Monthly archives for July, 2017

Bitdefender: Organisations must empower IT staff to mitigate cyber threats

Despite two large cyber attacks making headlines in the first six months of 2017, the security firm is still finding cybersecurity responsibility lies solely with the underfunded IT team.

With the WannaCry ransomware and Petya malware attack recently causing damage to organisations worldwide, even halting chocolate production at Cadbury’s Hobart factory, security firm Bitdefener has urged organisations to assist IT teams in preparing for, and mitigating against, future attacks.

According to Bogdan Botezatu, senior e-threat analyst at Bitdefender, organisations need to have mitigation in mind as it’s a matter of when an attack happens, not if.

Speaking with ZDNet while visiting Sydney from Romania, Botezatu said organisations first need to understand what type of security they need and not overlook any aspect, while also trying to see through the noise, such as marketing buzzwords and an over-saturated cybersecurity industry.

“An enterprise has a diverse range of technologies … all these are potential threats,” he explained. “It’s no use for you to have the best end-point security solution if your payment processor in the cloud is left open.”

Botezatu said a standard IT team finds itself constantly under fire, and it’s important that the responsibility doesn’t just lie with them.

“They have external attacks, they have users inside who need technical support — the IT team needs to always be on the lookout to help non-tech savvy departments ensure they don’t shoot themselves in the foot by opening [an executable] promising kittens,” he explained.

“They don’t have time to monitor 60 security solutions … because everything is on fire around them and their time needs to go to good use.”

With organisations, particularly in Australia, relying heavily on cloud-centric applications, it results in most of an organisation lying outside of the physical boundaries of the HQ. As a result, Botezatu said many organisations are running security solutions built for on-premises protection, noting the solutions don’t translate well into the virtualised world.

Despite claims that some organisations have employed services from over 80 security vendors, Botezatu said the majority of attacks start with some form of social engineering targeting an organisation’s employees.

To Botezatu, education is an organisation’s greatest defence mechanism.

“You need to encourage the user to adopt security best practices and to stay aware about what they’re allowed to do with company property,” he explained, noting it’s better to speak with them in order to prevent, rather than to punish.

“This is probably the most basic security measure … make them understand what you’re trying to achieve.”

Botezatu said that while educating the people within an organisation is free, in many organisations, the sentiment is falling on deaf ears.

“That’s one of the issues with the industry, that most of the IT workforce is mobilised to plugging phones into the infrastructure rather than getting some coffee time with people to understand what they are trying to protect the organisation against,” he said.

“Very few people would hazard to do stupid stuff on company resources if they knew they were harming the company, with the exception of disgruntled employees.

“People will lend you a helping hand to protect your organisation if you told them your organisation needs protecting, but usually, the IT guy comes among the masses saying, ‘hey guys, you know nothing about security, you need to do that, that, and that — otherwise I’m suspending you’.”

He said as an employee, individuals need to be a part of the cybersecurity effort, not trying to outsmart the IT guy who has disallowed access to Facebook.

“I’m still waiting for when the CIO will have a solid place at the board table,” he added. “It’s not happening and the finance department is pulling all the strings.”

Although estimations suggest an organisation should be spending 20 percent of its yearly revenue on cybersecurity-related initiatives or products, Botezatu said it’s rarely the case.

It’s a trend experienced globally, he added, especially in the public sector where the lowest bid always wins.


No more ransomware: How one website is stopping the crypto-locking crooks in their tracks

No More Ransom launched a year ago: here’s the story of how cybersecurity firms and law enforcement are working together to bring down ransomware.

Ransomware is a huge problem. While the recent WannaCry and Petya attacks brought the file-encrypting malware to the attention of a global audience twice in as many months, ransomware has been rising up the list of corporate cybersecurity headaches for years.

During 2016 alone, ransomware attacks cost victims over $1bn thanks to simple the fear tactics it employs: pay up, or we delete all your data. In many instances, organisations are willing to give in and pay the cybercriminals.

Law enforcement organisations and cybersecurity companies around the world have attempted to do what they can to disrupt ransomware — whether through takedowns of cybercriminal gangs by the authorities or security companies finding and providing decryption keys.

But this disjointed approach can only get so far in the modern hyper-connected world in which criminals cooperate across international borders and time zones.

It’s why the No More Ransom initiative was launched a year ago, with the idea of bringing together law enforcement and private industry to combine efforts in the fight against cybercrime.

“It’s the idea of everyone bringing what they’re best at to the table to jointly try and tackle the biggest threat that we see out there,” says Steve Wilson, head of Europol’s Cybercrime Centre (EC3).

Launched jointly by Europol, the Dutch National Police, McAfee (then Intel Security), and Kaspersky Lab on July 25 2016, No More Ransom provided keys to unlocking encrypted files, as well as information on how to avoid succumbing to ransomware in the first place.

The portal initially provided decryption tools for four ransomware families: Shade, Rannoh, Rakhn, and CoinVault. It was collaborative work on decrypting CoinVault that led to the creation of a precursor to No More Ransom.
“We were working on CoinVault and did a lot of work with the Dutch police, and we were able to identify the command and control servers the cybercriminals were using,” says David Emm, principal security researcher, Kaspersky Lab.

The operation led to Kaspersky uploading free-to-use decryption keys to a website and it took off from there. “It was really successful and this was just one and part of a wider trend, so we wanted to establish wider involvement,” he says.

McAfee agreed that this collaboration — both between competing private firms and the authorities — was the way forward in the fight against the escalation of ransomware.

“There was just a sense that what would be nice would be to have an initiative to collaborate and work together on. But also to have a single point that people could go to when we create free decryption tools,” says Raj Samani, chief scientist at McAfee.

That single place was the No More Ransom portal, which since its launch has been hosted by Amazon Web Services and Barracuda Networks — and if it wasn’t for cloud-hosting, the website would have been overwhelmed on its first day.

“Part of my responsibility was to find a hosting provider and I remember at the time I was asked how many HTTPs requests do you think you’ll get a day and I thought 12,000 a day would be reasonable,” says Samani.

“On day one we had 2.7 million — then during one day, the weekend of WannaCry, we had eight million hits in a single day, so it’s much bigger than we ever thought.”

Following the initial success of the initiative, seven more cybersecurity firms have since joined as associate partners — Bitdefender, Check Point, Trend Micro, Emisoft, ElevenPaths, Avast and Cert.PL — each contributing to the development of decryption keys.

Dozens of law enforcement agencies — including Interpol, Enisa and the NCA — have also become actively involved in the scheme, which also receives additional support from dozens of security firms. There’s now 109 partners in total and for Wilson, the more involved, the merrier: “The more people we get to contribute, the better this resource is going to be,” he says.

Cybercrime is a global problem, but while there is more international cooperation between law enforcement agencies than there’s been before, rules and regulations mean that sometimes the authorities can’t act as quickly as they’d like.

That’s a disadvantage against global crime gangs, but private cybersecurity firms can be more flexible, enabling the No More Ransom operation to take the fight to cybercriminals at a faster pace by releasing decryption tools as and when they’re developed.

“Law enforcement agencies have restrictions that criminals don’t — they have the logistics of paperwork. Whereas at least under the umbrella of a project like this, there’s nothing to slow it down,” says Emm.

It’s difficult to quantify the exact number of decryptions which have occurred thanks to downloads from No More Ransom — the portal just provides links, it doesn’t monitor what happens next — but it’s thought that over 28,000 decryptions have taken place using the tools, saving millions from being paid to cybercriminals in the process.

“It really strongly justified a single response to this rather than over each country trying to develop something themselves,” says EC3’s Wilson.

No More Ransom doesn’t discriminate about what decryption tools are added to the portal — sometimes these come in batches, sometimes individual decryptors are uploaded as and when they’re made available — but how does this happen?

There are a number of ways. The first is if encryption keys simply get leaked. Indeed, an example of this occurred just hours after the launch of No More Ransom when the cybercriminal gang behind the Petya ransomware — long before it caused a global incident — leaked 3,500 decryption keys for a competing form of ransomware, Chimera. “We were able to grab them and create a tool,” says Samani.

But most of the time, decrypting ransomware comes down to hard work, with cybersecurity firms and the authorities working together in order to identify ransomware variants and crack codes.

“Working with law enforcement, we identify the infrastructure, go through the proper legal process to seize the key server and extract the decryption keys,” says Samani. That’s how Shade ransomware was decrypted, resulting in 165,000 decryption keys being made available.

That’s where the aid of law enforcement especially comes in — a cybersecurity firm can’t walk in and seize a botnet, but they can aid in its takedown, as was the case with Operation Avalanche, which took down a prominent malware botnet.

“On the offensive side from us, tackling the actual business model of ransomware-as-a-service and very much going after the large scale perpetrators of cybercrime is very much what we’re trying to do,” says Wilson.

Naturally, the very existence of No More Ransom has irked malicious actors. “Analysis of the chatter on underground forums shows how angry they are,” says McAfee’s Samani. “We even had a ransomware variant named after us — there’s an extension that had been encrypted as NoMoreRansom.”

So the portal is required to have the best defences possible in order to prevent attacks against it.

“We’ve got to do all the normal housekeeping things to keep it secure. We’ve got to pen test it to ensure that it’s as secure as we can make it. People are going to want to stop it, we need to make it as resilient as we can,” says David Emm.

That’s where Barracuda Networks and Amazon Web Services come in — both powering the portal and keeping it safe from attackers — in the spirit of cooperation on which No More Ransom is based.

“I’m blown away by how open and collaborative we’ve been. AWS, for example, hosting it for free, it’s incredible, it’s probably the most targeted website in the world and they’ve said OK, no arguments,” says Samani.

A year on from the launch of No More Ransom, what’s the project’s future? An anniversary update includes more decryption tools and the website translated into even more languages to reflect the global interest in the project and to help users and businesses around the world.

The platform is now available in 26 languages, with the most recent additions Bulgarian, Chinese, Czech, Greek, Hungarian, Indonesian, Malay, Norwegian, Romanian, Swedish, Tamil and Thai.

Ransomware is a major problem and while no one is under any illusion that the project is going to eliminate the problem, those behind it are doing all they can to educate against the dangers of ransomware and provide aid against it.

“We totally accept that this isn’t a panacea; there’s always going to be a lag time between us being able to assist, but we’re trying to make that difference,” says Wilson.

That’s no small task, given ransomware is ever-evolving – and things are likely to get worse before they get better.


Singapore government uncovers lapses in IT systems control

Numerous oversights have been found in how the country’s government agencies managed its IT systems, including unapproved administrative changes and unauthorised access by external vendors.

Numerous lapses have been uncovered over how Singapore government ministries and agencies managed their IT systems, which include unapproved administrative changes and unauthorised third-party access.

These oversights were highlighted by the Auditor-General’s Office (AGO) in its annual audit of government accounts for the fiscal year, ended March 31, 2017. The assessment covered eight areas including procurement and payment, financial controls, IT controls, and contract management. All 16 government ministries, 12 statutory boards, and five government-owned companies were among those audited.

The AGO said it identified weaknesses in IT controls across several public sector entities, some of which were similar to those highlighted in previous audits.

“The lack of attention to these areas observed in some entities is of concern in view of the public sector’s high dependency on IT systems and data for government operations, and the fast-evolving IT security threats,” it noted in its report released Tuesday.

The office added that IT was widely used across Singapore’s public sector to manage financial transactions, engage with citizens and businesses, as well as enhance work productivity. These government bodies also manage large volumes of data containing personal and other sensitive information.

Amidst a landscape where cybersecurity threats were increasing, the AGO underscored the need for Singapore’s public sector to adopt effective measures to safeguard their IT systems and data.

In its report, it noted several lapses in IT controls under the purview of the Central Provident Fund Board (CPFB), Singapore Corporation of Rehabilitative Enterprises (SCORE), the National Parks Board (NParks), and the Ministry of Social and Family Development (MSF).

The CPFB, for example, failed to monitor its IT security systems and unauthorised changes to its databases and systems. During test checks of system logs over three months, the AGO determined that 88.7 percent of changes made by CPFB administrators were not pre-approved. Alert reports generated for review by an IT security monitoring system also were incomplete.

In addition, 14 user accounts were not removed promptly after employees had left the board. Of these, six accounts were used after the staff’s last working day and the identities of those who accessed the accounts could not be determined.

Similar lapses were found at NParks, which did not remove access rights of 104 suspended user accounts after the employees had left the organisations, some as far back as a decade ago.

Over at MSF, which was monitored over 11 months, 595 instances of access by its IT vendor team were found to be inappropriate and should have required further investigation. In fact, 560 instances involved the IT vendor’s use of a privileged system user account–that did not belong to the vendor–to access the MSF systems.

“These violations of IT controls could compromise the confidentiality and integrity of the data in the systems, resulting in leakage of information or corruption of data used for computation of bonuses or subsidies under the schemes [processed by MSF],” the AGO said.

In its response, Singapore’s Ministry of Finance said the government’s “overall system of managing public funds remains sound”, but it acknowledged there was room for improvements as identified by the AGO report, including in IT controls.

“While we recognise it is not possible to completely eliminate individual human lapses, errors or misjudgement, the public service is taking a concerted effort to address the issues identified… Heads of the agencies responsible have reviewed each case and where warranted, appropriate actions have been or will be taken against those responsible,” the ministry said.

In the its audit last year, the AGO rapped the Ministry of Law for not properly monitor and review logs containing activities carried out by external IT vendors, specifically, those involving IPTOBis servers. These systems were used by the law ministry to manage cases pertaining to its insolvency, public trustee, and related regulatory functions. Proper reviews of the activity log would have enabled the ministry to detect any unauthorised system access or change, the AGO said, adding that 44 user accounts temporarily provided to IT vendors had not been removed after these were no longer required.

The AGO report followed a week after the Singapore government unveiled its draft cybersecurity bill, outlining new legislations that would require operators of local critical information infrastructures to take steps to safeguard their systems and swiftly report threats and incidents. Released by the Ministry of Communications and Information (MCI) and Cyber Security Agency (CSA), the proposed new laws also would facilitate information sharing across critical sectors and require selected service providers as well as individuals to be licensed.

Last week, the Government Technology Agency (GovTech) announced that all government employees from July 25 would be able to use only authorised USB storage drives. A pool of portable storage devices that catered to the government’s security requirements would be made available to public servants on a “working need basis”, the government’s CIO office told local media. It added that other tools such as file transfer devices also would be provided to government agencies.

GovTech said: “USB storage devices continue to be a means to introduce malware and exfiltrate data, especially as they have the potential to be easily misplaced.”

The latest move came more than a year after the government said it would restrict internet access amongst its 143,000 public servants, allowing them to access only the intranet and work e-mail via their workstations.

Full online access would only be provided via designated terminals, though, the government employees still would be allowed to browse the web via their own personal mobile devices, which would have no access to work e-mail systems.


Cybercrime and cyberwar: A spotter’s guide to the groups that are out to get you

Security threats can come from a variety of different individuals and groups. Here’s a field guide to the major players.

Cybercriminals are as varied as other internet users: just as the web has allowed businesses to sell and communicate globally, so it has given fraudsters the ability to plunder victims anywhere and set up crime networks that, previously, would have been impossible.

The web has become central to the smooth running of most developed economies, and the types of cybercrime have changed too. While 15 years ago the majority of digital crime was effectively a form of online vandalism, most of today’s internet crime is about getting rich. “Now the focus is almost entirely focused on a some kind of pay-off,” says David Emm, principal security researcher at Kaspersky Lab.

That’s causing significant costs to businesses and consumers. IBM and Ponemon Institute’s 2016 Cost of Data Breach Study found that the average cost of a data breach for the 383 companies participating increased from $3.79m to $4m over 2015: the average cost paid for each lost or stolen record containing sensitive and confidential information increased from $154 in 2015 to $158. All the organisations in the survey had experienced a data breach ranging from 3,000 to 101,500 compromised records, and the majority of the leaks were down to malicious attacks (as with many types of crime, the costs of cleaning up can be vastly higher than the loot that the hackers manage to get away with).

Data breaches aren’t the only costs to business of online criminals: the FBI calculates that CEO email scams — where criminals pose as senior execs and persuade finance managers to transfer huge sums to phoney bank accounts — have hit tens of thousands of companies and cost over $3.1bn since January 2015.

There’s a significant cost to business of protecting against attacks, too: according to analyst firm Gartner, worldwide spending on security products and services will reach $81.6bn (£62.8bn) this year, up eight percent year-on-year thanks to increasingly sophisticated threats and a shortage of cybersecurity professionals.

Most internet crime is motivated by a desire for profit — stealing banking credentials or intellectual property, or via extortion for example. But as online crime has grown it has also evolved — or mutated — into a set of occasionally overlapping groups that pose distinct threats to organisations of different sizes.

These groups have different tools, objectives and specialities, and understanding this can help defend against them.

Disorganised crime
“The bulk of cybercrime is the equivalent of real-world opportunist thieves,” says Emm. These are the crooks you’re most likely to come across, or at least feel the impact of, as an individual — the petty criminals of the online world. They may spew out spam or offer access to a botnet for others to run denial-of-services attacks, or attempt to fool you into an advance-fee scams where the unwary are promised a big payday in return for paying (often a substantial) sum of money up-front.
One big growth area here is ransomware: “The return on investment in the criminal ecosystem is much better if you can get your victims to pay for their own data,” said Jens Monrad, global threat intelligence liaison for FireEye.

Still, basic IT security is often enough to keep this sort of crime at bay: encrypting data, using anti-malware technologies and keeping patching up to date means “you’re going to be in fairly good shape,” according to Kaspersky’s Emm.

Organised crime
“The twenty-first century digital criminal is best characterised as a ruthlessly efficient entrepreneur or CEO, operating in a highly developed and rapidly evolving dark market…they are a CEO without the constraints of regulation or morals,” warned a recent report from KPMG and BT entitled Taking the Offensive.

These groups will have a loose organisation and may utilise many contractors — some expert at developing hacking tools and vulnerabilities, others who will carry out the attack and yet others who will launder the cash. At the centre of the web is a cybercrime boss with the ideas, the targets and the contacts.

These are the groups with the capability to mount attacks on banks, law firms and other big businesses. They might execute CEO frauds, or simply steal vital files and offer to sell them back again (or sell them on to unscrupulous business rivals).

According to European law enforcement agency Europol in its 2015 Internet Organised Crime Threat Assessment, there is now some overlap between the tools and techniques of organised crime and state-sponsored hackers, with “both factions using social engineering and both custom malware and publicly available crimeware”. Organised cybercrime groups are also increasingly performing long-term, targeted attacks instead of indiscriminate scatter-gun campaigns, said the agency.

When nation states use a technique it usually takes around 18 to 24 months for that to filter down to serious and organised crime.

“One of the challenges for the ordinary company is the level of the adversary continues to get more sophisticated because they are able to get access to more of the technologies than they would have been able to do in the past”, said George Quigley, a partner in KPMG’s cyber security division.

And it’s not just the big companies that may be at risk. “You could be forgiven as a small business for thinking ‘I’m not one of those guys, why would somebody want my network?’ — but you are part of somebody’s supply chain,” said Kaspersky’s Emm.

These may be individuals or groups driven by a particular agenda — perhaps a particular issue or a broader campaign. Unlike most cybercriminals, hacktivists aren’t out to make money from their exploits, rather to embarrass an organisation or individual and generate publicity. This means their targets may be different: rather than a company’s accounts system or customer database, they may well want to access embarrassing emails from the CEO or other company officials.

Despite the hype, the threat from cyber terrorism remains low, largely because these groups lack the skills, money and infrastructure to develop and deploy effective cyber weapons, which only the largest nations can hope to build. “Terrorist sympathizers will probably conduct low-level cyber attacks on behalf of terrorist groups and attract attention of the media, which might exaggerate the capabilities and threat posed by these actors,” said US director of national intelligence James Clapper in his assessment of worldwide cyber threats in September last year.

State-backed hackers
While standard criminality accounts for the vast majority of cyber threats, the use of the web by state-sponsored hackers has been widely publicised in recent years. Much of this takes the form of cyber espionage — attempts to steal data on government personnel or on expensive defence projects. Governments will spend millions on developing all-but-undetectable ways of sneaking onto the systems of other nations — or those of defence contractors or critical national infrastructure — and these projects may take years of development.

“Networks that control much of our critical infrastructure  –  including our financial systems and power grids  —  are probed for vulnerabilities by foreign governments and criminals,” warned President Obama last year, blaming Iranian hackers for targeted American banks and North Korea for the attack on Sony Pictures that destroyed data and disabled thousands of computers.

Like hacktivists, state-sponsored groups aren’t usually seeking financial gain. Rather, they are looking to support the policies of their government in some way — by embarrassing another government by revealing secrets, or by gaining a potential strategic advantage, for example.

Worse, nation-state hackers may be interested in creating physical effects by digital means — bringing down a power grid or forcing open the doors of a dam at the wrong time, for example. This is where cybercrime tips over into cyberwarfare.

“The management and operation of critical infrastructure systems will continue to depend on cyber information systems and electronic data. Reliance on the power grid and telecommunications will also continue to increase, as will the number of attack vectors and the attack surface due to the complexity of these systems and higher levels of connectivity due to smart networks. The security of these systems and data is vital to public confidence and safety,” says Europol.

With the emergence of the Internet of Things (IoT) — where everyday objects from thermostats to home security systems — can be controlled online, the risk of well-funded groups attempting to hack into these devices increases. If your organisation is being attacked by state-sponsored groups, keeping them out is likely to be extremely difficult: you should consider how to limit the damage, by segmenting networks and encrypting sensitive data, for example. Concentrating on blocking at the perimeter will not be enough.

Insider threats
With all the focus on external threats, is it possible that companies are forgetting a danger much closer to home?

“There’s been an awful lot more issues being driven from insiders of late. One of the challenges is that when people think cyber they automatically think external,” says KPMG’s Quigley. Confidential company documents stored on shared drives and weak internal controls on who can access data mean that the disgruntled or greedy insider could still be one of the biggest risks to businesses. “They should have insiders much higher on the radar than they do,” Quigley warns.

Blurred lines
In reality there’s a lot of overlap between these groups, in personnel, the tools they use and the targets they choose. “The cyber threat landscape is becoming a much more complicated environment to do attribution or explain attacks,” says FireEye’s Monrad.

However, most breaches start in the same way, says Kaspersky’s Emm: “What they have in common is how they get their initial foothold through tricking individuals into doing something that jeopardises security: click on a link, open an attachment, give out some confidential information.” It’s vital to educate staff and close obvious holes: through to 2020, 99 percent of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year, according to Gartner.

What’s certain is that, as the internet becomes even more essential to our day-to-day lives, the potential for cyber criminals to make money will only increase.


Hackers are using this new attack method to target power companies

Phishing emails, used to steal credentials from critical infrastructure firms, can silently harvest data without even using macros, researchers have warned.

Hackers are targeting energy companies, including those working in nuclear power and other critical infrastructures providers, with a technique that puts a new spin on a tried-and-tested form of cyberattack.

Phishing has long been a successful method of attack, with cybercriminals crafting a legitimate-looking email and sending it to the intended victim along with a malicious attachment. Once executed, it runs code for dropping malware, which can be used for ransomware, stealing data, or another form of attack.

But now attackers can run phishing campaigns without malicious code embedded in an attachment, instead downloading a template file injection over an SMB connection to silently harvest credentials, according to researchers at Talos Intelligence.

While the attack method is currently only used to steal data, researchers warn it could be employed to drop other malware.

It’s the latest in a string of attacks which have exploited SMB flaws — although, unlike Petya or WannaCry, there’s no known relation between this and EternalBlue, the leaked NSA windows exploit which has been used to carry out global ransomware attacks.

Cyberattacks against critical infrastructure are not a new phenomenon, and since May 2017 hackers have been using this new technique to target energy companies around the world, predominately in Europe and the US, with the goal of stealing the credentials of those working in critical infrastructure. It’s not yet known who is behind the attacks or where they’re based.

Like other phishing campaigns, this attack uses emails relevant to the targets as a lure. In this instance, the emails often claim to be environmental reports or a CV, and come with an attached Word document that attempts to harvest data when opened.

Researchers say these documents initially contained no indications of compromise or the malicious macros associated with this sort of campaign. However, the attachments instead look to download a template file from a particular IP address which researchers found, instead of code, contained instructions for a template injection, establishing the connection to an external server over SMB.

However, while the attack is performed by exploiting SMB, the phishing itself is handled over HTTPS, and the user credentials are harvested via Basic Authentication with a prompt for the credentials.

Talos has responded to the attacks by contacting affected customers and ensuring “they were aware of and capable of responding to the threat”.

The researchers also say this threat “illustrates the importance of controlling your network traffic and not allowing outbound protocols such as SMB except where specifically required for your environment”.

However, Talos says it is unable to share all indicators of compromise or who specifically has been targeted due to the “the nature in which we obtained intelligence related to these attacks”.


Singapore firms recognise cybersecurity importance, but not armed for it

Majority of local companies seek expert help in cybersecurity, but 56 percent do not have systems to trigger alerts of unusual activities and 40 percent do not have incident response plans.

The majority of organisations in Singapore recognise the importance of cybersecurity, but fewer are adequately prepared to deal with incidents or have the necessary response plan in place.

Some 91 percent said they sought guidance from cybersecurity experts, but 75 percent did not have dedicated IT security budgets and planning processes, according to a survey released by local security vendor Quann, and jointly conducted with IDC. The study polled 150 senior IT professionals from medium to large companies in Singapore, Hong Kong, and Malaysia. Of this, 57 were from Singapore, while 52 were from Malaysia, and 41 from Hong Kong.

Some 56 percent in Singapore did not have security intelligence systems that could trigger alerts for any unusual activities, and 54 percent did not have a security operations centre or dedicated team to monitor and respond to incidents flagged by systems.

Some 32 percent had security support only during work hours, while 25 percent had this only during the work week. Another 40 percent did not establish any incident response plans in case of cybersecurity attacks and 33 percent required all employees including the CEO to participate in awareness training.

Furthermore, 16 percent would invite executives to board meetings and involve them in risk assessment.

IDC’s Asia-Pacific vice president of IT security practice, Simon Piff, said: “Not all C-suites in Asia are fully conversant with the fundamentals of a robust cybersecurity strategy and the appropriate investments. Cybersecurity investments are akin to military spending–we do it in the hope that we would never have to use the tools.

“They need to understand that this is not a business ROI (returns on investment) with immediate, visible returns. However, the consequences of not taking a proactive approach now could lead to legal disputes, customer dissatisfaction, and even loss of jobs and careers at all levels in the organisation,” Piff said.

Quann’s managing director Foo Siang-tse added that many companies, despite the obvious threats, were not investing enough in IT security, leaving them vulnerable. “The recent WannaCry and Petya ransomware incidents are just the tip of the iceberg. Companies need to recognise that having a comprehensive security plan, comprising detection systems, robust processes, and equipped individuals are critical in enabling them to detect threats early and mitigate their impact,” Foo said.


Linux malware: Leak exposes CIA’s OutlawCountry hacking toolkit

OutlawCountry malware sends traffic from Linux machines to the CIA’s servers.

WikiLeaks’ latest Vault7 release of leaked CIA documents detailing its hacking tools reveals malware called OutlawCountry that targets Linux systems.

OutlawCountry is described in documents dated June 4, 2015 as a kernel module for Linux 2.6 that allows CIA operators to redirect outbound traffic to a server they control by creating an hidden netfilter or iptables table. Netfilter is a packet-filtering framework within the Linux kernel’s networking stack.

OutlawCountry creates a hidden netfilter table with an “obscure name”, which the operator can use to create new rules that override existing netfilter rules. The new rules can only be seen by an admin if the table name is known, which, according to the documents, is ‘dpxvke8h18’.

The malware is designed for Red Hat Enterprise Linux 6.x and CentOS 6.x systems with the 6.4-bit 2.6.32 version of the Linux kernel. However, the operator needs to have already compromised the target to load a malicious module and must have gained root privileges to operate the malware.

WikiLeaks notes that an “operator will have to rely on the available CIA exploits and backdoors to inject the kernel module into a target operating system”.

RedHat’s advisory for OutlawCountry describes the command to use to determine if the CIA’s kernel module has been loaded.

WikiLeaks dumped over 8,000 CIA documents when it launched Vault 7 in March and has released several documents a month detailing specific CIA malware programs.

OutlawCountry is the 14th malware program detailed in the series. Earlier this month it released details of ‘Elsa’ for tracking the location of Windows PCs, ‘Brutal Kangaroo’ for hopping across air-gapped networks via an infected USB stick, the ‘CherryBlossom’ router malware, and ‘Pandemic’, which targeted Windows file-sharing.


FedEx’s TNT Express deliveries disrupted by virus attack

TNT Express deliveries hit by virus attack at the same time as the Petya ransomware is causing problems around the globe.

FedEx’s delivery subsidiary TNT Express has warned that its systems have been significantly affected by a computer virus.

The company said in a note on its website: “Like many other companies and institutions around the world, we are experiencing interference with some of our systems within the TNT network,” which has lead to speculation that the problems were linked to the Petya ransomware which has been infecting PCs globally.

FedEx briefly halted trading in its shares for almost an hour yesterday as it announced its operations at its European subsidiary TNT Express operations had been “significantly affected” by a computer virus. FedEx warned investors that the disruption could have a material impact on its finances.

The notification came amid the Petya file-encrypting malware outbreak, which hammered Windows systems in the Ukraine, but also caused infections in 63 other countries.

“While TNT Express operations and communications systems have been disrupted, no data breach is known to have occurred,” the firm said.

No other FedEx business was affected by the attack. TNT Express’s domestic and regional network services were “largely operational, but slowed”, it said, with delays in TNT Express’s inter-continental services. FedEx Express services were deployed as alternatives.

A message still on TNT’s website today notes that it had to suspend myTNT online services due to the attack.

“We are implementing remediation steps as quickly as possible to support customers who experience limited interruption in pick-up and delivery operations and tracking systems access.”

The company hasn’t provided further updates.

As more details emerge about the Petya/NotPetya malware, several security researchers have concluded the attack was not intended to make money but rather to destroy infected computers, making this an example of so-called wiper malware, such as Shamoon.

“If this well engineered and highly crafted worm was meant to generate revenue, this payment pipeline was possibly the worst of all options,” wrote operational security expert, the Gruqq.

“This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of ‘ransomware’.”

Researchers at Kaspersky found that the malware’s unique installation ID, which would normally be used by the attacker to generate a recovery key for each infection, was just random data.

“That means that the attacker cannot extract any decryption information from such a randomly generated string displayed on the victim, and as a result, the victims will not be able to decrypt any of the encrypted disks using the installation ID,” Kaspersky researchers wrote.


System Requirements

Both OsMonitor Server and Client can work on Windows XP, Windows Server 2003/08/12/2016, Windows 7, Windows 8/8.1, Windows 10. Include 32 bit and 64 bit.

Customer Review

We are now using your monitoring software, OsMonitor. It is a great software, we are able to block non-business website, monitor activities of our users, website visited and even snap shots. Majority of our need is provided by your software.