More stories

  • Log4j: Mirai botnet found targeting ZyXEL networking devices

    An Akamai researcher has discovered an attempt to use Log4j vulnerabilities in ZyXEL networking devices to “infect and assist in the proliferation of malware used by the Mirai botnet.” Larry Cashdollar, a member of the Security Incident Response Team at Akamai Technologies, explained that Zyxel may have been specifically targeted because they published a blog noting they were impacted by the Log4j vulnerability.


    “The first sample I examined contained functions to scan for other vulnerable devices,” Cashdollar wrote in an Akamai blog post. “The second sample… did contain the standard Mirai attack functions,” he added. “It appears the… attack vectors had been removed in favor of Log4j exploitation. Based on the attack function names and their instructions, I believe this sample is part of the Mirai malware family.” Cashdollar concluded his blog post by writing that “if you have automated string extraction utilities for malware samples that log to a vulnerable Log4j instance, this payload could execute.”

    Zyxel released a security advisory about the issue, noting that it is aware of the vulnerability and that it only affects the NetAtlas Element Management System line of products. “After a thorough investigation, we’ve identified only one vulnerable product that is within its warranty and support period, and we will release a hotfix and a patch to address the issue, as shown in the table below,” they wrote.

    Zyxel said a hotfix was released on December 20 and urged those in need to contact them for the file. A patch will be available by the end of February.

    Vulcan Cyber co-founder Tal Morgenstern said that by design, the Zyxel NetAtlas Element Management System provides extensive control of Zyxel enterprise network infrastructure and the services that run on it. In the right hands, the task automation provided by systems management tools allows IT and network operators to keep things running uninterrupted at massive scale, Morgenstern explained. In the wrong hands, threat actors can do extensive damage quickly to the vulnerable networks they get access to. “Unfortunately, vulnerabilities in systems and network management software tools are trending. SolarWinds, Open Management Infrastructure (OMI), Salt, VMware, and Zoho ManageEngine are just a few we’ve seen in the last few months. Considering the amount of access and control these tools have, it is critical IT security teams take immediate steps to fully mitigate the notable risk these vulnerable tools present to the companies that use them,” Morgenstern said.

    Bugcrowd founder Casey Ellis told ZDNet that this is one of the many vendors which include Log4j as an open-source library and that the attack “is a demonstration of the ubiquity of the Log4j library and the attack surface created as a result.” “It’s one of the reasons the security community went a bit bananas about this issue when it first dropped, and I’d expect to see similar advisories from other vendors for some time to come,” Ellis said.

  • Cybersecurity: 11 steps to take as threat levels increase

    The UK’s security agency has told organizations of the steps to take to beef up their defenses “when the cyber threat is heightened” by zero-day software flaws or geopolitical tensions. The National Cyber Security Centre (NCSC) is not alone in warning companies to take action. Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) also warned all organizations to take “near, urgent steps” to mitigate critical cyber threats in response to last week’s cyberattacks on Ukraine government websites and IT systems. This advice comes amid growing fears of a Russian invasion of Ukraine.


    CISA raised the alarm after Microsoft discovered wiper malware, dubbed “WhisperGate”, on several Ukraine systems. CISA reminded US businesses of NotPetya, the wiper malware that targeted Ukraine organizations in 2017 via a tainted update to a popular accounting software package, but that also infected worldwide IT networks of US and European businesses. The attack cost European and US businesses billions of dollars in the White House’s estimates.

    Rafe Pilling, senior security researcher at Secureworks’ Counter Threat Unit, reckons US and European organizations could become casualties of WhisperGate in a similar fashion. “While it is unlikely that organizations outside of Ukraine will be directly targeted, customers should consider their exposure to collateral damage via service providers or business partners in Ukraine,” said Pilling. “Organizations should be extra vigilant and maintain current backups of business-critical systems and data, exercise restoration processes before they are needed, and ensure that backups cannot be impacted by ransomware-style or wiper malware attacks.”

    So what should potentially affected businesses and public agencies in the UK and elsewhere do to mitigate the risk of becoming collateral damage? The UK’s NCSC says organizations need to balance cyber risks and defense and notes there “may be times when the cyber threat to an organisation is greater than usual.” Triggers for heightened risk include a spike in adversary capability from new zero-day flaws in popular software, or something “more specific to a particular organisation, sector or even country, resulting from hacktivism or geopolitical tensions,” says the NCSC.

    The NCSC’s answer is to control what you can because you can’t control the threat level. And that means patching systems, checking configurations and shielding the network from password attacks. “It is rare for an organisation to be able to influence the threat level, so actions usually focus on reducing your vulnerability to attack in the first place and reducing the impact of a successful attack,” NCSC says. Like CISA, the NCSC has provided a checklist of fundamental cybersecurity actions that are “important under all circumstances but critical during periods of heightened cyber threat.” They’re important to do because organizations probably can’t quickly implement widespread changes when threat levels rise.

    NCSC’s list includes:

      • Check your system patching: Ensure your users’ desktops, laptops and mobile devices are all patched
      • Verify access controls: Ask staff to ensure that their passwords are unique to your business systems and are not shared across other, non-business systems
      • Ensure defences are working: Check antivirus and firewalls
      • Logging and monitoring: Understand what logging you have in place, where logs are stored, and for how long
      • Review your backups: Confirm that your backups are running correctly
      • Incident plan: Check your incident response plan is up to date
      • Check your internet footprint: Perform an external vulnerability scan of your whole internet footprint
      • Phishing response: Ensure that staff know how to report phishing emails
      • Third-party access: Have a comprehensive understanding of what level of privilege is extended into your systems, and to whom
      • NCSC services: Register for the Early Warning service, so that the NCSC can quickly inform you of any malicious activity
      • Brief your wider organisation: Ensure that other teams understand the situation and the heightened threat

  • Microsoft: Now we're switching off Excel 4.0 macros by default

    Microsoft has disabled Excel 4.0 macros by default in the latest release of its spreadsheet software to help customers protect themselves against related security threats. That setting, released in July as an optional configuration in the Excel Trust Center settings, is now the default when opening Excel 4.0 macros (XLM), Microsoft said in a blogpost.

    A macro is a series of commands that you can use to automate a repeated task, and can be run when you have to perform the task. But unexpected macros can pose a significant security risk. You don’t have to enable macros to see or edit the file; only if you want the functionality provided by the macro. But crooks will try to trick the unwary into enabling macros and then use that functionality as part of their attacks.

    The move to restrict Excel 4.0 macros is an attempt to counter a rise in ransomware and other malware groups using Excel 4.0 macros as part of an initial infection. State-sponsored and cybercriminal attackers started experimenting with legacy Excel 4.0 macros in response to Microsoft cracking down in 2018 on macro scripts written in Visual Basic for Applications (VBA). The initial Excel Trust Center settings targeted organizations that wanted VBA and legacy macros to run via the setting “Enable Excel 4.0 macros when VBA macros are enabled”. This allowed admins to control the behavior of macros without impacting VBA macros. Macros are now disabled by default in Excel in build 16.0.14427.10000 and later. Admins can still configure the setting in Microsoft 365 applications policy control.

    Microsoft has added some new policy settings options to the original Group Policy settings that were made available in July. Now there is also the option to manage the policy setting in the Office cloud policy service, which is applied to users who access Office apps from any device with their Azure Active Directory (AAD) account. The policy can also be managed from Microsoft Endpoint Manager. To block XLM across the board, including new files created by users, admins can set Group Policy to “Prevent Excel from running XLM”. This can be done via Group Policy Editor or a registry key. This should help admins mitigate VBA and XLM malware threats using policy.

    Microsoft has addressed the antivirus side of defense via an integration between its Antimalware Scan Interface (AMSI) and Office 365 that Defender and third-party antivirus can integrate with. The AMSI-Office 365 integration allowed scanning of Excel 4.0 macros at runtime last year, bringing it in line with the same runtime scanning capability added for VBA macros in 2018. Basically, when VBA runtime scanning for Excel arrived, attackers moved to the older Excel 4.0 (XLM) macros, which they knew organizations still used for legitimate purposes and were powerful enough to call Win32 interfaces and run shell commands.


  • Tor Project battles Russian censorship through the courts

    The Tor Project has filed an appeal against a Russian court’s decision to block the Tor website in the country. 


    The Tor network is an open source system for anonymizing online communication. Also known as the onion router, the network is used to circumvent censorship and is widely accessed by civil rights activists, whistleblowers, lawyers, human rights defenders, and those under oppressive regimes.

    On Monday, the network developers said an appeal has been filed regarding a decision by the Saratov District Court to impose a block on the torproject.org website in Russia. The appeal has been filed jointly by the Tor Project and RosKomSvoboda, a Russian digital rights protection outfit.

    On December 6, 2021, the Tor Project was told that its website would be blocked in accordance with Article 15.1 of the Law on Information. Public proxy servers and some bridges were also blocked in the country, and Tor developers have noticed blocks across Russia in the past month. According to Tor, the decision by the court was not based on any particular content. Instead, Russian authorities decided the website needed to be blocked as it permits “the download [of] an anonymizer browser program for subsequent visits to sites that host materials included in the Federal List of extremist Materials.” RosKomSvoboda lawyers are representing the Tor Project. According to the civil rights group, the ban “violates the constitutional right to freely provide, receive and disseminate information and protect privacy.”

    In addition, the decision may also be considered problematic as “the case was considered without the participation of Tor representatives, which violated their procedural rights and the competitiveness of the process.” Tor says that Russian users account for the second-largest user base by country, with over 300,000 daily users. A mirror version of the Tor website has been launched by the Electronic Frontier Foundation (EFF).

    “With the help of Roskomsvoboda lawyers Sarkis Darbinyan and Ekaterina Abashina, we will appeal the court decision and hope to correct this situation and help create a precedent for the protection of digital rights in Russia,” commented Isabela Bagueros, executive director of The Tor Project.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Researchers break down WhisperGate wiper malware used in Ukraine website defacement

    The malware used to strike Ukrainian government websites has similarities to the NotPetya wiper but has more capabilities “designed to inflict additional damage,” researchers say.

    Dubbed WhisperGate, the malware is a wiper that was used in cyberattacks against website domains owned by the country’s government. The spate of attacks led to the defacement of at least 70 websites and a further 10 subject to “unauthorized interference,” according to the Security Service of Ukraine, State Special Service and Cyber Police. The wave of attacks was made public on January 14. Websites impacted included the Ukrainian Foreign Ministry, the Ministry of Education and Science, and various state services.

    The defacement and reported compromise of at least two government systems comes at a time when there appears to be a growing threat of invasion by Russia into Ukraine, despite Russia denying any such plans. The UK has recently pulled a number of UK embassy staff out of Kyiv in response.

    Microsoft has published an analysis of WhisperGate, which was discovered on January 13. In a follow-up, Cisco Talos said it was likely that stolen credentials provided the access point for the deployment of the wiper. Cisco Talos says that two wipers are used in WhisperGate attacks. The first wiper attempts to destroy the master boot record (MBR) and to eradicate any recovery options. “Similar to the notorious NotPetya wiper that masqueraded as ransomware during its 2017 campaign, WhisperGate is not intended to be an actual ransom attempt, since the MBR is completely overwritten,” the researchers say.

    However, with many modern systems now moving to GUID Partition Tables (GPTs), this executable may not be successful, so an additional wipe has been included in the attack chain.

    In the second stage, a downloader pulls the code required for the third step. A base64-encoded PowerShell command is executed twice, instructing the endpoint to enter sleep mode for 20 seconds. A Discord server URL, hardcoded into the downloader, is then contacted to grab a .DLL file. The .DLL, written in C#, is obfuscated with Eazfuscator, a .NET platform obfuscator and optimizer. The .DLL is a dropper that deploys and executes the main wiper payload through a VBScript. In addition, Windows Defender settings are tampered with to exclude the target drive from scans. “The fourth-stage wiper payload is probably a contingency plan if the first-stage wiper fails to clear the endpoint,” Cisco Talos says.

    The wiper seeks out fixed and remote logical drives to target in the fourth stage. Enumeration then occurs, and files are wiped in drives outside of the “%HOMEDRIVE%Windows” directory. Files with one of 192 extensions, including .HTML, .PPT, .JPG, .RAR, .SQL, and .KEY, are destroyed. “The wiper will overwrite the content of each file with 1MB worth of 0xCC bytes and rename them by appending each filename with a random four-byte extension,” Talos says. “After the wiping process completes, it performs a delayed command execution using Ping to delete “InstallerUtil.exe” from the %TEMP% directory. Finally, it attempts to flush all file buffers to disk and stop all running processes (including itself) by calling ExitWindowsEx Windows API with EWX_SHUTDOWN flag.”

    Following the cyberattack, the European Union said it was mobilizing “all its resources” to assist Ukraine, NATO has pledged its support, and US President Biden has warned Russia of a cyber ‘response’ if Ukraine continues to be targeted. CISA has recommended (.PDF) that organizations in general, as well as those linked to Ukraine, implement multi-factor authentication for remote systems, disable ports and access points that are not business-critical, and implement strong controls for cloud services to mitigate the risk of compromise.

    “We assess with medium confidence that stolen credentials were used in the attack based on our investigation thus far,” Cisco Talos says. “We have high confidence that the actors had access to some victim networks in advance of the attacks, potentially for a few months or longer. This is a common trait of sophisticated APT attacks.”

  • Hackers hijack smart contracts in cryptocurrency token 'rug pull' exit scams

    Hackers are abusing misconfigurations in smart contracts to launch token rug pulls, researchers say. 

    Despite the current volatility in the cryptocurrency market, with prices for many popular coins including Bitcoin (BTC) plunging, interest in the crypto, token, and NFT spaces remains stable. 2021 was a record-breaking year for cryptocurrency-related theft and fraud. Cybercriminals netted an estimated $14 billion in cryptocurrency, and fraudulent schemes involving digital assets continue to evolve. On Monday, Check Point Research (CPR) said that scammers are now turning their attention to smart contracts, with misconfigurations utilized to launch new crypto tokens — before an inevitable “rug pull” takes place.

    Rug pulls occur when developers of a crypto or virtual asset project manipulate a token’s perceived worth and then abandon the project – taking investor funds with them. A recent example is the SQUID token, which reached a value of $2,850 at its peak. Once the developers rug pulled and prevented traders from selling, the coin crashed by over 99.99%, rendering it basically worthless while netting the developers millions of dollars. There are some indicators of a potential token scam, including 99% buy fees and mechanisms that prevent investors from reselling. According to the researchers, flaws in smart contract code and vulnerabilities can also be harnessed by external attackers to increase the risk of a project losing investor money.

    Fraudsters employ a range of tactics to conduct a rug pull, including the use of scam services to create smart contracts which are then issued a new token name and symbol before becoming public. The manipulation of functions to create hidden triggers to launch a rug pull may also be included. Social media networks are then used to hype up a token — and its perceived value — before an exit scam occurs. In addition, timelocks are not usually imposed. “Timelocks are mostly used to delay administrative actions and are generally considered a strong indicator that a project is legitimate,” the researchers noted.

    Buy and sell fees are a common technique for rug pulls. In a smart contract examined by CPR, the firm discovered both “approve” and “aprove” functions. The former was a legitimate, standard function for contract transactions, whereas “aprove” was hidden and designed to allow the developers to impose 99% fees after a project took off. “A legitimate token will not charge fees or will charge hardcoded values that can’t be adjusted by the developer,” CPR says.

    Another example of potential scam mechanisms is a hidden function that allows developers to create more coins or control who can sell tokens. In the source code of a basketball-themed smart contract, the team found a transfer function that prevented reselling by average traders — a similar element used by SQUID. A function found in a separate contract that allowed coin minting was exploited by an attacker after the contract’s private key was accidentally leaked online. A threat actor was able to use the key to fraudulently mint millions of virtual coins before withdrawing them. In the same contract, an error in emergency withdrawal functions was also exploited. Attackers may also burn tokens to ramp up the price of existing pools. A failure to limit external burns in the Zenon Network was exploited in 2021, leading to a pool drain and the theft of over $814,000 from the project.

    “It’s hard to ignore the appeal of crypto,” CPR says. “It’s a shiny new thing that promises to change the world, and if prices continue on their upward trajectory, people have an opportunity to win a significant amount of money. However, cryptocurrency is a volatile market. Scammers will always find new ways to steal your money using cryptocurrency.”

  • China accused of hijacking Australia Prime Minister Scott Morrison's WeChat account

    A Liberal member of parliament has accused the Chinese government of foreign interference after Prime Minister Scott Morrison’s account on WeChat was hijacked. “It is a matter of record that the platform has stopped the Prime Minister’s access, while Anthony Albanese’s account is still active featuring posts criticising the government,” Liberal representative Gladys Liu said. “In an election year especially, this sort of interference in our political processes is unacceptable, and this matter should be taken extremely seriously by all Australian politicians.” As part of the accusations against the Chinese government, Liu said she would boycott using her official and personal WeChat accounts until an explanation was provided by the platform about the incident. Various Coalition members have also backed Liu’s accusations and boycott, with Parliamentary Joint Committee on Intelligence and Security chair and Liberal Senator James Paterson calling for Opposition Leader Anthony Albanese to follow suit in boycotting WeChat. Stuart Robert, the Minister responsible for digital transformation, told The Today Show on Monday morning that the Prime Minister’s office was seeking to contact the Chinese government about the account hijacking. “It is odd, and of course, the Prime Minister’s office is seeking to connect through to them to work out and get it resolved,” Robert said.  

    First reported by NewsCorp Australia, the WeChat account was reportedly renamed and Morrison faced accessibility problems months ago, with the Prime Minister now unable to access the account at all. According to Australian Strategic Policy Institute senior analyst Fergus Ryan, Morrison’s account is registered to a Chinese national, as WeChat’s policies at the time required accounts to be linked either to the ID of a Chinese national or to a business registered in China.

    In China, WeChat has faced growing regulation, having been put on notice last year for collecting more user data than deemed necessary when offering services. Tencent, the company running WeChat, last year also implemented further restrictions on how much minors could play its flagship game Honour of Kings as part of efforts to appease government concerns. Under that restriction, Honour of Kings gamers under the age of 18 are limited to playing time of one hour on regular days and two hours on public holidays.

  • Inman Grant's reappointment as eSafety commissioner comes with new powers

    The federal government has reappointed Julie Inman Grant as the country’s eSafety commissioner. The reappointment comes simultaneously with the Online Safety Act, which passed last year, officially coming into effect. “The Online Safety Act commences operation [on Sunday] and Ms Inman Grant’s reappointment provides certainty, particularly to community organisations and industry who have been working with the office of the eSafety Commissioner for some time,” said Paul Fletcher, the Minister for Communications, Urban Infrastructure, Cities and the Arts.

    Inman Grant was first put into the role in 2016, months after the Office of the eSafety Commissioner was established under the Australian Communications and Media Authority (ACMA). During her tenure, the eSafety commissioner has steadily expanded from initially only protecting children to a remit of providing supporting mechanisms for all Australians online. With the Online Safety Act now in effect, Inman Grant has even more substantial powers, such as being able to order social media platforms and other websites popular among children to remove cyberbullying content within 24 hours. If these entities fail to remove the content, the commissioner can issue fines of up to 500 penalty units, which equates to a maximum of AU$111,000 for individuals and AU$555,000 for companies. While Inman Grant could already order the removal of cyberbullying content aimed at children, the key change to the commissioner’s powers is that she can also issue orders for cyberbullying content targeted at adults too. In addition, the time allowed for online service providers to take down this type of content has also been cut in half, from 48 hours to 24 hours.

    Beyond being able to order the removal of cyberbullying content, the eSafety commissioner can also order the takedown of intimate images of someone shared without their consent, abhorrent violent material, as well as restricted online content. Online safety has been high on the federal government’s agenda of late, with initiatives such as the Online Safety Youth Advisory Council, the proposal of anti-trolling and online privacy laws, and a federal probe into practices of major technology companies all coming in the past few months.