More stories

  • With lead in China, RoboTaxi maker turns sights on U.S.

    AutoX expands RoboTaxi empire to San Francisco.
    If the race for autonomous vehicles is measured in absolute numbers, a company that’s been surprisingly successful navigating real-world rollouts in both China and the U.S. is winning. AutoX now counts more than 1,000 Level 4 autonomous RoboTaxis in operation in China, and it’s been a surprise front runner in U.S. L4 testbeds as well.


    The thousand-vehicle fleet milestone comes as AutoX is riding a wave of recent announcements. In July 2021, AutoX’s newest Gen5 system-equipped RoboTaxis started rolling off the production line. More recently, in January 2022, AutoX shared a video giving an inside look at its dedicated end-of-line production facility for Level 4 fully driverless RoboTaxis, located near Shanghai, China. Since starting production, the RoboTaxi assembly line has been in full operation. Back in 2020, capitalizing on a COVID-19 pandemic-induced emphasis on contactless services, the company made headlines with a dual-country approach to autonomy testing and market rollout, essentially cornering the RoboTaxi market in Shanghai while also winning a coveted permit to test its driverless cars without drivers in California, becoming just the third company to be awarded the permit. The rapid rise is all the more impressive given that it seemed to get a late start in the driverless race. AutoX founder and CEO Jianxiong Xiao, who was the founding director of Princeton’s Computer Vision and Robotics Labs before leaving the school in 2016 to found AutoX, started his company with modest seed funding after moving his family from Princeton, NJ, to Silicon Valley in 2016. His value proposition was that inexpensive cameras paired with the right AI would be enough for safe L4 autonomous driving. Unlike competitors, his company operated in stealth until very recently, although a California DMV filing to test self-driving vehicles put him on insiders’ radar early on. Behind the scenes, Jianxiong’s computer vision bona fides (he’s an all-star in the field) have helped him attract major academic talent. Using inexpensive sensors, Jianxiong says he is on a mission to democratize autonomy via cutting-edge AI. The notion of democratizing autonomous driving is embedded deep in AutoX’s DNA. It’s a rare bootstrapped company in an ecosystem dominated by the likes of Uber, Intel, and Google.

    With ample presence in China, AutoX is redoubling its U.S. efforts. The company has launched a new RoboTaxi operations center in San Francisco, one of the densest urban centers in the U.S. and a unique road challenge for autonomous vehicles. “We want to deploy the AutoX RoboTaxi fleet in many cities to serve hundreds of millions of people, as well to improve and become a part of communities around the world. Cities such as San Francisco, Shenzhen, Shanghai, and Beijing are the launchpads for RoboTaxis to transform people’s daily lives. And that’s just the beginning,” says Jianxiong.

  • Linux malware attacks are on the rise, and businesses aren't ready for it

    Cyber criminals are increasingly targeting Linux servers and cloud infrastructure to launch ransomware campaigns, cryptojacking attacks and other illicit activity – and many organisations are leaving themselves open to attack because their Linux infrastructure is misconfigured or poorly managed. Analysis from cybersecurity researchers at VMware warns that malware targeting Linux-based systems is increasing in volume and complexity, while there is also a lack of focus on managing and detecting threats against such systems. This comes as more enterprises rely on cloud-based services because of the rise of hybrid working, with Linux the most common operating system in these environments.


    That rise has opened new avenues that cyber criminals can exploit to compromise enterprise networks, as detailed in the research paper, including ransomware and cryptojacking attacks tailored to Linux servers in environments that might not be as strictly monitored as those running Windows. These attacks are designed for maximum impact: the cyber criminals look to compromise as much of the network as possible before triggering the encryption process and ultimately demanding a ransom for the decryption key. The report warns that ransomware has evolved to target the Linux host images used to spin up workloads in virtualised environments, enabling attackers to encrypt vast swathes of the network simultaneously and make incident response more difficult. Attacks on cloud environments also result in attackers stealing information from servers, which they threaten to publish if they are not paid a ransom. Ransomware families that have been seen targeting Linux servers include REvil, DarkSide and Defray777, and it is likely that new forms of ransomware will appear that also target Linux.

    Cryptojacking and other malware attacks are also increasingly targeting Linux servers. Cryptojacking malware steals processing power from CPUs and servers in order to mine cryptocurrency. These attacks, against all operating systems, often go undetected: while cryptojackers use up energy and potentially slow down systems, the drain is usually not noticeable enough to cause significant disruption. The most common application used to mine Monero is the open-source XMRig miner, and many instances of it are being placed on Linux servers. If the Linux environment isn’t being correctly monitored, cryptojacking can easily go undetected, and cyber criminals know this. “Cyber criminals are dramatically expanding their scope and adding malware that targets Linux-based operating systems to their attack toolkit in order to maximize their impact with as little effort as possible,” said Giovanni Vigna, senior director of threat intelligence at VMware. Rather than infecting a PC and then navigating to a higher-value target, cyber criminals have realised that compromising a single server can deliver a massive payoff. Many of the cyberattacks targeting Linux environments are still relatively unsophisticated compared with equivalent attacks on Windows systems, which means that with the correct approach to monitoring and securing Linux-based systems, many of these attacks can be prevented. That includes cybersecurity hygiene procedures such as ensuring default passwords aren’t in use and avoiding sharing one account across multiple users. “Focus on the basics. The fact is that most adversaries are not super advanced,” said Brian Baskin, manager of threat research at VMware. “They’re not looking for unique exploits, they’re looking for the general open vulnerabilities and misconfigurations. Focus on those before you start focusing on zero-day attacks and new vulnerabilities – make sure you’ve got the basics covered first,” he added.

  • PHP Everywhere code execution bugs impact thousands of WordPress websites

    Critical remote code execution (RCE) vulnerabilities in a popular WordPress plugin have been made public. 

    The RCE bugs impact PHP Everywhere, a utility that lets web developers use PHP code in pages, posts, the sidebar, or anywhere a Gutenberg block (a WordPress editor block) can be placed on sites running the content management system (CMS). The plugin is used on over 30,000 websites. According to the WordFence Threat Intelligence team, the three vulnerabilities in PHP Everywhere all lead to remote code execution in versions of the software below 2.0.3. The first vulnerability is tracked as CVE-2022-24663 and has been issued a CVSS severity score of 9.9. WordPress allows authenticated users to execute shortcodes via the parse-media-shortcode AJAX action. In this case, a logged-in user – even one with almost no permissions, such as a subscriber – could send a crafted request parameter to execute arbitrary PHP, leading to full website takeover. CVE-2022-24664, also issued a severity score of 9.9, is the second RCE vulnerability disclosed by the security researchers. This vulnerability was found in how PHP Everywhere manages metaboxes – draggable edit boxes – and in how the software permits any user with the edit_posts capability to use these functions.

    “Untrusted contributor-level users could use the PHP Everywhere metabox to achieve code execution on a site by creating a post, adding PHP code to the PHP Everywhere metabox, and then previewing the post,” WordFence says. “While this vulnerability has the same CVSS score as the shortcode vulnerability, it is less severe, since it requires contributor-level permissions.” The third vulnerability is tracked as CVE-2022-24665 and has also been issued 9.9 on the severity scale. All users with edit_posts permissions can use PHP Everywhere Gutenberg blocks, and attackers could tamper with a website’s functionality by executing arbitrary PHP code through these functions. It was possible to restrict this function to administrators only, but in versions of the software below 2.0.3 this restriction was not in place by default. WordFence disclosed the vulnerabilities to the developer on January 4, who rapidly developed a set of fixes. On January 10, a patched version of the plugin, v.3.0.0, was rolled out. The developer, Alexander Fuchs, says that the update has caused a “breaking change” due to the necessary removal of some Block editor functionality, so users facing problems – such as those relying on the Classic Editor – will need to upgrade old code to Gutenberg blocks or find another solution to run PHP. At the time of writing, just over 30% of users have upgraded, so many websites are still running vulnerable versions of the plugin.

  • NTT, ServiceNow partner for enterprise private 5G deployments

    Telecom provider NTT has connected with cloud-based workflow automation platform ServiceNow to speed up the adoption of private 5G (P5G) in the enterprise. The combined NTT/ServiceNow solution is designed to give organizations a personalized, verticalized, automated approach to P5G deployments. 

    The solution builds upon NTT’s P5G network-as-a-service (NaaS) platform, launched in August 2021 and leveraging technology from Celona Networks. NTT’s P5G technology can be deployed via cloud, on-premises, or at the edge as a subscription-based service, which allows organizations to build highly agile enterprise networks. P5G also gives organizations more control because they can manage their own security and network functions rather than using a carrier-based 5G solution.

    ServiceNow brings vertical workflows to private 5G

    This is a natural fit. ServiceNow has pre-built workflows designed for the needs of specific industries, which have been integrated with NTT’s P5G network capabilities to create a single bundled service. By having workflows integrated into the private network itself, organizations can deploy much faster, whereas deploying networks without integrated business processes typically doesn’t give organizations the outcome they want. Historically, operational teams have often deployed networks without any thought to the business processes they support. This limits the value to connectivity and doesn’t always solve real business problems. Organizations are now relying on network-centric technologies such as cloud, IoT, and mobility, and the network can no longer be an afterthought. When the workflow is integrated into the network, it yields better business outcomes. Companies are now tasked with digitizing new and existing business processes to bridge the gap between their workflows and P5G networks. However, automating operational service workflows can be challenging. That’s why ServiceNow developed artificial intelligence-enabled workflow orchestration capabilities to bring people, processes, and systems together.

    AI automates problem resolution

    Now network teams don’t have to spend time and resources coming up with ways to integrate networks with back-office systems. Once the ServiceNow AI engine identifies a problem, it can be translated into a workflow and automated. For example, manufacturing organizations need to export massive amounts of data off the factory floor, which isn’t a trivial task given the number of systems deployed. NTT and ServiceNow have done much of the heavy lifting with clients to understand the challenges and used AI to build the logic to drive better outcomes. Its machine efficiency index measures the quality of parts being produced, rate of production, hours spent, and other metrics that can impact overall production. Once the AI engine has identified the problem, a workflow can be created to assign the job to a technician, auditor, or another individual. This means IT no longer has to manually integrate network data with the back-office systems.

    Cost allocation simplified

    Another challenge being addressed is billing for deployed networks, where the cost of 5G and Wi-Fi has to be settled by different departments within organizations. NTT and ServiceNow are enabling basic features such as cost allocation to help organizations move beyond the pilot stage toward fully operational P5G networks. Approximately half of organizations worldwide plan to deploy a P5G network within the next six to 24 months. Nearly a quarter are piloting private 5G networks, while a few have at least one operational P5G network, according to a study recently published by Economist Impact and NTT. Most IT decision-makers view private 5G as a substitute for Wi-Fi because security and data protection can be customized. In particular, industries that rely on warehouses, factories, and distribution centers believe P5G is more economical than Wi-Fi since it requires deploying only a few access points versus hundreds of Wi-Fi access points. The fact that ServiceNow has various modules for industries, billing, and operations is a key differentiator. Specific industries can have plugins for modules that incorporate 5G into their manufacturing workflow, for instance. ServiceNow and NTT bring these capabilities together in a ready-to-use kit. This is not something telcos or equipment-only vendors can offer at the moment.

  • Australian inquiry backs Taiwan CPTPP accession but doesn't do the same for China

    Australia’s parliamentary body tasked with analysing the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP) has come out in full support of extending the pact’s membership to Taiwan. In a report about expanding CPTPP membership, the Joint Standing Committee on Foreign Affairs, Defence and Trade said the Australian government along with other pact members should facilitate Taiwan’s accession to the pact. The committee explained it supported Taiwan’s accession, in spite of China’s disapproval, as it is one of the “very few major markets” that Australia has not entered a free trade agreement with. In light of the lack of a free trade agreement between Australia and Taiwan, the committee said Australia should also consider concurrently negotiating a bilateral with the Taiwanese government. The committee made this recommendation as Australia has seen benefits from adopting a similar approach with the UK previously. The committee also said that such agreements would allow the Australian government to learn from Taiwan when it comes to how to both counter disinformation campaigns and build a better cybercapacity in countering illegitimate or unsolicited attacks. When it came to China’s potential accession into the CPTPP, the committee did not give the same glowing review. It said that any support for China to enter the pact would require the country to re-establish full trading relations with Australia, including “ending its coercive trade measures and reengaging in ministerial dialogue, and to demonstrate an ability and willingness to commit to the CPTPP’s high standards”.

    “The ball is in their court,” said Ted O’Brien, Liberal MP and committee member. “It’s up to China if it wishes to re-engage with Australia and I hope it does because that would enable the discussions that are necessary to determine whether an accession process should commence.” Currently, Beijing has measures in place that limit Australia’s export of goods such as barley, coal, copper ores and concentrates, cotton, hay, logs, rock lobsters, sugar, and wine to China. Tensions between Australia and China have grown steadily over the past two years, with Australia, alongside the UK and US, in September announcing a trilateral security pact, AUKUS, aimed at addressing the defence and security concerns posed by China within the Indo-Pacific region. Although China was not mentioned when AUKUS was announced, Australian Prime Minister Scott Morrison said at the time that the Indo-Pacific region was increasingly becoming “more complex”. In the inquiry’s report, much like Morrison’s AUKUS announcement, the committee stressed the federal government should prioritise supporting an “open, transparent and stable trading environment in the Indo-Pacific” when considering whether to allow states such as China to accede to the pact. Current members of the CPTPP include Australia, Brunei, Canada, Chile, Japan, Malaysia, Mexico, New Zealand, Peru, Singapore, and Vietnam. Outside of China and Taiwan, the United Kingdom has also submitted a formal request to join the CPTPP, and a working group for that accession application has been established. South Korea is also considering joining the trade pact.

  • Australia's anti-trolling Bill enters Parliament retaining defamation focus

    The federal government has officially introduced the highly publicised anti-trolling Bill into Parliament. The Bill, Social Media (Anti-Trolling) Bill 2022, was first announced by Australian Prime Minister Scott Morrison in November as a mechanism that would “unmask anonymous online trolls” and address toxic content existing on social media platforms. The anti-trolling Bill has since been touted by the Liberal Senator and Attorney-General Michaelia Cash as one of her party’s primary items that it wants to push out before the federal election. Introduced by Communications Minister Paul Fletcher on Thursday morning, the Bill remains largely unchanged from the exposure draft version released in December. Despite being called an anti-troll Bill, the proposed laws do not contain any sections addressing troll or harmful content. At its core, the Bill is focused on empowering people to raise lawsuits for online defamation rather than explicitly preventing cyberbullying and online abuse. Last week, Australia’s eSafety Commissioner Julie Inman outlined her concern about this, specifically on how it may be misused due to the lack of these elements addressing troll and harmful content. “I think [the anti-trolling Bill] can lend itself to a lot of retaliation, a lot of vigilante-style justice,” said Inman Grant.

    The other focus of the Bill, according to its explanatory memorandum, is to overturn a recent Australian legal precedent set in the Voller case, which made individuals and organisations liable for defamatory material that exists on their social media pages. The Bill, if passed, would mean administrators of social media pages are no longer liable for defamation over third-party material posted on those pages. That liability would shift to social media service providers instead. Looking at the Bill’s details, much like its exposure draft, it is still seeking to formally classify social media service providers as publishers of any comments made on their platforms in Australia. To avoid defamation liability under the Bill, social media service providers would need to have a complaints scheme in place that allows victims of defamatory comments to both make complaints and request the personal information of the maker of those comments. Complaints schemes that satisfy the Bill’s requirements would also have to ensure that an accused commenter is notified that they are the subject of a complaint within 72 hours of it being made. If the accused commenter gives consent for their personal information to be provided, social media platforms must then disclose that information to complainants and assist them in relation to potentially raising any defamation lawsuits. This personal information would include contact details such as name, email address and phone number, as well as country location data to determine if the user is in Australia.

    Geolocation data provided under the Bill would be limited to whether or not the material was “posted in Australia” by reference to geolocation technology deployed by the social media provider. The disclosure mechanism can also only be enlivened where there is reason to believe that there may be a right for the complainant to obtain relief against the poster in a defamation proceeding. As parliamentarians deliberate over the Bill, Australia’s federal inquiry into the practices of major technology companies is set to provide its findings later this month. The social media probe was approved by the federal government with the intention of building on the anti-trolling Bill’s initial goal of unmasking trolls.

  • Rapid7 reports 2021 revenue of $535 million

    Security automation technology firm Rapid7 beat Wall Street estimates on Wednesday, reporting strong growth throughout 2021. Rapid7 delivered fourth quarter revenue of $151.6 million, up 34% from a year ago. For the fourth quarter, Rapid7’s non-GAAP earnings of -$0.16 a share were above expectations.


    Wall Street was expecting Rapid7 to report fourth quarter earnings of -$0.17 a share on revenue of $145.88 million. For 2021, Rapid7 reported a total revenue of $535.3 million and a products revenue of more than $500 billion. The company grew its customer base last year from 8,718 to 10,283. “We ended 2021 on a high note, delivering strong fourth quarter results across our security transformation and vulnerability management solutions,” said Corey Thomas, chairman and CEO of Rapid7. “We grew ARR by 38% during the year while eclipsing 10,000 customers globally, highlighting our team’s strong execution and the growing need for customers to manage increasingly complex security environments.” Product revenue in Q4 2021 was up 35% compared to Q4 2020 at $141.2 million. Professional services revenue was $10.3 million for the fourth quarter, an increase of 18% compared to the same quarter of 2020.

    The company is predicting Q1 revenue in the range of $153 million to $155 million and a non-GAAP net loss in the range of $0.18 to $0.15 a share. For the full year, the company is expecting revenue between $682 million and $690 million as well as EPS between $0.05 and $0.16. In July 2021, Rapid7 announced it was spending $335 million in cash and stock to buy New York-based, privately held cybersecurity company IntSights to add “outside the wire” capabilities.


  • Telstra aims up at government cybers with new specialist arm

    Telstra is going after the government’s cyber dollars with the launch of specialist compliance, detection and response capabilities, along with a team aimed specifically at the sector. One of the reasons the telco is moving in this direction is the recent federal government announcement that all services would be digital by 2025. “As we recover from the pandemic, reliance on digital services will remain critical, so it’s important that we secure and protect our digital environment, as disruptions due to cyber attacks could significantly impact the economy and its recovery,” Telstra Enterprise group owner for government Nicole McMahon said. “Telstra’s capability to protect, detect and respond to cyber threats, coupled with the unparalleled visibility of threats we have from operating the largest and most complex network in Australia, uniquely positions us to be able to act on cyber issues in real time.” The telco is offering detection and response out of its current security operations centres, which it said integrate with government systems to monitor threats with the help of analytics from its managed security service platform. Under compliance, which Telstra is dubbing Sovereign SecureEdge, it is using a cloud-based solution to “reduce latency and limitations that often come with more complex perimeter-based security solutions”. The telco said governments will be able to purchase its solutions in the coming months.

    Earlier in the week, Telstra was crowing over taking out the Ookla Speedtest for the latter half of 2021. Telstra recorded median download speeds of 78Mbps, against 70Mbps for Optus and 60Mbps for Vodafone. On the median upload front, Telstra led the way with 11.7Mbps, followed by Vodafone with 10.3Mbps and Optus on 9Mbps. For median latency, Telstra lagged on 24 milliseconds, with both Optus and Vodafone on 21 milliseconds. In further good news for the telco, the Telecommunications Industry Ombudsman (TIO) said on Wednesday that it saw complaints about Telstra halve year-on-year. For the quarter to the end of 2021, Telstra had 9,660 complaints against it recorded by the TIO, with Optus having 3,800, Vodafone having 1,155, and stablemates TPG and iiNet a further 685 and 490 complaints respectively. Over the past year, complaints involving mobile have become the clear leading category for Telstra, making up 3,800 complaints, while the number of complaints involving multiple internet, landline, or mobile categories has shifted from north of 5,200 complaints to just over 1,930. Overall, total industry complaints have continued to trend downwards, with 18,386 complaints filed, compared to almost 30,500 a year ago. Last week it was announced that Cynthia Gebert was appointed as the Telecommunications Industry Ombudsman for a period of five years, due to begin on May 2. Current TIO Judy Jones is set to leave the post next month.