More stories

  •

    CrowdStrike to acquire Preempt Security for $96 million

    CrowdStrike on Wednesday announced that it will acquire Preempt Security, providers of zero trust and conditional access technology, for approximately $96 million. 

    CrowdStrike, which offers endpoint and cloud protection solutions, said it plans to use the deal to bolster its Falcon platform with conditional access technology. The Falcon platform includes threat detection, incident response, and enterprise architecture visibility tools, and is CrowdStrike’s flagship offering. 
    CrowdStrike said the acquisition will also allow the company to offer enhanced zero trust security capabilities to customers. 
    “With the addition of Preempt Security’s capabilities, the CrowdStrike Falcon platform will provide enhanced protection against identity-based attacks and insider threats,” said CrowdStrike CEO George Kurtz. “Combining Preempt’s technology with the CrowdStrike Falcon platform will help customers achieve end-to-end visibility and enforcement through identity, behavior and risk-based decisions to stop attacks in real time.”
    As a somewhat newer player in the cybersecurity space, CrowdStrike went public in 2019 and is attempting to stand against established firms including McAfee, Symantec, Kaspersky, and others. Earlier this month the company reported strong second quarter financial results thanks to ongoing distributed work trends and the move to cloud. However, CrowdStrike has poured funding into expansion and is not yet making a profit.

  •

    Microsoft, Italy, and the Netherlands warn of increased Emotet activity

    Two weeks after cyber-security agencies from France, Japan, and New Zealand published warnings about an uptick in Emotet activity, new alerts have been published this past week by agencies in Italy and the Netherlands, but also by Microsoft.
    These new warnings come as Emotet activity has continued to increase, dwarfing any other malware operation active today.
    “It has been very heavy for [Emotet] spam lately,” Joseph Roosen, a member of Cryptolaemus, a group of security researchers who track Emotet malware campaigns, told ZDNet during an interview today.
    “I received about 400 emails at my [dayjob] Monday when it is normally only about a dozen or less than 100 on a good day,” Roosen said, putting the recent spike in perspective.
    “This has been the case the last two weeks.”
    Emotet returned in July but is now spamming at full capacity
    Emotet, by far today’s largest malware botnet, has been dormant for most of this year, from February until July, when it made its comeback.
    The Emotet crew was hoping for a quick return to full capacity, but its comeback was spoiled and delayed for almost a month by a vigilante who kept hacking into Emotet’s infrastructure and replacing its malware with animated GIFs.
    Unfortunately, that didn’t last long, and Emotet operators eventually found a way to stop the hacker and are now back in full control over their botnet, which they are now using to churn out more and more spam every day.
    These spam emails come with malicious files attached, which infect the host with the Emotet malware. The Emotet gang then sells access to these infected hosts to other cybercrime gangs, including ransomware operators.
    Many times, and especially in large corporate environments, an Emotet infection can turn into a ransomware attack within hours.
    That’s why cyber-security agencies and CERT teams in France, Japan, New Zealand, Italy, and the Netherlands are treating Emotet spam campaigns with so much fear and respect, and why they’re releasing alerts to the companies in their respective countries to bolster defenses for Emotet’s spam trickery.
    And Emotet has a large bag of tricks when it comes to its spam operations.
    Roosen, who’s been tracking the botnet for years now, says that Emotet is currently favoring the use of a technique called “email chains” or “hijacked threads.”
    The technique relies on the Emotet gang first stealing an existing email chain from an infected host and then answering the email chain with its own reply (using a spoofed identity), but by also adding a malicious document, hoping to trick existing email chain participants into opening the file and infecting themselves.
    Emotet has been using this technique since October 2018 and has favored it across the years, using it many times before.
    The technique is quite clever and effective and has also been detailed in a report published today by Palo Alto Networks.

    Image: Palo Alto Networks
    But the alerts from Microsoft and Italian authorities also warn of another recent change in Emotet spam campaigns, which are now also leveraging password-protected ZIP files instead of Office documents.
    The idea is that by using password-protected files, email security gateways can’t open the archive to scan its content, and won’t see traces of Emotet malware inside.
    Roosen told ZDNet that Emotet has been using this technique sparingly since mid-2019, but recently they started to increase its prevalence among the Emotet spam campaigns, hence why Microsoft and others are now reacting to its sudden appearance.
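One defensive response to this, as an added example that is not part of the article and not code from Microsoft, Cryptolaemus or any gateway vendor: a small Python triage routine that flags attachments whose ZIP headers carry the encryption bit, so a gateway can hold or tag what it cannot inspect instead of passing it through. The sample archives are constructed in memory; the file names and bytes are placeholders, not real Emotet artefacts, and the `mark_as_encrypted` helper exists only because Python's `zipfile` cannot write password-protected archives.

```python
"""Flag password-protected ZIP e-mail attachments at a mail gateway.

A gateway cannot look inside an encrypted ZIP, so the pragmatic control is to
detect the encryption flag itself.  The ZIP format marks an encrypted entry with
bit 0 of the "general purpose bit flag", present in both the local file header
and the central directory entry; zipfile exposes it as ZipInfo.flag_bits.
"""
import io
import struct
import zipfile

ENCRYPTED_FLAG = 0x0001            # bit 0 of the general purpose bit flag
LOCAL_HDR_SIG = b"PK\x03\x04"      # local file header; flag field at offset 6
CENTRAL_HDR_SIG = b"PK\x01\x02"    # central directory header; flag at offset 8


def analyze_zip_attachment(blob: bytes) -> dict:
    """Classify one attachment body.

    verdict is one of "not-zip", "clean-zip", "encrypted-zip", "corrupt-zip";
    encrypted_entries lists the member names that carry the encryption bit.
    """
    result = {"is_zip": False, "encrypted_entries": [], "verdict": "not-zip"}
    if not blob.startswith(b"PK"):
        return result
    result["is_zip"] = True
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                if info.flag_bits & ENCRYPTED_FLAG:
                    result["encrypted_entries"].append(info.filename)
    except zipfile.BadZipFile:
        # A truncated or malformed archive could not be inspected either, so
        # it gets the same handling as an encrypted one.
        result["verdict"] = "corrupt-zip"
        return result
    result["verdict"] = "encrypted-zip" if result["encrypted_entries"] else "clean-zip"
    return result


def triage_attachments(attachments) -> list:
    """Return the names of attachments the gateway should hold for review:
    encrypted archives and archives it could not parse."""
    held = []
    for name, blob in attachments:
        if analyze_zip_attachment(blob)["verdict"] in ("encrypted-zip", "corrupt-zip"):
            held.append(name)
    return held


# --- constructed sample attachments (placeholders, not real malware) ---------

def build_plain_zip(name: str = "invoice.doc", payload: bytes = b"hello") -> bytes:
    """An ordinary, inspectable ZIP with one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def mark_as_encrypted(blob: bytes) -> bytes:
    """Set the encryption bit on every entry so the archive *looks*
    password-protected.  The member data is left as-is; the detector only
    reads the header flag, which is also all a real gateway can rely on."""
    data = bytearray(blob)
    for sig, offset in ((LOCAL_HDR_SIG, 6), (CENTRAL_HDR_SIG, 8)):
        pos = data.find(sig)
        while pos != -1:
            flag_at = pos + offset
            (flags,) = struct.unpack_from("<H", data, flag_at)
            struct.pack_into("<H", data, flag_at, flags | ENCRYPTED_FLAG)
            pos = data.find(sig, pos + 4)
    return bytes(data)


if __name__ == "__main__":
    plain = build_plain_zip()
    sample_mail = [
        ("report.pdf", b"%PDF-1.4 constructed placeholder"),
        ("archive.zip", plain),
        ("invoice.zip", mark_as_encrypted(plain)),
        ("broken.zip", b"PK\x03\x04 truncated placeholder"),
    ]
    for name, blob in sample_mail:
        print(name, analyze_zip_attachment(blob)["verdict"])
    print("held for review:", triage_attachments(sample_mail))
```

The design choice worth noting is that a corrupt or truncated archive is held alongside an encrypted one: in both cases the gateway has no view of the contents, and the policy question is the same. Whether "held" means quarantine, a banner, or a sandbox detonation is a per-organisation decision; the routine only produces the verdict.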

    Emotet joined the password-protected attachment bandwagon with a campaign starting Friday. The campaign slowed down over the weekend (typical of Emotet) but was back today in even larger volumes of emails in English, as well as in some European languages. pic.twitter.com/POppQ51uMX
    — Microsoft Security Intelligence (@MsftSecIntel) September 22, 2020

  •

    Google unveils new real-time threat detection tool from Chronicle

    Chronicle, a cybersecurity company within Google Cloud, announced a new real-time threat detection tool on Wednesday called Chronicle Detect. 

    The tool is the culmination of Chronicle’s efforts to build a rules engine that can handle complex analytic events, flesh out a new threat detection language tuned for modern attacks and take advantage of the security advantages offered by Google’s scale. Additionally, Chronicle Detect is designed to make it easy for enterprises to move from legacy security tools, or to better analyze data collected with endpoint security solutions like CrowdStrike. 
    “We see this as giving customers the tools they need not only investigate things at Google scale but also to attack those things early enough in ways they couldn’t do before,” Rick Caccia, head of marketing for Google Cloud Security, said to ZDNet. “It allows our customers to write rules that describe behaviors of attackers, and we can detect those things at massive scale, and do it in real-time.”
    Chronicle Detect customers can use advanced out-of-the-box rules or build their own, or migrate rules over from legacy tools. The rules engine incorporates YARA, a widely used, open-source language for writing rules to detect malware. 
    YARA-L, a language for describing threat behaviors, is the foundation of the Chronicle Detect rules engine. The Chronicle team created YARA-L and debuted it earlier this year to apply to security logs and other telemetry, like EDR data and network traffic. YARA-L (L for logs) allows security analysts to write rules better suited for detecting the types of modern threats described in Mitre ATT&CK (a platform that organizes and categorizes the types of tactics and techniques used by bad actors). 
    Chronicle Detect also includes a Sigma-YARA converter, so customers can port their Sigma-based rules to the platform. 
    The new tool also includes threat intelligence and detection rules from Uppercase, Chronicle’s dedicated threat research team. Uppercase researchers have access to a variety of novel tools, techniques, and data sources (including Google Threat Intelligence and a number of industry feeds) that help them uncover the latest crimeware, APTs, and unwanted malicious programs.
    Meanwhile, security teams can send their security telemetry to Chronicle at a fixed cost, giving them a way to leverage the reams of data collected by tools like CrowdStrike. Chronicle Detect maps that data to a common data model across machines, users, and threat indicators so that users can quickly apply powerful detection rules to a unified data set.
    Enterprises have more data than ever before to analyze and help them understand threats, Caccia said. “The bad news is, most can’t make sense of terabytes of information flowing at them. And a lot of these attacks are pretty complex.”

  •

    Facebook wipes out Chinese, Filipino misinformation campaigns

    Facebook has eradicated two separate networks that have covertly spread content concerning hot political topics and propaganda.

    On Tuesday, Facebook Head of Security Policy Nathaniel Gleicher said in a blog post that the networks, one originating in China and the other in the Philippines, violated the firm’s coordinated inauthentic behavior (CIB) policies, which ban accounts, pages, and groups from “misleading others about who they are or what they are doing.”
    “When we investigate and remove these operations, we focus on behavior rather than content, no matter who’s behind them, what they post, or whether they’re foreign or domestic,” Gleicher commented.
    The first network was a Chinese operation involving at least 115 accounts, 11 pages, 9 groups, and 6 Instagram accounts. 
    Focusing primarily on the Philippines, the US, and the Southeast Asia region, members of the scheme posed as locals in targeted countries in order to spread information concerning the political situation surrounding Beijing and the South China Sea, Hong Kong, the current plight of overseas Filipino workers, and both praise and criticism of China. 
    Content both for and against US presidential candidates Pete Buttigieg, Joe Biden, and Donald Trump was also spread, commented on, and liked. An example of the content spread by the network is below:

    To try and stay hidden, the network used VPNs and Facebook says this is not the first time the operation has been spotted — as pages belonging to the group have previously been removed for inauthentic behavior and spreading spam. 
    The network focused on organic and social movement, spending only $60 on advertising. 
    In addition, Facebook wiped out a second campaign connecting 57 Facebook accounts, 31 pages, and 20 Instagram accounts. Based in the Philippines, this network was taken down for violating “our policy against foreign or government interference which is coordinated inauthentic behavior on behalf of a foreign or government entity,” according to the tech giant. 
    Posts in both Filipino and English relating to local news and events were spread and commented on by members of the network, including content focused on politics, military activities, terrorism, and communism. 
    A news organization and civil society group alerted Facebook to these activities, and upon investigation, the company found “links to Philippine military and Philippine police” who had also paid roughly $1,100 for advertising purposes. 
    Facebook publishes regular CIB reports that can be accessed here. 
    Back in April, Facebook began a site-wide crackdown on coronavirus-related fake news, treatment claims, and unfounded conspiracy theories including 5G links and mass vaccination plots. 
    The social media giant has now gone a step further when it comes to anti-vaxxers by removing related pages and content, as well as making it more difficult to find anti-vax groups. Adverts and fundraisers linked to anti-vaccination messages are now also being rejected. 


  •

    Cyberwarfare fears add to security headaches for businesses

    Almost two-thirds of information security professionals believe that cyberwarfare is a threat to their organisation as nation-state-backed cyberattacks become more common and larger in scale – and the concerns are even higher for chief information security officers, with almost three-quarters considering cyberwar a threat to their organisations.
    But there’s still a significant proportion who don’t believe that cyberwarfare is a threat to their businesses and over a quarter of companies don’t have any strategy for how to protect themselves from cyberattacks launched using tools developed by nation states.


    The attitudes of thousands of information security professionals have been detailed in Bitdefender’s global 10 in 10 Study, which set out what the security industry thinks about the challenges that businesses are facing – and a significant number of professionals believe cyberwarfare represents an imminent threat.
    “Dependency on technology is at an all-time high and if someone were to take out the internet connection at home or at the office, no one would be able to get anything done. And with that in mind, that’s why CIOs believe cyberwarfare is a threat to their organisations,” said Liviu Arsene, global cybersecurity researcher at Bitdefender.
    Security professionals polled in the research said the consequences of falling victim to an attack launched as part of a cyberwarfare campaign that worried them ranged from loss of information or loss of reputation, to business interruptions, fines and job losses.
    And in the majority of cases, it’s likely that the organisations that fall victim to cyberattacks conducted by nation states might not even be the intended targets at all.
    For example, the NotPetya cyberattack shut down networks around the world and did billions of dollars of damage in an attack that was most likely launched by Russian military intelligence and that spiralled out of control. The intended target was in Ukraine, but the interconnected nature of the web meant that the malware caused damage far beyond what was intended.
    “Cyberwarfare is interesting because unlike kinetic weaponry — which is used in traditional warfare — it hasn’t become more precise. It’s actually become harder to put boundaries around and to control,” said Dr Jessica Barker, socio-technical lead at Cygenta and chair of ClubCISO.
    “Something that is born of a nation-state attack can then morph and be used in other kinds of attacks. I think that’s a lot of the reason why organisations and professionals now understand that they can be caught up in cyberwarfare in many different layers, for many different reasons,” she added.
    But while many organisations understand the potential risks posed by being caught in the crossfire of a cyberwarfare campaign, some executives don’t see it as a problem or don’t have a plan on how to deal with it.
    “The reason that a quarter of security professionals don’t really have a strategy to protect against cyberwarfare is likely to do with complacency. They’ve never had to deal with an attack or seen one at wide-scale, so haven’t invested the time in protecting against it,” said Arsene.
    “They probably think they’re too small to be targeted or they haven’t had an incident they’ve had to recover from,” he added.
    However, incidents like NotPetya, the WannaCry ransomware and others have demonstrated that organisations of all sizes can find themselves the unwitting victim of a nation-state-developed cyber operation.
    In many cases, even nation-state-backed cyberattacks look to take advantage of known vulnerabilities, so ensuring that patches and security updates are applied as soon as possible can go a long way to protecting against attacks.
    It’s also recommended that organisations keep a firm grip on the threat landscape, so they’re aware of the potential threats and attacks they could be facing – and are prepared for them if they do become real.

  •

    Netgear BR200 small-business router with built-in site-to-site VPN

    Need a high-performance security router for your business? The new Netgear BR200 has been specifically designed to set up a secure site-to-site VPN and firewall rapidly.
    The Netgear BR200 Insight Managed Business Router has been designed to be easy to set up, and features a built-in firewall, VLAN management, and remote cloud monitoring, and can be managed from anywhere you have an internet connection.
    The firewall brings with it everything you need to protect your network, including stateful packet inspection (SPI), port/service blocking, DoS prevention and more.
    At the core of the BR200 is a 1.7GHz dual-core processor, offering enough power to drive up to 256 VLANs.

    • 1 WAN and 4 LAN gigabit Ethernet ports
    • LAN-to-WAN throughput: 924Mbps
    • Remote cloud management and monitoring, all from a single pane of glass
    • IPSec site-to-site VPN configuration through the mobile app and web portal
    • OpenVPN remote-access VPN from the device GUI
    • Firewall capabilities to protect against intrusion and secure your business
    • VLAN configuration
    “Today’s businesses need powerful and secure networking solutions that are also easy to set up and manage,” said Richard Jonker, vice president of product line management for SMB products at Netgear. “Netgear Business is leveraging the intuitive simplicity of the Insight Management solution to implement the industry’s easiest to manage and most affordable router, with full VLAN and IPSec VPN set up.”
    The router can be controlled using Netgear’s Insight Remote Management solution, which works via an app on iOS or Android, or using any web browser, and there are three subscription plan levels: Insight Pro, Insight Premium and Insight Basic.
    The BR200 comes with a year’s free Insight subscription for remote management, and no additional hardware or cloud keys are required.
    And a high-performance security router does not need to break the bank! The Netgear BR200 is priced at $139.99, which, for the package, is very reasonable considering what you are getting for the money.


  •

    Ransomware gang targets Russian businesses in rare coordinated attacks

    Security firm Group-IB says it identified a new cybercrime group that, for the past six months, has repeatedly and intentionally targeted Russian businesses with malware and ransomware attacks.
    Group-IB has named the group OldGremlin and says the hackers are behind targeted attacks with a new ransomware strain called TinyCryptor (aka decr1pt).
    “They have been trying to target only Russian companies so far,” Oleg Skulkin, Group-IB’s senior DFIR analyst, told ZDNet this week.
    “This is very unusual for Russian-speaking gangs who have this unspoken rule about not working within Russia and post-Soviet countries.”
    How attacks unfold
    OldGremlin attacks usually begin with spear-phishing emails carrying malware-laced ZIP files, which will usually infect the victim org with a backdoor trojan named TinyNode. This grants the attackers an initial foothold on the company’s network, where the hackers spread laterally to other systems and then deploy the ransomware in the final stage of their attacks.
    Once a network is encrypted, the OldGremlin crew usually asks for around $50,000 in ransom payments using messages left on infected systems and leading back to a ProtonMail address.
    Skulkin says Group-IB identified the OldGremlin group in August, but the group’s attacks date back to March, with their phishing emails using a wide variety of lures, ranging from posing as journalists looking for an interview to using the anti-government rallies in Belarus as a conversation starter.
    Image: Group-IB
    As Skulkin noted, attacks against Russian entities are rare but have happened before. Usually, groups like Silence and Cobalt started small in Russia before expanding operations outward, to nearby countries first, and then to targets all over the world.
    “If they are Russian, then it’d be unusual but not unheard of. Just a few weeks ago, we noticed an Initial Access Broker offering an RCE for a Russian bank on a Russian-speaking forum, and MagBo offers multiple webshells on Russian websites,” KELA product manager Raveed Laeb, told ZDNet in an interview this week.
    “There is also a possibility that they’re not Russian but do operate out of CIS countries – for example, anti-Russian Ukrainian nationals probably have a double incentive for attacking Russian entities, both financial and ideological,” Laeb added.