More stories

  • UPS flaws allow for remote code execution and remote fire-based interruptions

    Security researchers at Armis have detailed a trio of vulnerabilities in so-called Smart-UPS devices sold by Schneider Electric subsidiary APC that allow for unnoticeable remote code execution, replacement of firmware, and potentially burning out the entire unit. Naturally in 2022, the flaws in the system stem from a combination of a bad TLS implementation and newer devices being controllable through a cloud-based system.

    “Since the TLS attack vector can originate from the internet, these vulnerabilities can act as a gateway to the internal corporate network. Bad actors can use the TLS state confusion to identify themselves as the Schneider Electric cloud and collect information about the UPS behind the corporate firewall,” Armis said. “They can then remotely update the UPS firmware and use the UPS as the entry point for a ransomware attack or any other type of malicious operation.”

    If a TLS connection has an error, rather than closing the connection as recommended by the Mocana nanoSSL library writers, APC ignores some of the errors, which leaves the connection open and the library in a state it is not built to handle. “Ignoring the nanoSSL library errors causes the UPS to cache the TLS key in its uninitialized state,” Armis said. “When an attacker uses the TLS resumption functionality, the uninitialized key (all zero) is fetched from the cache and the attacker can communicate with the device as if it was a genuine Schneider Electric server. As a seemingly verified server, the attacker can issue a firmware upgrade command and remotely execute code over the UPS device.”

    Additionally, all Smart-UPS devices use the same symmetric key for encryption and decryption, and it can be extracted from the devices. As a bonus, the devices do not check whether firmware is signed, allowing attackers to remain persistently on the device. In the words of the Bloodhound Gang: We don’t need no water.
    On the extreme physical end of the equation, replacing the firmware allows an attacker to bypass software-based physical protections, such as a short-circuit alert turning off the UPS. “By using our RCE vulnerability we were able to bypass the software protection and let the current spike periods run over and over until the DC link capacitor heated up to ~150 degrees celsius (~300F), which caused the capacitor to burst and brick the UPS in a cloud of electrolyte gas, causing collateral damage to the device,” the researchers state in a white paper [PDF]. “The exploitation risk is no longer limited to the IT world — an attacker can turn the UPS to a physical weapon. From a cyber security point of view, these kinds of systems must be handled as a flammable substance that sits in the heart of an organization.”

    Armis recommends users install the patches from Schneider Electric, and use access control lists to restrict communications with the UPS to management devices and the Schneider Electric cloud, and to encrypt those communications. If the device has a network management card, Armis recommends changing the default password from “apc” to something else, and installing a publicly signed certificate to prevent password sniffing. The security company said it believes 80% of organisations are vulnerable, with healthcare organisations hitting over 92% with a vulnerable device and retail just behind on 89%. Updated at 3:52pm AEST, 9 March 2022: Clarified technical information.
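The "TLS state confusion" the researchers describe comes down to one decision: whether a handshake error is treated as fatal. The toy model below is an added illustration, not code from Armis, APC or the nanoSSL library, and it contains no network code. A device keeps a session cache whose key slot starts out all-zero; the only difference between the two configurations is whether a failed certificate check is allowed to fall through, which is enough for an unverified peer to be "resumed" later. The error code, session-id and nonce values are constructed.

```python
"""Added illustration of why ignoring TLS handshake errors is dangerous.
Constructed toy model: not a real TLS implementation, not vendor code."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

UNINITIALISED_KEY = bytes(32)   # the "all zero" key the researchers describe
ERR_HANDSHAKE = -1              # stands in for a library error code (assumed)


@dataclass
class Session:
    key: bytes = UNINITIALISED_KEY   # key slot before a successful handshake
    verified: bool = False           # did the peer's certificate check pass?


@dataclass
class Device:
    ignore_errors: bool              # True models the behaviour Armis reported
    cache: dict = field(default_factory=dict)

    def full_handshake(self, session_id: str, cert_ok: bool) -> bool:
        """Returns True if the connection stays open after the handshake."""
        sess = Session()
        status = 0 if cert_ok else ERR_HANDSHAKE
        if status != 0 and not self.ignore_errors:
            # Recommended handling: the error is fatal, nothing is cached.
            return False
        if status == 0:
            sess.key = os.urandom(32)
            sess.verified = True
        # With ignore_errors=True this line also runs after a failed
        # handshake, so an unverified session with an all-zero key is cached.
        self.cache[session_id] = sess
        return True

    def resume(self, session_id: str, nonce: bytes, proof: bytes) -> bool:
        """Session resumption: accept the peer if it proves knowledge of the
        cached key. An all-zero key needs no secret to "know"."""
        sess = self.cache.get(session_id)
        if sess is None:
            return False
        expected = hmac.new(sess.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, proof)


def prove(key: bytes, nonce: bytes) -> bytes:
    """What a peer sends to resume: an HMAC over the device's nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def unverified_peer_resumes(ignore_errors: bool) -> bool:
    """Does a peer that FAILED certificate validation get a resumed session?"""
    dev = Device(ignore_errors=ignore_errors)
    dev.full_handshake("sess-1", cert_ok=False)
    nonce = b"constructed-nonce"
    # The peer never learned a real key; it only relies on the slot being zero.
    return dev.resume("sess-1", nonce, prove(UNINITIALISED_KEY, nonce))


if __name__ == "__main__":
    print("errors ignored -> unverified peer resumed:", unverified_peer_resumes(True))
    print("errors fatal   -> unverified peer resumed:", unverified_peer_resumes(False))
```

The check that matters for a reviewer of embedded TLS code is the early return in `full_handshake`: every non-zero status from the library must end the connection before any session state is written, and the session cache should never hold an entry whose key was not derived from a completed handshake.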

  • In-the-wild DDoS attack can be launched from a single packet to create terabytes of traffic

    Security researchers from Akamai, Cloudflare, Lumen Black Lotus Labs, Mitel, Netscout, Team Cymru, Telus, and The Shadowserver Foundation have disclosed denial-of-service attacks with an amplification ratio surpassing 4 billion to one that can be launched from a single packet. Dubbed CVE-2022-26143, the flaw resides in around 2,600 incorrectly provisioned Mitel MiCollab and MiVoice Business Express systems that act as PBX-to-internet gateways and have a test mode that should not be exposed to the internet.

    “The exposed system test facility can be abused to launch a sustained DDoS attack of up to 14 hours in duration by means of a single spoofed attack initiation packet, resulting in a record-setting packet amplification ratio of 4,294,967,296:1,” a blog post on Shadowserver explains. “It should be noted that this single-packet attack initiation capability has the effect of precluding network operator traceback of the spoofed attack initiator traffic. This helps mask the attack traffic generation infrastructure, making it less likely that the attack origin can be traced compared with other UDP reflection/amplification DDoS attack vectors.”

    A driver in the Mitel systems contains a command that performs a stress test of status update packets, and can theoretically produce 4,294,967,294 packets across 14 hours at a maximum possible size of 1,184 bytes. “This would yield a sustained flood of just under 393Mbps of attack traffic from a single reflector/amplifier, all resulting from a single spoofed attack initiator packet of only 1,119 bytes in length,” the blog says. “This results in a nearly unimaginable amplification ratio of 2,200,288,816:1 — a multiplier of 220 billion percent, triggered by a single packet.” Thankfully, it turns out the Mitel system can only process a single command at a time, so if a system is being used for DDoS, actual users may wonder why it is unavailable and the outbound connection is being soaked, the blog states.

    Besides updating the systems, Mitel users can detect and block inappropriate incoming traffic on UDP port 10074 with standard network defence tools, it adds. Those on the receiving end of the attack are advised to use DDoS defences. The first attacks using the exploit began on February 18; these were reflected mainly onto ports 80 and 443, and targeted ISPs, financial institutions and logistics companies.
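The detection side of the mitigation above (inbound UDP to port 10074 from anywhere that is not a known management source) fits in a few lines. The following is an added example, not code from Shadowserver, Mitel or any of the vendors named; the flow-log line format, the allowlisted management network and the addresses (RFC 5737 documentation ranges) are all constructed, and `find_triggers` is a name chosen for this illustration.

```python
"""Added example: flag inbound UDP datagrams to the Mitel test-facility port
from sources outside an allowlist. Log format and addresses are constructed."""
import ipaddress
import re
from typing import Iterable, Optional

MITEL_TEST_PORT = 10074   # the UDP port the advisory says to detect and block

# Assumed allowlist of maintenance hosts allowed to reach the test facility.
MANAGEMENT_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]

# Assumed flow-log shape:
# "<timestamp> proto=udp src=A.B.C.D:port dst=E.F.G.H:port bytes=N"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+bytes=(?P<bytes>\d+)\s*$"
)


def parse(line: str) -> Optional[dict]:
    """Parse one flow record; return None for blank or malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for k in ("sport", "dport", "bytes"):
        rec[k] = int(rec[k])
    return rec


def is_suspicious_trigger(rec: dict) -> bool:
    """UDP to the test port from a source that is not a management host."""
    if rec["proto"].lower() != "udp" or rec["dport"] != MITEL_TEST_PORT:
        return False
    src = ipaddress.ip_address(rec["src"])
    return not any(src in net for net in MANAGEMENT_SOURCES)


def find_triggers(lines: Iterable[str]) -> list:
    """Return every parsed record that should be alerted on (and dropped)."""
    return [rec for rec in map(parse, lines)
            if rec is not None and is_suspicious_trigger(rec)]


# Constructed sample: two unknown sources hit the test port, one management
# host does legitimately, one TCP flow is unrelated, one line is garbage.
SAMPLE_LOG = """
2022-03-08T10:00:01Z proto=udp src=203.0.113.9:40001 dst=192.0.2.10:10074 bytes=1119
2022-03-08T10:00:02Z proto=udp src=198.51.100.5:40002 dst=192.0.2.10:10074 bytes=200
2022-03-08T10:00:03Z proto=tcp src=203.0.113.9:40003 dst=192.0.2.10:443 bytes=512
2022-03-08T10:00:04Z proto=udp src=203.0.113.77:1 dst=192.0.2.10:10074 bytes=1119
this line is not a flow record
"""

if __name__ == "__main__":
    for hit in find_triggers(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} UDP/{MITEL_TEST_PORT} from {hit['src']} "
              f"({hit['bytes']} bytes) - not a management source")
```

The same predicate expressed as a firewall ACL is the block half of "detect and block": permit UDP/10074 from the management networks, deny it from everywhere else, and alert on the denies so that a spoofed trigger packet shows up even though it cannot be traced back to its real sender.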

  • Cloudflare and Akamai refuse to pull services out of Russia

    Cloudflare and Akamai have each confirmed they will continue to operate in Russia, despite being urged to do otherwise. Both companies have argued that if they were to pull their services, they would be hurting Russian citizens who are trying to access information from outside of the country, but said they condemn Russia’s unprovoked invasion of Ukraine.

    Cloudflare CEO Matthew Prince wrote in a blog post acknowledging that the company has received “several calls to terminate” all of its services inside Russia, including by government. “Our conclusion … is that Russia needs more internet access, not less,” he said. “As the conflict has continued, we’ve seen a dramatic increase in requests from Russian networks to worldwide media, reflecting a desire by ordinary Russian citizens to see world news beyond that provided within Russia.” He continued: “Indiscriminately terminating service would do little to harm the Russian government, but would both limit access to information outside the country, and make significantly more vulnerable those who have used us to shield themselves as they have criticized the government”. Prince also claimed that if Cloudflare were to stop operating in Russia, the Russian government would “celebrate us shutting down”. “We absolutely appreciate the spirit of many Ukrainians making requests across the tech sector for companies to terminate services in Russia. However, when what Cloudflare is fundamentally providing is a more open, private, and secure Internet, we believe that shutting down Cloudflare’s services entirely in Russia would be a mistake,” he said.

    A similar sentiment was echoed by Akamai, which said that deliberately choosing to maintain its network presence in Russia means it can continue to support customers. “This supports our global customers, including many of the world’s largest news services, social networks, and democratic government institutions, as they endeavor to provide vital and accurate information to all corners of the globe, including to the citizens of Russia,” the company said. Despite the decision to stay, Akamai outlined that it will suspend all sales efforts in Russia and Belarus; terminate business with state-majority-owned Russian and Belarusian customers; comply with all applicable sanctions; and address humanitarian needs through the Akamai Foundation. The company said it has also made its products and cybersecurity teams available to Ukrainian government agencies to help “keep the country’s citizens protected and connected to the information they need to defend their country”.

    Meanwhile, Cloudflare has joined forces with CrowdStrike and Ping Identity to launch what is being dubbed a critical infrastructure defense project, in which the trio will provide free cybersecurity services and support for four months to help eligible organisations in the US — hospitals, energy utilities, and water utilities — ramp up their cybersecurity defences. Under the project, organisations will have access to the full suite of Cloudflare Zero Trust solutions, endpoint protection and intelligence services from CrowdStrike, and Zero Trust identity solutions from Ping Identity. A roadmap featuring step-by-step security measures to help businesses defend themselves from cyber attacks will also be available to all businesses in any industry as part of the project. “We rely on our infrastructure to power our homes, to provide access to water and basic necessities, and to maintain critical access to healthcare. That’s why it’s more important than ever for the security industry to band together and ensure that our most critical industries are protected and prepared,” Prince said. The move to ramp up cybersecurity defences is in response to the US Department of Homeland Security’s Cybersecurity and Infrastructure Agency issuing a “Shields Up” advisory last month urging all US businesses to prepare for heightened cyber risk activity in light of the Russian invasion of Ukraine.

    In further updates by Meta regarding its response to the invasion of Ukraine, the social media giant said it will now be hiding information about people’s followers, who they’re following, and people who are following each other for private Instagram accounts based in Ukraine and Russia. “This means that people following private accounts based in Ukraine and Russia will no longer be able to see who those accounts are following, or who follows them. We’re also not showing these accounts in other people’s follower or following lists, or in our ‘mutual follows’ feature,” the company said. Instagram stories that contain a link sticker pointing to a Russian state-controlled media website will also be demoted and labelled to let people know that they lead to Russian state-controlled media websites, Meta said. These steps are in addition to a range of efforts the company announced last week to limit news spread by Russian state-backed media outlets.


  • Microsoft's latest Windows patches fix the bug causing user data not to be erased

    Microsoft’s latest round of Patch Tuesday fixes includes a fix for a bug that could result in some user data not being erased after a Windows 10 or Windows 11 PC reset. That issue, originally discovered by Microsoft Most Valuable Professional Rudy Ooms in late February, resulted in some user data still being readable in the “Windows.old” folder after completing a remote or local wipe of a Windows 10 or 11 device. This issue affected Windows 11, version 21H2; Windows 10, version 21H2; Windows 10, version 21H1; and Windows 10, version 20H2. Microsoft published a suggested workaround, which involved signing out from or unlinking OneDrive before resetting a Windows device. But today’s patches for Windows 11 and Windows 10 fix the issue outright.

    Microsoft’s note about the fixes for this failure-to-erase-data issue says “some devices might take up to seven (7) days after you install this update to fully address the issue and prevent files from persisting after a reset. For immediate effect, you can manually trigger Windows Update Troubleshooter using the instructions in Windows Update Troubleshooter.”

    Microsoft also rolled out today, March 8, an update for the Windows Subsystem for Android on Windows 11. This update — version 2203.40000.1.0 from the Microsoft Store — is available to Insiders in all channels (Dev, Beta, and Release Preview). The Windows Subsystem for Android, along with the Amazon Android app store, is what enables users to run a selection of Android games and apps on Windows 11. Today’s update includes support for H.264 video hardware decoding; various networking changes; better integration between the subsystem and various Windows email clients; improved scrolling in the Amazon Appstore and Kindle apps; and more.

    Today’s Patch Tuesday fixes and updates also should bring to Windows 11 users some of the new features that Microsoft began rolling out in preview a couple of weeks ago, including the aforementioned Android apps on Windows. Mainstream (non-Insider tester) customers could manually download the handful of new Windows 11 features as of February 15.


  • Utah inches closer to becoming fourth state to pass privacy law

    Last week, the Utah House of Representatives unanimously passed a consumer privacy bill — the Utah Consumer Privacy Act — moving it one step closer to becoming the fourth state to enact privacy legislation in the US. The bill will head back to the Utah Senate, where it was passed earlier this year. Officials there need to decide whether they will accept the amendments added by House members before it heads to the desk of Utah Governor Spencer Cox. Cox did not respond to requests for comment about whether he will sign the bill if it makes it to his desk.  

    The Utah Consumer Privacy Act applies to companies with an annual gross revenue of $25 million and those that conduct business in Utah or produce goods for Utah residents. The bill also only applies to businesses that “control or process” the personal information of 100,000 Utah residents or “derive over 50% of its gross revenue from the sale of personal data and controls or processes personal data of at least 25,000 residents.”

    The bill would take effect in December 2023 and would offer Utah residents the right to notice, access, portability, and deletion — but does not offer people the right of correction. There are also exemptions for certain businesses. It includes an opt-out section that allows people to deny companies the right to target them with advertising or sell their personal information. But the bill still allows companies to conduct automated profiling and largely excludes employee data as well as any data shared between businesses. There is an opt-out provision for “sensitive” information that forces companies to also notify customers if they are collecting biometric or genetic data, health information, citizenship data, sexual orientation, racial origin, and religious beliefs.

    As with other US privacy laws, enforcement is managed by the Utah Attorney General’s office, but the bill controversially does not allow for a private right of action. The Utah Department of Commerce Division of Consumer Protection will investigate companies based on customer complaints before handing the cases off to the Attorney General’s office. Dan Clarke, a US privacy law expert who has been consulted by lawmakers in multiple states on potential privacy legislation, told ZDNet that the Utah bill is modeled after Virginia’s law, even though it does not include a requirement for assessments and is silent on following the Global Privacy Control signal.

    “Laws like Utah that follow in the footsteps of Virginia are a good step towards consumer privacy at the state level, but they are generally more business-friendly and less restrictive. Many of the laws have a predominately opt-out mindset and have lower penalties, especially for non-compliance by companies that are endeavoring to try their best,” Clarke said. “There is nothing really groundbreaking in the Utah Consumer Privacy Act. UCPA’s passage really just cements the trend that’s been proliferating across legislatures in 2022, most of which follow Virginia as a template. One element that is unique is a provision for the attorney general to propose changes after an ‘enforcement assessment,’ but that won’t happen until 2025.”

    Consumer Reports senior policy analyst Maureen Mahoney said the bill is “far too weak to protect consumers” and added that Consumer Reports has urged the Governor to veto the measure. “It’s important that any privacy law is workable for consumers — that at the very least, as in California, they can opt out of the sale of their personal information at all companies in a single step, rather than having to hunt through hundreds if not thousands of sites one-by-one, looking for a way to opt out,” Mahoney said. “And the definitions should cover targeted advertising, so that consumers can meaningfully opt out. Unfortunately, Utah’s bill is even weaker than Virginia’s industry-friendly measure, which lacked these key elements. Utah’s measure does not have opt-in rights for sensitive data, has a weaker opt-out, and an even weaker enforcement scheme.” Mahoney added, “All of this means that consumers won’t be able to control their data. It’s a victory for companies like Google and Facebook.”

    Lisa Sotto, head of the global privacy and cybersecurity practice at law firm Hunton Andrews Kurth, explained that the Utah law differs from the Virginia law because it lacks a correction right — which she said is out of step with global data protection laws — and has an opt-out, rather than opt-in, right for the use of sensitive data, which is also defined more narrowly than in the Virginia law. “The Utah law is privacy protective but also reasonably business friendly. This is a welcome development in light of the current plethora of comprehensive privacy laws in the US, with a high likelihood of more to come,” she said. “Companies that have complied with the other three state privacy laws, whose effective dates precede that of the Utah law, are well-positioned to readily comply with the Utah requirements. It should be a relatively simple exercise to comply with the Utah law once a framework is in place for California, Virginia, and Colorado compliance.”

    The Utah legislation follows recent privacy laws enacted in Virginia and Colorado in 2021, as well as multiple laws in California over the last three years. Several states have spent years attempting to pass their own privacy laws due to the lack of any movement on privacy legislation at the federal level. New York, Texas, Washington, and dozens of other states have faced issues in pushing their own privacy laws through due to backlash from businesses that complain the bills will create a significant amount of extra work for effectively any business with a website.

    Clarke, president at privacy company IntraEdge, said Washington just narrowly advanced its privacy law from the House appropriations committee, while laws in Indiana, Wisconsin, Oklahoma, and Florida are all currently cross-chamber and advancing rapidly. “I think Utah’s quick movement is more a result of off-screen negotiation to level the bill and unify after the 2021 debates with consumer advocate groups for a more comprehensive bill with private right of action, and opt-in didn’t yield the results they wanted,” Clarke said. “The key stakeholders that wanted a more comprehensive law joined a coalition deciding that something is better than nothing. This bill is a compromise between aggressive consumer privacy advocates and business-friendly supporters that was pre-wired.”

  • Microsoft March 2022 Patch Tuesday: 71 vulnerabilities fixed

    Microsoft has released 71 security fixes for software, including 41 patches for Microsoft Windows vulnerabilities, five vulnerabilities in Microsoft Office and two in Microsoft Exchange. 

    Two of the vulnerabilities are rated critical — CVE-2022-22006 and CVE-2022-24501 — while the rest are rated important. In the Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, Microsoft has fixed problems including remote code execution (RCE) vulnerabilities, denial of service bugs, privilege escalation bugs, spoofing issues, information leaks, and policy bypass exploits. None of the vulnerabilities are being actively exploited, but Sophos noted that a public proof-of-concept has been released for CVE-2022-21990.

    Products affected by March’s security update include Exchange, Visual Studio, the Xbox app for Windows, Intune, Microsoft Defender, Express Logic, Azure Site Recovery, and the Chromium-based Microsoft Edge browser, which had 21 vulnerabilities.

    They released updates for the following products:
    o Microsoft Windows: 41 vulnerabilities
    o Microsoft Office: 5 vulnerabilities
    o Microsoft Exchange: 2 vulnerabilities
    3/11 pic.twitter.com/kBSg5r08FC
    — SophosLabs (@SophosLabs) March 8, 2022

    Some of the other vulnerabilities of interest in this update are:
    CVE-2022-24502: Internet Explorer Security Feature Bypass Vulnerability
    CVE-2022-24508: SMB Server Remote Code Execution Vulnerability
    CVE-2022-24512: .NET and Visual Studio Remote Code Execution Vulnerability
    CVE-2022-21990: Remote Desktop Client Remote Code Execution Vulnerability
    CVE-2022-23277: Microsoft Exchange Server Remote Code Execution Vulnerability
    CVE-2022-24459: Windows Fax and Scan Service Elevation of Privilege Vulnerability

    Microsoft also announced a slate of updates to Windows 11 on Tuesday. Recorded Future’s Allan Liska noted that Microsoft labeled CVE-2022-21990 as “Exploitation More Likely” because there is proof-of-concept code publicly available. “In order to exploit this vulnerability, the attacker must control the Remote Desktop Server that the client is connected to and launch the attack from there,” Liska said. “We have seen a number of similar vulnerabilities against the Remote Desktop Client over the last few years, none of which have been widely exploited in the wild. Even though previous vulnerabilities of this type have not been widely exploited, that doesn’t mean this one won’t be.”

    Liska added that CVE-2022-24501 and CVE-2022-22006 can be exploited if an attacker convinces a victim to download a “specially crafted file” which would crash and exploit the vulnerability when it is opened. “This is the kind of attack that a sophisticated phishing campaign could easily carry out,” Liska explained.

    In February, the tech giant released 48 security fixes for software, including a patch for a zero-day bug but no critical-severity flaws. Cisco and Google also published security updates on Tuesday.

  • Chronicles Of Mandiant: Google put a ring on it

    Like a cybersecurity version of “The Bachelor,” Mandiant gives its final rose to Google. The idea of a standalone Mandiant, re-obtaining the prestige it once held in the cybersecurity industry, made for a great story but an unlikely proposition long term.


    M&A was always the destiny for Mandiant, the only question being the winning bidder. The long and unproductive marriage to FireEye sees both companies making some interesting choices after their public, corporate divorce. FireEye combined with McAfee to become Trellix. And today, Mandiant announced an engagement to a suitor with deep pockets in Alphabet via GCP. If we were browsing our ex-significant other’s social media sites, we would definitely say that Mandiant found a more attractive and compelling match. But that raises the question: “What if Google is just the rebound acquirer?” Let’s take a dive into what each company gets from this pairing.

    Rebuilding Mandiant will take time. And lots of money.

    Mandiant spent too long tied to an all-FireEye ecosystem for its MDR offerings and other associated security services and only just diversified in the last year or two to support a more open ecosystem. Because of this, Mandiant forfeited some of the prestige of its once elite Incident Response practice, primarily to CrowdStrike, and watched its competitor rocket ahead of it in terms of market valuation, stock price, attach rate, and customer penetration. Mandiant does have a strong portfolio of services and intellectual property in areas such as MDR, attack surface management (ASM), and Security Validation (its breach and attack simulation offering). However, expanding that stable of intellectual property is a capital-intensive process — requiring substantial commitment to research and development — or deep pockets to make acquisitions. And valuations for public and private cybersecurity companies are sky-high at the moment.

    Google is playing catch up by spending its way to portfolio parity

    Google’s cybersecurity efforts began with internal initiatives like Project Zero and relatively early adoption of Forrester’s Zero Trust approach to cybersecurity via BeyondCorp. The VirusTotal acquisition did signal Google’s interest in commercializing cybersecurity years ago. However, GCP pivoted towards an enterprise-focused commercial capability somewhat late, with X launching Chronicle in 2018 and Google Cloud acquiring it in 2019. That late start demands a premium to catch up, one Alphabet appears willing to pay.

    Mandiant expertise will accelerate the expansion of the Google Cybersecurity Action Team led by GCP’s CISO Phil Venables. This acquisition comes just after GCP added Siemplify to its arsenal, making its primary offerings a combination of Security Analytics and SOAR capabilities with Chronicle and Siemplify, and now Mandiant’s services-heavy portfolio of solutions. GCP will also need to sort out the impact on the rest of its ecosystem. For now, GCP relies on partnerships for a complete XDR offering, and Mandiant’s MDR service is coupled with direct Google competitor Microsoft via Defender.

    This acquisition also augments Google Project Zero with an infusion of sophisticated practitioners in forensics, malware analysis, threat intelligence, and security research. Now two well-regarded research teams get to mix and match information and expertise, which could lead to interesting advancements and discoveries in attacker activity and techniques to defend enterprises. Mandiant’s Incident Response expertise coupled with VirusTotal data and Project Zero caliber talent could launch a new era of cybersecurity discoveries as the two teams come together. Google and Microsoft compete extensively for enterprise business, which raises the risk that Google severs the information sharing that occurs between Mandiant and Microsoft. Google needs to commit to extending these relationships for this era of discoveries to materialize. Not doing so would be a mistake and a loss of epic proportions for the entire industry.

    Cloud competition becomes a contest for cybersecurity dominance

    Forrester predicted the Tech Titans would next fight over cybersecurity. This acquisition spree is not over. GCP still has major portfolio gaps in endpoint, which it’s tried to solve via partnerships… for now. Given that GCP needs EDR to gain full ownership of the technologies that comprise its XDR offering, its next shopping list likely includes an EDR tool. GCP wants to become a top-tier cybersecurity player, and its acquisitive actions match its goals. Mandiant brings more to GCP than vice versa in capabilities and prestige, which gives us pause. Mandiant needed an acquirer with a complete cybersecurity product portfolio, deep pockets, and strong relationships with enterprise buyers. GCP brings one of those while it continues to pursue the others. Both companies place a premium on expertise as part of their culture, which does set this up as a better pairing than Mandiant’s prior matchup.

    This post was written by VP, Principal Analyst Jeff Pollard, and it originally appeared here.

  • Within hours of the Log4j flaw being revealed, these hackers were using it

    A prolific and likely state-backed hacking group repeatedly targeted several US state governments, first by using software vulnerabilities in web applications and later by scanning for Log4j vulnerabilities within hours of the flaw coming to light, in order to maintain their access. Cybersecurity researchers at Mandiant have detailed how APT41, a state-sponsored cyber espionage and hacking group working out of China, compromised at least six US government networks, as well as other organisations, sometimes repeatedly, between May 2021 and February 2022. The US Department of Justice indicted APT41 hackers in September 2020, but it doesn’t appear to have had an impact on the persistent nature of the attacks. According to analysis of the attacks, many of the initial compromises came in June 2021 via targeting insecure web applications.

    Then in December 2021, a zero-day vulnerability in the widely used Java logging library Apache Log4j was disclosed, and the researchers at Mandiant say APT41 began exploiting the Log4j vulnerability almost immediately. “Within hours of the advisory, APT41 began exploiting the vulnerability to later compromise at least two U.S. state governments as well as their more traditional targets in the insurance and telecommunications industries,” Mandiant said. While a patch was released when the vulnerability was disclosed, the ubiquitous nature of Log4j means that many organisations did not know it was part of their tech infrastructure.

    No matter which vulnerability was being used, once inside the networks, APT41 tailored malware to the victim’s environment in order to make the attacks as effective as possible. When a new exploitable vulnerability appeared, the attackers didn’t abandon their previous compromise, but rather exploited the new vulnerability to gain additional persistence on the network. While the focus of the campaign was around compromising US government networks, APT41 attacks also targeted other industries, including insurance and telecommunications. It’s still uncertain what the overall goals of this particular APT41 campaign are, because these hackers also often dabble in moonlighting for their own personal gain.

    “APT41’s recent activity against U.S. state governments consists of significant new capabilities, from new attack vectors to post-compromise tools and techniques. APT41 can quickly adapt their initial access techniques by re-compromising an environment through a different vector, or by rapidly operationalizing a fresh vulnerability,” the report said. This recent campaign is another reminder that state-level systems in the US are under pressure from nation-state actors like China, as well as Russia, said Geoff Ackerman, principal threat analyst at Mandiant. “A preference for utilizing web exploits to target public-facing web applications, along with the ability to quickly shift targets based on available capabilities indicates that APT41 continues to pose a significant threat to public and private organizations alike around the world,” he added.

    State-backed hacking groups, as well as cyber criminals, are quick to exploit unpatched vulnerabilities. One of the key things organisations can do to avoid falling victim to attacks exploiting software vulnerabilities is to apply any patches or security updates as quickly as possible.