More stories

  • Google just tripled its bounty for Linux kernel bugs. Here's why

    Google has kicked off a special three-month bug bounty targeting flaws in the Linux kernel, with triple the rewards for security researchers. The new bounty, announced this week, looks to harden the Linux kernel in specific edge cases. It’s offering up to $31,337 (Leet) to security researchers who can achieve privilege escalation in Google’s lab environment using a patched vulnerability, and $50,337 for anyone who finds a previously undisclosed or zero-day flaw, or who discovers a new exploit technique.


    “We are constantly investing in the security of the Linux Kernel because much of the internet, and Google – from the devices in our pockets, to the services running on Kubernetes in the cloud – depend on the security of it,” said Eduardo Vela from the Google Bug Hunters Team.

    The Linux kernel – hatched as a hobby by Linus Torvalds in Helsinki 30 years ago – now powers most of the top websites and internet infrastructure, from AWS to Microsoft Azure, Google, Facebook and Wikipedia.

    Google’s base reward for each publicly patched vulnerability is $31,337, capped at one exploit per vulnerability. However, the reward can go up to $50,337 if the bug was otherwise unpatched in the Linux kernel (a zero-day), or if the exploit uses a new attack or technique in Google’s view. “We hope the new rewards will encourage the security community to explore new Kernel exploitation techniques to achieve privilege escalation and drive quicker fixes for these vulnerabilities,” Vela said.

    He adds that “the easiest exploitation primitives are not available in our lab environment due to the hardening done on Container-Optimized OS.” This is a Chromium-based OS for Google Compute Engine virtual machines that’s built to run Docker containers. However, since this three-month bounty complements Android’s VRP rewards, exploits that work on Android could also be eligible for up to $250,000 (in addition to this program).

    The Google environment has some specific requirements that were demonstrated by Google security engineer Andy Nguyen, who found the 15-year-old BleedingTooth bug (CVE-2021-22555) in Linux’s Bluetooth stack. That bug was a heap out-of-bounds write vulnerability in Linux Netfilter that could bypass all modern security mitigations, achieve kernel code execution, and break the Kubernetes pod isolation of the kCTF (capture the flag) cluster used for security competitions. Nguyen details his work in a writeup on GitHub.

    Vela recommends that participants also include a patch if they want extra cash via Google’s Patch Reward Program. Given the nature of open-source software development, Google notes that it doesn’t want to receive details about unpatched vulnerabilities before they’ve been publicly disclosed and patched. Researchers need to provide exploit code and the algorithm used to calculate the identifier. It would, however, like to receive a rough description of the exploit strategy.

  • Businesses don't talk about being victims of cyberattacks. That needs to change

    Organisations need to have better plans in place to prevent cyberattacks – but they should be more transparent about when they do fall victim to hackers in order to prevent others from meeting the same fate, according to the former head of the US National Security Agency (NSA). As director of the NSA and Commander of US Cyber Command from 2014 to 2018, Admiral Michael S Rogers oversaw cybersecurity during a period of time when the threat of cyberattacks from criminals and foreign government-backed hacking operations grew significantly.


    And while companies can act individually to improve their own cybersecurity, Rogers believes that – for the best possible benefit – companies need to share strategies, techniques and best practices for defending against common cyber threats, particularly when attackers seem to be able to deploy the same techniques again and again to go after different targets.

    “One thing that really frustrates me – and I used to say this when I was in government with the senior leadership of our nation – I wanted that the pain of one should lead to the benefit of many,” said Rogers, now an operating partner at Team8, a cybersecurity venture group, in an interview with ZDNet Security Update.

    “Why do the same techniques keep working over and over and over again? We’re talking years – the same techniques literally used for years. One of my takeaways was because we don’t talk or acknowledge this activity. Most companies do not want to publicly acknowledge a cyber penetration,” he said.

    It’s still uncommon for organisations that are hit by cyberattacks to go into detail about what happened, such as by explaining how cyber criminals were able to enter their network or what needed to be done to secure it after an attack.

    That means there isn’t the opportunity for other companies to learn useful information about the incident that they can then use to prevent attacks. That’s something Rogers says has to change – and he believes there’s already a successful model to follow in the collaborative way the aviation industry investigates incidents.

    “In the US, we use a structure that says any time there is an aviation accident, the government steps in and there is a formal investigation,” he said. “We determine the causes and the mitigating factors, we publish them and then we say, given that, what changes do we need to make?”

    “It’s an indicator of the effectiveness of that methodology, they tend not to continue to recur, the same cause repeatedly over time, because we’re able to address problems,” Rogers continued. “That is not the case in cyber, so I’d like us to learn from some others,” he said.

    By learning from the mistakes of others, organisations can be provided with the information and guidance necessary to make their networks more resistant and more resilient to attacks. Ultimately, if carrying out successful campaigns is more difficult for cyber criminals, they’re going to find it harder to make money.

    “We’ve got to become much more resilient and able to continue to operate, because if we can continue to operate it buys us more time and, quite frankly, it also reduces disposition on the part of many companies to pay a ransom,” said Rogers. “If we make this less lucrative for criminals, you won’t see as much criminal activity,” he added.

    For Rogers, the challenge now is for organisations to focus not just on keeping malicious intruders from gaining access to their network, but also on having plans in place to ensure they are able to continue operating in some capacity, even if hackers have breached the network.

    “Cybersecurity needs to include, not only cyber defence, but we need to spend a whole lot more time thinking about cyber resilience. So if, despite my best efforts, an adversary is going to be able to penetrate my network structure, what are the tools, what are the methodologies, what are the capabilities, what can I do to try to maximize my ability to continue to operate?” he said.

  • Squid Game cryptocurrency creators pull the rug from under investors, steal millions

    A cryptocurrency project based on Squid Game has allegedly pulled an exit scam, with millions of dollars stolen from investors. 

    Popular trends, whether they are meme coins, desired products, or popular television shows — including the Netflix Squid Game series — can all be hijacked by criminals who want to jump on the bandwagon and take advantage of consumer interest. The same can be said for the Squid Game cryptocurrency scheme, a project which promised investors a pay-to-play online game based on the television series, in which contestants were made to play lethal games for prize money. It should be noted that the Squid Game cryptocurrency project is not associated with the television series, Netflix, or its creators.

    The online game was set to launch in November and would cost SQUID tokens to play. However, less than two weeks after the SQUID token was launched — having reached a peak of over $2,850 — the coin has now completely crashed by over 99.99% and is currently worth $0.003028. On November 1, investors who had previously enjoyed seeing the coin rise in value from $0.01 to levels far beyond its original price on PancakeSwap found out they were unable to sell their tokens. According to CoinMarketCap, an “anti-dumping mechanism that was imposed by the project’s developers meant they could not sell.”

    Investors were unable to move their tokens and then the development team went silent. As of now, the project’s website, squidgame.cash, is inaccessible, and Twitter displays a warning on the SQUID Twitter account, citing “unusual activity” as the reason for its temporary suspension.

    This is known as a rug pull or an exit scam, in which investor funds are moved elsewhere and the developers vanish — often causing a coin’s value to tank and become worthless.

    In a Telegram channel linked to the project, an administrator said: “Someone is trying to hack our project these days. Not only the Twitter account @GoGoSquidGame but also our smart contract. We are trying to protect it but the price is still abnormal. Squid Game Dev does not want to continue running the project as we are depressed from the scammers and is overwhelmed with stress.”

    Gizmodo estimates that investor losses have reached $3.3 million. In other Squid Game news, TA575 threat actors have been linked to a campaign exploiting the popularity of the television show to spread Dridex malware.

  • Cybercriminals flog access to international shipping, logistics giants

    Cybercriminals are offering initial access for networks belonging to key players in global supply chains, researchers warn.

    On Tuesday, Intel 471 published an analysis of current black market trends online, revealing instances of initial access brokers (IABs) offering access to international shipping and logistics companies across ground, air, and sea. Global supply chains have faced serious upheaval since the start of the COVID-19 pandemic. The problems go beyond chip shortages — lockdowns and closures have caused backlogs worldwide, and as we slowly emerge from the pandemic, demand for everything from food to electronics remains high. This may be why organizations that provide the backbone of cargo transport and goods deliveries have captured the interest of cybercriminals, including ransomware operators.

    Access is normally obtained through vulnerabilities in Remote Desktop Protocol (RDP), virtual private networks (VPN), Citrix, and SonicWall products, as well as misconfigurations, brute-force attacks and credential theft. While the industry is already in a volatile and precarious position — especially as we head into winter — “a cybersecurity crisis at one of these logistics and shipping companies could have a calamitous impact on the global consumer economy,” according to the researchers. With this in mind, Intel 471 examined Dark Web listings over the past few months to see how prevalent IAB listings relating to the global supply chain are.

    There are several cases of note from both well-known IABs and newcomers. In July, two traders claimed to have secured access to a Japanese shipping firm’s networks, alongside working, stolen account credentials. This offer was included in a wider dump of roughly 50 organizations. In August, a trader and associate of the Conti ransomware group said they had infiltrated networks belonging to a US transport and trucking software supplier, as well as a commodity transport giant.

    According to the cybersecurity firm, this actor had previously given Conti access to a botnet including a virtual network computing (VNC) function, allowing them “to download and execute a Cobalt Strike beacon on infected machines, so group members in charge of breaching computer networks received access directly via a Cobalt Strike beacon session.”

    A posting published in September by an IAB linked to the FiveHands ransomware group offered access to “hundreds” of companies, including a logistics company in the United Kingdom. In other postings on cybercriminal forums, access to a shipping firm in Bangladesh — secured through a PulseSecure VPN security flaw — local admin rights in a US freight organization, and a pack of credentials including account access for a logistics company in Malaysia were also on offer.

    “The logistics industry is constantly targeted, and the ramifications of a cyberattack can have a crippling ripple effect on the global economy [..] It’s extremely beneficial that security teams in the shipping industry monitor and track adversaries, their tools and malicious behavior to stop attacks from these criminals,” the researchers say. “Proactively addressing vulnerabilities in times of high alert avoids further stress on already constrained business operations.”

  • Facebook gives Kazakhstan government direct access to content reporting system

    Facebook parent company Meta has granted the Kazakhstan government direct access to its content reporting system, as part of a joint agreement to work on removing content that is deemed harmful on social network platforms like Facebook and Instagram.

    In a joint statement, the Ministry of Information and Social Development of the Republic of Kazakhstan and the social media giant said the agreement, which is the first of its kind in Central Asia, would make countering the spread of illegal content more efficient and effective. Giving the Kazakhstan government access to its content reporting system will allow the government to report content that may violate Facebook’s global content policy and local content laws in Kazakhstan, Facebook said.

    Under the agreement, both parties will also set up regular communication, including having an authorised representative from Facebook’s regional office work with the Ministry on various policy issues.

    “Facebook is delighted to work with the government of Kazakhstan together, particularly in the aspect of online safety for children,” Facebook regional public policy director George Chen said in a statement. “To make the first step for our long-term cooperation with the government, we are delighted to provide the ‘content reporting system’ to the government of Kazakhstan, which we hope can help the government to deal with harmful content in a more efficient and effective manner. The Facebook team will also continue to provide training to Kazakhstan to keep its cyberspace safe.”

    According to the pair, in preparation for giving the ministry access to its content reporting system, Facebook provided training for the ministry’s specialists last month on how to use the content reporting system, as well as on Facebook’s content policy and community standards.

    Aidos Sarym, one of the deputies who introduced a Bill into the Kazakhstan parliament in September to protect children from cyberbullying, described the agreement as a “win-win” situation. “During these negotiations, everyone came to consensus. It’s basically a classic win-win situation where our citizens will get more effective opportunities to protect their rights, and companies to grow their business,” he wrote on his Facebook page. “At the same time, we were and will be consistent. We are ready to remove the toughest wording and together with the government to develop and introduce formulas that will work will not infringe on user interests or the interests of tech companies themselves.”

    Just last week, Facebook whistleblower Frances Haugen warned the UK Parliament that social media platforms that use opaque algorithms to spread harmful content should be reined in. She said these algorithms could trigger a growing number of violent events, such as the attacks on the US Capitol Building that occurred last January.

    Haugen was speaking in London as part of an investigation into the draft Online Safety Bill that was put forward by the UK government earlier this year. This Bill proposes to force companies to protect their users from harmful content ranging from revenge porn to disinformation, through hate speech and racist abuse. Parliamentarians were taking evidence from Haugen because it was recently revealed that she was the whistleblower behind bombshell leaked internal documents from Facebook.

    Now known as the Facebook Files, the leaks were published by The Wall Street Journal and explored a variety of topics, including the use of different content moderation policies for high-profile users, the spread of misinformation, and the impact of Instagram on teenagers’ mental health. The disclosures became a catalyst for a US Senate inquiry into Facebook’s operations.

  • Facebook targets Nicaraguan government for alleged 'troll farm' campaign

    Facebook announced on Monday that it shut down a “troll farm” allegedly run by the government of Nicaragua and the Sandinista National Liberation Front (FSLN) party. Nicaraguan President Daniel Ortega is vying for a fourth consecutive term in an election on Sunday.

    The company — which recently adopted the new name “Meta” — made the announcement in its “October 2021 Coordinated Inauthentic Behavior Report.” Facebook says that in October it removed 937 Facebook accounts, 363 Instagram accounts, 140 pages and 24 groups connected to the campaign. All of the accounts, pages and groups were allegedly connected to people in Nicaragua. Facebook called it “one of the most cross-government troll operations we’ve disrupted to date,” and said multiple state entities were involved.

    “This operation targeted domestic audiences in that country and was linked to the government of Nicaragua and the Sandinista National Liberation Front (FSLN) party. We found one portion of this network through our internal investigation into suspected coordinated inauthentic behavior in the region, and another portion — as a result of reviewing public reporting about some of this activity,” Facebook said. “Our teams continue to focus on finding and removing deceptive campaigns around the world — whether they are foreign or domestic. We know that influence operations will keep evolving in response to our enforcement, and new deceptive behaviors will emerge. We will continue to refine our enforcement and share our findings publicly. We are making progress rooting out this abuse, but as we’ve said before — it’s an ongoing effort and we’re committed to continually improving to stay ahead.”

    Facebook defines “coordinated inauthentic behavior” as attempts to “manipulate public debate” through fake accounts.

    The company claims it is working to stop campaigns run by governments and non-governmental groups, adding that it watches for “efforts to re-establish a presence on Facebook by networks we previously removed.” It uses manual and automated tools to detect the campaigns.

    “The use of government employees and infrastructure to run large-scale, cross-platform troll operations is an especially troubling trend: this year alone, we have taken down government-linked CIB networks in Ethiopia, Uganda, Sudan, Thailand and Azerbaijan,” Facebook said.

    Facebook did not respond to questions about why it identified and spotlighted this specific campaign, given the many similar campaigns run by government actors in dozens of countries. The Nicaraguan government and FSLN also did not respond to requests for comment.

    Facebook’s IO Threat Intelligence Team, led by Luis Fernando Alonso and Ben Nimmo, claimed in a report that the campaign began in April 2018. “It was primarily operated by employees of the Nicaraguan Institute of Telecommunications and the Post (TELCOR), working from the headquarters of the postal service in Managua.” Additional smaller clusters of fake accounts were run from other government institutions, including the Supreme Court and the Nicaraguan Social Security Institute.

    The campaign was cross-platform as well as cross-government. It ran a complex network of media brands across Facebook, TikTok, Instagram, Twitter, YouTube, Blogspot and Telegram, as well as websites tied to these news entities, posting positive content about the government and negative commentary about the opposition, and using hundreds of fake accounts to promote these posts.

    The Facebook team noted that this campaign was “distinct from financially-motivated clickbait content farms which don’t necessarily rely on fake accounts, but rather use Pages and Groups to post clickbait to drive people to off-platform websites and other channels to monetize.”

    The campaign purportedly began in response to student-led nationwide protests and allegedly involved spreading information that “focused on discrediting the protesters, dissemination of false information and mass reporting of people opposing the government.” According to Facebook, the effort later switched from criticizing protesters to promoting the government’s work in the country. The pages involved in the campaign had about 585,000 followers, and nearly 74,500 accounts joined the groups involved. About 125,000 accounts followed the Instagram accounts involved, according to Facebook.

    The campaign also involved coordinated attempts to report the posts and pages of government critics to Facebook as a way to have them taken down. “These included activists, independent media outlets and regular members of the public who had criticized government policies. Our review of these reports suggests that the great majority were rejected,” Facebook said. “In at least one case, the network tried to get a series of posts that exposed its activity taken down, including photos of an apparent troll facility inside the TELCOR building in Managua. This attempt, too, failed. Despite being mostly unsuccessful, this tactic highlights how the organization sought to control the information environment of everyday Nicaraguan citizens. Although the operators posed as regular citizens of Nicaragua, our investigation found that much of the activity was operated from government-linked entities in Managua, including TELCOR.”

    Facebook continues to face withering backlash for its failure — or in some cases complicity — in relation to government campaigns using the platform for nefarious purposes. Former Facebook employee Frances Haugen leaked thousands of documents showing that Facebook has markedly different moderation policies in different parts of the world and that CEO Mark Zuckerberg made decisions based on politics rather than the best interests of users and the public, such as censoring anti-government posts in Vietnam and opposing the publication of Spanish-language voting information in the US.

  • CrowdStrike acquires SaaS-based cybersecurity service SecureCircle

    CrowdStrike announced on Monday that it acquired SaaS-based cybersecurity service SecureCircle in an all-cash deal expected to close during the company’s fiscal fourth quarter. Terms of the deal were not disclosed, but CrowdStrike said the acquisition will allow it to “extend Zero Trust security to data on the endpoint.”

    George Kurtz, co-founder and chief executive officer of CrowdStrike, said data loss prevention has suffered from a lack of innovation, and he noted that legacy tools have failed to live up to the promise of preventing breaches. “At the same time, the endpoint has become the focal point for how data is accessed, used, shared and stored,” Kurtz said. “CrowdStrike will be setting a new standard for endpoint-based data protection by connecting Zero Trust enforcement to the device, the user identity and, with this acquisition, the data users are accessing and using.”

    CrowdStrike explained in a statement that SecureCircle’s technology will help it “modernize data protection and enable customers to enforce Zero Trust at the device level, the identity level, and at the data level.” The company specifically cited the effect SecureCircle’s tools will have on CrowdStrike’s Falcon agent when securing the endpoint. SecureCircle’s technology helps customers enforce encryption on data in transit, at rest and in use, and CrowdStrike called data loss prevention a “failed technology” as companies continue to deal with data breaches on a daily basis.

    The combination of tools, according to the two companies, will allow users to control usage policies for data and access rules. “We are excited to join the CrowdStrike family, and integrate SecureCircle’s revolutionary data protection solutions with the industry leader in cloud-delivered endpoint protection,” said Jeff Capone, chief executive officer at SecureCircle. “The endpoint in today’s enterprise is everything, and coupling our cloud-native approach to protecting sensitive data with CrowdStrike’s industry-leading Zero Trust endpoint security will enable customers to enforce Zero Trust on the endpoint across all levels.”

  • Cring ransomware continues assault on industrial organizations with aging applications, VPNs

    The Cring ransomware group continues to make a name for itself through attacks on aging ColdFusion servers and VPNs after emerging earlier this year. 

    Experts like Digital Shadows’ Sean Nikkel told ZDNet that what makes Cring interesting is that, so far, the group appears to specialize in using older vulnerabilities in its attacks.

    “In a previous incident, Cring operators exploited a two-year-old FortiGate VPN vulnerability to target end-of-life Microsoft and Adobe applications. This should be a wake-up call for system owners everywhere who are using end-of-life or otherwise unsupported systems that are exposed to the internet at large,” Nikkel said. “While Cring has operators that have used Mimikatz on systems to gain credentials, there’s also evidence of native Windows process usage, which potentially blends in with otherwise legitimate activity. This can often make it more tricky for network hunters and defenders to see anything malicious until it’s too late. This and previous attacks also showcase the continued adoption and use of Cobalt Strike beacons by various threat actors, which often make the post-exploit phase easier for attackers to manage.”

    Sophos released a report in September highlighting one specific incident in which Cring operators exploited a vulnerability in an 11-year-old installation of Adobe ColdFusion 9 to take remote control of a ColdFusion server. Sophos was able to tie the group using the Cring ransomware to hackers in Belarus and Ukraine who used automated tools to break into the servers of an unnamed company in the services sector. The hackers used their automated tools to browse 9,000 pathways into the company’s systems in 75 seconds. Three minutes later, they were able to exploit a vulnerability in the outdated Adobe program that allowed them to get hold of files from servers that weren’t supposed to be publicly available. They grabbed a file called “password properties” and wrote garbled code over their “footprints” to cover their tracks. Then, they waited two and a half days, came back into the company’s network, gave themselves Admin privileges and posted a sardonic ransom note.

    The hackers were also able to get access to timesheets and accounting data for payroll, breaching the internet-facing server in minutes and executing the ransomware 79 hours later.

    Andrew Brandt, principal researcher at Sophos, said the Cring ransomware isn’t new, but it’s uncommon. “In the incident we researched, the target was a services company, and all it took to break in was one internet-facing machine running old, out-of-date and unpatched software. The surprising thing is that this server was in active daily use. Often the most vulnerable devices are inactive or ghost machines, either forgotten about or overlooked when it comes to patching and upgrades,” Brandt said. “But, regardless of what the status is — in use or inactive — unpatched internet-facing servers or other devices are prime targets for cyberattackers scanning a company’s attack surface for vulnerable entry points. This is a stark reminder that IT administrators benefit from having an accurate inventory of all their connected assets and cannot leave out-of-date critical business systems facing the public internet. If organizations have these devices anywhere on their network, they can be sure that cyberattackers will be attracted to them. Don’t make life easy for cybercriminals.”

    The attack identified by Sophos found that the hackers scanned the victim’s website with automated tools and gained easy access once they found the unpatched ColdFusion on a server. Sophos researchers noted that the Cring operators “used fairly sophisticated techniques to conceal their files, inject code into memory, and cover their tracks by over-writing files with garbled data or deleting logs and other artifacts that threat hunters could use in an investigation.” After getting around security features, the hackers left a note saying, “ready to leak in case we can not make a good deal.”

    Pavel Kuznetsov, deputy managing director for cybersecurity technologies at Positive Technologies, told ZDNet that Cring operators are routinely interested in conducting sufficiently deep reconnaissance inside the network before direct infection by their ransomware. “Among the targets are often the infrastructures of industrial organizations. Moreover, ICS segments are selected for infection by the ransomware, obviously with the aim of endangering the associated processes (production, etc.),” Kuznetsov said.

    Positive Technologies head of malware detection Alexey Vishnyakov added that the group gains its initial foothold through the exploitation of 1-day vulnerabilities in services at the perimeter of the organization, like web servers, VPN solutions and more, either by buying access from intermediaries on shadow forums or by other methods. “The group uses Mimikatz to move inside an organization. It uses the Cobalt Strike pentesting tool to secure it within the network to the hosts. After taking over the network, it downloads and distributes the ransomware,” Vishnyakov said.

    Vishnyakov echoed Kuznetsov’s analysis that Cring is focused on attacking industrial companies, hoping to force suspensions of production processes and financial losses as a way to push victims into paying ransoms. “It is far from the first and won’t be the last criminal group that acts according to the scheme of compromising an unpatched vulnerability and encrypting data,” Vishnyakov said. “Particularly dangerous is a series of successful penetrations and production infections. Risks include not only blackmail and financial consequences — these attacks could also possibly lead to accidents and death.”