IT NEWS

800 arrests after police dupe crime groups into using backdoored phones

An international operation that monitored an encrypted device company under the control of the Federal Bureau of Investigation (FBI) and the Australian Federal Police (AFP) has led to a massive, coordinated sting by law enforcement in several countries.

The setup

Law enforcement agencies around the world have long campaigned for encryption backdoors, so they can see what criminals are saying to each other. Unable to break the encryption of existing messaging apps, the FBI and the AFP came up with an ingenious plan to get criminals to use a device for encrypted communication that they could eavesdrop on.

The FBI created an app called AN0M to fill the void left behind by the dismantling of several encrypted platforms used by criminals. Custom cellphones with the FBI-controlled platform installed were sold on underground markets and grew in popularity. Not all the users interested in these devices were necessarily criminals, but the phones turned out to be very popular among criminals of all kinds, including outlaw motorcycle gangs, Italian organized crime, Asian crime syndicates, and international drug traffickers.

As a result, law enforcement officials were able to monitor what those users had to say for nearly three years.

The operation

The name of the operation differs depending on who you ask. The AFP refers to it as Special Operation Ironside, Europol ran an Operational Task Force to support the sting and called it Greenlight, and the FBI (and many others) call it Operation Trojan Shield. The last name is fitting: the platform pretended to offer criminals a shield to hide their messages, but that shield was in fact a Trojan horse.

The goal of the new platform was to target global organized crime, drug trafficking, and money laundering organizations, regardless of where they operated, with an encrypted device that had features that would appeal to organized crime networks, such as remote wipe and duress passwords, to persuade criminal networks to pivot to the device.

The service is said to have provided over 12,000 encrypted devices to over 300 criminal syndicates operating in more than 100 countries.

The cooperation

The FBI had the lead in the investigation, aided by the AFP, which provided the systems needed to decrypt the messages. Europol supported the operation by coordinating the international law enforcement community that was involved, by enriching the information picture and bringing the criminal intelligence into ongoing operations to target organized crime and drug trafficking organizations. The following countries participated in the international coalition: Australia, Austria, Canada, Denmark, Estonia, Finland, Germany, Hungary, Lithuania, New Zealand, the Netherlands, Norway, Sweden, the United Kingdom, and the United States.

Is it legal?

Of course it was, you would say, since it was run by law enforcement. But listening in on the conversations of people against whom you have no evidence is not allowed in many countries. The AFP’s prominent role may be related to Australia’s Telecommunications and other Legislation Amendment (TOLA), passed in 2018. The TOLA gives Australian law enforcement the ability to issue technical assistance requests (TARs) that oblige companies providing technical services in Australia to help decrypt messages, either with existing technical assistance or by building new capabilities.

Providing a service after taking down the real enablers

It is ironic in a way that the need for an encrypted device company arose after the EncroChat system had been compromised so that law enforcement could eavesdrop, and the Sky ECC communication service was unlocked. After these events AN0M was welcomed in criminal circles and passed on by word of mouth. Australian Federal Police Commissioner Reece Kershaw:

“Essentially, they have handcuffed each other by endorsing and trusting AN0M and openly communicating on it — not knowing we were watching the entire time.”

You had to know a criminal to get hold of one of these customized phones and you could only communicate with someone on the same platform. This probably helped to limit the number of customers to the “target audience” of the agencies that ran the sting operation.

The results

To say that the operation was a success would be an understatement. Law enforcement agencies report that around 800 suspects have been arrested. Searches of more than 700 houses have resulted in the seizure of over eight tons of cocaine, 22 tons of cannabis and cannabis resin, two tons of synthetic drugs, six tons of synthetic drugs precursors, 250 firearms, 55 luxury vehicles and over $48 million in cash and cryptocurrencies.

Why stop now?

Given that the operation was so successful, questions have been raised about why it wasn’t continued. The decision to stop the operation was reportedly made jointly by all the international partners. But Commissioner Kershaw is reported to have hinted at “a legal time frame on this operation” about which more details might be revealed later on. We’ll keep you posted.

The post 800 arrests after police dupe crime groups into using backdoored phones appeared first on Malwarebytes Labs.

DOJ recovers pipeline ransom, signals more aggressive approach to cybercrime

The US Department of Justice announced Monday that it recovered much of the ransomware payment that Colonial Pipeline paid to free itself from the attack that derailed the oil and gas supplier’s operations for several days last month.

The seizure of 63.7 of the initial 75 paid bitcoins represented the first success of the Justice Department’s Ransomware and Digital Extortion Task Force, a team formalized just months ago, according to reporting from The Wall Street Journal. The value of the recovered bitcoins stands at roughly $2.3 million.

Some commentators have speculated that the discrepancy between what was paid and what was recovered may be accounted for by the fact that Darkside ransomware is sold under the Ransomware-as-a-Service (RaaS) model. The missing money (about 15% of the total) may be the fee the attackers paid the Darkside creators for using their malware.

In statements prepared Monday, US Deputy Attorney General Lisa Monaco characterized the operation as a victory and a representation of the Justice Department’s full powers.

“Following the money remains one of the most basic, yet powerful tools we have,” Monaco said. “Ransom payments are the fuel that propels the digital extortion engine, and today’s announcement demonstrates that the United States will use all available tools to make these attacks more costly and less profitable for criminal enterprises. We will continue to target the entire ransomware ecosystem to disrupt and deter these attacks.”

Monaco added that the Department of Justice’s actions showcased the “value of early notification to law enforcement”—a clear signal that the federal government is now operating in lockstep to curb the threat of ransomware. In mid-May, the White House emphasized the importance of cyberattack notification when President Joe Biden signed an Executive Order that requires such warnings from technology companies that sell their products to the federal government. Weeks later, the Transportation Security Administration (TSA) rolled out a new cybersecurity directive for all US pipeline companies that will require pipelines to notify the government of any cyberattacks.

According to a sworn affidavit in support of a “seizure warrant” that was revealed Monday, Monaco’s statement about “following the money” was surprisingly literal. According to the affidavit, law enforcement tracked Colonial Pipeline’s payment across the public Bitcoin ledger until much of the payment landed in one specific Bitcoin address, which the outlet The Record has identified. After the funds arrived at that address—which law enforcement referred to as the “Subject Address”—they were not touched for days.
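The tracing described above is a graph walk over the public ledger: every spend names the outputs it consumes, so an analyst can follow a payment forward from transaction to transaction until the coins come to rest in an unspent output. The following is an added example (not code from the affidavit, the DOJ, or the original article) that performs that walk over a constructed mini-ledger; the transaction IDs, addresses and amounts are invented for illustration, with the 75 / 63.7 split chosen to mirror the figures reported in the text. It also flags the case practitioners have to watch for: a transaction that merges traced coins with unrelated inputs, after which attribution is no longer clean.

```python
from collections import Counter

SATOSHI = 100_000_000  # 1 BTC = 1e8 satoshi; integer amounts avoid float rounding

# Constructed mini-ledger for illustration only; these are not real transactions.
# Each entry: txid, the outpoints it spends as (prev_txid, vout), and its outputs
# as (address, amount_in_satoshi). Entries are in chain order.
LEDGER = [
    # The victim pays 75 BTC to the address named in the ransom note.
    {"txid": "tx1", "inputs": [("victim_funding", 0)],
     "outputs": [("attacker_addr", 75 * SATOSHI)]},
    # The payment is split: 63.7 BTC parked in one address, 11.3 BTC elsewhere.
    {"txid": "tx2", "inputs": [("tx1", 0)],
     "outputs": [("subject_addr", 6_370_000_000), ("fee_addr", 1_130_000_000)]},
    # The smaller share moves on to an exchange deposit address.
    {"txid": "tx3", "inputs": [("tx2", 1)],
     "outputs": [("exchange_deposit", 1_130_000_000)]},
    # The exchange sweeps that deposit together with another customer's coins:
    # traced and untraced funds merge, so attribution becomes ambiguous.
    {"txid": "tx4", "inputs": [("tx3", 0), ("other_customer", 0)],
     "outputs": [("exchange_hot_wallet", 20 * SATOSHI)]},
]


def trace_funds(ledger, start_outpoint):
    """Follow coins forward from start_outpoint.

    Returns (resting, mixed): resting lists unspent outputs that still hold
    traced coins as (address, amount_sat, txid); mixed lists txids in which
    traced coins were combined with inputs that were not traced.
    Assumes ledger entries are in chain order (a spend comes after its parent).
    """
    tainted = {start_outpoint}
    mixed = []
    for tx in ledger:
        tainted_inputs = [i for i in tx["inputs"] if i in tainted]
        if not tainted_inputs:
            continue
        if len(tainted_inputs) != len(tx["inputs"]):
            mixed.append(tx["txid"])
        # Simple "poison" rule: every output of a tx that spends traced coins
        # is treated as traced. Real analysis weights outputs proportionally.
        for vout in range(len(tx["outputs"])):
            tainted.add((tx["txid"], vout))

    by_id = {tx["txid"]: tx for tx in ledger}
    spent = {outpoint for tx in ledger for outpoint in tx["inputs"]}
    resting = sorted(
        (by_id[txid]["outputs"][vout][0], by_id[txid]["outputs"][vout][1], txid)
        for (txid, vout) in tainted
        if txid in by_id and (txid, vout) not in spent
    )
    return resting, mixed


def balance_by_address(resting):
    """Sum traced, unspent amounts per address (in satoshi)."""
    totals = Counter()
    for addr, amount, _ in resting:
        totals[addr] += amount
    return dict(totals)


if __name__ == "__main__":
    resting, mixed = trace_funds(LEDGER, ("tx1", 0))
    for addr, amount, txid in resting:
        print(f"{addr:20s} {amount / SATOSHI:8.3f} BTC  (unspent output of {txid})")
    print("traced coins merged with untraced inputs in:", mixed)
```

Run as written, the walk reports 63.7 BTC still sitting unspent in `subject_addr` (the analogue of the affidavit’s dormant address) and marks `tx4` as a mixing point, where the 11.3 BTC share was combined with other deposits and can no longer be attributed by inspection alone.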

Then came the puzzling part.

According to the affidavit, the Justice Department was able to retrieve funds from the Subject Address because the FBI obtained that address’s related “private key.”

Private keys are somewhat like passwords, in that they are not meant to be shared, but they are more than that. A Bitcoin private key is a randomly generated 256-bit number; the public key, and the address derived from it, are computed from the private key by one-way operations (elliptic-curve multiplication followed by hashing). Deriving a private key from its address or public key is computationally infeasible, which means that somehow the FBI obtained what may be the most closely guarded secret for any cryptocurrency user today.

Some users keep their private keys on exchanges (websites for trading bitcoins). If the Colonial Pipeline attackers kept their key on a US-based exchange it would be an easy matter for the FBI to seize it. However, security-conscious Bitcoin users tend to keep their keys where they can see and secure them, on computers they own.

How the FBI managed to get the key is unclear, but a week after the Colonial Pipeline attack, Darkside said it lost control of some of its servers. In the same announcement, the threat actors also said they lost some ransom payments.

Whether the US government removed Darkside’s server access is not known, but the FBI’s ability to obtain a Bitcoin address private key still reveals a new attitude in America’s fight against cybercrime—a fierce, antagonistic approach that potentially crosses ethical lines.

In April, the Department of Justice revealed that the FBI had obtained the somewhat extraordinary authority to access servers it did not own or control so that it could remove web shells placed by cybercriminals who exploited zero-day vulnerabilities in on-premises versions of Microsoft Exchange Server software. These web shell removals were performed with no notification to the servers’ owners.

Similarly, in January, after the international law enforcement agency Europol announced that it had taken control of the Emotet botnet, cybersecurity researchers spotted something hidden. The law enforcement agencies responsible for the takedown had already planned to deploy an update to remove Emotet from infected machines, and law enforcement agencies themselves wrote the code for the deployment.

In speaking on our podcast Lock and Code, Malwarebytes Security Evangelist Adam Kujawa said this was a new tactic from government authorities.

“I’ve seen people maybe misuse or abuse or modify how a particular malware Command & Control infrastructure would work, but I’ve never seen law enforcement deploy brand new code, and that’s kind of worrying a lot of folks,” Kujawa said. “A lot of people might consider it illegal.”

The post DOJ recovers pipeline ransom, signals more aggressive approach to cybercrime appeared first on Malwarebytes Labs.

Can two VPN “wrongs” make a right? Lock and Code S02E10

This week on Lock and Code, we’re presenting you something a little different. We’re telling you a story—with no guest interview included—that involves the use of VPNs.

In 2016, a mid-20s man began an intense, prolonged harassment campaign against his new roommate. He emailed her from spoofed email accounts. He texted her and referenced sensitive information that was only stored in a private, online journal. He created new Instagram accounts, he repeatedly made friend requests through Facebook to her friends and family, he even started making bomb threats. And though he tried to sometimes mask his online activity, two of the VPNs he used while registering a fake account eventually gave his information to the FBI.

This record-keeping practice, known as VPN logging, is frowned upon in the industry. And yet, it helped lead to the capture of a dangerous criminal.

Can two VPN “wrongs” make a right? Find out today on Lock and Code, with host David Ruiz.

https://feed.podbean.com/lockandcode/feed.xml

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

The post Can two VPN “wrongs” make a right? Lock and Code S02E10 appeared first on Malwarebytes Labs.

A week in security (May 31 – June 6)

Last week on Malwarebytes Labs, we looked at an interesting trend in facial recognition technology—hint: it’s a slow fade, the latest ransomware attacks on JBS and Steamship Authority, Cobalt Strike, a Coronavirus phishing campaign, WhatsApp’s decision to not limit app functionalities for non-compliant users after all, and a cyber threat report compiled by the National Crime Agency (NCA) in the UK.

We also analyzed Kimsuky, the APT that continues to attack the South Korean government, and the NSIS crypter along with its evolution.

Lastly, we recognized the cybersecurity challenges in SMBs and were in awe after the US Attorney’s office decided to investigate ransomware attacks the same way as terrorist attacks.

Other cybersecurity news

  • A phishing campaign has been launched off the back of the ransomware attack against Colonial Pipeline a few weeks ago. The email, purporting to come from a company’s “Help Desk”, encourages recipients to download a “ransomware system update” that would supposedly prevent the company from being attacked by ransomware. (Source: Inky)
  • Organizers of the Tokyo Olympics found themselves on the receiving end of a data breach. (Source: The Japan Times)
  • Fujifilm fell victim to a ransomware attack. (Source: InfoSecurity Magazine)
  • Those returning to the office were welcomed by—drumroll, please—phishing emails! (Source: Avanan)
  • According to researchers, a new ransomware variant called Epsilon Red is said to be hunting for unpatched Microsoft Exchange servers to exploit. (Source: Computing)
  • The UK government faced a backlash and legal challenge over its plan to share health service data with a third-party as part of its digitization effort. (Source: Computing)
  • A threat report from Thales revealed that, although the pandemic has transformed how we do work, cybersecurity is sadly not keeping up. (Source: TechRepublic)
  • Mustang Panda, a Chinese espionage group, is gaining access to official Southeast Asian government websites via a novel Windows backdoor. (Source: The Record)
  • JBS, the world’s largest meat supplier, is back to normal operations after a ransomware attack. (Source: Bleeping Computer)

Stay safe, everyone!

The post A week in security (May 31 – June 6) appeared first on Malwarebytes Labs.

Amazon Sidewalk starts sharing your WiFi tomorrow, thanks

Amazon smart device owners only have until June 8 to opt out of a new program that will group their Echo speakers and Ring doorbells into a shared wireless network with their neighbors, a new feature that the shopping giant claims will provide better stability for smart devices during initial setup and through possible Internet connectivity problems.

The program is the latest example of yet another multibillion-dollar company rolling out significant changes without meaningfully notifying users beforehand, making it increasingly difficult for users to choose how their data is used, or how their products function. In March, Google changed how Google Chrome users would be tracked across the web, and in May, WhatsApp threatened to remove basic messaging functions from the apps of users who refused to share some of their data with parent company, Facebook.

With all these company decisions, user choice has diminished.

This week, Amazon announced that many of its smart devices would be incorporated into what it is calling “Amazon Sidewalk,” a shared network of devices within neighborhoods that will, according to the company, “help simplify new device setup, extend the low-bandwidth working range of devices to help find pets or valuables with Tile trackers, and help devices stay online even if they are outside the range of their home WiFi.”

Amazon Sidewalk will create a shared, low-bandwidth network between participating smart devices that are located near one another in a neighborhood. Through the network, if, for instance, a home WiFi network goes down, the Amazon smart devices connected to that home network will still be able to function, as they will be borrowing Internet connectivity from neighboring products. Data transfer between homes will be capped, and the data communicated through Amazon Sidewalk will be encrypted.

Amazon smart device owners will automatically be enrolled into Amazon Sidewalk, but they can opt out before a June 8 deadline. That deadline has irked many cybersecurity and digital rights experts, as Amazon Sidewalk itself was not unveiled until June 1—just one week before a mass rollout.

Jon Callas, director of technology projects at Electronic Frontier Foundation, told the news outlet ThreatPost that he did not even know about Amazon’s white paper on the privacy and security protocols of Sidewalk until a reporter emailed him about it.

“They dropped this on us,” Callas said in speaking to ThreatPost. “They gave us seven days to opt out.”

Other experts have warned about the security and privacy implications of Amazon’s project, as Sidewalk will rely on a new and largely untested wireless protocol to link together selected devices. Whitney Merrill, a privacy and information security attorney with Asana, said on Twitter: “Hello privacy nightmare.”

Further, as reported by Ars Technica, the history of wireless connection technologies is littered with vulnerabilities. Researchers found flaws in the late-90s security algorithm Wired Equivalent Privacy (WEP)—after it had been widely used for years—and the technology that replaced it—WPA—is not without problems.

To its credit, Amazon’s white paper addresses how it plans to keep customers’ data secure and private when it travels through Sidewalk. According to that white paper, Amazon will limit the type and amount of metadata it receives, it will encrypt the contents of delivered packets so that the company cannot see what is inside, and customers themselves will also be prevented from seeing the content of packets sent to and from endpoints that they do not own.

Security and privacy aside, one issue still remains—weakened user choice.

The implementation of Amazon Sidewalk mirrors the more careless behavior showcased by Google earlier this year, when it decided to include millions of Google Chrome users in an experiment into how their web browsing behavior was tracked online. Google, like Amazon, did not individually notify users about the new program—called FLoC—and Google, like Amazon, automatically enrolled users into the program, forcing them to manually opt out.

Amazon’s approach to opt-out is clearer than Google’s, though. The company has developed a specific menu item in its Alexa and Ring apps that clearly denotes a new setting to enable or disable Sidewalk. Google, on the other hand, did not have a specific toggle to disable FLoC, and users were instead forced to turn off all third-party cookies if they wanted to opt out.

Certain aspects of Amazon’s rollout of Sidewalk also resemble decisions made this year by WhatsApp, the end-to-end encrypted messaging app owned by Facebook. Last month, the messaging app told users that if they did not agree to sharing some of their data with Facebook, they would see their apps become useless, unable to receive calls or messages. WhatsApp walked back this decision in late May.

Here, Amazon is implementing no such consequences for opting out—which is good—but it is still making a sweeping decision about how customers’ own products should function. And the company isn’t just changing the way already-purchased Amazon devices work, it’s also reaching beyond those devices to affect relationships that have nothing to do with Amazon, such as who gets to use your internet connection, how much of it they can use, and what you might be charged for that.

Amazon Sidewalk will work with the following devices in the US, according to Amazon: Ring Floodlight Cam (2019), Ring Spotlight Cam Wired (2019), Ring Spotlight Cam Mount (2019), Echo (3rd gen and newer), Echo Dot (3rd gen and newer), Echo Dot for Kids (3rd gen and newer), Echo Dot with Clock (3rd gen and newer), Echo Plus (all generations), Echo Show (2nd gen), Echo Show 5, 8, 10 (all generations), Echo Spot, Echo Studio, Echo Input, Echo Flex.

For users who want to opt out, they can find the solution in their Alexa and Ring apps. In the Alexa app, users can go to “Settings,” and then navigate to “Account Settings,” where they can find “Amazon Sidewalk.” Users can also disable Sidewalk in the “Control Center” of the Ring app or Ring website.

The post Amazon Sidewalk starts sharing your WiFi tomorrow, thanks appeared first on Malwarebytes Labs.

White hat, black hat, grey hat hackers: What’s the difference?

When you think of the world of ethical hackers (white hat), malicious hackers (black hat), and hackers that flirt with both sides (grey hat), you may envision people in shiny trench coats and dark glasses, whose computer skills are only matched by their prowess in martial arts.

The truth is that hackers are pretty different from their depiction in The Matrix. For example, most hackers can’t slow time down and jump across tall buildings. At least, not that we know of. In reality, a hacker usually keeps a low profile and concentrates on their work.

What’s a hacker?

The answer to “what’s a hacker?” depends on who you ask. We’d guess that most people who work with computers will tell you the answer is something close to this Wikipedia description: “a computer expert who uses their technical knowledge to achieve a goal or overcome an obstacle, within a computerized system by non-standard means.” Much to the annoyance of many of those people, outside of computing, people often understand “hacker” to mean something different and more negative.

To many, a hacker is someone that employs their expertise to breach a computer, smartphone, tablet, or network, regardless of intent. Although it is often used to refer to illegal activity, even within this narrower definition not all hackers are deemed criminal. They are often classified into three main categories: Ethical hackers have traditionally been known as “white hat”, malicious hackers as “black hat”, and “grey hats” are somewhere in the middle.

Ethical hackers

Ethical hackers look for security flaws and vulnerabilities for the purpose of fixing them. Ethical hackers don’t break laws when hacking. An ethical hacker can be someone who tests their own computer’s network defenses to develop their knowledge of computer software and hardware or a professional hired to test and enhance system security.

Security careers related to ethical hacking are in-demand. Malware analysts are a good example. An in-demand ethical hacker who has worked hard to develop their skillset can have a lucrative career.

Ethical hackers are sometimes referred to as white hat hackers. White hat hacker is an outmoded term for an ethical hacker. It comes from 20th century Western films in which the good guys wore white hats. Modern experts refer to them as ethical hackers.

Malicious hackers

Malicious hackers circumvent security measures and break into computers and networks without permission. Many people wonder what motivates hackers with ill intent. While some do it for cyber-adventure, others hack into computers for spying, activism, or financial gain. Malicious hackers might use tools like computer viruses, spyware, ransomware, Trojan horses, and more to further their goals. While there may be financial incentives to hacking, the risks are high too: A malicious hacker can face a long time behind bars and massive fines for their illegal activity.

Just as “white hat” is an older term for ethical hackers, conversely “black hat” is an older term for malicious hackers, also based on the old Western film practice of which hats the “good guys” and “bad guys” wore. Today, malicious hacker is a more apt description.

Grey hat hackers

A grey hat hacker skirts the boundaries between ethical and unethical hacking by breaking laws or using unethical techniques in order to achieve an ethical outcome. Such hackers may use their talents to find security vulnerabilities in a network without permission to simply show off, hone their skills, or highlight a weakness.

Tips on how to become an ethical hacker

You may have what it takes to become a highly rated ethical hacker if you’re patient, clever, have an affinity for computers, have good communication skills, and enjoy solving puzzles.

A degree in computer science or information security and a background in military intelligence can be useful but isn’t necessary. Thanks to the wide availability of information and open source code, and incentives like bug bounties, there are many routes into ethical hacking outside of traditional education. For more advice on how to become an ethical hacker, take a look at our interview with bug bounty hunter Youssef Sammouda.

How do I protect myself from a hacker?

An unethical hacker can use many techniques and tools to breach your computer or device’s network security. Your first line of defense is to make life hard for hackers by ensuring you: Use strong, unique passwords; keep your systems patched with security updates; install advanced antivirus protection that defends your computer against malicious software; enable the firewalls on your Internet router and computers. For an extra layer of defense, you can protect your network traffic from snooping and tampering with a VPN.   

Lastly, be on guard for phishing and social engineering attacks that try to trick you into doing something that’s bad for you, like downloading malware or giving out sensitive information.

The post White hat, black hat, grey hat hackers: What’s the difference? appeared first on Malwarebytes Labs.

Ransomware to be investigated like terrorism

The impact of recent ransomware attacks on vital infrastructure in the US has triggered a reaction from the US Attorney’s office. In internal guidance, it says that all ransomware investigations in the field should be centrally coordinated with a recently created task force in Washington.

According to Reuters, the internal communication states:

“To ensure we can make necessary connections across national and global cases and investigations, and to allow us to develop a comprehensive picture of the national and economic security threats we face, we must enhance and centralize our internal tracking.”

Terrorism model

This model of investigation and cooperation is used only in a few fields that touch upon national security, e.g. terrorism. According to US officials this shows how the issue of ransomware is being prioritized. According to Reuters, this means investigators will have to share updated case details and active technical information with leaders in Washington. It also means they will receive guidance from Washington on how to proceed. If implemented optimally this will surely result in a better understanding of the ransomware landscape.

In his recent executive order on improving the nation’s cybersecurity, President Biden already pointed out that the US faces persistent and increasingly sophisticated malicious cyber-campaigns. Section two of the order is titled Removing Barriers to Sharing Threat Information, and this new cooperation seems to fall under that banner.

Ransomware Task Force

In April we reported about international cooperation in this field in the form of the Ransomware Task Force (RTF), a think tank composed of more than 60 volunteer experts who represent organizations encompassing industries and governments. In its report (PDF) the RTF recommended that ransomware be treated as a threat to national security.

“Ransomware attacks have shut down the operations of critical national resources, including military facilities. In 2019, a ransomware attack shut down the operations of a U.S. Coast Guard facility for 30 hours, and in February 2020, a ransomware attack on a natural-gas pipeline operator halted operations for two days. Attacks on the energy grid, on a nuclear plant, waste treatment facilities, or on any number of critical assets could have devastating consequences, including human casualties.”

This was before the attack on Colonial Pipeline, which prompted President Biden to sign an executive order that broadly directs the Commerce Department to create cybersecurity standards for companies that sell software to the federal government.

Whether the RTF and the proposed task force in Washington will work closely together is unknown, but perhaps unlikely given the international character of the RTF. Sharing information might be beneficial for both, though.

REvil is not impressed

In an interview published by cybersecurity blogger Sergey R3dhunt, a spokesperson for REvil appears to indicate they are not worried by the new “terrorism approach.”

Translated, the transcript says:

Q: What happened as a result of the cyber attack?

A: As a result, the United States has put us on the agenda of the discussion with Putin. The question is, why there is such confidence that at the moment everyone is in the CIS, and even more so in the Russian Federation. In connection with the recent events with fuel [Colonial Pipeline], the United States are in every possible way avoided, as well as work inside CI.

Further inquiries seemed to indicate that it will only make matters worse, because if they are going to be prosecuted anyway, they may as well open the floodgates. When asked why they attacked JBS, this was the answer:

“Revenue. The parent company is located in Brazil, where the attack was directed. Why the US intervened is not clear. She was avoided by all means.”

History tells us the words of ransomware criminals should be taken with a large pinch of salt.

Treated as or investigated like

Even though some gut reactions suggested that ransomware attacks would be treated in the same way as terrorist attacks, this is not entirely true, even if some ransomware attacks have had worse outcomes than terrorist attacks. It is the way in which the US Attorney’s office wants to organize ransomware investigations that is similar to other national security issues, not the severity of the punishments or the way convicted persons will be apprehended.

Ransomware infrastructure

Ransomware, especially Ransomware-as-a-Service (RaaS), has a similar organizational structure to some terrorist organizations. You have the enablers, who provide the software and the infrastructure for the ransomware itself and for receiving payments. And you have the affiliates, the executioners, who go out and attack victims. These groups do not have to know each other’s true identities and usually communicate through encrypted channels.

A thorough knowledge of the ransomware landscape and successful infiltration of the communication platforms could provide methods to hinder operations. Maybe the inherent distrust between criminals can be used to launch successful misinformation campaigns to disrupt the cooperation between enablers and executioners. And maybe the fear of being tracked down by a strong dedicated task force will keep some potential participants away from the scene.

Tracking payments or making it illegal to pay ransom could make another dent in the severity of the threat. According to the report by the RTF, about 27 percent of victims choose to pay a ransom. With this, these victims are fuelling the ransomware industry. Not that they want to, but sometimes they feel it’s the only viable choice. This feeling is often strengthened by the additional threat to publicly disclose exfiltrated data.

All in all, a US centralized task force to investigate ransomware could contribute to the goals that the international RTF has set:

  • Deter ransomware attacks
  • Disrupt the ransomware business model
  • Help organizations prepare
  • Respond to ransomware attacks more effectively

Let’s hope so.

The post Ransomware to be investigated like terrorism appeared first on Malwarebytes Labs.

Security pros agree about threats—convincing everyone else is the problem

How about that Colonial Pipeline?

As troubling as this event may be, for those of us working in the world of cybersecurity it can be hard to convince others to take dangers like this seriously—regardless of how real and immediate they are.

“Sadly, the upper leadership team does not understand the stakes and why an investment is necessary to protect assets and tomorrow’s productivity,” said one beleaguered security professional we spoke to.

If this sounds like you, you’re not alone. There are plenty who share your pain.

Back in March, Malwarebytes released the SMB Cybersecurity Trust and Confidence Report 2021. For this report, we surveyed 704 cybersecurity professionals from all levels on the corporate ladder, from CISOs on the top rung down to the hardworking sysadmins. Participating small- and medium-sized businesses ranged from 50 to 999 employees. 

What did we find? Security professionals trust their endpoint protection to do its job—with some caveats.

Some 95 percent of respondents say they trust their cybersecurity vendor to provide effective endpoint protection. By that same token, more than 90 percent say their endpoint protection is effective and they’re confident it protects against dangerous threats.

So, what’s the catch?

Decision makers versus decision influencers

To get a better sense of who our survey-takers are and identify any potential difference of opinion, we asked them for their titles. You can see the full breakdown below, but just under half, 48 percent, of our respondents identify as IT directors.

[Image: breakdown of survey respondents by job title]

Next, we grouped participants by those who “make the final decision” regarding endpoint protection purchases and those who have “significant influence,” with 52 percent identifying as decision makers and 48 percent identifying as decision influencers.

[Image: breakdown of survey respondents by decision-making role]

Those who answered, “Yes, I’m a decision maker” generally have a somewhat rosier disposition when it comes to the dangers their organizations are facing and their ability to stop those dangers. 

We asked, “Has your endpoint protection product ever failed to detect a threat?” Those who make the final decision are more likely than those who influence decision making to say their endpoint protection provider hadn’t failed (64 percent versus 48 percent).

Coming at the issue from another angle, we also asked, “How frequently does your organization register a cybersecurity threat?” Those who make the final decision are far more likely than those who influence decision making to say their organization registers a threat “once a month” or “very often” (26 percent versus 13 percent).

We then asked “Agree or disagree? I believe it’s not a matter of if but when my organization suffers a successful attack or breach.” Just over half, 56 percent, said they agreed. Those who make the final decision agree to this statement significantly more than those who influence decision making (64 percent versus 49 percent).

So, what is the data telling us? Security professionals are confident in their endpoint protection, but they’re realistic about the threats they’re facing. Yes, there are some variations depending on an individual’s position within the org chart; otherwise, everyone is pretty much in agreement on the increasing sophistication and frequency of attacks.

The security ouroboros

Many of the survey respondents expressed frustration with leadership outside of the security org.

We asked, “What’s the biggest obstacle to security at your organization?”

“Buy-in from the leadership team that it is worth the investment versus other priorities,” said one respondent.

Another said, “Faced with a range of obstacles, from slowing budget growth to dissatisfied boards, business and security leaders are being challenged to change the way they approach cybersecurity and risk.”

No budget? No buy-in? Lack of investment? Sounds about right.

At the risk of reading too deeply into the data, the implication here is that while businesses get bigger, security orgs stay the same in terms of personnel and infrastructure.

The numbers bear this out: 65 percent of respondents from SMBs with 500 to 999 employees identified as CIO, CISO, or IT director.

Where one would expect to see a pyramid shape from the CISO or CIO on down, with more frontline level employees at the bottom than leaders at the top, the reality has gone all pear-shaped. As mentioned earlier, almost half of total survey respondents identified as IT directors.

Compounding the problem, a significant portion of our respondents believe that bigger organizations make for more frequent targets.

We asked “Agree or disagree? Hackers do not target small- and medium-sized organizations and attack only bigger organizations.” 

Some 39 percent of respondents agreed bigger organizations made for more frequent targets. Among survey respondents at organizations with more than 500 employees, a slightly larger 43 percent agree.

However, those who make the final purchasing decision on endpoint protection agree even more—bigger business, bigger target—than those who just influence decision making (48 percent versus 30 percent).

What does it all mean? For starters, security professionals across the board have faith in their endpoint protection, but they’re frustrated at the lack of support from senior leadership outside of the security org. 

When businesses find success and the dollars start rolling in it’s a given that many of those dollars are going to be earmarked for talent acquisition and IT infrastructure. Unfortunately, from a security perspective, growth at one end doesn’t translate to growth at the other end. Security pros just don’t get the additional resources that they’re expecting—that they need—to accommodate growth within the organization as a whole.

Like a snake eating its own tail, growing businesses have more employees and more endpoints to protect, but security budgets and head count seem to remain stagnant. And the consequences of this security conundrum are dire. Look no further than the latest headlines.

The post Security pros agree about threats—convincing everyone else is the problem appeared first on Malwarebytes Labs.

Steamship Authority answers question: Who’s the next ransomware victim?

After the attacks on Colonial Pipeline and JBS, many may have been wondering, as we did, what the next ransomware headline was going to be.

Well, here it is—another victim in the vital infrastructure of transport and logistics, although this time the impact may be less brutal.

Steamship Authority, the largest ferry service in Massachusetts, has fallen victim to a ransomware attack. The Steamship Authority informed the public on social media that it was the target of a ransomware attack early Wednesday, June 2, 2021.

Steamship Authority, the company

Steamship Authority is the largest ferry service to the islands of Martha’s Vineyard and Nantucket. It operates ferries carrying passengers, autos, and trucks between the US mainland and the two islands. The ferry services and their safety have not been compromised, but it looks like the Steamship Authority offices have been disrupted in a severe way. The Steamship Authority’s website is currently unavailable. This also means that it is not possible to make new reservations, not even by phone.

The impact

In a tweet, the company informed customers that while they were working through the consequences of the cyberattack, all ferries are operating at this time. They are keeping customers informed by posting the ferry schedules on their social media channels.

[Image: ferry schedule posted on the company’s Twitter account]

Which does not mean that it’s all business as usual. There is limited access to credit card systems at some terminal and parking locations but, to avoid delays, cash is likely the best option for ticketing and parking. Customers are currently unable to book or change vehicle reservations online or by phone. Existing vehicle reservations will be honored at Authority terminals, and rescheduling and cancellation fees will be waived.

The timing of the attack is painfully apt, as this marks the start of the season when tourists begin to visit the region and a peak in traffic is to be expected.

Investigation

The Steamship Authority tweeted that it is working internally, as well as with federal, state and local authorities, to determine the extent and origin of the attack. Since this is an ongoing investigation it is unlikely that the authorities will share any information about the type or possible origin of the attack. But we will keep you informed if we should learn more.

A spokesperson for the U.S. Coast Guard stated that the U.S. Coast Guard 1st District is working in conjunction with the Massachusetts Cybersecurity Unit, and that the FBI is currently leading the investigation.

Recovery

Recovery from a ransomware attack can be a long and expensive process, even if the victim decides to pay the ransom. It can take weeks to months to get the server infrastructure back up and running. If new bookings remain unavailable, it will not take long before the number of existing bookings starts to dwindle. We can only hope that the Steamship Authority manages to get back into an operational state as soon as possible. Getting stuck on one of the islands is not the worst thing one could imagine, but it’s different if you didn’t necessarily plan it.

Stay safe, everyone!

The post Steamship Authority answers question: Who’s the next ransomware victim? appeared first on Malwarebytes Labs.

Cybercrime, fraud, and insider threats increased in 2020 in the UK, report says

Since the initial lockdown, we have seen the rise of certain types of cybercrime, including scams and fraud campaigns that either bank on the global COVID-19 pandemic or take advantage of potential victims that adhere to work-from-home measures.

In the UK, the National Crime Agency (NCA) has determined that many types of cybercrime, such as ransomware attacks, digital fraud, and insider threats—with a specific mention of child sexual abuse—have increased because of more users in the UK logging online to do work, attend online classes, and (at the first few months of lockdown) alleviate boredom.

The agency also noted the resilience and adaptability of serious and organized crimes (oddly labeled as “SOCs,” despite the same acronym meaning “security operations center” in the cybersecurity field) in their use of technology and well-established tools to avoid detection. For example, budding and professional criminals are using commercially available encryption, Secure Messaging Applications (SMAs), and decentralized messaging apps, which usually come with a crypto wallet, to manage their own data and mask their identities and communications. They also use cryptoassets to buy and sell illegal commodities in the underground or to launder money. Because of this, the NCA has assessed that by disrupting the technology, including the capabilities that enable these criminals, it can end criminal schemes in an efficient manner.

SOCs are categorized as a “significant and established national security threat that endangers the integrity, legitimacy, and sovereignty of the UK and its institutions, both at home and overseas.” It is no surprise to see SOCs being conducted over the internet by crime groups, and the NCA has been monitoring them year on year.

Organized crime: Ransomware-as-a-service (RaaS)

The growing threat of ransomware continues to loom over organizations across industries worldwide. In the UK, the estimated direct and indirect cost of ransomware is, at most, billions of pounds per year. However, determining the exact figure remains a challenge, since underreporting and inaccurate cost estimates continued to be a problem in 2020. Underreporting is primarily caused by a lack of awareness of who to report an attack to and, in some cases, a general reluctance to report for fear of reputational damage and/or uncertainty.

The NCA has observed a dramatic increase in demand for Remote Desktop Protocol (RDP) credentials. This is because of the increased use of such software following remote working. Criminals gaining these credentials could no doubt also access corporate networks.

Lastly, cybercriminals use current events in their spam and phishing emails—another way to get into corporate networks. They have themed their campaigns around COVID-19 and the end of the financial year for the business.

Organized crime: Online fraud

COVID-19 themes are also common in fraud campaigns. According to Action Fraud, the UK’s go-to reporting center for fraud and cybercrime, between January and December 2020 victims lost an estimated total of 3 billion GBP to fraudsters.

The increased reliance on online services has encouraged fraudsters to target and take advantage of the more vulnerable and less security-savvy UK citizens, giving rise to shopping fraud, auction fraud, and, of course, sophisticated phishing campaigns. Where criminals couldn’t find a way to their potential victims, online advertising has served as the perfect means for the victims to come to them. Fraudsters have been observed using social media and online service platforms to post fraudulent ads.

The NCA cited other fraud campaigns, such as romance scams and misinformation campaigns surrounding Brexit, the UK’s departure from the European Union. 

Organized crime: Insider threats 

In the financial sector, working from home shone a light on the problem of a reduced ability to monitor staff, and thus of missing signs of unusual behaviour and other indicators of employee struggles. This opens the possibility of an insider threat, a threat that businesses hardly mention, let alone prepare for.

Disgruntled employees and those struggling financially could more likely be tempted to engage in bribery and corruption when opportunity presents itself. Incidents involving these would be difficult to trace or pinpoint as they are usually presented as genuine payments for goods with increased market rates. There is also a realistic possibility that such engagements will only increase as businesses in the UK begin recovery measures from the impact of the pandemic and Brexit.

Future cybercrimes in the UK and beyond

Whether or not these online organized crimes will continue to be noteworthy in the next year remains to be seen. Note, however, that these online crimes were already present pre-pandemic and pre-Brexit. More often than not, once everyone is living in “the new normal,” the likely outcome will just be a difference in numbers: ransomware, for example, may or may not have higher victim rates after a year. Or, perhaps, romance scams will dramatically scale down to nonexistence. Perhaps.

Whatever cybercrime looks like in the future, what remains constant is the continued vigilance of groups like the NCA and of businesses in the public and private sectors in effectively educating and training UK employees on the cybercrimes that affect them and how they should respond. As a business, they should know what steps to take to further improve their security posture and who to contact in the event of a cybercrime incident. Lastly, much stress should also be placed on reporting, to spread awareness, help other organizations avoid being victimized, and allow law enforcement to keep track of cybercriminals.

The post Cybercrime, fraud, and insider threats increased in 2020 in the UK, report says appeared first on Malwarebytes Labs.