All posts by Keumars Afifi-Sabet

Teams unveils Walkie Talkie and off-shift access controls in frontline workers push


Keumars Afifi-Sabet

10 Jan, 2020

Microsoft has unveiled a set of new features for its flagship Teams platform to appeal to what the company calls “firstline workers” in industries like medicine, retail and manufacturing.

Over the course of 2020, the major Slack rival will introduce a suite of tools, including features like an in-app walkie-talkie, shared device sign-out and off-shift access controls for IT administrators.

The news marks the company’s second major push around ramping up functionality for frontline workers, hinting that Microsoft is aggressively trying to fill what it sees as a gap in the market.

Microsoft had previously revealed simple sign-in for Microsoft 365 and Teams at its Ignite conference in November. The previously announced SMS sign-in tool would allow frontline workers to log onto Teams using an SMS authentication code obtained by entering their phone number.
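The SMS sign-in described above is, at its core, a one-time-code exchange: the service issues a short code to a phone number and the user types it back. The following is an added example, not Microsoft’s code, of the controls a practitioner expects on the verifying side: a CSPRNG-generated code, a short lifetime, a guess limit, single use and a constant-time comparison. The code length, lifetime and attempt cap are assumed illustrative values, and the SMS gateway is a callback so the block runs offline.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for illustration (not Microsoft's): 6 digits,
# a 5-minute lifetime and at most 3 guesses per issued code.
CODE_DIGITS = 6
CODE_TTL_SECONDS = 300
MAX_ATTEMPTS = 3


@dataclass
class IssuedCode:
    code: str
    issued_at: float
    attempts: int = 0


class SmsSignIn:
    """Issue and verify one-time sign-in codes sent to a phone number.

    send_sms(phone, text) stands in for an SMS gateway; clock() lets the
    demo control time deterministically.
    """

    def __init__(self, send_sms, clock=time.time):
        self._send = send_sms
        self._clock = clock
        self._pending: dict[str, IssuedCode] = {}

    def request_code(self, phone: str) -> None:
        # secrets draws from the OS CSPRNG; random.randint would be guessable.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        # A new request replaces any earlier code: one live code per number.
        self._pending[phone] = IssuedCode(code=code, issued_at=self._clock())
        self._send(phone, f"Your sign-in code is {code}")

    def verify(self, phone: str, submitted: str) -> bool:
        entry = self._pending.get(phone)
        if entry is None:
            return False
        if self._clock() - entry.issued_at > CODE_TTL_SECONDS:
            del self._pending[phone]  # expired: the user must request a new one
            return False
        entry.attempts += 1
        # Constant-time compare so timing does not reveal matching prefixes.
        if hmac.compare_digest(entry.code, submitted):
            del self._pending[phone]  # single use: a replay must fail
            return True
        if entry.attempts >= MAX_ATTEMPTS:
            del self._pending[phone]  # too many guesses: invalidate this code
        return False


def _wrong_guess(code: str) -> str:
    """A guess guaranteed to differ from the issued code."""
    return "000000" if code != "000000" else "111111"


def demo() -> dict:
    """Exercise the flow with a fake SMS outbox and a controllable clock."""
    outbox = []
    now = [1_000_000.0]
    svc = SmsSignIn(send_sms=lambda phone, text: outbox.append((phone, text)),
                    clock=lambda: now[0])
    phone = "+15555550100"  # constructed number

    svc.request_code(phone)
    code = outbox[-1][1].split()[-1]
    wrong_then_right = (svc.verify(phone, _wrong_guess(code)) is False
                        and svc.verify(phone, code) is True)
    replay_rejected = svc.verify(phone, code) is False

    svc.request_code(phone)
    code = outbox[-1][1].split()[-1]
    now[0] += CODE_TTL_SECONDS + 1
    expired_rejected = svc.verify(phone, code) is False

    svc.request_code(phone)
    code = outbox[-1][1].split()[-1]
    for _ in range(MAX_ATTEMPTS):
        svc.verify(phone, _wrong_guess(code))
    locked_after_guesses = svc.verify(phone, code) is False

    return {"wrong_then_right": wrong_then_right,
            "replay_rejected": replay_rejected,
            "expired_rejected": expired_rejected,
            "locked_after_guesses": locked_after_guesses}


if __name__ == "__main__":
    print(demo())
```

The guess limit matters more for SMS codes than for passwords: a six-digit code has only a million possibilities, so without a cap and a short lifetime an online guessing attack is feasible. Rate limiting of code requests per number (to stop SMS flooding) would sit in front of this class in a real deployment.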

Companies in the retail industry, in particular, with high staff turnover, could be the main beneficiaries from this feature, as well as from new tools like off-shift access controls and shared device sign-out.

“Companies at the forefront of digital transformation recognize how critical it is to enable all of their people with the right technology and tools,” said Microsoft’s corporate vice president of modern workplace verticals Emma Williams.

“That’s why, in industries like retail, hospitality, and manufacturing, there’s a movement underway to digitally empower the Firstline Workforce – the more than two billion people worldwide who work in service- or task-oriented roles.

“Giving Firstline Workers the tools they need requires companies to address unique user experience, security and compliance, and IT management.”

Allowing workers to sign in using SMS, for instance, would allow IT departments to avoid the need to set up fully-fledged user accounts for individuals who may not stay in the job for very long.

One of the most eye-catching new features, the walkie-talkie tool, is aimed at supplanting the need to buy additional equipment like radios, with workers able to conduct voice conversations over Wi-Fi and mobile data.

Microsoft sees this walkie-talkie feature as a means to help companies ditch “analog devices with unsecure networks”, with workers no longer having to worry about crosstalk or eavesdropping from third-parties.

Principal analyst for digital workplace at CCS Insight, Angela Ashenden, said frontline workers have become a growing area of focus for Microsoft, with this segment of the workforce historically unserved with any apps or tools.

“We’ve seen Microsoft target this group already with its collaboration solution Teams,” she said. “And with its mixed reality applications as part of Dynamics 365, and we’re now starting to see these two worlds coming together as the company focuses on key verticals like retail.”

“Today’s announcements of a new push-to-talk, walkie talkie feature in Teams will be hugely valuable for retail businesses, and SMS sign-in helps address the challenge of the high-turnover storefront workforce who aren’t always given an email address to use to sign in with (this is a feature we’ve also seen Workplace by Facebook roll out).”

The use of off-shift access controls, similarly, gives IT admins the capacity to limit worker access to the app on personal devices outside of working hours. This would ensure employees are not working longer hours than they’re supposed to and helps employers comply with employment regulations.

While these features don’t have fixed release dates, Microsoft has given broad estimates ranging from later this quarter to the first half of the year. All capabilities are expected to have been released by the middle of 2020 or earlier.

Mozilla fixes Firefox zero-day being actively exploited


Keumars Afifi-Sabet

9 Jan, 2020

Mozilla has patched a critical flaw in its Firefox browser that’s being actively exploited by criminals in targeted attacks.

The critical vulnerability, tracked as CVE-2019-17026, allows an attacker to seize control of an affected computer through a mechanism that leads to ‘type confusion’, according to an advisory released by Mozilla.

The company confirmed that the critical flaw, which has now been patched, affects users running version 72.0.1 of Firefox and version 68.4.1 of Firefox ESR. The developer added that it’s “aware of targeted attacks in the wild abusing this flaw”.

The severity of the flaw is such that the US Cyber Security and Infrastructure Agency has issued a separate warning urging Firefox users to apply the necessary updates.

The attack works by causing ‘type confusion’, a potentially critical error in which code handles an object as though it were of a different type, which can lead to data being read from or written to memory locations that are normally out of bounds. When triggered while the browser is manipulating JavaScript objects, this can produce an exploitable crash.

It’s the second time within seven months that Firefox has sustained a critical zero-day vulnerability being actively exploited in the wild.

A previous flaw, discovered in June 2019, gave attackers the tools to execute arbitrary code on vulnerable machines and in some cases take over users’ devices remotely.

The latest emergency fix follows a round of 11 CVE-rated bug fixes Mozilla has issued, five of which were rated ‘high’ and four rated ‘medium’. Among these highly-rated issues were memory safety bugs in Firefox 72, another type confusion issue, and a memory corruption flaw.

The second major security scare within a matter of months is a blow to a developer trying to forge a fresh identity for Firefox as a privacy-centric web browser. Mozilla has teased and rolled out a suite of changes to how Firefox functions in the last year, including tools like a virtual private network (VPN).

In September last year, Mozilla also instigated a change in Firefox that would block known third-party tracking cookies and cryptocurrency mining by default as part of its Enhanced Tracking Protection (ETP).

Travelex disruption caused by devastating ransomware attack


Keumars Afifi-Sabet

8 Jan, 2020

The foreign exchange company Travelex has confirmed that the ongoing disruption to its services, which started on New Year’s Eve, is being caused by a successful ransomware attack.

The outage, which has lasted more than a week, has caused chaos for customers and partners alike who rely on these systems to conduct transactions.

Travelex had previously pinned the disruption on a “software virus”, in a statement released three days after the attack. The firm confirmed in an updated statement, however, that the incident was indeed caused by a ransomware attack.

Additional reports suggest the perpetrators are demanding millions of dollars in exchange for the return of customer data.

Travelex first detected that a virus had compromised its services on 31 December and took all of its systems offline as a precaution to prevent the malware from spreading across its network any further.

Following days of speculation and media reports, the firm has finally confirmed the “software virus” that hit its systems was the ransomware known as REvil, also referred to as Sodinokibi.

The attack was a success, and the group behind the attack has demanded a ransom to the tune of $6 million (approximately £4.6 million), according to BBC News.

The attackers also claim they have taken approximately 5GB of customer data, and will only return this should the ransom be paid in full. This data is claimed to comprise dates of birth, national insurance numbers as well as credit card information.

The company says it’s taken steps to contain the spread of the ransomware, suggesting that although there has been some encryption, there remains no evidence that any customer data has been compromised.

Travelex also added in a statement that while it does not have a complete picture of all the data that has been encrypted, “there is still no evidence to date any data has been exfiltrated”.

These conflicting reports could suggest the attackers may be bluffing in claiming to have downloaded a cache of customer data. Many less well-resourced firms unable to conduct thorough assessments in the wake of such attacks, however, may deem these ‘bluffs’ as too risky to ignore, and pay any ransom demanded to secure safe return regardless.

“Our focus is on communicating directly with our partners and customers to protect them and their information from any further compromise,” said Travelex chief executive Tony D’Souza.

“We take very seriously our responsibility to protect the privacy and security of our partner and customers’ data as well as provide an excellent service to our customers and we sincerely apologise for the inconvenience caused.

“Travelex continues to offer services to its customers on a manual basis and is continuing to provide alternative customer solutions in the interim.”

A forensic analysis of the incident is underway, and the firm is working to fully recover its systems. Some internal systems have been restored, but disruption still remains on the customer and partner-facing side. This is reportedly affecting services of other firms such as HSBC and Tesco Bank.

Travelex says it’s in discussions with the National Crime Agency (NCA) and the Metropolitan Police, who are each conducting their own investigations into the breach.

There’s doubt as to whether Travelex has approached the Information Commissioner’s Office (ICO), however, despite the potential for data theft. The incident could constitute a violation of the General Data Protection Regulation (GDPR), should the attackers’ claims to have made away with customer data prove to be true.

“Organisations must notify the ICO within 72 hours of becoming aware of a personal data breach unless it does not pose a risk to people’s rights and freedoms,” an ICO spokesperson said.

“If an organisation decides that a breach doesn’t need to be reported they should keep their own record of it, and be able to explain why it wasn’t reported if necessary.”

Principal security consultant and head of penetration testing at Bridewell Consulting, James Smith, told IT Pro that Travelex has handled the initial fallout badly. The company should also learn from this incident, as well as past incidents, and build these lessons into a proper cyber resilience plan.

“Transparency is key in maintaining customer trust, especially for firms like Travelex in the financial services industry,” Smith said.

“Travelex has taken a long time to inform customers about what’s taken place, and placing a press statement on the website days after the event simply isn’t enough.

“Financial services firms like Travelex have a responsibility to their customers to keep them informed even if no data has been lost. This is especially important in light of the 2018 breach the company suffered in which the personal details of 17,000 customers were exposed.”

Ransomware is highly common, blighting countless businesses every year.

Many companies and professionals, meanwhile, believe that paying the ransom is often a cheaper and simpler way to secure data and restore systems.

A Canadian laboratory, for example, was advised in late 2019 to pay hackers in order to retrieve 85,000 stolen data records, despite this action being against the general consensus among security experts.

Asked whether Travelex should pay the ransom, Smith added there is a debate to be had, but the negatives always outweigh the positives.

“If you pay, in theory, you regain access to your data and systems and business can continue. However, there’s no guarantee you’ll actually get access restored.

“There’s also no guarantee that the data hasn’t been stolen already, before it was encrypted. This is happening more and more in the industry and the likelihood that the data will be sold or stored by the hacker is great.

“Then, of course, there are the wider ethical considerations about paying attackers who could use the money to fund other criminal enterprises.

“If organisations have the right plans in place, such as replicating their data, having off-site backups and segregated networks, for example, the likelihood of having to answer the ‘pay or not pay’ question is greatly reduced.”

XSS the most widely-used attack method of 2019


Keumars Afifi-Sabet

23 Dec, 2019

The most widely-used cyber attack method used to breach large companies in 2019 was cross-site scripting (XSS), according to research. 

The hacking technique, in which cyber criminals inject malicious scripts into trusted websites, was used in 39% of cyber incidents this year.
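The injection the paragraph describes happens when untrusted input is written into a page without being encoded for the position it lands in. The block below is an added example (not from the report or the article) showing a reflected search result rendered four ways, and using Python’s own HTML tokeniser to show what a browser would see: whether the probe becomes a live `<script>` tag, or whether it smuggles extra attributes into a tag. The probe strings, the renderers and the page fragment are all constructed for the demonstration.

```python
import html
from html.parser import HTMLParser

# Constructed probe inputs of the kind a tester submits to a search box.
# Nothing here executes script; we only inspect the generated markup.
TEXT_PROBE = "<script>alert(1)</script>"
ATTR_PROBE = "x onfocus=alert(1) autofocus"


def render_vulnerable(term: str) -> str:
    """Reflect the user's term into the page verbatim: the XSS pattern."""
    return f"<p>Results for: {term}</p>"


def render_text_safe(term: str) -> str:
    """Encode for the HTML text context before interpolating."""
    return f"<p>Results for: {html.escape(term)}</p>"


def render_attr_unquoted(term: str) -> str:
    """Encoded, but placed in an UNQUOTED attribute. < > & " ' are gone,
    yet whitespace still terminates the value, so extra attributes slip in."""
    return f"<input name=q value={html.escape(term)}>"


def render_attr_quoted(term: str) -> str:
    """Encoded (including quotes) and wrapped in double quotes: the value
    cannot end the attribute, so the probe stays inert text."""
    return f'<input name="q" value="{html.escape(term, quote=True)}">'


class _Collector(HTMLParser):
    """Record the start tags and attribute names a tokeniser produces."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []
        self.attrs: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)


def tokenise(markup: str) -> tuple[list[str], list[str]]:
    """Return (start tags, attribute names) as the stdlib parser sees them."""
    p = _Collector()
    p.feed(markup)
    p.close()
    return p.tags, p.attrs


def report() -> dict:
    """Summarise, per renderer, whether the probe survived as markup."""
    return {
        "vulnerable_text": "script" in tokenise(render_vulnerable(TEXT_PROBE))[0],
        "safe_text": "script" in tokenise(render_text_safe(TEXT_PROBE))[0],
        "unquoted_attr": "onfocus" in tokenise(render_attr_unquoted(ATTR_PROBE))[1],
        "quoted_attr": "onfocus" in tokenise(render_attr_quoted(ATTR_PROBE))[1],
    }


if __name__ == "__main__":
    for name, leaked in report().items():
        print(f"{name:15s} probe became live markup: {leaked}")
```

The point of the two attribute renderers is that encoding is only correct for a specific context: `html.escape` is the right call for text and for quoted attributes, but it does nothing against an unquoted attribute, and it is the wrong tool entirely for a JavaScript or URL context. A template engine with auto-escaping, plus a Content-Security-Policy that forbids inline script, closes the same gap more systematically than hand-placed escaping.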

This was followed by SQL injection and fuzzing, which were used in 14% and 8% of incidents respectively. Other widely-used methods include information gathering and business logic attacks, although both were used in less than 7% of incidents.

With 75% of large companies targeted over the last 12 months, the report by Precise Security also revealed the key motivation behind cyber crime has been the opportunity for hackers to learn.

Almost 60% of hackers conducted cyber attacks in 2019 because it presents a challenge. Other prominent reasons for hacking a company’s systems include testing the security team’s responsiveness and winning the minimum bug bounty offered. ‘Recognition’ ranked sixth in the list of motivations, and was cited by just 25% of hackers. Bizarrely, 40% also said that they preferred to target companies that they liked.

Digging into industry-specific insights, additional research published this month also revealed the most prominent attack method faced by sectors within the UK economy.

The most prevalent hacking technique in the business, finance and legal sectors, for example, was macro malware embedded into documents, according to statistics compiled by Specops Software. 

Retail and hospitality firms, meanwhile, suffered mostly from burrowing malware, present in 51% of attacks, as did governmental organisations, registering 37% of incidents.

The healthcare industry was susceptible mostly to man-in-the-middle attacks, in which communications between two computer systems are intercepted by a third-party. 

Distributed denial of service (DDoS) attacks were the most common form of attack faced by the technical services industry, with 58% of incidents using this method.

As for how these attacks are conducted specifically, the Precise Security report showed that 72% of platforms used as a springboard for cyber crime are websites. WordPress, for example, is a prime target due to its massive user base, with 90% of hacked CMS sites in 2018 powered by the blogging platform.

Application programming interfaces (APIs) were the second-most targeted platforms in 2019, being at the heart of 6.8% of incidents, with statistics showing Android smartphones are usually involved in such attacks.

Google Transfer Service launched for those handling enormous data migrations


Keumars Afifi-Sabet

13 Dec, 2019

Google Cloud Platform (GCP) has developed a software service to help organisations handle massive data transfers between on-premise locations and the cloud faster and more efficiently than existing tools.

The tool has been designed for organisations that need to undergo large-scale data transfers in the region of billions of files, or petabytes of data, from physical sites to Google Cloud storage in one fell swoop.

GCP’s Transfer Service for on-premises data, released in beta, is also a product that allows businesses to move files without needing to write their own transfer software or invest in a paid-for transfer platform.

Google claims custom software options can be unreliable, slow and insecure as well as being difficult to maintain.

Businesses can use the service by installing a Docker container, with an agent for Linux, on data centre computers, before the service co-ordinates the agents to transfer data safely to GCP storage.

The system makes the transfer process more efficient by validating the integrity of the data in real time as it gradually shifts to the cloud, with each agent using as much bandwidth as is available to reduce transfer times.

The data transfer service is a larger-scale version of tools such as gsutil, a cloud transfer service also developed by Google, which is unable to cope with the scale of data that Transfer Service has been designed to handle.

The firm has recommended that only businesses with a network speed faster than 300Mbps use its Transfer Service, with gsutil sufficing for those with slower speeds.

Customers also need a Docker-supported 64-bit Linux server or virtual machine that can access the data to be transferred, as well as a POSIX (Portable Operating System Interface)-compliant source.

The product is aimed squarely at enterprise users, and comes several weeks after the company announced a set of migration partnerships aimed at customers running workloads with the likes of SAP, VMware and Microsoft.

This exploit could give users free Windows 7 updates beyond 2020


Keumars Afifi-Sabet

10 Dec, 2019

Members of an online forum have developed a tool that could be used to bypass eligibility checks for Windows 7 extended support and receive free updates after the OS reaches end-of-life.

Only a handful of Windows 7 users can continue to receive updates from Microsoft through its paid-for Extended Support Updates (ESU) programme after 14 January, through to January 2023.

This scheme was first introduced for enterprise customers in August and later extended to SMB users after Microsoft identified “challenges in today’s economy”.

The ESU programme is not available to all businesses, however. Users on tech support platform My Digital Life have therefore developed a prototype tool that could theoretically allow ineligible businesses to continue to receive free updates beyond 14 January.

Before ESU patches are beamed to eligible machines, Windows 7 performs a check to determine whether or not users can receive these updates. This involves the installation and activation of an ESU license key. The created tool bypasses this eligibility check, which is only performed during installation, so users would, in theory, continue to receive Windows 7 updates for free through the ESU scheme without paying an ESU subscription.

The bypass was tested on the Windows 7 update KB4528069, a dummy update which was issued to users in November so they could verify whether or not they were eligible for extended support after 14 January.

Although the tool has worked on the test patch, its creators urged My Digital Life forum members to consider this as a prototype, and not a fully-fledged workaround, as things may change by February 2020.

Microsoft will be keen to ensure there aren’t any ways to undermine the ESU scheme once Windows 7 reaches end-of-life due to the sums it’s charging eligible businesses, and an ultimate desire to shift machines to Windows 10.

The firm is likely to change the way the eligibility check is performed given how simple it’s been proven to bypass.

It’s certainly not a tool that Microsoft is likely to condone, but it does demonstrate the extent to which Windows 7 is still popular as users are trying to retain undisrupted access to the legacy OS.

Businesses have just weeks to upgrade their devices running Windows 7 and Windows XP or face restrictions on accessing critical security updates.

Microsoft launches Office 365 phishing campaign tracker


Keumars Afifi-Sabet

10 Dec, 2019

Microsoft has devised a phishing campaign dashboard for its Office 365 Advanced Threat Protection (ATP) module to give customers a broader overview of phishing threats beyond just individual attacks.

The newly-announced ‘campaign views’ tool provides additional context and visibility around phishing campaigns. This aims to give businesses under constant threat from phishing attempts a fuller story of how attackers came to target an organisation, and how well attempts were resisted. 

Security teams with access to the dashboard can see summary details about a broader campaign, including when it started, any activity patterns and a timeline, as well as how far-reaching the campaign was and how many victims it claimed. 

The ‘campaign views’ tool also provides a list of IP addresses and senders used to orchestrate the attack, as well as the URLs used in the attack. Moreover, security staff will be able to assess which messages were blocked, delivered to junk or quarantine, or allowed into an inbox.
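The dashboard summary described here (start time, timeline, senders, IPs, URLs and a per-message verdict) is what you get when individual gateway records are grouped by the template they share rather than inspected one by one. The following is an added example, not Microsoft’s implementation, of that grouping over a handful of constructed gateway records: messages are clustered by a normalised subject plus the host of the embedded URL, and each cluster is summarised the way a campaign view would present it. The record format, the field names and the clustering key are assumptions for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from urllib.parse import urlsplit

# Constructed gateway records (RFC 5737 addresses, .example domains), not real traffic.
# "action" is the gateway verdict: blocked, junk or delivered (to the inbox).
RECORDS = [
    {"ts": "2019-12-09T08:01:00", "from": "billing@invoice-alerts.example",
     "ip": "203.0.113.10", "subject": "Invoice #48213 overdue",
     "url": "http://login-portal.example/o365?u=1", "to": "alice@corp.example",
     "action": "blocked"},
    {"ts": "2019-12-09T08:04:00", "from": "accounts@invoice-alerts.example",
     "ip": "203.0.113.10", "subject": "Invoice #48977 overdue",
     "url": "http://login-portal.example/o365?u=2", "to": "bob@corp.example",
     "action": "junk"},
    {"ts": "2019-12-09T09:30:00", "from": "ar@pay-notice.example",
     "ip": "198.51.100.7", "subject": "Invoice #51002 overdue",
     "url": "http://login-portal.example/o365?u=3", "to": "carol@corp.example",
     "action": "delivered"},
    {"ts": "2019-12-10T14:00:00", "from": "voicemail@pbx-notify.example",
     "ip": "198.51.100.22", "subject": "New voicemail (0:42)",
     "url": "http://vm-play.example/listen?id=77", "to": "alice@corp.example",
     "action": "delivered"},
    {"ts": "2019-12-10T14:02:00", "from": "voicemail@pbx-notify.example",
     "ip": "198.51.100.22", "subject": "New voicemail (1:05)",
     "url": "http://vm-play.example/listen?id=78", "to": "dave@corp.example",
     "action": "delivered"},
    {"ts": "2019-12-10T14:05:00", "from": "voicemail@pbx-notify.example",
     "ip": "198.51.100.22", "subject": "New voicemail (0:12)",
     "url": "http://vm-play.example/listen?id=79", "to": "eve@corp.example",
     "action": "delivered"},
]


def template_key(rec: dict) -> tuple[str, str]:
    """Collapse per-message variation (invoice numbers, durations, tracking
    parameters) into the parts attackers reuse: subject shape and URL host."""
    subject = re.sub(r"\d+", "#", rec["subject"]).lower().strip()
    host = urlsplit(rec["url"]).hostname or ""
    return subject, host


def build_campaigns(records: list[dict]) -> dict:
    """Group records by template and summarise each group as a campaign."""
    groups = defaultdict(list)
    for rec in records:
        groups[template_key(rec)].append(rec)

    campaigns = {}
    for key, msgs in groups.items():
        times = sorted(datetime.fromisoformat(m["ts"]) for m in msgs)
        campaigns[key] = {
            "messages": len(msgs),
            "first_seen": times[0].isoformat(),
            "last_seen": times[-1].isoformat(),
            "senders": sorted({m["from"] for m in msgs}),
            "sender_ips": sorted({m["ip"] for m in msgs}),
            "recipients": sorted({m["to"] for m in msgs}),
            "actions": dict(Counter(m["action"] for m in msgs)),
            # Users whose mailbox the lure reached (inbox or junk): the follow-up list.
            "reached_users": sorted({m["to"] for m in msgs
                                     if m["action"] in ("delivered", "junk")}),
        }
    return campaigns


def most_exposed_campaign(campaigns: dict) -> tuple[str, str]:
    """Rank by distinct users reached, then by volume, to pick what to triage first."""
    return max(campaigns, key=lambda k: (len(campaigns[k]["reached_users"]),
                                         campaigns[k]["messages"]))


if __name__ == "__main__":
    for key, summary in build_campaigns(RECORDS).items():
        print(key, summary)
    print("triage first:", most_exposed_campaign(build_campaigns(RECORDS)))
```

The key used here is deliberately crude; a production system would also link messages through shared sender infrastructure and URL patterns, so that a campaign that rotates subject lines is still seen as one. The useful output is not the count but the `reached_users` list, which tells the security team exactly who to contact and whose credentials to watch.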

“It’s no secret that most cyberattacks are initiated over an email. But it’s not just one email – it’s typically a swarm of email designed to maximize the impact of the attack,” said Microsoft group program manager with Office 365 security Girish Chander. 

“The common pattern or template across these waves of email defines their attack ‘campaign’, and attackers are getting better and better at morphing attacks quickly to evade detection and prevention. 

“Being able to spot the forest for the trees – or in this case the entire email campaign over individual messages – is critical to ensuring comprehensive protection for the organization and users as it allows security teams to spot weaknesses in defenses quicker, identify vulnerable users and take remediation steps faster, and harvest attacker intelligence to track and thwart future attacks.”

Office 365’s ATP tool is an email filtering system that safeguards an organisation against malicious threats posed by email messages, links and any collaboration tools.

With the additional information at hand, Microsoft is hoping that security teams within organisations can more effectively help compromised users, and improve the overall security setup by eliminating any configuration flaws. 

Related campaigns to those targeting the organisation can also be investigated, and the teams can help hunt down threats that use the same indicators of compromise.

The ‘campaign views’ dashboards are available to customers with a suite of Office 365 plans including ATP Plan 2, Office 365 E5, Microsoft 365 E5 Security, and Microsoft 365 E5.

These new features have started rolling out into public preview, with Microsoft suggesting the features are expected to be available more generally over the next few days and weeks.

Surge in multi-cloud adoption reveals wider challenges


Keumars Afifi-Sabet

20 Nov, 2019

Although most businesses have adopted a multi-cloud strategy, there are significant challenges in the way these are being implemented, including security and a lack of expertise.

The adoption of multi-cloud approaches is on the rise, with the majority of companies across the world, approximately two-thirds, having deployed enterprise applications on two or more public clouds, according to findings by the Business Performance Innovation (BPI) Network, in partnership with A10 Networks.

Meanwhile, 84% of companies expect to increase their reliance on public or private clouds over the next two years.

The growth in multi-cloud adoption, however, has led to a rise in significant challenges facing businesses. Ensuring security across all clouds, networks, applications and data, for example, is the biggest concern for businesses.

This crucial challenge is followed by the need to acquire the necessary skills and expertise, as well as dealing with increased complexity in managing cloud environments. There’s also a key challenge in achieving centralised visibility and management across cloud portfolios.

“Multi-cloud is the de facto new standard for today’s software- and data-driven enterprise,” said the head of thought leadership and research for the BPI Network, Dave Murray.

“However, our study makes clear that IT and business leaders are struggling with how to reassert the same levels of management, security, visibility and control that existed in past IT models.

“Particularly in security, our respondents are currently assessing and mapping the platforms, solutions and policies they will need to realise the benefits and reduce the risks associated with their multi-cloud environments.”

To highlight the scale of the challenge businesses face, just 11% of respondents suggested their companies have been ‘highly successful’ in realising the benefits of multi-cloud, despite a significant increase in adoption in recent years.

To improve on this, businesses say they would prioritise centralised visibility and analytics embedded into security and performance tooling, as well as automated tools to speed response times and reduce costs.

Other aspects needed include a centralised management portal from a single point of control and greater security scale and performance to handle increased traffic.

The individual tools businesses require include centralised authentication, centralised security policies, web application firewalls, and protection against DDoS attacks.

“The BPI Network survey underscores a critical desire and requirement for companies to reevaluate their security platforms and architectures in light of multi-cloud proliferation,” said vice president of worldwide marketing at A10 Networks, Gunter Reiss.

“The rise of 5G-enabled edge clouds is expected to be another driver for multi-cloud adoption. A10 believes enterprises must begin to deploy robust Polynimbus security and application delivery models that advance centralised visibility and management and deliver greater security automation across clouds, networks, applications and data.”

Firefox scraps extension sideloading over malware fears


Keumars Afifi-Sabet

1 Nov, 2019

Support for sideloaded extensions in the Firefox browser will be discontinued from next year following concerns that the function could be exploited to install malware onto devices.

Sideloading is a method of installing a browser extension that adds the file to a specific location on a user’s machine through an executable application installer. These are different from conventional add-ons, which are assigned to profiles, and are also available to download outside official Firefox channels.

From 11 February 2020, the Firefox browser will continue to read sideloaded files, but will copy these over to a user’s individual profile and install them as regular add-ons. Then from 10 March, sideloaded extensions will be phased out entirely.

Mozilla argues that for some users it’s difficult to remove sideloaded extensions completely, as these cannot be fully removed from Firefox’s Add-ons Manager. This has also proved a popular method of installing malware, the firm said.

“Sideloaded extensions frequently cause issues for users since they did not explicitly choose to install them and are unable to remove them from the Add-ons Manager,” said Firefox’s add-ons community manager Caitlin Neiman.

“This mechanism has also been employed in the past to install malware into Firefox. To give users more control over their extensions, support for sideloaded extensions will be discontinued.”

The transition period between February and March has been put in place to ensure that no pre-installed sideloaded extensions will be lost from users’ profiles, given they will have been copied over as conventional add-ons.

Developers have also been urged to update install flows, and direct users to download extensions through either their own web pages or the Firefox Add-Ons hub.

One prominent example of malware installed via side-loading, albeit not on Firefox itself, was a Pokemon Go clone released in 2016 that allowed cyber criminals to gain full control of victims’ smartphones.

Before Pokemon Go was available in Europe, the cyber criminals publicised a non-official version of the app that could be downloaded from sources beyond the Google Play Store.

Businesses stung by highly convincing Office 365 voicemail scam


Keumars Afifi-Sabet

31 Oct, 2019

Cyber criminals are stealing the login credentials of Microsoft Office 365 users using a phishing campaign that tricks victims into believing they’ve been left voicemail messages.

In the last few weeks, there’s been a surge in the number of employees being sent malicious emails that allege they have a missed call and voicemail message, along with a request to log in to their Microsoft accounts.

The phishing emails also contain an HTML file, which varies slightly from victim to victim, but the most recent messages observed include a genuine audio recording, researchers with McAfee Labs have discovered.

Users are sent fake emails that inform them of a missed call and a voicemail message

When loaded, this HTML file redirects victims to a phishing website that appears to be virtually identical to the Microsoft login prompt, where details are requested and ultimately stolen.

“What sets this phishing campaign apart from others is the fact that it incorporates audio to create a sense of urgency which, in turn, prompts victims to access the malicious link,” said McAfee’s senior security researcher Oliver Devane.

“This gives the attacker the upper hand in the social engineering side of this campaign.”

This Office 365 campaign has made great efforts to appear legitimate, such as through designing the phishing site to resemble the Microsoft login page. Another trick the cyber scammers use to look real is by prepopulating victims’ email addresses into the phishing site and requesting just the password.

The phishing site appears virtually identical to the actual Microsoft login prompt and preloads victims’ emails

Users are presented with a successful login message once the password is provided, and are then redirected to the office.com login page.

Researchers found three different phishing kits being used to generate malicious websites: Voicemail Scmpage 2019, Office 365 Information Hollar, and a third unbranded kit without attribution.

The first two kits aim to gather users’ email addresses, passwords, their IP addresses and location data. The third kit uses code from a previous malicious kit targeting Adobe users in 2017, the researchers said, and it’s likely the old code has been reused by a new group.

A wide range of employees across several industries, from middle management to executive level, have been targeted, although the predominant victims are in the financial and IT services fields. There’s also evidence to suggest several high-profile companies have been targeted.

McAfee has recommended as a matter of urgency that all Office 365 users implement two-factor authentication (2FA). Moreover, enterprise users have been urged to block .html and .htm attachments at the email gateway level so this kind of attack doesn’t reach the final user.
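The gateway-level block McAfee recommends is straightforward to express, but it has to look at more than the filename: the lure part can carry an `.htm`/`.html` name, or a neutral name with a `text/html` content type, and either alone can be spoofed. The following is an added example (not McAfee’s or Microsoft’s code) that builds a constructed lookalike of the voicemail lure with Python’s `email` library, then applies a filter that quarantines the message if any attachment matches by extension or by declared MIME type. The lure text, domains and policy sets are assumptions for the demonstration.

```python
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed gateway policy: the extensions McAfee advises blocking, plus the
# MIME type a mail client or browser would render as a page.
BLOCKED_EXTENSIONS = {".html", ".htm"}
BLOCKED_MIME_TYPES = {"text/html"}


def build_sample_message(lure_filename: str = "Voicemail_0042.html",
                         lure_subtype: str = "html") -> bytes:
    """Constructed lookalike of the lure: a voicemail notice carrying an
    HTML attachment next to a harmless audio file. Parameters let the demo
    vary the attachment's name and declared type."""
    msg = EmailMessage()
    msg["From"] = "voicemail@pbx-notify.example"
    msg["To"] = "alice@corp.example"
    msg["Subject"] = "Missed call: new voicemail (0:42)"
    msg.set_content("You have a new voicemail. Open the attachment to listen.")
    lure = ('<html><body>Loading voicemail... '
            '<a href="http://login-portal.example/">play</a></body></html>')
    msg.add_attachment(lure, subtype=lure_subtype, filename=lure_filename)
    msg.add_attachment(b"RIFF....WAVE", maintype="audio", subtype="wav",
                       filename="message.wav")
    return bytes(msg)


def find_blocked_attachments(raw: bytes) -> list[dict]:
    """Return every attachment that trips the policy, with the reason."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = os.path.splitext(name.lower())[1]
        ctype = part.get_content_type()
        # Test both signals independently: a renamed file still declares
        # text/html, and a mislabelled type still carries the .html name.
        if ext in BLOCKED_EXTENSIONS:
            hits.append({"filename": name, "content_type": ctype, "reason": "extension"})
        elif ctype in BLOCKED_MIME_TYPES:
            hits.append({"filename": name, "content_type": ctype, "reason": "mime_type"})
    return hits


def gateway_verdict(raw: bytes) -> tuple[str, list[dict]]:
    """'quarantine' if any attachment is blocked, otherwise 'deliver'."""
    hits = find_blocked_attachments(raw)
    return ("quarantine", hits) if hits else ("deliver", [])


if __name__ == "__main__":
    print(gateway_verdict(build_sample_message()))
    print(gateway_verdict(build_sample_message("Voicemail_0042", "html")))
    print(gateway_verdict(build_sample_message("Voicemail_0042.wav", "plain")))
```

The third call in the usage section shows the policy's limit: an attachment that is neither named nor typed as HTML passes, so this block is a complement to 2FA on the account, not a substitute for it. A fuller gateway would also sniff the attachment body for HTML markup regardless of its headers.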

“We urge all our readers to be vigilant when opening emails and to never open attachments from unknown senders,” the researchers added. “We also strongly advise against using the same password for different services and, if a user believes that his/her password is compromised, it is recommended to change it as soon as possible.”

The use of audio in this campaign points to a greater tenacity among cyber fraudsters, who are adopting more sophisticated social engineering techniques. For example, earlier this year artificial intelligence (AI) combined with voice technology was used to impersonate a business owner and fool his subordinate into wiring £200,000 to a hacker’s bank account.