More stories

  • Netgear BR200 small-business router

    The Netgear BR200 Insight Managed Business Router has been designed to be easy to set up, and features a built-in firewall, VLAN management, and remote cloud monitoring, and can be

  • New Python ransomware targets virtual machines, ESXi hypervisors to encrypt disks

    A new strain of Python-based malware has been used in a “sniper” campaign to achieve encryption on a corporate system in less than three hours.

    The attack, one of the fastest recorded by Sophos researchers, was achieved by operators who “precision-targeted the ESXi platform” in order to encrypt the virtual machines of the victim. On Tuesday, Sophos said the malware, a new variant written in Python, was deployed ten minutes after threat actors managed to break into a TeamViewer account belonging to the victim organization.

    TeamViewer is a control and access platform that can be used by the general public and businesses alike to manage and control PCs and mobile devices remotely. As the software was installed on a machine used by an individual who also owned domain administrator access credentials, it took only ten minutes — from 12.30 am to 12.40 am on a Sunday — for attackers to find a vulnerable ESXi server suitable for the next stage of the assault.

    VMware ESXi is an enterprise-grade, bare-metal hypervisor used by vSphere, a system designed to manage both containers and virtual machines (VMs). The researchers say the ESXi server was likely vulnerable to exploit due to an active shell, and this led to the installation of Bitvise, SSH software used — at least, legitimately — for Windows server administration tasks.

    In this case, the threat actors utilized Bitvise to tap into ESXi and the virtual disk files used by active VMs. “ESXi servers have a built-in SSH service called the ESXi Shell that administrators can enable, but is normally disabled by default,” Sophos says. “This organization’s IT staff was accustomed to using the ESXi Shell to manage the server, and had enabled and disabled the shell multiple times in the month prior to the attack. However, the last time they enabled the shell, they failed to disable it afterwards.”

    Three hours in, the cyberattackers were able to deploy their Python ransomware and encrypt the virtual hard drives. The script used to hijack the company’s VM setup was only 6kb in length but contained variables including different sets of encryption keys, email addresses, and options for customizing the suffix used to encrypt files in a ransomware-based attack.

    The malware created a map of the drive, inventoried the VM names, and then powered each virtual machine off. Once they were all disabled, full database encryption began. OpenSSL was then weaponized to encrypt them all quickly by issuing a command to a log of each VM’s name on the hypervisor. Once encryption was complete, the reconnaissance files were overwritten with the word f*ck and were then deleted.

    Big game ransomware groups including DarkSide — responsible for the Colonial Pipeline attack — and REvil are known to use this technique. Sophos says the sheer speed of this case, however, should remind IT administrators that security standards need to be maintained on VM platforms as well as standard corporate networks.

    “Python is a coding language not commonly used for ransomware,” commented Andrew Brandt, principal researcher at Sophos. “However, Python is pre-installed on Linux-based systems such as ESXi, and this makes Python-based attacks possible on such systems.
    ESXi servers represent an attractive target for ransomware threat actors because they can attack multiple virtual machines at once, where each of the virtual machines could be running business-critical applications or services.”

  • YubiKey Bio builds biometric authentication into a security key

    Today sees YubiKey security keys become even better with Yubico’s launch of the YubiKey Bio — biometric authentication built right into a security key, allowing for quick, simple, and streamlined passwordless authentication for desktop-based FIDO-supported services and applications. The YubiKey Bio uses a three-chip architecture that stores the biometric fingerprint in a separate secure element, offering protection from physical attacks. This, according to Yubico, allows the YubiKey Bio to “act as a single, trusted hardware-backed root of trust which allows the user to authenticate with the same key across multiple desktop devices, operating systems, and applications.” Where biometrics are not supported, users can fall back to a PIN set during the initial setup.
    By having everything built into the key, it means that authentication mechanisms are protected from tampering even if the host systems are compromised. The keys can be managed using the Yubico Authenticator for Desktop, an app that is available for Windows, macOS, and Linux. This is used to enroll new fingerprints and add or delete fingerprints when native platform and browser capabilities are limited.


    Customers should choose the YubiKey Bio if they are:

    • Securing an account with a service that supports only FIDO U2F or FIDO2/WebAuthn protocols
    • Authenticating using a desktop device
    • In cloud-first environments
    • Using shared workstations and are in mobile-restricted environments

    However, there are situations where users will be better off using the YubiKey Series 5 keys:

    • They require broader form factors and NFC support
    • The users need to work across desktop and mobile devices
    • Users need to support applications and services using a range of protocols such as OTP, FIDO U2F and FIDO2/WebAuthn, and Smart card/PIV
    • They are securing legacy and modern environments offering a bridge to passwordless, utilizing non-FIDO protocols

    I’ve had my hands on the YubiKey Bio for the past few days, and I have to say that they are an impressive bit of technology. The biometric reader is fast and super reliable, and the whole robust package is everything I’ve come to expect from Yubico.

    The YubiKey Bio enables biometric login on desktop with all applications and services that support FIDO protocols, as well as offering out-of-the-box support for Citrix Workspace, Duo, GitHub, IBM Security Verify, Microsoft Azure Active Directory and Microsoft 365, Okta, and Ping Identity.

    The YubiKey Bio Series is available in USB-A and USB-C form factors, and keys are priced at $80 and $85, respectively. They are available for purchase from Yubico.

  • VMware Edge launched to service enterprises developing multi-cloud apps
    VMware has used its virtual VMworld 2021 event to introduce VMware Edge, a portfolio that will cater specifically to help enterprises run, manage, and secure edge-native apps across multiple clouds.

    According to VMware Edge and Service Provider SVP Sanjay Uppal, the company wants to help address two main problems that organisations face when deploying software stacks. “There’s a challenge of real-time access and there’s a challenge in terms of scale in terms of the number of locations — and we will be addressing both of them,” he told media.

    He also took the opportunity to define what the “edge” means to VMware, acknowledging the definition in the industry can mean something different to everyone. “The edge is distributed digital infrastructure … for running workloads across a number of locations, and these locations are placed close to endpoints that are producing and consuming data,” Uppal said.

    Solutions to help make up the new portfolio will include VMware Edge Compute Stack. Uppal described it as a purpose-built, integrated VM and container-based stack that will enable organisations to run their workloads all the way into the customers’ premises, as well as near the edge.

    VMware Edge Compute Stack will be available in standard, advanced, and enterprise editions. The company added there are plans to develop a lightweight version of Edge Compute Stack to support more lightweight apps at the edge.

    The company’s VMware Secure Access Service Edge (SASE) offering will also be added. In addition to being the software service that combines SD-WAN with cloud-delivered security, VMware has expanded it to include cloud web security, zero trust network access, and firewalling, which will be delivered as-a-service at the edge.

    “Secure access will mean all those endpoints that are coming in without the need for a hardware edge but are coming in and getting terminated at the points of presence, which increases agility and flexibility for the enterprise, but also allows the service provider to migrate away from legacy VPNs,” Uppal said.

    VMware Edge will also feature VMware Telco Cloud Platform, which has been delivering near edge solutions to telco providers from their 4G/5G core to the radio access network. As part of the latest update, Uppal said, its capabilities will also be extended into the network. “This is where it’s being used for RAN disaggregation, as an example, in 4G and 5G cases where this common software stack using telco cloud platform, is being used,” he said.


  • This new Android malware gets full control of your phone to steal passwords and info

    Another new form of Android malware is being spread via text messages with the aim of luring victims into clicking a malicious link, and inadvertently allowing cyber criminals to gain full control of the device to steal personal information and bank details.

    Dubbed TangleBot, the malware first appeared in September and once installed gains access to many different permissions required for eavesdropping on communications and stealing sensitive data, including the ability to monitor all user activity, use the camera, listen to audio, monitor the location of the device, and more. Currently, it’s targeting users in the US and Canada.


    The campaign has been detailed by cybersecurity researchers at Proofpoint who note that while the initial lures came in the form of SMS messages masquerading as information about Covid-19 vaccination appointments and regulations, more recent efforts have falsely claimed local power outages are about to occur.

    In each case, the potential victim is encouraged to follow a link referencing the subject of the lure for more information. If they do, they’re told that in order to view the content on the website they’re looking for, Adobe Flash Player needs to be updated. Adobe stopped supporting Flash in December 2020 and it hasn’t been supported on mobile devices since 2012, but many users probably won’t know this.

    Clicking the link leads victims through a series of nine dialogue boxes requesting acceptance of the permissions and installation from unknown sources that, if accepted, provide cyber attackers with the ability to set up and configure the malware.

    TangleBot provides the attackers with full control over the infected Android device, allowing them to monitor and record all user activity, including knowing websites visited, stealing usernames and passwords using a keylogger, while also allowing the attackers to record audio and video using the microphone and camera.

    The malware can also monitor data on the phone including messages and stored files, as well as monitoring the GPS location, allowing what researchers describe as a “full range of surveillance and collection capabilities”.

    SMS messages have become a common vector for spreading malware, with FluBot malware being particularly prominent in recent months. FluBot often spreads via text messages claiming the victim has missed a delivery and, like TangleBot, tricks users into downloading malware that allows cyber criminals to steal sensitive information. The two forms of malware are unlikely to come from the same cyber-criminal group, but the success and potency of both demonstrate how SMS has become an attractive means of spreading campaigns.

    “If the Android ecosystem has shown us anything this summer, it is that the Android landscape is rife with clever social engineering, outright fraud, and malicious software all designed to deceive and steal mobile users’ money and other sensitive information,” said Proofpoint researchers in a blog post. “These schemes can appear quite convincing and may play on fears or emotions that cause users to let down their guard,” they added.

  • What took Facebook down

    It took about six hours, a new record for Facebook downtime, but Facebook is finally back up. What happened? Here’s what we know so far. The old network troubleshooting saying is, when anything goes wrong, “It’s DNS.” This time Domain Name Server (DNS) appears to be the symptom of the root cause of the Facebook global failure. The true cause is that there are no working Border Gateway Protocol (BGP) routes into Facebook’s sites. BGP is the standardized exterior gateway protocol used to exchange routing and reachability information between the internet top-level autonomous systems (AS). Most people, indeed most network administrators, never need to deal with BGP. 

    Many people spotted that Facebook was no longer listed on DNS. Indeed, there were joke posts offering to sell you the Facebook.com domain.

    Cloudflare VP Dane Knecht was the first to report the underlying BGP problem. This meant, as Kevin Beaumont, Microsoft’s former Head of Security Operations Centre, tweeted, “By not having BGP announcements for your DNS name servers, DNS falls apart = nobody can find you on the internet. Same with WhatsApp btw. Facebook have basically deplatformed themselves from their own platform.” Whoops.

    As annoying as this is to you, it may be even more annoying to Facebook employees. There are reports that Facebook employees can’t enter their buildings because their “smart” badges and doors were also disabled by this network failure. If true, Facebook’s people literally can’t enter the building to fix things.

    In the meantime, Reddit user u/ramenporn, who claimed to be a Facebook employee working on bringing the social network back from the dead, reported, before he deleted his account and his messages, that “DNS for FB services has been affected and this is likely a symptom of the actual issue, and that’s that BGP peering with Facebook peering routers has gone down, very likely due to a configuration change that went into effect shortly before the outages happened (started roughly 1540 UTC).”

    He continued, “There are people now trying to gain access to the peering routers to implement fixes, but the people with physical access is separate from the people with knowledge of how to actually authenticate to the systems and people who know what to actually do, so there is now a logistical challenge with getting all that knowledge unified. Part of this is also due to lower staffing in data centers due to pandemic measures.” Ramenporn also stated that it wasn’t an attack, but a mistaken configuration change made via a web interface.

    What really stinks — and why Facebook is still down hours later — is that since both BGP and DNS are down, the “connection to the outside world is down, remote access to those tools don’t exist anymore, so the emergency procedure is to gain physical access to the peering routers and do all the configuration locally.” Of course, the technicians on site don’t know how to do that and senior network administrators aren’t on site. This is, in short, one big mess.

    Facebook was not immediately forthcoming about what had gone wrong and how it was fixed. Hours after Facebook and all its related services went down, Facebook CTO Mike Schroepfer tweeted: “We are experiencing networking issues and teams are working as fast as possible to debug and restore as fast as possible.” Afterward, as Facebook started to come up, he added, “Facebook services coming back online now – may take some time to get to 100%. To every small and large business, family, and individual who depends on us, I’m sorry.”

    As a former network admin who worked on the internet at this level, I anticipated Facebook would be down for hours. I was also right that it would prove to be Facebook’s longest and most severe failure to date. I do wonder about exactly what went wrong and how it was fixed. Stay tuned. We’ll report on that as soon as we know more details.

  • Atom Silo ransomware operators target vulnerable Confluence servers

    A new ransomware operator is targeting Confluence servers by using a recently-disclosed vulnerability to obtain initial access to vulnerable systems. 

    According to Sophos cybersecurity researchers Sean Gallagher and Vikas Singh, the new threat actors, dubbed Atom Silo, are taking advantage of the flaw in the hopes that Confluence server owners are yet to apply the required security updates to resolve the bug.

    Atlassian Confluence is a web-based virtual workplace for the enterprise, allowing teams to communicate and collaborate on projects.

    Sophos described a recent attack conducted by Atom Silo over a period of two days. The vulnerability used in the attack, tracked as CVE-2021-08-25, allowed the cybercriminals to obtain initial access to the victim’s corporate environment.

    The Confluence vulnerability is being actively exploited in the wild. While fixed in August, the vendor warned that Confluence Server and Confluence Data Center are at risk and should be patched immediately. If exploited, unauthenticated threat actors are able to perform an OGNL injection attack and execute arbitrary code. CVE-2021-08-25 was used to compromise the Jenkins project in September. US Cybercom said in the same month that attacks were “ongoing and expected to accelerate.”

    In the case examined by Sophos, Atom Silo utilized the vulnerability on September 13 and was able to use the code injection bug to create a backdoor, leading to the download and execution of a second, stealthy backdoor.

    To stay under the radar, this payload dropped a legitimate and signed piece of software vulnerable to an unsigned DLL sideload attack. A malicious .DLL was then used to decrypt and load the backdoor from a separate file containing code similar to a Cobalt Strike beacon, creating a tunnel for remotely executing Windows Shell commands through WMI.

    “The intrusion that made the ransomware attack possible made use of several novel techniques that made it extremely difficult to investigate, including the side-loading of malicious dynamic-link libraries tailored to disrupt endpoint protection software,” the researchers say.

    Within a matter of hours, Atom Silo began moving laterally across its victims’ network, compromising multiple servers in the process and executing the same backdoor binaries on each while also conducting additional reconnaissance. 11 days after its initial intrusion, ransomware and a malicious Kernel Driver utility payload, designed to disrupt endpoint protection, were then deployed. Separately, another threat actor noticed the same system was vulnerable to CVE-2021-08-25 and quietly implanted cryptocurrency mining software.

    The ransomware is “virtually identical” to LockFile. Files were encrypted using the .ATOMSILO extension and a ransomware note demanding $200,000 was then dropped on the victim’s system.

    “Ransomware operators and other malware developers are becoming very adept at taking advantage of these gaps, jumping on published proof of concept exploits for newly-revealed vulnerabilities and weaponizing them rapidly to profit off them,” Sophos says.
    “To reduce the threat, organizations need to both ensure that they have robust ransomware and malware protection in place, and are vigilant about emerging vulnerabilities on Internet-facing software products they operate on their networks.”

  • Facebook's giant outage: This change caused all the problems

    Facebook blamed its six-hour outage on Monday on a faulty configuration change that affected its vast social media platforms and internal systems. Facebook, alongside WhatsApp and Instagram, suffered a global outage on Monday, October 4 that began at approximately 11:44 EDT and dragged on well into the afternoon.


    The social media giant’s services were back online as of 17:28 EDT.

    In a subsequent blog post, Facebook’s VP of infrastructure, Santosh Janardhan, said the outage had been caused by a technical issue affecting its Border Gateway Protocol (BGP) routing system, which had “a cascading effect on the way our data centers communicate, bringing our services to a halt.”

    Monday’s outage also affected internal tools at Facebook that made diagnosing and fixing the problem more difficult, said Janardhan. According to the New York Times, the outage rendered engineers’ access cards useless, meaning staff couldn’t get into the buildings where the affected servers were housed.

    “Our engineering teams have learned that configuration changes on the backbone routers that coordinate network traffic between our data centers caused issues that interrupted this communication,” said Janardhan.

    “Our services are now back online and we’re actively working to fully return them to regular operations. We want to make clear at this time we believe the root cause of this outage was a faulty configuration change.”

    BGP was originally designed to interconnect internet service providers across the globe. It now forms the routing backbone of the internet. Facebook also uses BGP as a foundation for its data center routing design. In a blog post published in May 2021, Facebook researchers said the routing design was aimed to allow the company to “build our network quickly and provide high availability of our services, while keeping the design itself scalable.”

    However, the researchers also note that BGP “requires tight codesign with the data center topology, configuration, switch software, and data center–wide operational pipeline.” Ironically, Facebook’s data centre routing configuration was designed specifically to minimize the impact of failures.

    No user data was compromised in Monday’s outage, Facebook said.