More stories

  •

    Manufacturing is becoming a major target for ransomware attacks

    Ransomware has become a major threat to the manufacturing industry as cyber-criminal groups increasingly take an interest in targeting the industrial control systems (ICS) that manage operations.
    According to analysis by cybersecurity researchers at security company Dragos, the number of publicly recorded ransomware attacks against manufacturing has tripled in the last year alone.


    While a lot of manufacturing relies on traditional IT, some elements of manufacturing rely on ICS when mass-producing products – and that’s an area that several hacking groups are actively looking to target.
    That’s potentially very troubling because the interconnected nature of the manufacturing supply chain means that if one factory gets taken down by a cyberattack, it could have wide-ranging consequences.
    For example, if a manufacturing facility that mass produces medicines or other health products was hit by a ransomware attack, that could have knock-on impacts for the healthcare sector as a whole.
    It’s this level of threat that has led cybersecurity researchers at Dragos to describe ransomware with the ability to disrupt industrial processes as the “biggest threat” to manufacturing operations – and at least five hacking groups are actively targeting or demonstrating interest in manufacturing.

    For cyber criminals, manufacturing makes a highly strategic target because in many cases these are operations that can’t afford to be out of action for a long period of time, so they could be more likely to give in to the demands of the attackers and pay hundreds of thousands of dollars in bitcoin in exchange for getting the network back.
    “Manufacturing requires significant uptime in order to meet production and any attack that causes downtime can cost a lot of money. Thus, they may be more inclined to pay attackers,” Selena Larson, intelligence analyst for Dragos, told ZDNet.
    “Additionally, manufacturing operations don’t necessarily have the most robust cybersecurity operations and may make interesting targets of opportunity for adversaries,” she added.
    The nature of manufacturing means industrial and networking assets are often exposed to the internet, providing avenues for hacking groups and ransomware gangs to gain access to the network via remote access technology such as remote desktop protocol (RDP) and VPN services or vulnerabilities in unpatched systems.
    As of October 2020, the company said there were at least 108 advisories containing 262 vulnerabilities impacting industrial equipment found in manufacturing environments during the course of this year alone, many of which potentially leave networks vulnerable to ransomware and other cyberattacks.
    “Unfortunately, unpatched vulnerabilities that can enable initial access will always be an issue. Testing and applying patches as soon as practicable is very important for preventing exploitation,” said Larson.
    Cyber criminals are deploying ransomware because it’s often the quickest and easiest way to make money from compromising a large network. But by gaining enough control of the network to deploy ransomware, hackers will often also be able to access intellectual property and sensitive data that also resides within the network.
    That could potentially lead to hacking groups using ransomware as a smokescreen for cyberattacks designed to steal intellectual property, which could be extremely damaging to victims in the long run.
    “Gaining visibility into the OT environment is very crucial – you can’t protect what you don’t know exists,” said Larson.
    That means taking steps such as conducting regular architecture reviews to identify assets, ensuring devices and services are kept up to date, and conducting “crown jewel analysis” to identify potential weaknesses that could disrupt business continuity.

  •

    DHS rejects Trump's fraud claims: 'Election was most secure in US history'

    Flying in the face of claims by President Donald Trump of voting fraud, the US Department of Homeland Security says the 2020 presidential election was in fact the most secure in US history. 
    In a statement, the DHS’s Cybersecurity and Infrastructure Security Agency (CISA) said it is aware of “many unfounded claims” and “opportunities for misinformation” about the election process.

    “[But] we can assure you we have the utmost confidence in the security and integrity of our elections, and you should too,” CISA said.
    “The November 3 election was the most secure in American history.”
    CISA said election officials are reviewing and double-checking the entire election process before finalizing the result.
    “When states have close elections, many will recount ballots. All the states with close results in the 2020 presidential race have paper records of each vote, allowing the ability to go back and count each ballot if necessary. This is an added benefit for security and resilience. This process allows for the identification and correction of any mistakes or errors,” it said. 

    “There is no evidence that any voting system deleted or lost votes, changed votes, or was in any way compromised.”
    The DHS issued the statement following a report from Reuters that CISA director Chris Krebs said he expects to be fired by the White House. 
    Trump, who has yet to acknowledge Joe Biden’s victory, on Thursday tweeted without evidence that 2.7 million votes for him had been deleted, Associated Press reported.
    Krebs in a tweet today repeated the CISA line that, “We have confidence in the security of your vote, you should too.”
    In the days leading up to the election, Krebs released a message warning Americans not to overreact to bogus claims about election security.
    “The election experience is designed to ensure that technology is not a single point of failure and there are measures in place to ensure that you can vote and that your vote is counted correctly,” he said. 
    “You should have confidence in the integrity of the process and don’t overreact to claims that exaggerate the importance of insignificant events,” said Krebs.
    CISA noted that the US had implemented pre-election testing and state certification of voting equipment, while the US Election Assistance Commission had a certification process for vetting voting equipment. 
    “When you have questions, turn to elections officials as trusted voices as they administer elections,” the agency said. 

    CISA director Chris Krebs: “We have confidence in the security of your vote, you should too.”
    Image: CISA

  •

    Chainalysis launches program to manage cryptocurrency seized by law enforcement

    Chainalysis has launched a program designed to manage and store cryptocurrency seized during criminal investigations. 

    Announced on Thursday, the blockchain analysis firm said the “asset realization program” will handle, hold, and track seized assets, which could include cryptocurrencies such as Bitcoin (BTC), Ethereum (ETH), and alternative tokens. 
    While traditional bank accounts can be frozen when criminal conduct is suspected, cryptocurrencies represent more of a challenge. There is a gray area when it comes to virtual coins — usually stored in either hot wallets with online connectivity or cold wallets, offline — and how to both seize and secure funds until an investigation is complete. 
    This is the niche business opportunity that Chainalysis is attempting to enter. “When law enforcement discovers and investigates illicit cryptocurrency assets, they need to seize and store them until they can be legally forfeited,” the company says. “As such, government agencies and insolvency practitioners — licensed professionals who advise on insolvency matters — need a safe way to track, store, and ultimately sell seized cryptocurrency assets for fiat currency.”
    Chainalysis is also partnering with Asset Reality to develop advisory services for clients in how to sell seized funds, as well as provide training and education to officers in cryptocurrency matters. 

    “As cryptocurrencies become more mainstream, they will increasingly be used by good and bad actors alike,” said Jason Bonds, CRO of Chainalysis. “Chainalysis is dedicated to building trust in digital assets, and that means helping to detect and investigate illicit activity. As our government partners become more successful in rooting out bad actors, assisting them with asset recovery and realization is a natural next step.”
    The announcement was made a week after the US government announced the seizure of BTC worth $1 billion in the largest confiscation of digital coins recorded. The cryptocurrency was allegedly stolen by an unnamed threat actor from Ross Ulbricht, the operator of the underground Silk Road marketplace, prior to his arrest. 
    Operating from 2011 to 2013, Silk Road generated an estimated revenue of 9.5 million Bitcoin, together with 600,000 BTC in commission. 
    The US Department of Justice (DoJ) is seeking forfeiture of the seized cryptocurrency. Chainalysis says the company assisted law enforcement during this investigation, as well as in other recent probes into North Korean hacking activities and terrorism financing. 

  •

    Amazon files lawsuit against Instagram, TikTok influencers over 'dupe' sales scam

    Amazon has filed a lawsuit against Instagram and TikTok personalities for allegedly participating in a scheme to sell counterfeit luxury goods. 

    Filed in the United States District Court for the Western District of Washington and made public on Thursday, the complaint alleges that 13 individuals and businesses ran a scam to lure followers into buying fake luxury products — and deceive Amazon in the process. 
    The influencers, Kelly Fitzpatrick and Sabrina Kelly-Krejci, allegedly peddled counterfeit items listed on Amazon — but disguised — by sellers they conspired with. Amazon claims that Fitzpatrick and Kelly-Krejci used social media platforms, such as Instagram, Facebook, and TikTok — as well as their own websites — to advertise fake products. 
    According to the lawsuit, the influencers posted side-by-side photos of generic, unbranded items and a luxury — but counterfeit — product. The text “Order this/Get this” was posted alongside the photos, with “Order this” referring to a generic product listed on Amazon, and “Get this” referring to a fake luxury good, also referred to as a dupe. 
    As shown in the court filing example below, a generic black wallet would be listed on Amazon, but customers would receive a dupe of a branded product. The generic item, therefore, was nothing more than a placeholder. 

    Videos describing the “high quality” of the fake products were also published by the influencers. 

    “By posting only generic products on Amazon, Fitzpatrick and Kelly-Krejci — and the sellers they coordinated with — attempted to evade our anti-counterfeit protections while using social media to promote the true nature of these counterfeit products,” Amazon says. 
    Fitzpatrick, a former member of the Amazon Influencer Program, has now been booted out of the program. 
    Amazon says dupes are still being advertised on her personal website. At the time of writing, the domain is inaccessible, as is her Instagram profile, now made private. 
    The e-commerce giant says that Kelly-Krejci’s scheme was also “detected and blocked.”
    The social media influencer pool can be a valuable tool for marketers and legitimate, sponsored product placements, listings, and shout-outs do exist. However, as the lawsuit may show, social media platforms can also be abused to conduct fraud and to peddle counterfeit items. 
    Amazon has attempted to crack down on fake goods and dupes in recent years, investing over $500 million to combat such alleged scams in 2019 alone. In June this year, Amazon launched its Counterfeit Crimes Unit to investigate and launch legal action against “bad actors” involved in the sale of counterfeit goods. 
    Cristina Posa, Director of Amazon’s Counterfeit Crimes Unit, described the alleged scam and defendants as “brazen.” 
    “This case demonstrates the need for cross-industry collaboration in order to drive counterfeiters out of business,” Posa commented. “Amazon continues to invest tremendous resources to stop bad actors before they enter our store and social media sites must similarly vet, monitor, and take action on bad actors that are using their services to facilitate illegal behavior.”

  •

    BlackBerry discovers new hacker-for-hire mercenary group

    BlackBerry’s security team has published details today about a new hacker-for-hire mercenary group it discovered earlier this year and has tied to attacks on victims all over the world.


    The group, which BlackBerry named CostaRicto, is the fifth hacker-for-hire group discovered this year after the likes of:
    BellTrox (aka Dark Basin) [1, 2, 3]
    DeathStalker (aka Deceptikons) [1, 2]
    Bahamut [1, 2]
    Unnamed group [1]
    CostaRicto’s discovery also comes to retroactively confirm a Google report from May, when the US tech giant highlighted the increasing number of hacker-for-hire mercenary groups, and especially those operating out of India.
    However, while BellTrox has been linked to an Indian entity and Bahamut is suspected of operating out of India as well, details about CostaRicto’s current origins and whereabouts still remain unknown.
    What is currently known is that the group has orchestrated attacks all over the globe across different countries in Europe, the Americas, Asia, Australia, and Africa.
    However, BlackBerry says the biggest concentration of victims appears to be in South Asia, and especially India, Bangladesh, and Singapore, suggesting that the threat actor could be based in the region, “but working on a wide range of commissions from diverse clients.”
    As for the nature of the targets, the BlackBerry Research and Intelligence Team said in a report today that “the victims’ profiles are diverse across several verticals, with a large portion being financial institutions.”

    Furthermore, BlackBerry says that “the diversity and geography of the victims doesn’t fit a picture of a campaign sponsored by a particular state” but suggests that they are “a mix of targets that could be explained by different assignments commissioned by disparate entities.”
    CostaRicto group linked to new sophisticated Sombra malware
    BlackBerry also adds that while the group is using custom-built and never-before-seen malware, they are not operating using any innovative techniques.
    Most of their attacks rely on stolen credentials or spear-phishing emails as the initial entry vector. These emails usually deliver a backdoor trojan that BlackBerry has named Sombra or SombRAT.
    The backdoor trojan allows CostaRicto operators to access infected hosts, search for sensitive files, and exfiltrate important documents.
    This data is usually sent back to CostaRicto command-and-control infrastructure, which BlackBerry says is usually hosted on the dark web and accessible only via Tor.
    Furthermore, the infected hosts usually connect to these servers via a layer of proxies and SSH tunnels to hide the malicious traffic from the infected organizations.
    All in all, BlackBerry says these practices “reveal better-than-average operation security,” when compared to your usual hacking groups.
    All the CostaRicto malware samples that BlackBerry discovered have been traced back to as early as October 2019, but other clues in the gang’s servers suggest the group might have been active even earlier, as far back as 2017.
    Furthermore, researchers said they also discovered an overlap with past campaigns from APT28, one of Russia’s military hacking units, but BlackBerry believes the server overlap may have been accidental.
    Hacker-for-hire groups — the new landscape
    For many years, most hacking groups have operated as stand-alone groups, carrying out financially-motivated attacks, stealing data, and selling for their own profit.
    The public exposures of BellTrox, DeathStalker, Bahamut, and CostaRicto this year show a maturing hacker-for-hire scene, with more and more groups renting their services to multiple customers with different agendas instead of operating as lone wolves.
    The next step in investigating these groups will need to look at who their clients are. Are they private corporations or foreign governments? Or are they both?

  •

    DNS cache poisoning poised for a comeback: Sad DNS

    Back in 2008, Domain Name System (DNS) server cache poisoning was a big deal. By substituting misleading Internet Protocol (IP) addresses into DNS results, hackers could redirect your web browser from the safe site you wanted to a fake one loaded with malware. Fixes were found and DNS cache poisoning attacks became rare. Now, thanks to a discovery by researchers at the University of California, Riverside, a new way has been found to exploit vulnerable DNS caches: Sad DNS.

    Here’s how it works: First, DNS is the internet’s master address list. With it, instead of writing out an IPv4 address like “173.245.48.1,” or an IPv6 address such as “2400:cb00:2048:1::c629:d7a2,” one of Cloudflare’s many addresses, you simply type in “http://www.cloudflare.com,” DNS finds the right IP address for you, and you’re on your way.
    With DNS cache poisoning, however, your DNS requests are intercepted and redirected to a poisoned DNS cache. This rogue cache gives your web browser or other internet application a malicious IP address. Instead of going to where you want to go, you’re sent to a fake site. That forged website can then upload ransomware to your PC or grab your user name, password, and account numbers. In a word: Ouch!
    Modern defense measures — such as randomizing both the DNS query ID and the DNS request source port, DNS-based Authentication of Named Entities (DANE), and Domain Name System Security Extensions (DNSSEC) — largely stopped DNS cache poisoning. These DNS security methods, however, have never been deployed widely enough, so DNS-based attacks still happen.
    Now, though, researchers have found a side-channel attack, SAD DNS, that can be used successfully against the most popular DNS software stacks. Vulnerable programs include the widely used BIND, Unbound, and dnsmasq running on top of Linux and other operating systems. The attack hinges on the DNS server’s operating system and network being configured to allow Internet Control Message Protocol (ICMP) error messages. 
    Here’s how it works: First, the attacker uses a device able to spoof IP addresses and a computer able to trigger a request out of a DNS forwarder or resolver. Forwarders and resolvers work out where to send DNS requests. A forwarder attack, for example, is possible when the attacker is logged into a LAN managed by a wireless router, such as a school or library public wireless network. Public DNS resolvers, such as Cloudflare’s 1.1.1.1 and Google’s 8.8.8.8, can also be attacked. 
    Next, the researchers used a network channel affiliated with, but outside of, the main channels used in the DNS requests. Through it, they figured out the source port number by holding the channel open long enough to run 1,000 guesses per second until they hit the right one. With the source port derandomized, the group inserted a malicious IP address and successfully pulled off a DNS cache poisoning attack.

    In their study, they found just over 34% of the open resolver population on the internet is vulnerable. They found that 85% of the most popular free public DNS services are open to attacks. 
    You can check to see if you’re open to attack simply by going to this Sad DNS web page and following the instructions. I’ll add that I’m both very security and network conscious and my systems were vulnerable. 
    There are ways to stop these attacks. Indeed, we already have these methods. DNSSEC would help, but it’s still not deployed enough. If you used the relatively new RFC 7873 DNS cookie that would help as well. 
    The simplest mitigation, though, is to disallow outgoing ICMP replies altogether. This comes at the potential cost of losing some network troubleshooting and diagnostic features. 
    Another easy fix is to set the timeout of DNS queries more aggressively, for example to less than a second. That way the source port is short-lived and disappears before the attacker can start injecting rogue responses. The downside is the possibility of more retransmitted queries and worse overall performance.
    Whichever method you use, one thing is clear: if you run a DNS server or forwarder, you must do something. This attack is too easy, and it will soon be used by criminal hackers. And, while I certainly recommend the quick and easy fixes, would it really kill you to finally start using DNSSEC? It’s way past time for everyone to adopt it. 
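    As an added illustration, not taken from the article or from the UC Riverside researchers’ work, the Python script below models the two defensive checks the text turns on: a resolver caches an answer only when its transaction ID, source port and question match a query that is still outstanding (the 32 bits an off-path forger has to guess once the port is no longer leaked), and an outstanding query expires after a sub-second timeout, as the article recommends. The wire-format helpers, the `StubResolver` class, the hostnames and the IP addresses are all constructed sample material for this example.

```python
import random
import struct
import time

# Minimal RFC 1035 wire-format helpers (constructed for this example, not real resolver code).

def encode_name(qname):
    """Encode a dotted hostname as length-prefixed labels ending in a zero-length label."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in qname.rstrip(".").split(".")) + b"\x00"

def decode_name(data, offset):
    """Decode a name at offset, following a compression pointer; returns (name, next_offset)."""
    labels, jumped_to = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                       # pointer to an earlier copy of the name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            jumped_to = jumped_to if jumped_to is not None else offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (jumped_to if jumped_to is not None else offset)

def build_response(txid, qname, ipv4, ttl=300):
    """Constructed A-record response for qname (sample data, not captured traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD, RA, one question, one answer
    question = encode_name(qname) + struct.pack("!HH", 1, 1)     # QTYPE A, QCLASS IN
    rdata = bytes(int(octet) for octet in ipv4.split("."))
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, len(rdata)) + rdata  # name = pointer to offset 12
    return header + question + answer

def parse_response(data):
    """Return (txid, qname, ipv4, ttl) taken from the first IN A answer of a response."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000 or qdcount != 1 or ancount < 1:
        raise ValueError("not a usable response")
    qname, offset = decode_name(data, 12)
    offset += 4                                          # skip QTYPE and QCLASS
    _, offset = decode_name(data, offset)                # answer owner name
    rtype, rclass, ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
    offset += 10
    if (rtype, rclass, rdlength) != (1, 1, 4):
        raise ValueError("first answer is not an IN A record")
    return txid, qname, ".".join(str(b) for b in data[offset:offset + 4]), ttl

class StubResolver:
    """Cache that accepts an answer only for a live outstanding (source port, txid, qname)."""

    def __init__(self, timeout=0.5, clock=time.monotonic, rng=random):
        self.timeout = timeout      # sub-second query lifetime, as the article suggests
        self.clock, self.rng = clock, rng
        self.pending = {}           # (sport, txid) -> (qname, deadline)
        self.cache = {}             # qname -> (ipv4, expires_at)

    def send_query(self, qname):
        """Choose a random ephemeral source port and transaction ID for the outgoing query."""
        while True:
            sport, txid = self.rng.randint(1024, 65535), self.rng.randint(0, 0xFFFF)
            if (sport, txid) not in self.pending:
                break
        self.pending[(sport, txid)] = (qname.lower(), self.clock() + self.timeout)
        return sport, txid

    def accept(self, sport, data):
        """Cache the answer and return True only if it matches a query that is still open."""
        try:
            txid, qname, ipv4, ttl = parse_response(data)
        except (ValueError, IndexError, struct.error):
            return False
        entry = self.pending.get((sport, txid))
        if entry is None or entry[0] != qname.lower():
            return False                                 # wrong port, wrong txid or off-question
        del self.pending[(sport, txid)]
        if self.clock() > entry[1]:
            return False                                 # query lifetime over; port already closed
        self.cache[qname.lower()] = (ipv4, self.clock() + ttl)
        return True

    def lookup(self, qname):
        hit = self.cache.get(qname.lower())
        return None if hit is None or self.clock() > hit[1] else hit[0]

def demo():
    """Walk through a forged answer (wrong txid), a genuine answer and a late answer."""
    now = [0.0]
    resolver = StubResolver(timeout=0.5, clock=lambda: now[0])
    sport, txid = resolver.send_query("www.example.com")
    forged = build_response(txid ^ 0x0001, "www.example.com", "192.0.2.66")   # bad guess
    genuine = build_response(txid, "www.example.com", "203.0.113.5")
    results = {"forged_rejected": not resolver.accept(sport, forged),
               "genuine_accepted": resolver.accept(sport, genuine),
               "cached": resolver.lookup("www.example.com")}
    sport, txid = resolver.send_query("mail.example.com")
    now[0] += 1.0                                        # beyond the 0.5 s query lifetime
    late = build_response(txid, "mail.example.com", "203.0.113.6")
    results["late_rejected"] = not resolver.accept(sport, late)
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    The point of the timeout branch is the one the article makes: a forged answer that matches port and ID is still useless if the query it targets has already been closed, so shortening the query lifetime bounds how many guesses an attacker can make against any one outstanding request.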
    As for users, you must be more careful than ever that when you go to a commerce site like Amazon or your local bank that the site really is the one you think it is. If you don’t, you can kiss your online identity and a lot of money goodbye.