More stories

  • Rogue CCTV technician spied on hundreds of customers during intimate moments

    A Texas-based CCTV technician pleaded guilty this week to illegally accessing the security cameras of hundreds of families to watch people in their homes get naked and engage in sexual activities.
    According to a criminal complaint [PDF], Telesforo Aviles, a 35-year-old, committed his crimes between November 2015 and March 2020 while working as a support technician for ADT, a provider of home security services.
    Aviles’s job involved installing home video surveillance cameras at customer premises and configuring the devices to work with the company’s proprietary ADT Pulse app.
    But prosecutors said that Aviles strayed from company policy and started adding his personal email address to customers’ ADT Pulse app during the installation and testing process.
    Investigators said the technician usually targeted attractive women, and he used the backdoor account to access the camera’s real-time video feed and spy on customers in intimate moments in their homes and with their partners.
    The technician’s scheme was discovered in January and February 2020 when several customers discovered Aviles’ email address in their app’s configuration panel and reported the incidents to ADT, which later referred the case to authorities.

    Aviles was charged in April 2020 and pleaded guilty [PDF] this week, on Thursday.
    Prosecutors said Aviles accessed more than 200 customer CCTV systems on more than 9,600 occasions.
    The former ADT technician now faces a sentence of up to five years in prison and a fine of up to $250,000, according to court documents. He was conditionally released earlier this week [PDF].
    ADT notified its customers of the incident in April 2020. The New York Post reported at the time that the company tried to convince customers to sign a confidentiality agreement in exchange for a monetary payment so Aviles’ actions wouldn’t leak online.
    Their efforts didn’t work, and the company is currently facing three class-action lawsuits [1, 2, 3] as a result of its former employee’s actions.

  • SonicWall says it was hacked using zero-days in its own products

    Networking device maker SonicWall said on Friday night that it is investigating a security breach of its internal network after detecting what it described as a “coordinated attack.”
    In a short statement posted on its knowledgebase portal, the company said that “highly sophisticated threat actors” targeted its internal systems by “exploiting probable zero-day vulnerabilities on certain SonicWall secure remote access products.”
    The company listed NetExtender VPN clients and the Secure Mobile Access (SMA) gateways as impacted:
      • NetExtender VPN client version 10.x (released in 2020), used to connect to SMA 100 series appliances and SonicWall firewalls.
      • Secure Mobile Access (SMA) version 10.x running on SMA 200, SMA 210, SMA 400, SMA 410 physical appliances, and the SMA 500v virtual appliance.
    SonicWall said that the newer SMA 1000 series is not impacted as that particular product series is using a different VPN client than NetExtender.
    Patches for the zero-day vulnerabilities are not available at the time of writing.
    To help keep its own customers’ networks safe, the vendor has included a series of mitigations in its knowledgebase article, such as deploying a firewall to limit who can interact with SMA devices or disabling access via the NetExtender VPN client to its firewalls.
    SonicWall also urged companies to enable two-factor authentication options in its products for admin accounts.

    The networking device maker, whose products are often used to secure access to corporate networks, now becomes the fourth security vendor to disclose a security breach over the past two months after FireEye, Microsoft, and Malwarebytes.
    All three previous companies were breached during the SolarWinds supply chain attack. CrowdStrike said it was targeted in the SolarWinds hack as well, but the attack did not succeed.
    Cisco, another major vendor of networking and security devices, was also targeted by the SolarWinds hackers. The company said last month it was investigating if attackers escalated their initial access from the SolarWinds products to other parts of its network.
    Multiple sources in the threat intel community told ZDNet after the publication of this article that SonicWall might have fallen victim to a ransomware attack.

  • FSB warns of US cyberattacks after Biden administration comments

    The Russian government has issued a security alert on Thursday evening warning Russian businesses of potential cyberattacks launched by the United States in response to the SolarWinds incident.
    The Russian government’s response comes after comments made by the new Biden administration earlier in the day.
    Answering questions about their plans on the SolarWinds hack, new White House officials said they reserved the right to respond at a time and manner of their choosing to any cyberattack.

    At first White House press briefing @PressSec says on SolarWinds breach: “we’ve spoken about this previously…of course we reserve the right to respond at a time and manner of our choosing to any cyberattack”
    — Shannon Vavra (@shanvav) January 21, 2021

    Moscow’s response to this comment came hours later in the form of a security bulletin published by the National Coordination Center for Computer Incidents (NKTSKI), a security agency founded by the Russian Federal Security Service (FSB), Russia’s internal security and intelligence agency.
    The short statement cited the Biden administration’s comments, interpreted as threats, and provided a list of 15 security best practices that businesses should adhere to in order to remain safe online.

    The best practices included in the alert are run-of-the-mill security advice, nothing that companies or even the least experienced security practitioner would not already know.

    The security alert was published more as a response to the Biden administration’s aggressive statements earlier in the day.
    The White House’s comments follow a tone set two weeks ago when US officials from the FBI, CISA, ODNI, and NSA formally blamed Russia for orchestrating the wide-reaching SolarWinds supply chain attack.
    Kremlin officials have denied multiple times having had any hand in the SolarWinds incident.
    During yesterday’s press conference, the Biden administration also promised to commit $9 billion towards cybersecurity in the aftermath of the SolarWinds hack.


  • As Bitcoin price surges, DDoS extortion gangs return in force

    Extortion groups that send emails threatening companies with DDoS attacks unless paid a certain fee are making a comeback, security firm Radware warned today.
    In a security alert sent to its customers and shared with ZDNet this week, Radware said that during the last week of 2020 and the first week of 2021, its customers received a new wave of DDoS extortion emails.
    Extortionists threatened companies with crippling DDoS attacks unless they got paid between 5 and 10 bitcoins ($150,000 to $300,000).
    Radware said that some of the emails it has seen were sent by a group that was active over the 2020 summer, when the extortionists targeted many financial organizations across the world.
    Companies that received this group’s emails last summer also received new threats over the winter, Radware said.
    The security firm believes that the rise in the Bitcoin-to-USD price has led to some groups returning to or re-prioritizing DDoS extortion schemes.
    But Radware said that the Bitcoin price surge was so sudden and unexpected that it caught even some of the extortion groups by surprise. The extortionists had to adapt and reduce their demands over time, going from 10 BTC to 5 BTC, because the Bitcoin price had tripled since August 2020 and in some cases the original fee would have been too large for companies to pay.

    And just like in the summer of 2020, Radware said that these DDoS extortion groups had the firepower to deliver on their threats.
    Radware said it saw some organizations being targeted with DDoS attacks after receiving the extortion emails. Attacks typically lasted around nine hours and ranged around 200 Gbps, with one attack peaking at 237 Gbps.

    But this resurgence in DDoS extortion tactics was also documented by Lumen’s Black Lotus Labs, which reported on their comeback last week.
    The former CenturyLink division, now part of Lumen, said these schemes never actually stopped, although the frequency of these email threats died down over the fall, compared to their prevalence over the summer.
    Just like before, the DDoS extortion gangs also kept using the names of more famous hacking groups to send their threats, hoping to intimidate victims. Attackers used names such as Fancy Bear, Cozy Bear, Lazarus Group, and Armada Collective.
    But towards the end of the year, Black Lotus Labs reported that some of these extortion emails were also signed using the name of Kadyrovtsy, the name of an elite Chechen military group that has also been associated with DDoS gangs and extortionists in the early 2010s.
    Both Black Lotus Labs and Radware recommended that companies not pay the ransom, as this merely invites more extortion attempts in the future. Instead, companies are advised to request additional protection against any potential attacks from their security providers.

  • New website launched to document vulnerabilities in malware strains

    A security researcher launched this month a web portal that lists vulnerabilities in the code of common malware strains. The researcher hopes other security professionals will use the bugs to crash, disable, and uninstall malware on infected hosts as part of incident response operations.
    Created and launched by bug hunter John Page, the new MalVuln portal is available at malvuln.com.
    The site itself is your typical vulnerability disclosure portal. It lists the software’s name (in this case, the malware’s name), describes the vulnerability in technical detail, and provides proof-of-concept (PoC) exploit code so others can reproduce the issue.
    Page tells ZDNet he created the site out of boredom during the recent COVID-19 lockdown.
    “It’s out of the norm, there’s never been a dedicated website for this type of thing,” the researcher told ZDNet in an email interview.

    Currently, MalVuln lists 45 security flaws. Some are for current threats such as Phorpiex (Trik), others for old malware strains such as Bayrob.
    Page said all the vulnerabilities listed on MalVuln right now are his own discoveries.

    “There have been no outside submissions, and I am not currently accepting them,” Page said. However, a PGP key is listed on the site, and the plan is to allow others to submit their findings sometime in the future.
    Controversy brewing?
    But the site also touches on a sensitive topic in the cyber-security industry. For decades, security researchers have been secretly hacking back against malware operators.
    Just like malware sometimes uses bugs in legitimate apps to infiltrate systems, security firms have also used bugs in malware code to infiltrate the attacker’s infrastructure.
    Security firms will often hack a malware’s command and control server to retrieve data about victims, or they’ll use bugs in malware to disable and remove it from infected systems.
    This practice has been a closely guarded secret, primarily due to the legal ramifications that come with the practice of “hacking back,” and the benefits that come with secretly abusing malware bugs to track threat actors.
    For example, for years, security firm Fox-IT used a bug in Cobalt Strike, a legitimate tool abused by cybercrime gangs, to track the location of possible malware command and control servers. The company disclosed that it had done so only after the bug was reported and fixed in 2019.
    It is no wonder, then, that when a website like MalVuln launched earlier this month, there were quite a few grumblings about how MalVuln was giving away these closely guarded secrets and indirectly helping malware operators by pointing out bugs in their code, effectively taking away valuable tools from security firms and incident responders.
    But Page told ZDNet that he doesn’t care about this aspect.
    “I do my own thing and I don’t respond. These are usually the same people who think vulnerabilities should not be public because it helps attackers,” he said.
    And Page is not the only one sharing this opinion, with other security researchers demanding more openness about this practice and more sharing of such details in the cyber-security community.

    I’m very happy someone has done this. Many times when discussing attacking malware, c2s, etc… people lose their shit or shut up and refuse to talk about it. I think this is a big move forward for infosec as a whole, even the dreaded “hacker turf war” comes of it https://t.co/XQh5fHVYOE
    — Célia Catalbas (@MaraAnn333) January 11, 2021

    Either way, the topic will remain controversial, but MalVuln has touched on a real issue — that malware also contains bugs just as bad as regular software.
    “Lots of self-hating malware out there,” Page said, promising to release more malware bugs in the future.

  • Cisco warns on critical security vulnerabilities in SD-WAN software, so update now

    Cisco is warning customers to update its networking software immediately, flagging four critical security vulnerabilities affecting SD-WAN, DNA, and the Smart Software Manager Satellite. 
    The Cisco SD-WAN has three command injection vulnerabilities that are tracked as CVE-2021-1260, CVE-2021-1261, and CVE-2021-1262. Collectively, they have a severity score of 9.9 out of 10. In other words, these are serious flaws and require immediate action. And that rating comes despite an attacker on the internet actually needing a valid password. 


    “Multiple vulnerabilities in Cisco SD-WAN products could allow an authenticated attacker to perform command injection attacks against an affected device, which could allow the attacker to take certain actions with root privileges on the device,” Cisco notes. 
    That severity rating could be due to its impact: “A successful exploit could allow the attacker to gain root-level access to the affected system,” Cisco notes. 
    This issue affects Cisco’s SD-WAN vBond Orchestrator Software, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vManage Software, and SD-WAN vSmart Controller Software.
    Cisco SD-WAN suffers from two other bugs with a severity score of 9.8, which are tracked as CVE-2021-1300 and CVE-2021-1301. 

    These nasties allow “an unauthenticated, remote attacker to execute attacks against an affected device”, according to Cisco. 
    They affect IOS XE SD-WAN Software, SD-WAN vBond Orchestrator Software, SD-WAN vEdge Cloud Routers, SD-WAN vEdge Routers, SD-WAN vManage Software, and SD-WAN vSmart Controller Software. 
    With a severity rating of 9.6, the Command Runner tool of Cisco DNA Center “could allow an authenticated, remote attacker to perform a command injection attack.” It’s tracked as CVE-2021-1264. 
    Again, the attacker needs a correct login, but leaky input validation by the Command Runner tool could “allow the attacker to execute arbitrary CLI commands on devices managed by Cisco DNA Center,” according to Cisco. 
    Finally, the Cisco Smart Software Manager Satellite Web user interface has a 9.8 severity bug because remote attackers can inject malicious commands into it even without a password.
    The advisory consists of three distinct bugs, tracked as CVE-2021-1138, CVE-2021-1139, and CVE-2021-1140. These are bad bugs and warrant an immediate update, according to Cisco. 
    “An attacker could exploit these vulnerabilities by sending malicious HTTP requests to an affected device. A successful exploit could allow the attacker to run arbitrary commands on the underlying operating system,” Cisco explained. 
    The good news is that Cisco engineers found all but one of the critical vulnerabilities, while one was found by a customer that reported an issue. Cisco was not aware of any of the flaws being actively exploited.
    Cisco published advisories for a total of 19 bugs in January, 2021. Besides the four critical vulnerabilities, there were nine high severity flaws, and 18 medium severity flaws. 
    Some customers may already be protected from these vulnerabilities because Cisco regularly pushes out releases with security fixes before it discloses security flaws.

  • Eight Cisco and CompTIA courses that will prep you for a career in cybersecurity

    Cybersecurity should be on every organization’s mind these days, because if the US government can be hacked, so can anyone else. This means there’s plenty of opportunities for cybersecurity professionals to shine. If you’re interested in learning about network security and computers in general, you might enjoy a career in IT, and this 8-course bundle can get you started for $34.99.


    The Ultimate Cybersecurity & IT Career Certification Pathway Training Bundle is packed with 169 hours of study material on some of the most in-demand Cisco and CompTIA certifications. 
    The Cisco course is led by David Bombal, a Cisco Certified Systems Instructor who has taught Cisco courses for over 15 years. He’s also a top-rated Udemy instructor who has taught over 600 thousand students to date. His Cisco CCNA 200-301 Exam course serves as an introductory course to networking that uses real-world scenarios to teach you how to configure routers and switches, secure a network, and much more.
    The CompTIA courses are provided by Total Seminars, an e-learning platform that produces the #1-selling CompTIA A+ and Network+ Certification books in the world. In these courses, you’ll find in-depth video courses that will guide you through CompTIA’s entry-level ITF+ and A+ certifications all the way up to CySA+ and PenTest+.
    As mentioned, ITF+ and A+ are the easiest CompTIA certifications you can earn, and these Total Seminars courses are ideal if you’re interested in IT but still unsure if you want to make a career out of it yet. Here, you’ll learn how to set up and configure networking devices, basic scripting, command-line tools, and even introductory security concepts. 
    If you enjoy what you’ve learned, you can earn your certifications, build up work experience, and make your way down CompTIA’s cybersecurity learning path, and the rest of the courses will guide you along the way. 
    Joining the front lines against cybercrime requires skills in network security and threat management, all of which you’ll learn in The Ultimate Cybersecurity & IT Career Certification Pathway Training Bundle, which is on sale today for just $34.99.

  • Hackers publish thousands of files after government agency refuses to pay ransom

    The hackers behind the ransomware attack on the Scottish Environment Protection Agency (SEPA) have published thousands of stolen files after the organisation refused to pay the ransom.
    Scotland’s government regulator for protecting the environment was hit with a ransomware attack on Christmas Eve, with cybercriminals stealing 1.2 GB of data in the process. Almost a month on from the attack, SEPA services remain disrupted – but despite this, the agency has made it clear it won’t engage with those behind the attack.

    SEPA hasn’t confirmed what form of ransomware it has fallen victim to, but the Conti ransomware gang claimed responsibility for the attack.
    As a result of the non-payment, Conti has published all of the stolen data on its website, posting over 4,000 documents and databases related to contracts, commercial services and strategy. The latest update from SEPA confirms that at least 4,000 files have been stolen and published.
    “We’ve been clear that we won’t use public finance to pay serious and organised criminals intent on disrupting public services and extorting public funds,” said Terry A’Hearn, chief executive of SEPA.
    “We have made our legal obligations and duty of care on the sensitive handling of data a high priority and, following Police Scotland advice, are confirming that data stolen has been illegally published online. We’re working quickly with multi-agency partners to recover and analyse data then, as identifications are confirmed, contact and support affected organisations and individuals,” he added.

    Agencies SEPA is working with in continued efforts to investigate the attack and fully restore the network include the Scottish Government, Police Scotland and the National Cyber Security Centre (NCSC).
    Despite the impact of the attack, SEPA is still able to provide flood forecasting and warning services, as well as regulation and monitoring services.
    Stealing data and threatening to make it public if a ransom isn’t paid in exchange for the decryption key has become an increasingly common tactic for the most successful ransomware gangs, with that extra leverage helping them to make millions of dollars in bitcoin per attack.
    In some cases, victims who have the capability to restore the network without the decryption key are still paying ransoms just to prevent hackers from leaking stolen data.
    Ransomware has become one of the most disruptive and damaging cyberattacks an organisation can face and criminals show no signs of slowing down campaigns because, for now at least, ransomware gangs are still successfully extorting large payments from a significant percentage of victims.
