More stories

  • Printing Shellz: Critical bugs impacting 150 HP printer models patched

    HP has patched critical flaws impacting approximately 150 printer models.  Printers are usually connected to business networks — and potentially forgotten when it comes to security — so they can easily provide an avenue of attack. Highlighting this issue is PrintNightmare, CVE-2021-34481, a Windows Print Spooler service vulnerability that permits attackers to escalate privileges to system level, which was patched in August. In addition, HP patched a separate, 16-year-old privilege escalation driver flaw in July.

    Now, researchers from F-Secure have documented “Printing Shellz,” a set of vulnerabilities impacting multifunction printers (MFPs). On Thursday, the research team said that their tests involved the HP MFP M725z. However, the vulnerabilities — dating back to 2013 — impact an estimated 150 products. These include models in the HP Color LaserJet Enterprise, HP LaserJet Enterprise, HP PageWide, HP OfficeJet Enterprise Color, and HP ScanJet Enterprise 8500 FN1 Document Capture Workstation ranges. The first issue the researchers discovered was CVE-2021-39238. Assigned a CVSS severity score of 9.3, this potential buffer overflow issue could allow the creation of a “self-propagating network worm capable of independently spreading to other vulnerable MFPs on the same network,” according to F-Secure researchers Alexander Bolshev and Timo Hirvonen. The second issue, CVE-2021-39237 (CVSS 7.1), is described by HP as an information disclosure bug. F-Secure says this flaw was caused by exposed physical ports, so local access is required as an avenue for attack.

    It’s possible to exploit these flaws locally via physical access to the device, such as by printing from USB. And when it comes to CVE-2021-39238, another potential attack vector involves sending an exploit payload directly from a browser via cross-site printing (XSP). “These vulnerabilities give attackers an effective way to steal information: defenders are unlikely to proactively examine the security of a printer, and so the attacker can simply sit back and steal whatever information it comes across (via employees printing, scanning, etc),” F-Secure comments. “They could also use the MFP as a pivot point to move through the corporate network.” HP was informed of F-Secure’s discoveries on April 29 and has since released two advisories detailing the vulnerabilities. Patches and firmware updates were released in November. There is no evidence of exploitation in the wild. “Any organizations using affected devices should install the patches as soon as they’re available,” the researchers say. “While exploiting these issues is somewhat difficult, the public disclosure of these vulnerabilities will help threat actors know what to look for to attack vulnerable organizations.”

  • 2022 Robotics predictions from industry leading execs

    The past five years have seen robots move from a developing technology in a number of sectors to an indispensable tool supporting operations across a vast range of enterprises. Logistics, manufacturing, materials handling, inspection, healthcare… the list of sectors that have “gone robotic” in short order is long indeed, and with industries like construction and delivery reaching a tipping point, there can be no denying we’re in the midst of a robotic renaissance. We’re also at a fulcrum moment. Automation technologies are maturing, developers are merging and standardizing engineering approaches, and technologies like AI and machine vision are intersecting to unlock a new wave of capability and efficiency. In other words, it’s an exciting moment in robotics. We surveyed some of the most respected and innovation-minded executives shaping the world of automation on what they expect in 2022 and beyond. The below predictions are from the front lines of the robotics world, and while challenges clearly exist, the future looks bright indeed.

    #1. Interoperability is the next big hurdle
    Brian Gerkey, Co-Founder & CEO, Open Robotics

    “With the growing maturation of the collaborative robotics world, there’s a logical inflection point with end users that I’m beginning to see more frequently. Industries such as healthcare, e-commerce, logistics, manufacturing, and others are all adopting a second or third wave of robots. And in most cases, those robot purchases are different from the ones already in place. Interoperability is the next big challenge in robotics. If a robot from Vendor A doesn’t communicate with a robot from Vendor B, then the end-user is going to have a problem on their hands. That was the challenge we’ve been tackling at a healthcare facility in Singapore since 2018, and one we continue to address through our Open-RMF initiative. It’s not only vital that robots from different companies can communicate with each other, but this lingua robotica also needs to extend to other devices such as smoke alarms, elevators, and more.”

    #2. Creativity in robotics will flourish
    Wendy Tan White, CEO, Intrinsic

    “In the coming years, I’m excited to see more creativity and innovation emerge from the industrial robotics space. We’re on the cusp of an industrial robotics renaissance, driven by software-first solutions, cheaper sensing, and more abundant data. When more developers and entrepreneurs also get to leverage cutting-edge AI, perception, and simulation tools – previously infeasible things may become highly practical, and those never-imagined become very plausible. It’s going to be an exciting decade as industrial robots are reimagined in the context of our work and lives.”

    #3. Robots will really deliver
    Prof. Robin R. Murphy, PhD, Texas A&M University

    “2022 will be the year robot delivery finally takes off. Our analysis showed that during the first year of the pandemic, drones were used for medical applications in cities delivering samples and reagents from hospitals to laboratories faster than vehicles could drive across town. The overall performance and safety should convince naysayers that this can work in urban areas, not just rural areas.”

    #4. Tech-enabled recycling
    Matanya Horowitz, Founder & CEO, AMP Robotics

    “2022 will be the year recycling really advances toward an inflection point, driven by AI, robotics, and data capture, as well as a broader appreciation for the environmental and economic impacts of keeping resources in use. Both consumers and corporates have started pushing for greater use of recyclable material, and in ’22, we believe this will combine with the capabilities of these new technologies to begin to transform the recycling industry. Importantly, these technologies are strengthening existing infrastructure and enabling the development of new infrastructure to maximize the volume and quality of recycled feedstock at a lower cost than what might have been possible previously, creating value for companies across the circular economy.”

    #5. Robots take to sidewalks
    Ali Kashani, Co-Founder & CEO, Serve Robotics

    “In 2022, we expect to see self-driving commercialized, with sidewalk robots starting to see scaled deployment across major cities. After over a decade of R&D, for the first time, we will realize the economic value of autonomous mobility as the marginal cost of robotic delivery falls below the rising labor cost.”

    #6. Adoption is a given
    Matthew Rendall, CEO, OTTO Motors

    “When OTTO Motors sold its first autonomous mobile robot in 2015, AMRs simply hadn’t existed before, and our earliest customers were making a bet on the future of our industry. Eight years later and thousands of AMRs successfully deployed, today’s buyer is considerably more savvy about what to look for in an autonomous material handling robot. The most common questions today focus on the sophistication of the robot’s software, system-level reliability, and the total cost of ownership of an installation. In early installations, the risk was adopting a new technology. Today, the risk is adopting proven technology from the wrong supplier. Downtime is the hidden killer of ROI.”

  • Queensland government energy generator hit by ransomware

    Queensland government-owned energy generator CS Energy said on Tuesday it was responding to a ransomware incident that occurred over the weekend. First reported by Energy Source & Distribution, the company said the incident has not impacted electricity generation at the Callide and Kogan Creek power stations, and it was looking to restore its network. “We immediately notified relevant state and federal agencies, and are working closely with them and other cybersecurity experts,” CEO Andrew Bills said. “We have contacted our retail customers to reassure them that there is no impact to their electricity supply and we have been regularly briefing employees about our response to this incident.” In response to the incident, ANZ regional director at Claroty, Lani Refiti, said critical infrastructure has been increasingly targeted by ransomware gangs because infrastructure firms cannot afford any disruptions or downtime. “The usual vector for ransomware is via corporate systems/networks and most organisations in the power sector will segment their operational technology systems from their corporate networks to avoid an attack via this route,” Refiti said. “Hopefully this is the case for CS Energy, who are one of Queensland’s three main power generation companies along with Stanwell Corporation and Cleanco.”

    Refiti’s hope is likely dashed, as Bills pointed out that segregation occurred after the incident began. “CS Energy moved quickly to contain this incident by segregating the corporate network from other internal networks and enacting business continuity processes,” Bills said. Earlier in the year, Callide suffered a fire in its turbine hall that led to outages across Queensland. Speaking earlier this month, Telstra energy head Ben Burge said the telco was able to keep the lights on for 50,000 families during that event, thanks to its ability to utilise standby power assets, including batteries, used in its telecommunications infrastructure to stabilise the grid and address market shortages. “The physical assets we have already activated would be enough to cover nearly 50,000 customers. In the next few years we expect to grow that coverage to over 200,000 customers,” Burge said. Telstra has gained authorisation to operate in New South Wales, Queensland, and South Australia and is looking to enter the energy market during 2022. Last month, the Australian government announced a new set of standalone criminal offences for people who use ransomware under what it has labelled its Ransomware Action Plan, including a new criminal offence for people who target critical infrastructure with ransomware. “The Ransomware Action Plan takes a decisive stance — the Australian Government does not condone ransom payments being made to cybercriminals. Any ransom payment, small or large, fuels the ransomware business model, putting other Australians at risk,” Minister for Home Affairs Karen Andrews said at the time. The plan will also roll out a new mandatory ransomware incident reporting regime, which would require organisations with a turnover of over AU$10 million per year to formally notify government if they experience a cyber attack.

    Last week, the Critical Infrastructure Bill passed both houses of federal parliament and is currently waiting for Royal Assent.

  • Eftpos expands security kit bag with new AI anti-fraud capability

    Eftpos has switched on a new AI anti-fraud online capability as the Australian debit payments provider continues to expand its security features. The new capability is underpinned by a fraud detection engine that uses AI and machine learning to predict individual behaviour in real time. The feature was developed as part of a partnership with UK-based financial crime prevention firm Featurespace. “The anti-fraud capability has widespread support from banks and fintechs across the country and will scale quickly in the Australian market next year to provide real benefits for merchants and consumers as Eftpos online market penetration grows,” Eftpos CEO Stephen Benton said. Introducing the anti-fraud capability follows Eftpos going live last week with its two-factor authentication functionality, ahead of a full rollout next year. The rollout of these features is part of the five-year, AU$100 million investment Eftpos is making in digital upgrades to its network, designed to build protection for consumers and merchants in up-front, rather than retrofitting security onto legacy systems. Other capabilities in Eftpos’ security kit include tokenisation, disputes and chargebacks capability, and its digital identity solution, connectID.

    The company added that Eftpos payments are already available online for some card-on-file payments where banks have implemented the service for their merchant customers. Since launching the Eftpos digital service that enables Least Cost Routing last year, Eftpos said it has thus far been subject to zero fraud. “Eftpos’ extension further into online payments will quickly drive much needed large-scale competition and place downward pressure on transaction costs. Currently we are well known as the lowest cost debit payments provider for retailers and small businesses at physical shops, and we want to develop the same reputation in the online environment,” Benton said.

  • Panasonic confirms cyberattack and data breach

    Tech manufacturing giant Panasonic has confirmed that its network was accessed illegally this month during a cyberattack. In a statement released on Friday, the Japanese company said it was attacked on November 11 and determined that “some data on a file server had been accessed during the intrusion.” “After detecting the unauthorized access, the company immediately reported the incident to the relevant authorities and implemented security countermeasures, including steps to prevent external access to the network,” Panasonic said in a statement. “In addition to conducting its own investigation, Panasonic is currently working with a specialist third-party organization to investigate the leak and determine if the breach involved customers’ personal information and/or sensitive information related to social infrastructure.” While no other information was provided in the statement, Japanese outlets Mainichi and NHK said the breach actually started on June 22 and ended on November 3. Panasonic did not respond to requests for comment but confirmed that date in an interview with TechCrunch and said the November 11 date actually refers to when the breach was first discovered. NHK reported that the attacked servers stored information about Panasonic business partners and the company’s technology, noting a ransomware incident last November involving a subsidiary of the company that also leaked business information.

    “We cannot predict whether it will affect our business or business performance, but we cannot deny the possibility of a serious incident,” the company told Mainichi on Friday. The Record reported that the breach may also have involved employee information. Panasonic signed a pact with McAfee in March to create a vehicle security operations center focused exclusively on cyberattacks.

  • Over 300,000 Android users have downloaded these banking trojan malware apps, say security researchers

    Over 300,000 Android smartphone users have downloaded what have turned out to be banking trojans after falling victim to malware which has bypassed detection by the Google Play app store. Detailed by cybersecurity researchers at ThreatFabric, the four different forms of malware are delivered to victims via malicious versions of commonly downloaded applications, including document scanners, QR code readers, fitness monitors and cryptocurrency apps. The apps usually provide the functionality they advertise, so that users have no reason to become suspicious. In each case, the malicious intent of the app is hidden and the process of delivering the malware only begins once the app has been installed, enabling the apps to bypass Play Store detections. The most prolific of the four malware families is Anatsa, which has been installed by over 200,000 Android users – researchers describe it as an “advanced” banking trojan which can steal usernames and passwords, and uses accessibility logging to capture everything shown on the user’s screen, while a keylogger allows attackers to record all information entered into the phone. Anatsa malware has been active since January, but appears to have received a substantial push since June – researchers were able to identify six different malicious applications designed to deliver the malware. These include apps which posed as QR code scanners, PDF scanners and cryptocurrency apps, all of which deliver the malware. One of these apps is a QR code scanner which alone has been installed by 50,000 users, and its download page features a large number of positive reviews, something which can encourage people to download the app. Users are directed to the apps via phishing emails or malicious ad campaigns. After the initial download, users are forced to update the app to continue using it – it’s this update which connects to a command and control server and downloads the Anatsa payload onto the device, providing attackers with the means to steal banking details and other information.

    The second most prolific of the malware families detailed by researchers at ThreatFabric is Alien, an Android banking trojan which can also steal two-factor authentication codes and which has been active for over a year. The malware has received 95,000 installations via malicious apps in the Play Store. One of these is a gym and fitness training app which comes with a supporting website designed to enhance its legitimacy, but close inspection of the site reveals placeholder text all over it. The website also serves as the command and control centre for the Alien malware. Like Anatsa, the initial download doesn’t contain malware, but users are asked to install a fake update – disguised as a package of new fitness regimes – which distributes the payload. The other two forms of malware which have been dropped using similar methods in recent months are Hydra and Ermac, which have a combined total of at least 15,000 downloads. ThreatFabric has linked Hydra and Ermac to Brunhilda, a cyber criminal group known to target Android devices with banking malware. Both Hydra and Ermac provide attackers with the access to the device required to steal banking information. ThreatFabric has reported all of the malicious apps to Google and they’ve either already been removed or are under review. Cyber criminals will continually attempt to find ways to bypass protections to deliver mobile malware, a space that is becoming increasingly attractive to them. “The Android banking malware ecosystem is evolving rapidly. These numbers that we are observing now are the result of a slow but inevitable shift of focus from criminals towards the mobile landscape. With this in mind, the Google Play Store is the most attractive platform to use to serve malware,” Dario Durando, mobile malware specialist at ThreatFabric told ZDNet.

    The convincing nature of the malicious apps means that they can be hard to identify as a potential threat, but there are steps users can take to avoid infection. “A good rule of thumb is to always check updates and always be very careful before granting accessibility services privileges – which will be requested by the malicious payload, after the “update” installation – and be wary of applications that ask to install additional software,” said Durando. ZDNet attempted to contact Google for comment but hadn’t received a response at the time of publication.

  • 1,000 arrests made in online fraud crackdown, says Interpol

    Police have arrested 1,003 individuals across 22 jurisdictions in the last few months as part of an Interpol-coordinated operation against online financial crimes, including business email compromise (BEC) scams.


    Law enforcement across 20 nations made the arrests between June and September over various forms of online fraud, including romance scams, investment fraud and money laundering linked to online gambling. Some 2,350 bank accounts were seized as part of Interpol’s Operation HAECHI-II. “Far from the common notion of online fraud as a relatively low-level and low stakes type of criminality, the results of Operation HAECHI-II show that transnational organized crime groups have been using the Internet to extract millions from their victims before funneling the illicit cash to bank accounts across the globe,” the international criminal police organisation said. The operation specifically targeted BEC, or email fraud, which involves tricking staff into wiring large sums to supposed suppliers or contractors, often by using emails that appear to be sent by someone more senior in the organisation. The FBI estimated that BEC scams cost US businesses $1.8 billion in 2020, dwarfing the reported $29 million in losses attributed to ransomware. The scammers have also taken a leaf from the ransomware business by moving to a services-based model where components are rented out to different parties. Interpol highlighted a case in Colombia where a textiles company lost more than $8 million to a BEC scam. “The perpetrators impersonated the legal representative of the company, giving the order to transfer more than $16 million to two Chinese bank accounts. Half of the money was transferred before the company uncovered the fraud and alerted the Colombian judicial authorities, which in turn quickly contacted Interpol’s financial crime unit through their National Central Bureau in Bogota,” Interpol said.

    To freeze the transferred funds, Interpol worked with its bureaus in Beijing, Bogota and Hong Kong. “Intercepting the illicit proceeds of online financial crimes before they disappear into the pockets of money mules is a race against time, and we have worked closely with the Attorney General’s Office to move as decisively as possible,” said General Jorge Luis Vargas Valencia, Director General of the Colombian National Police. BEC is an international banking problem that is difficult for law enforcement to address across jurisdictions. The FBI set up the IC3’s Recovery Asset Team (RAT) in February 2018 to handle communications between banks and FBI field offices to freeze funds in cases where victims transferred funds to domestic accounts. However, IC3 has also worked with US consulates in foreign territories, such as Hong Kong, to freeze multimillion-dollar transfers headed to bank accounts in China. Interpol notes that in another case, a company in Slovenia transferred $800,000 to money mule accounts in China. The transfer was stopped after Slovenian Criminal Police contacted Interpol and connected with peers at Interpol in Beijing. Operation HAECHI-II involved law enforcement from Angola, Brunei, Cambodia, Colombia, China, India, Indonesia, Ireland, Japan, Korea (Rep. of), Laos, Malaysia, Maldives, Philippines, Romania, Singapore, Slovenia, Spain, Thailand, and Vietnam.

  • Cybersecurity graduates are doubling, but that's still not going to fix the skills crisis

    European Union members have a collective cybersecurity skills shortage that may be partially addressed by a surge in new graduates — but even that potential solution is not without its problems. Supply chain component strains are affecting all industries right now, but one supply chain problem that pre-existed the pandemic is the mismatch between supply and demand for cybersecurity staff. ENISA, the EU’s transnational cybersecurity agency, has now raised a flag about the enduring labor market supply problem and says it won’t be resolved despite a doubling of the number of graduates in the next two years. “The number of skilled and qualified workers is not enough to meet the demand, and national labour markets are disrupted worldwide, Europe included, as a consequence,” ENISA says in a new report. “The number of graduates in the next 2-3 years is expected to double. However, gender balance is still an issue with only 20% of female students enrolled.” Free market competition for security professionals also impacts the supply of expertise to the public sector and central banks, which don’t pay as much as banks and insurance companies.

    ENISA separates the terms cybersecurity “skills gap” and “skills shortage” in a new report that explores how to solve the problem. The former refers to a lack of appropriate skills in the workforce to perform cybersecurity tasks within a professional setting. The latter refers to “unfilled or hard-to-fill vacancies that have arisen as a consequence of a lack of qualified candidates for posts.” ENISA says there are 126 higher education programs from 25 countries that meet the EU’s definition of a cybersecurity program. For example, a master’s degree requires at least 40% of the taught modules to address cybersecurity topics. Using this definition, master’s-level qualifications constitute 77% of ENISA’s Cybersecurity Higher Education Database (CyberHEAD). Remote learning became the norm during the pandemic. Still, ENISA found that only 14% of higher education cybersecurity programs are purely online, while 57% are classroom-only, and 29% are a blend of face-to-face and online learning. Online delivery may help reduce geographic barriers to entry, argues ENISA. Language is another barrier to entry. The EU programs included in the database are taught in 16 languages, with 38% taught in English, 17% in Spanish, 11% in German, 7% in Italian, 5% in French, 4% in Greek, and 4% in Portuguese. ENISA argues that an “even higher percentage of English-based programs also presents additional benefits” by producing graduates who are confident at interacting in an international setting. University fees are another barrier to entry. Some 71% of programs required fees to enrol. In terms of placing new graduates in the private and public sectors, ENISA found that compulsory internships were part of only 34% of EU programs. Only 23% of programs prepared students for specific professional certifications, such as CISSP, ISO 27001 and CompTIA Security+.

    On the question of gender, women made up at least 20% of cybersecurity programs in only six EU nations: Romania (50%), Latvia (47%), Bulgaria (42%), Lithuania (31%), France (20%) and Sweden (20%). “Unfortunately, these statistics mean that, overall, most HEI programmes in Europe have particularly low levels of gender diversity,” ENISA notes. ENISA made several recommendations to address the EU cybersecurity skills shortage and gap:

      • Increase enrolments and graduates in cybersecurity programs by diversifying the content, levels and languages used in the higher education curricula
      • Provide scholarships, especially for underrepresented groups, and promote cybersecurity as a diverse field
      • Adopt a common framework for cybersecurity roles, competencies, skills and knowledge
      • Promote challenges and competitions in cybersecurity skills
      • Increase collaborations between member states in sharing program results and lessons learnt
      • Support the analysis of demographics (including the diversity) of new students and graduates in cybersecurity