More stories

  •

    Microsoft: We're boosting our bug bounties for these high-impact security flaws

    Microsoft has announced new “scenario-based” awards for its Dynamics and Power Platform Bounty Program and the Microsoft 365 Bounty Program. Microsoft says the scenario-based awards are designed to encourage researchers to focus their work on “vulnerabilities that have the highest potential impact on customer privacy and security”.

    The new scenario-based awards are on top of existing general awards for security bugs, such as remote code execution and elevation of privilege bugs in products, and amount to up to $26,000 on offer in new awards.

    The new scenario-based award for Dynamics 365 and Power Platform is for a cross-tenant information disclosure bug, which carries a maximum award of $20,000. In March, Microsoft patched similar bugs affecting some Azure APIs, as well as another cross-tenant information disclosure bug affecting the Azure Automation service.

    Microsoft is also adding bonuses of between 15% and 30% on top of the general Microsoft 365 bounty for Office 365 products and Microsoft Account pages for Outlook, Teams, SharePoint Online, OneDrive, Skype, and more. The highest general award in the Microsoft 365 bounty is $20,000 for a critical remote code execution flaw.

    The new high-impact scenarios award a 30% bonus for remote code execution (RCE) through untrusted input (CWE-94, “Improper Control of Generation of Code (‘Code Injection’)”) and 30% for RCE through untrusted input (CWE-502, “Deserialization of Untrusted Data”). There are also 20% bonuses for unauthorized cross-tenant and cross-identity sensitive data leakage (CWE-200, “Exposure of Sensitive Information to an Unauthorized Actor”, and CWE-488, “Exposure of Data Element to Wrong Session”). Finally, there is a 15% bonus for “confused deputy” vulnerabilities that can be used in a practical attack that accesses resources in a way that bypasses authentication (CWE-918, “Server-Side Request Forgery (SSRF)”).

    Microsoft offered similar scenario-based awards for its Teams bug bounty last year on top of the general awards in that program. In December, it also added six scenario-based awards of up to $60,000 for high-impact bugs to its Azure bounty.

  •

    Lenovo patches UEFI firmware vulnerabilities impacting millions of users

    Lenovo has patched a trio of bugs that could be abused to perform UEFI attacks.

    Discovered by ESET researcher Martin Smolár, the vulnerabilities, assigned CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972, could be exploited to “deploy and successfully execute UEFI malware either in the form of SPI flash implants like LoJax or ESP implants like ESPecter” in the Lenovo Notebook BIOS.

    In UEFI cyberattacks, malicious code is loaded on a compromised device at an early stage of the boot process. This means that malware can tamper with configuration data, establish persistence, and may be able to bypass security measures that are only loaded at the OS stage.

    On Tuesday, ESET said the vulnerabilities impact “more than one hundred different consumer laptop models with millions of users worldwide” and were caused by drivers only meant to be used during Lenovo’s product development stage. The impacted product list includes IdeaPads, Legion gaming devices, and both Flex and Yoga laptops.

    The first vulnerability, CVE-2021-3970, impacts the SW SMI handler function. This SMM memory corruption issue, caused by improper input validation, permits attackers to read/write into SMRAM, which, in turn, could allow malicious code with SMM privileges to execute — and SPI flash implants to be deployed.

    “SMM is a highly privileged execution mode of x86 processors […],” the researchers explained. “SMM code is written within the context of the system firmware and is usually used for various tasks including advanced power management, execution of OEM proprietary code, and secure firmware updates. It provides an independent execution environment completely invisible to the running operating system.”

    The other two vulnerabilities, CVE-2021-3971 and CVE-2021-3972, relate to drivers named SecureBackDoor and SecureBackDoorPeim. Lenovo describes the first of these as a “potential vulnerability by a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify [the] firmware protection region by modifying an NVRAM variable.” The second issue is a “potential vulnerability by a driver used during [the] manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated [and] may allow an attacker with elevated privileges to modify secure boot setting[s] by modifying an NVRAM variable.”

    The drivers, when they are queried by Lenovo software, could be abused to disable flash protections and UEFI Secure Boot. Attackers with a high enough privilege level can exploit CVE-2021-3971 to change UEFI firmware settings, and CVE-2021-3972 requires tampering with NVRAM variables to deploy malicious implants.

    ESET reported the three vulnerabilities to Lenovo on October 11, 2021. The security flaws were triaged and confirmed in November. Patches have now been released, leading to April’s public disclosure.

    It is recommended that users patch their firmware immediately. Lenovo has published an advisory and alternative mitigation options for users who can’t accept fixes at this time. However, not every device on the list will receive fixes, as some are legacy products. For out-of-support devices, ESET recommends using TPM-aware full-disk encryption software to make information inaccessible if UEFI Secure Boot configurations are tampered with.

    “All of the real-world UEFI threats discovered in the last years — LoJax, MosaicRegressor, MoonBounce, ESPecter, FinSpy — needed to bypass or disable the security mechanisms in some way in order to be deployed and executed,” Smolár commented. “Our discovery demonstrates that in some cases, deployment of the UEFI threats might not be as difficult as expected, and the larger amount of real-world UEFI threats discovered in the last years suggests that adversaries are aware of this.”

  •

    APAC consumers share more data, but will ditch firms over security breach

    Consumers in Singapore and Australia share more personal information now than they did two years ago, but more consumers in the two Asian markets will ditch service providers that suffer a data breach than their global counterparts. Respondents in those markets are also disgruntled about having to provide their data to use online services.

    Some 67% of respondents across Singapore and Australia felt they had little choice but to divulge their personal information in order to use online services. In fact, 54% said they shared their data with so many organisations online each day that they could not verify each company’s ability to safeguard personal data, according to a survey commissioned by security vendor Imperva. Conducted by YouGov, the online study polled 6,773 consumers in the two Asian markets as well as the US and UK, with 1,079 respondents from Singapore and 1,004 from Australia.

    More in Singapore and Australia, at 46%, said they shared more personal information now than they did two years ago, compared to the global average of 33%. Feeling compelled to share their personal data, 37% in the Asian markets said their trust in digital service providers’ willingness to safeguard their personal data had dipped over the past five years. The global average for this was 41%.

    Specifically, retailers and online games service providers were deemed the least trustworthy in protecting confidential information, with just 5% of respondents in Asia expressing trust in these companies. Another 8% trusted social media platforms such as Facebook and Twitter. Government and financial organisations were amongst the most trusted: some 44% had complete trust in the former, while 41% trusted financial businesses to keep their personal data private.

    Some 50% in the two Asian markets would stop or had stopped using services from companies that suffered a serious data breach, higher than the global average of 43%.

    Despite their lack of trust in some businesses, respondents appeared more willing to reveal personal data on cloud-based messaging platforms. Some 23% admitted to having said something via these services to a colleague, friend, or family member that could damage a relationship. Another 18% acknowledged uttering offensive statements, such as homophobic and racist remarks, while 16% had intentionally lied on these messaging platforms.

    Across the board, 37% in Singapore and Australia had discussed private topics via a cloud messaging app or service, despite 93% acknowledging they could face serious consequences if these conversations were leaked. Some 45% would feel violated if this happened, while 29% said they could lose their job if their conversations on cloud messaging platforms were leaked.

    Imperva’s Asia-Pacific Japan regional vice president, George Lee, said: “Consumers face a disheartening Catch-22 scenario: they need digital services to operate in modern life, but their trust in these services is deteriorating. Businesses need to focus on who is accessing their data and protecting the paths a cybercriminal might exploit to get to the data. Taking a data-centric security approach must be part of every organisation’s strategy as consumers grow increasingly cynical of the services they use.”

    According to Forrester’s 2021 State of Enterprise Breaches, 68% of respondents in Asia-Pacific revealed they suffered at least one security breach last year, higher than the global average of 63%. Businesses in this region took a median of 33 days to identify and eradicate an attack and 11 days to recover from an attack. They lost a median of $2.2 million per breach. Globally, organisations spent a median of 27 days identifying and eradicating an attack as well as 10 days to recover from a breach. It cost businesses a median of $2.4 million in total per breach.

  •

    US Treasury links North Korean hacker group Lazarus to $600m Axie Infinity heist

    The US Treasury Department on Thursday linked a notorious North Korean hacking group to a massive $600 million cyber breach last month. The connection was clear when the Treasury Department updated its sanctions listing for the hacking group, called Lazarus Group. The federal agency added a cryptocurrency address that was used to steal $600 million from the Ronin network, a blockchain network created by the Vietnamese game company Sky Mavis.  

    The Ronin network powers the play-to-earn game Axie Infinity. Sky Mavis created the network to get around Ethereum network congestion. Last month, the company revealed it had 173,600 in Ethereum (ETH) and 25.5 million USD Coin drained from the Ronin network. At the time, the crypto assets were valued at over $600 million.

    Sky Mavis on Thursday acknowledged the new Treasury Department listing. “We are still in the process of adding additional security measures before redeploying the Ronin Bridge to mitigate future risk. Expect the bridge to be deployed by end of month,” the company said. “We would like to extend a thank you to all law enforcement agencies who have supported us in this ongoing investigation.”

    To put the $600 million heist in context, hackers from North Korea stole nearly $400 million worth of cryptocurrency in 2021, according to blockchain analysis firm Chainalysis. Lazarus is among the most prolific and sophisticated of the hacking groups with links to North Korea. The group was responsible for the destructive wiper attack on Sony Pictures Entertainment in 2014.

  •

    Ransomware: These two gangs are behind half of all attacks

    Over half of all ransomware attacks reported during the first three months of this year are the work of just two cyber criminal outfits. According to analysis of recorded ransomware attacks between January and March 2022 by cybersecurity researchers at Digital Shadows, LockBit 2.0 and Conti were the two most active ransomware gangs during the three-month reporting period, accounting for 58% of all incidents.

    Of the two, LockBit is by far the most prolific, accounting for 38% of ransomware attacks. That’s almost twice the number of recorded attacks by the Conti ransomware group, which accounted for 20% of campaigns in the same period. Both groups steal data from their victims and threaten to publish it on leak sites if the ransom isn’t paid. According to Digital Shadows, LockBit leaked the information of over 200 victims during the first quarter of the year, the most leaks thus far.

    While these two gangs were the busiest, other threats included Hive ransomware, Vice Society ransomware and BlackByte ransomware, among others.

    Conti ransomware has remained a major threat, despite February’s Conti Leaks, which revealed much about the inner workings of the ransomware group. Internal chat logs and other information were leaked after Conti publicly posted a message of support for Russia’s invasion of Ukraine. But this setback doesn’t seem to have dissuaded those behind Conti, who continue to conduct ransomware attacks.

    “While the Conti chat leak is likely to have some impact on the group, it is unlikely that this will significantly affect the group’s market share. Conti has shown no signs of slowing down since the chat logs and source code leak,” Ivan Righi, senior cyber threat intelligence analyst at Digital Shadows, told ZDNet. “However, the leak is a blow to the group’s reputation, and could therefore affect its ability to attract new affiliates and have a long-term impact on its ability to grow,” he added.

    One ransomware group does seem to have disappeared. Researchers note that PYSA ransomware, which was the third most active ransomware group during the final three months of 2021, appears to have dropped off the radar. Another previously prolific ransomware group, REvil, also appears to have stopped operating.

    But while some ransomware groups seem to disappear, new ransomware threats continue to appear. New ransomware groups that have appeared since January 2022 and have been listed by Digital Shadows include Stormous, Night Sky, Zeon, Pandora, Sugar, and x001xs. It’s likely that individuals involved in groups which shut down simply find new work with other ransomware gangs. “New ransomware groups are created at a similar rate to groups being shut down. This is likely because affiliates frequently move from groups that are no longer active to those that are emerging,” said Righi. “Regardless of the external factors and shifts in targeting, ransomware is likely to remain one of the biggest threats to organizations worldwide over the next quarter,” he added.

    There are several steps which businesses can take to avoid falling victim to ransomware. These include applying security patches to software and operating systems as quickly as possible, so cyber criminals can’t exploit known vulnerabilities to enter and exploit networks. Organisations should also roll out multi-factor authentication to all users to provide an extra barrier to attacks, and if it’s suspected that a password has been compromised, it should be changed immediately.

  •

    Meet ZingoStealer: the Haskers Gang's new, free malware

    A new type of information stealer has been added to the Haskers Gang malware portfolio. On Thursday, researchers from Cisco Talos said that the malware, dubbed ZingoStealer, is being offered for free to Haskers Gang Telegram group members.

    Active since at least 2020, the Haskers Gang group isn’t your typical small collective of cybercriminals. Instead, the ‘community’ comprises a few founders — likely based in Eastern Europe — and thousands of casual members. Haskers Gang communicates via Telegram and Discord to share ‘community’ updates, tools, and its latest activities. The Telegram group has just under four thousand subscribers who share tips on cracks, crypters, bypassing security measures and hacking software. Telegram is also abused to manage the malicious executables and exfiltrated data packages.

    According to the researchers, the attackers target gamers through cheat codes and pirated software, and tend to focus on Russian-speaking victims. The new ZingoStealer information stealer can harvest account credentials, Chrome and Firefox browser data, and Discord tokens, among other datasets. In addition, the malware will try to tap into any cryptocurrency wallet credentials held by browser extensions from services including BitApp, Coinbase, Binance, and Brave.

    ZingoStealer may also be used in conjunction with other malware strains, including RedLine Stealer. RedLine Stealer contains typical stealer functions alongside the ability to harvest VPN account credentials and login details, impacting vendors including NordVPN, OpenVPN, and ProtonVPN. In January, Fortinet observed the malware being spread in a phishing campaign taking advantage of the COVID-19 pandemic.

    Furthermore, ZingoStealer can also be used to deploy a cryptocurrency miner on infected systems. In such attacks, also known as cryptojacking, cybercriminals quietly execute a cryptocurrency miner that steals computing power to mine for coins, and the virtual assets are sent to wallets controlled by the threat actors. In this case, a custom version of XMRig, a Monero (XMR) miner, is deployed. The hackers internally refer to this miner as “ZingoMiner.”

    ZingoStealer was first released in March this year. Even though it is a new form of malware, its code has already undergone extensive development, and there are multiple versions in the wild. However, while a free version of ZingoStealer has been released, the threat group is also attempting to cash in with a subscription version, also known as malware-as-a-service (MaaS), which costs roughly 300 roubles ($3). This variant also contains a crypter called ExoCrypt. It is possible multiple threat groups will adopt the stealer in the future, especially as a free option is available.

    “While the malware is new, Cisco Talos has observed that it is undergoing consistent development and improvement and that the volume of new samples being observed in the wild continues to increase as more threat actors attempt to leverage it for nefarious purposes,” the researchers said.

  •

    Microsoft: We've just disrupted this ransomware-spreading botnet

    Microsoft has carried out another legal-technical takedown against cyber criminals, this time to dismantle the ZLoader botnet’s infrastructure. ZLoader malware has infected thousands of organizations, mostly in the US, Canada and India, and is known to have distributed the Conti ransomware.

    Microsoft has now received a court order from the US District Court for the Northern District of Georgia that allowed it to seize 65 domains the ZLoader gang had been using for command and control (C&C) of its botnet, built from malware that infected businesses, hospitals, schools, and homes.

    Those domains now direct to a Microsoft sinkhole, outside of the control of the ZLoader gang. Microsoft also gained control over the domains ZLoader used for its domain generation algorithm (DGA), which is used to automatically create new domains for the botnet’s C&C.

    “Zloader contains a domain generation algorithm (DGA) embedded within the malware that creates additional domains as a fallback or backup communication channel for the botnet. In addition to the hardcoded domains, the court order allows us to take control of an additional 319 currently registered DGA domains. We are also working to block the future registration of DGA domains,” said Amy Hogan-Burney, general manager of Microsoft’s Digital Crimes Unit.

    Microsoft led the action against ZLoader in partnership with researchers from ESET, Lumen’s Black Lotus Labs, and Palo Alto Networks Unit 42. Avast also assisted in Microsoft’s DCU European investigation. According to ESET, Zloader had about 14,000 unique samples and more than 1,300 unique C&C servers.

    Microsoft acknowledges ZLoader is not finished and is also working with ISPs to identify and remediate infections on infected systems. It has also referred the case to law enforcement. Microsoft in 2020 used a similar legal-technical approach to take down the Trickbot botnet.

    Microsoft in its technical analysis of ZLoader notes that the group used Google Ads to distribute Ryuk ransomware, allowing it to bypass email security and have the lure appear in the browser instead. Malicious ads and email were its primary delivery mechanisms. Each campaign impersonated known tech brands, including Java, Zoom, TeamViewer, and Discord.

    “The actors would purchase Google Ads for key terms associated with those products, such as ‘zoom videoconference.’ Users who performed Google searches for those terms during a specific time would be presented with an advertisement that led to the form grabbing malicious domains,” Microsoft explains.

    For email delivery, the group often used Microsoft Office attachments and abused macros to infect machines. The lures to trick victims into opening a document and enabling macros included COVID-19 alerts, overdue invoice payments and fake resumes.

    It is probably not the end of the story yet, though. “Our disruption is intended to disable ZLoader’s infrastructure and make it more difficult for this organized criminal gang to continue their activities. We expect the defendants to make efforts to revive ZLoader’s operations,” Microsoft said.

  •

    US warning: Hackers have built tools to attack these key industrial control systems

    Hackers have developed custom tools to gain full system access to a number of industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices, according to the US Cybersecurity and Infrastructure Security Agency (CISA). The warning comes in a joint cybersecurity advisory released by the Department of Energy (DOE), CISA, the NSA, and the FBI that urges all critical infrastructure operators to immediately bolster the security of their ICS/SCADA devices and networks. 

    The custom-made tools have been developed for programmable logic controllers (PLCs) from Schneider Electric and OMRON Sysmac NEX, as well as Open Platform Communications Unified Architecture (OPC UA) servers. CISA says the tools allow for “highly automated exploits” against targeted devices.

    ICS security firm Dragos, which has studied the tools, dubs the toolset Pipedream, the seventh known piece of ICS-specific malware following Stuxnet, Havex, BlackEnergy, Crashoverride, and Trisis. It attributes the malware to an advanced persistent threat (APT) actor it calls Chernovite. “Pipedream is a modular ICS attack framework that an adversary could leverage to cause disruption, degradation, and possibly even destruction depending on targets and the environment,” Dragos explains. Mandiant calls the malware INCONTROLLER. In early 2022, it worked with Schneider Electric to analyze the malware.

    The APT group can disrupt ICS devices after gaining a foothold in a target’s operational technology (OT) network, which should be isolated from the internet. The attackers can also compromise Windows workstations used by engineers with an exploit for known vulnerabilities in ASRock motherboard drivers, according to CISA. One known ASRock vulnerability is tracked as CVE-2020-15368 and affects the AsrDrv103.sys driver. The exploit for it can be used to execute malicious code in the Windows kernel, which is below the visibility of anti-malware technology.

    The agencies stress that energy sector organizations in particular need to implement the detections and mitigations detailed in the alert. “By compromising and maintaining full system access to ICS/SCADA devices, APT actors could elevate privileges, move laterally within an OT environment, and disrupt critical devices or functions,” CISA notes.

    Devices known to be targeted by the APT group include:

      • Schneider Electric MODICON and MODICON Nano PLCs, including (but not necessarily limited to) TM251, TM241, M258, M238, LMC058, and LMC078;
      • OMRON Sysmac NJ and NX PLCs, including (but not necessarily limited to) NEX NX1P2, NX-SL3300, NX-ECC203, NJ501-1300, S8VK, and R88D-1SN10F-ECT; and
      • OPC Unified Architecture (OPC UA) servers.

    Schneider Electric notes in a security bulletin about the malware that it is not aware of any confirmed or potential use of the malware, but adds: “The framework has capabilities related to disruption, sabotage, and potentially physical destruction.”

    The agencies are urging organizations to “isolate ICS/SCADA systems and networks from corporate and internet networks using strong perimeter controls, and limit any communications entering or leaving ICS/SCADA perimeters.” They also recommend using multi-factor authentication for remote access to ICS networks and devices, changing all passwords to them regularly, and removing all default passwords.

    The alert for the energy sector follows multiple warnings from the US government for all organizations to bolster cybersecurity amid rising tensions after Russia’s invasion of Ukraine. Satellite operator Viasat recently confirmed wiper malware knocked out thousands of end-user modems in Europe on the day Russia invaded Ukraine.