the attacks to a group it calls Hafnium, which it says is a state-sponsored threat actor that operates from China.  
SEE: Network security policy (TechRepublic Premium)
The attackers used the bugs in on-premise Exchange servers to access email accounts of users. The four bugs are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. 
Washington DC-based security firm Volexity said in its analysis that the vulnerability CVE-2021-26855 was being used to steal the full contents of several user mailboxes. The bug didn’t require authentication and could be exploited remotely. 

“The attacker only needs to know the server running Exchange and the account from which they want to extract e-mail,” Volexity analysts noted. 
Velocity said the attacks appear to have started as early as January 6, 2021.
Exchange email servers are an attractive target due to the volume of email information they hold about an organization.
Last year, Microsoft warned Exchange server customers to patch a different critical flaw (CVE-2020-0688) that multiple advanced persistent threat actors were quick to exploit. Yet months after Microsoft warned organizations to urgently patch this flaw, tens of thousands of Exchange servers remained unpatched.  
Microsoft is concerned it could see the same scenario play out again with this set of Exchange server vulnerabilities. 
“Even though we’ve worked quickly to deploy an update for the Hafnium exploits, we know that many nation-state actors and criminal groups will move quickly to take advantage of any unpatched systems. Promptly applying today’s patches is the best protection against this attack,” said Tom Burt, Microsoft’s corporate vice president of Customer Security & Trust.
SEE: Cybercrime groups are selling their hacking skills. Some countries are buying
Hafnium mainly target US entities in infectious disease research, law firms, higher education institutions, defense contractors, policy thinktanks, and NGOs, according to Microsoft. The group also primarily operates from leased virtual private servers (VPS) in the United States, it added. 
Microsoft provided the following summary of each vulnerability for customers to assess: 
CVE-2021-26855 is a server-side request forgery (SSRF) vulnerability in Exchange that allowed the attacker to send arbitrary HTTP requests and authenticate as the Exchange server.
CVE-2021-26857 is an insecure deserialization vulnerability in the Unified Messaging service. Insecure deserialization is where untrusted user-controllable data is deserialized by a program. Exploiting this vulnerability gave Hafnium the ability to run code as SYSTEM on the Exchange server. This requires administrator permission or another vulnerability to exploit.
CVE-2021-26858 is a post-authentication arbitrary file write vulnerability in Exchange. If Hafnium could authenticate with the Exchange server, then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
CVE-2021-27065 is a post-authentication arbitrary file write vulnerability in Exchange. If Hafnium could authenticate with the Exchange server, then they could use this vulnerability to write a file to any path on the server. They could authenticate by exploiting the CVE-2021-26855 SSRF vulnerability or by compromising a legitimate admin’s credentials.
After comprising the affected Exchange servers, the attackers deployed web shells on them, allowing for potential data theft and further compromise. Web shells are small scripts that provide a basic interface for remote access to a compromised system. Microsoft warned in February that between August 2020 and January 2021, it had seen twice as many web shell attacks than in the same period last year.    More

The US Securities and Exchange Commission (SEC) has charged seven individuals in connection to an alleged pump-and-dump stock scheme. 

On March 2, SEC said that investors in a technology company were defrauded out of $45 million through the scam, in which Kalistratos “Kelly” Kabilafkas secretly controlled Simi Valley, Calif.-based Airborne Wireless Network, a publicly-traded company. 
Kabilafkas quietly purchased “essentially all the outstanding stock” of a shell company, Ample-Tee, which became Airborne Wireless in 2016. 
Shares were then distributed to other parties. In total, “millions” of shares were carved up and brokerages were “deceived” into transferring shares into other participants’ names, dumping them into brokerage accounts, and then selling them on to other investors. 
SEC has named other alleged participants in the scheme. Timoleon “Tim” Kabilafkas is Kelly’s father; Chrysilios Chrysiliou allegedly provided the funds for Kelly to purchase the Ample-Tee shell; Panagiotis Bolovis is Kelly’s brother-in-law, and Moshe Rabin has been connected to the alleged deposit and sale of Airborne Wireless stock. Eric Scheffey, another claimed share recipient, was also named in the complaint. 
The group operated a scheme between August 2015 and roughly May 2018, together with the help of Airborne Wireless executive Jack Daniels, to inflate the share price of Airborne Wireless and promote the stock — all while hiding the firm’s true control structure. 
Daniels is described by SEC as a “nominee” chief executive, while Kabilafkas truly held the power in the company.

According to the complaint (.PDF), millions of dollars were spent on advertisements to push up share prices — before the defendants allegedly dumped their stock on an unwitting market. SEC says they were able to make $23 million in profit. 
SEC alleges that “much” of the profit “was kicked back to benefit the Kabilafkas family.” The proceeds were allegedly used to purchase Californian real estate to generate a rental income, resolve tax liabilities, and to purchase luxury cars.
At the same time, the company also raised $22.8 million in funds from investors, through public and private offerings, based on allegedly “false and misleading statements.” 
“At no time during the scheme did Kabilafkas, Airborne, or Daniels disclose Kabilafkas’s role as a control person or the fact that, while Airborne was raising money from investors, he and his associates were dumping millions of shares into the public market,” US prosecutors claim. 
The complaint has been filed in the US District Court for the Southern District of New York and charges each alleged participant with antitrust violations within federal securities laws. 
SEC is pursuing civil penalties, the disgorgement of any financial gains considered fraudulent — as well as interest — and injunctions. 
One of the defendants, Rabin, has agreed to settle without admitting or denying the agency’s claims. If approved by the court, Rabin faces a $125,000 penalty and a penny stock bar. 
“Kabilafkas orchestrated a wide-ranging scheme to deceive gatekeepers, conceal from investors the true ownership of a public company, and then manipulate the company’s stock,” said Jennifer Leete, Associate Director of the SEC’s Enforcement Division. “The SEC is committed to unraveling frauds to protect investors.”
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

A new version of Ryuk ransomware is equipped with an additional worm-like capability to spread itself around infected networks, potentially making it even more dangerous than it was before.
Ryuk is one of the most prolific forms of ransomware, with its cyber-criminal operators thought to have made over $150 million in Bitcoin ransom payments from victim organisations around the world.

More on privacy

Like other forms of ransomware, Ryuk encrypts a network, rendering systems useless and the cyber criminals behind the attack demand a payment in exchange for the decryption key. This demand can stretch into millions of dollars.
SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)
Ryuk has become one of the one most successful families of ransomware – and it’s regularly updated in order to maintain its effectiveness.
Now France’s national cybersecurity agency – Agence Nationale de la Sécurité des Systèmes d’Information (ANSSI), translated into English as National Agency for the Security of Information Systems – has detailed how the latest version of Ryuk is able to self-replicate itself over a local network.
The ransomware can propagate itself across the network using Wake-on-LAN, a feature that enables Windows computers to be turned on remotely by another machine on the same network. By spreading to every reachable machine on the network, the Ryuk attack can be much more damaging.

This capability was discovered while ANSSI was responding to an unidentified Ryuk ransomware incident earlier this year.
The ANSSI paper warms that Ryuk remains particularly active and that “at least one of its operators attacked hospitals during a pandemic”.
Hospitals appear to have been a particular target for Ryuk ransomware attacks, despite the – or perhaps because of – the ongoing COVID-19 pandemic, with access to networks vital for patient care. And given the ongoing situation, some hospitals are giving in to ransom demands, perceiving that approach to be the simplest way to keep treating patients – although even paying the ransom doesn’t guarantee a smooth restoration off the network.
Ryuk is commonly delivered to victims as the final stage of multi-stage attacks, with networks initially compromised with Trickbot, Emotet or BazarLoader – often by phishing attacks. Those compromised networks are then passed on or leased out to the Ryuk gang in order to infect them with ransomware.
SEE: Phishing: These are the most common techniques used to attack your PC
Often, the initial compromise of networks to install malware takes of advantage of organisations not applying patches against known vulnerabilities.
Therefore, one of the key things an organisation can do to help protect itself against cyberattacks is to ensure the latest security updates are applied across the network as soon as possible after release, particularly when it comes to critical vulnerabilities.
Organisations should also regularly backup the network – and store those backups offline – so that in the event of falling victim to a ransomware attack, the network can be recovered without giving into the demands of cyber criminals.

MORE ON CYBERSECURITY More

The New South Wales government has announced the state-wide rollout of a new app designed to help frontline child protection caseworkers reduce paperwork so they can spend more time supporting vulnerable children.
The ChildStory Mobile is the modified version of the ChildStory desktop system used by the Department of Communities and Justice for child protection and out-of-home care. It enables caseworkers to complete home visit records and upload files, access client information, complete safety assessments, and instantly create digital safety plans that can be signed and instantly shared with families.
“This Australian-first app will provide caseworkers with real-time access to vital information, allowing faster responses and better outcomes for vulnerable kids,” Minister for Families, Communities and Disability Services Gareth Ward said.
In addition, the department has signed a four-year deal with the CSO Group, valued at AU$16 million, for the delivery of new cybersecurity solutions for the cloud, endpoint, and email.
Under the deal, CSO Group will deliver an integrated managed security service designed to deliver insights and protection for the department.
Meanwhile, New South Wales Police has signed New York-based Mark43 to become what it has dubbed its “designated” technology partner that will see it provide and implement the call-taking, dispatch, records, investigations, and forensics components of the new Integrated Policing Operations System (IPOS) for the force.
The partnership between the pair was initially forged last April when the force said it would adopt the company’s cloud-based records management software and its computer-aided dispatch system, through Unisys Australia.

At the end of last year, the force, together with Mark43 and Unisys, said it would be kicking off its mainframe modernisation project that will see the force’s central database, which is used for everyday operations, including logging criminal incidents to intelligence gathering, and pressing charges, be replaced with the new IPOS. The project is expected to take five years to complete and will be carried out in three phases. 
Related Coverage More

Community Linux distributions are easygoing with updates and patches. Yes, they’d like you to update, but they don’t insist on it. Now, though, the popular Linux Mint distribution has had enough of people running out-of-date distributions and programs. In the future, Mint’s Update Manager may “insist” you make important security updates.  

ZDNet Recommends

The best cyber insurance
The cyber insurance industry is likely to go mainstream and is a simple cost of doing business. Here are a few options to consider.
Read More

This all started because Mint’s maintainers found many Mint users were not keeping their software up-to-date. Mint researchers found less than a third of its users updated their web browser within a week of a new version’s release, and as many as 30% of users may still be still running Linux Mint 17.x. That specific distribution hasn’t been supported since April 2019. This, in turn, meant they haven’t received security updates for close to two years. 
Yes, Linux tends to be more secure than other operating systems, but that doesn’t mean there have been no serious security bugs. For example, a decade-old sudo bug has recently been patched, and the ancient — but always troublesome — memory addressing tool set_fs() was finally removed. As lead Mint maintainer Clement “Clem” Lefebvre wrote, you must update not just because an outdated system is vulnerable, “it is known to be vulnerable.”
Besides, Update Manager doesn’t just patch Linux bugs, it also updates and patches all software on your Linux system. So, for example, when you update Linux Mint, you’re also updating the default Firefox web browser. 
It’s not like it’s hard to do either. Clem said: “Linux Mint comes with one of the best update managers available. It’s very easy to use, it’s configurable, and it shows a lot of information.” He’s right. “All you need to do is use it.”
Unfortunately, even after warning users that they need to keep their Mint systems up to date, people still aren’t doing it. 
Why? Clem explained in a note: “Many users think updates should be applied but don’t do it often, either because they haven’t gotten around to automate the process, or they thought they’d do it often but they don’t, or for some, they even got used of that little orange dot in their system tray and don’t really pay attention to it anymore. Giving these users a reminder after a while is something they might appreciate, they’re the people we’re doing this for.”

Therefore, Mint developers are working on Update Manager improvements. Besides looking for available updates, the Manager will also track cases where updates are overlooked. This will include metrics on when updates were last applied; when were packages last upgraded; and how many days have passed since a particular update was made available. 
Armed with this data, “in some cases, the Update Manager will be able to remind you to apply updates. In a few of them, it might even insist.”
The developers don’t want to get in your way. As Clem wrote, “We have key principles at Linux Mint. One of them is that this is your computer, not ours.” 
This also means that this data won’t be sent to the Linux Mint organization. Clem explained, “Under no circumstances will the data be sent anywhere.” Instead, the Update Manager only keeps the data it needs to make sure you’re at least looking at available patches. If you are, it then deletes the local data. 
At the same time, they don’t want users continuing to run potentially dangerously out-of-date setups. So, at this point, “We’re still forming strategies and deciding when and how the manager should make itself more visible so it’s too soon to speak about these aspects and get into the details which probably interest you the most here. So far we worked on making the manager smarter and giving it more information and more metrics to look at.”
Eventually, Mint may be more aggressive about insisting you secure your system, but for now, its developers are trying to strike a balance between keeping users safe and not annoying them. Stay tuned for more developments.
Related Stories: More

Image: iStock/Drazen Zigic
Once upon a time, remote work was something only tech startups considered to be an option for staff members scattered across the globe. Then a pandemic struck, forcing businesses everywhere to reconsider the possibility that allowing employees to work from home might be the only way to keep the company from failing.

According to a TechRepublic survey, 61% of businesses have gone out of their way to make remote work possible for most employees. That’s not a blip on the radar. Given that an overwhelming majority of respondents (61%) would rather work from home than in an office, it’s safe to say the remote work option is here to stay.
For employees, it’s a change in routine and locale, but for businesses, it’s much more than that — every company has far more to consider. Let’s dive into five considerations that your company must understand for a smooth and productive work-from-home experience.
SEE: Speed up your home office: How to optimize your network for remote work and learning (free PDF) (TechRepublic)
Remote office tools
No matter where your employees work, they need the right tools. When those employees are working in the office, you provide them with everything necessary to get the job done: Computers, printers, mobile devices, desks, chairs, network devices, software, white boards, and more. If you believe employees working from home should be on their own for equipment, you’re doing remote work wrong. If you’re not willing to directly pay for the tools your employees need, you should at least consider allowing them to expense those costs. But all purchases must be approved — otherwise, you’ll wind up with employees buying extravagant chairs and laptops. 
According to our survey, 56% of respondents said that their company had done a poor job of supplying the necessary hardware (computers, printers, and so on) and 52% of respondents said their company had done a poor job supplying them with the necessary office equipment (desks, chairs, etc.) to work remotely. Unless this improves, staff will either be incapable of doing their jobs with any level of productivity (at best) or they’ll burn out and quit (at worst).
At a bare minimum, your company should supply remote workers with:
A computer or laptop for work only
A printer (if needed)
All software necessary to do their jobs
A VPN (if security is a concern)
Managing burnout

Burnout is a serious issue with employees who are not accustomed to working from home. Why does this happen? The biggest reason is the inability to separate work from home. When this happens, the lines blur so much that employees can begin to feel as though they’re working 24/7/365. On top of that, people no longer get a much-needed break from family life. That one-two punch makes burnout happen faster and on a more profound level.
How do you manage this? The most important thing you can do is keep the lines of communication open. You’ll need to have someone (or multiple people) on hand to talk to staff in order to help them through these periods.
You’ll need to educate your staff to:
Create a routine such as scheduled work times that clearly define ‘work time’ and ‘home time’.
Set boundaries like, “When the office door is closed, I’m at work.”
Communicate with family — make sure your employees are doing a good job of communicating with their loved ones.
Practice self-care. Your employees will need, on some level, to learn how to take care of themselves to avoid stress.
Understand priorities so your staff always know what work takes priority and what work can be put off.
According to our survey, 78% of respondents indicated they were working from home five days a week. If those staff members don’t work smart, they’ll suffer burnout fast. Feeling like you’re ‘in the office’ day in and day out can be exhausting. To that end, you’ll need to consider allowing staff to work a flexible schedule.
Managing a flexible schedule
This one is a challenge for most businesses because nearly every company works on the assumption that business hours are universal. There’s a reason why Dolly Parton’s “9 to 5” resonates so well with a majority of the population around the world. 
However, with remote workers, the idea of a set work schedule needs to be thrown out the door. You must remember that people are working at home, which can throw a major wrench in the works. What am I talking about?
Tending to children who aren’t in school
The possibility of burnout
Family responsibilities
Less reliable networks
Equipment failure
The single most important thing to consider is that your employees do prefer to work from home, and can be even more productive working in that comfortable environment. But that improved productivity might come with a price for your company in the form of allowing for flexible schedules. 
Remember: As long as work is getting done in a timely fashion, it shouldn’t matter when it’s getting done.
Security is key
One thing your business must consider is security, and how to help your remote workers do their jobs without compromising company data. This might mean you’ll need to purchase enterprise-class VPN services for those who must transmit sensitive data from their home networks. Those employees who deal with very sensitive data might also need to be trained on how to use encryption.
Another issue that must be addressed is passwords. You probably have password policies in place for office-based staff, but you can’t enforce those policies on their home networks, which means you’ll need to train your remote workers to change all network passwords (such as those for wireless routers) to be strong and unique. Even if you also have to get those employees up to speed on using a password manager (which they should anyway), this cannot be stressed enough.
SEE: How to manage passwords: Best practices and security tips (free PDF) (TechRepublic)
KPIs to monitor
You need to know which Key Performance Indicators (KPIs) to monitor, and I suggest these KPIs as a good starting point.
Self-discipline: An employee’s ability to work independently.
Effective communication: An employee’s ability to communicate effectively and efficiently with teams and clients.
Learning skills: An employee’s ability to not just follow a known instruction set, but also to learn new things efficiently.
Remote vs. local tasks: Are there tasks that can or cannot be performed remotely? You must know the difference.
Accountability: Employees must learn to hold themselves accountable to get their tasks done with less supervision.
Self-discipline: Employees must be capable of staying on-task with less supervision.
Collaboration: Employees must be capable of working with other teammates efficiently via video/audio chat and email.
Availability: Managers must be available to discuss work-related matters during business hours. Although employees might work a flexible schedule, they must also be available during business hours.
Conclusion
Your company’s transition from a standard work environment to a full remote or hybrid (remote and in-house) environment doesn’t have to be a challenge. Given that nearly every business across the globe has been practically forced into this new world order, the hard part is already taken care of. With just a bit of extra planning and work, you can make this new reality not only seamless but even more productive. 
Also see More

Malaysia Airlines has suffered a data security “incident” that compromised personal information belonging to members of its frequent flyer programme, Enrich. The breach is purported to have occurred at some point during a period that spans almost a decade and involves a third-party IT service provider. 
The airline had sent out an emailer to Enrich members this week, stating it was notified of a “data security incident” at the third-party IT supplier. The breach involved “some personal data” and occurred some time between March 2010 and June 2019, it said, adding that these details included members’ name, date of birth, contact information, and various frequent flyer data such as number, status, and tier level. 

Travel data such as itineraries, reservations, ticketing, and ID card, as well as payment details were not compromised, according to Malaysia Airlines. Its own IT infrastructure or systems also were not affected, the carrier said.  
It noted that there was “no evidence” any personal data had been misused and the breach did not expose any account passwords, though, it urged Enrich members to change their passwords as a precaution. The airline also directed customers to pose any queries they might have directly via email to its data privacy officer. 
At press time, Malaysia Airlines had yet to make a public statement on the security breach or post a notice on its website. It did, however, appear to confirm the incident on Twitter in its replies to customers. 
In one of several such responses, the national carrier said: “The data security incident occurred at our third-party IT service provider and not Malaysia Airlines’ computer systems. However, the airline is monitoring any suspicious activity concerning its members’ accounts and in constant contact with the affected IT service provider to secure Enrich members’ data and investigate the incident’s scope and causes.”
It reiterated its stance that there was no indication the breach impacted any account passwords, but advised members to change their passwords as a precautionary measure. 

The airline just in January had announced plans to introduce a fare-based earning programme and new tier qualification framework for Enrich, slated to commence in April 2021. 
Singapore telco Singtel also recently suffered a data security breach that involved a third-party IT vendor, which file-sharing system had contained vulnerabilities that were unsuccessfully patched. 
RELATED COVERAGE More

Two very different forms of ransomware with different methods targeting two different operating systems likely to have started off as one kind of ransomware, before those working on it split apart, demonstrating how ransomware is constantly evolving and how new threats continue to pose a risk to potential victims.

ZDNet Recommends

Cybersecurity researchers at Intezer analysed two forms of ransomware — QNAPCrypt and SunCrypt — and have concluded that one evolved from the other.
QNAPCrypt first emerged in mid-2019 and targets network-attached storage devices running on Linux. Meanwhile. SunCrypt ransomware first appeared in October 2019 and targets Windows systems, but it didn’t really gain notoriety until attacks increased in the middle of 2020, following an update.
At first glance, QNAPCrypt and SunCrypt appear unrelated — they’re two different forms of ransomware, distributed by two different groups and they target two forms of operating system.
The two ransomware-as-a-service operations are also run in different ways, with the distributor behind QNAPCrypt rarely posting about their ransomware on underground forums.
Meanwhile, the operator behind SunCrypt appears to be purely focused on advertising their product, repeatedly posting messages to recruit affiliates in order to make as much money from receiving percentages of ransom payments as possible. The operators of SunCrypt also favour the double extortion technique, threatening to leak stolen data of victims which don’t pay ransom demands — as well as targeting hospitals.
But while it’s clear that the two campaigns are very different and operated by different individuals, analysis of both forms of ransomware reveals that QNAPCrypt and the early version SunCrypt share identical code logic for file encryption, leading researchers to conclude with “high certainty” that both forms of ransomware were compiled from the same source code.

SEE: Cybersecurity: Let’s get tactical (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)  
Researchers also identified similarities in key generation and how the code is written and deployed for checking the geographic location of the infected victim. Both QNAPCrypt and SunCrypt will cease encryption operations if running on a Belarusian, Russian or Ukrainian machine — while SunCrypt also adds Kyrgyzstan and Syria to the list.
SunCrypt has evolved since being released and is more distinct now, but the analysis of the older code makes it clear that the two forms of ransomware started life as one and the same thing — although how this ended up as two distinct variants and two different campaigns remains a mystery.
“They may have collaborated with the initial version of SunCrypt and the collaboration fell apart and they went their separate ways. Another theory is that the QNAPCrypt actor was hired to create the initial ransomware to launch the first version of the service,” Joakim Kennedy, security researcher at Intezer told ZDNet.
What the discovery of the two forms of ransomware being related does teach us, however, is that ransomware is constantly evolving and just because one family of ransomware is related to another, they don’t necessarily act in the same way — and that could be in ways which make it more dangerous.
“If a malware is exchanged, whether to an affiliate or over the dark web, then the new operators may choose different procedures, attack vectors, and targets. They might invest considerably in the new malware, adding features and evasion techniques,” said Kennedy.
Both QNAPCrypt and SunCrypt remain active in 2021, with QNAPCrypt in particular targeting systems with which haven’t had security patches applied for are secured with weak passwords. Applying the appropriate security patches and applying strong passwords — and multi-factor authentication — can go a long way towards protecting against falling victim to ransomware attacks.
MORE ON CYBERSECURITY More