More stories


    Attacker releases credentials for 87,000 FortiGate SSL VPN devices

    Fortinet has warned that 87,000 sets of credentials for FortiGate SSL VPN devices have been published online. 

    The California-based cybersecurity firm said on Wednesday that it is aware of the disclosure and, after investigating the incident, has concluded that the credentials were obtained by exploiting CVE-2018-13379, a known security flaw in the portal of the FortiOS SSL VPN web tunnel software. The bug was patched and a fix was released in 2019, including two-factor authentication as a mitigation. However, close to two years on, the vulnerability has come back to the fore with the release of the stolen credentials online.

    Fortinet says that the stolen information was “obtained from systems that remained unpatched” at the time an attacker performed a web scan for vulnerable devices. If passwords on FortiOS SSL VPN builds have not been changed since this scan, Fortinet says they remain vulnerable to compromise. Furthermore, as FortiOS SSL VPN is popular with enterprise users, this could become an avenue for network attacks.

    “Please note that a password reset following upgrade is critical to protecting against this vulnerability, in case credentials have already been compromised,” the company says.

    CVE-2018-13379 was reported by Meh Chang and Orange Tsai from DEVCORE. Described as a path traversal flaw, the bug permits unauthenticated attackers to download system files through specially crafted HTTP resource requests. The critical vulnerability was awarded a CVSS score of 9.8.

    FortiOS 6.0 (6.0.0 to 6.0.4), FortiOS 5.6 (5.6.3 to 5.6.7), and FortiOS 5.4 (5.4.6 to 5.4.12) are impacted by the bug and are vulnerable when the SSL VPN service has been enabled. As noted by AdvIntel, the dump was posted by the Groove ransomware group on their leak site. The threat actors said “everything checked as valid” (Russian, translated), but this has not been verified.
    via Kela
    The company has previously warned customers that this vulnerability is being weaponized by hacking groups in the wild (1, 2). In June, the FBI issued an advisory (.PDF) stating that CVE-2018-13379 had been successfully used to infiltrate a webserver hosting a US municipal government domain.

    “Since these vulnerabilities were first discovered, Fortinet has taken exhaustive steps to notify and educate customers, urging them repeatedly to upgrade their affected systems to the latest patch release,” the company said in June. “It’s a scenario software and firmware developers know all too well. Fortinet and organizations like the NCSC, FBI, and CISA have issued 15 separate notifications and advisories to Fortinet customers over the past two years, warning them of the risks of failing to update affected systems and providing links to critical patches.”

    If users suspect they may have been involved in the breach due to a failure to refresh their credentials, the tech giant recommends that VPN services are temporarily disabled while organizations perform password resets. Fortinet is also urging customers to upgrade to FortiOS 5.4.13, 5.6.14, 6.0.11, or 6.2.8 and above, which contain the necessary security fixes.


    91% of IT teams have felt 'forced' to trade security for business operations

    A new survey suggests that the majority of IT staff have felt pressured to ignore security concerns in favor of business operations.

    The coronavirus pandemic has caused enormous economic damage, and as the virus continues to sweep across the globe, many businesses have suffered. In order to keep operations ticking over, or to facilitate the changes needed in order to survive, employers turned to virtual meetings and remote working. While working from home may once have appeared to be just a temporary measure, remote and hybrid work is now firmly entrenched in some sectors, and there may be serious ramifications for cybersecurity.

    On Thursday, HP Wolf Security published a new study, the Security Rebellions & Rejections report, which combines data from an online YouGov survey targeting office workers that adopted WFH and global research conducted with IT decision-makers.

    In total, 91% of those surveyed said that they have felt “pressured” to compromise security due to the need for business continuity during the COVID-19 pandemic. 76% of respondents said that security had taken a backseat, and furthermore, 83% believe that working from home has created a “ticking time bomb” for corporate security incidents.

    IT teams, their workloads, and the need to compromise are not the only issues; it also appears there are general feelings of apathy and frustration when it comes to managing cybersecurity in a remote workplace. According to the survey, younger workers, in particular, are more likely to circumvent existing security controls in order to manage their workloads, with 48% of this group saying that security tools, such as website restrictions or VPN requirements, are a hindrance, and 31% have at least attempted to bypass them.

    Overall, 48% of office workers said that security measures waste time and 54% in the 18 – 24-year-old bracket were more concerned with meeting deadlines than potential security breaches. In addition, 39% of this group were unsure or unaware of their employer’s security policies. Other points of note include:

    • 37% of office workers believe security policies are often too restrictive
    • 80% of IT teams experienced backlash from home users because of security policies
    • 83% of IT teams said the blurred lines between home and work life made enforcement “impossible.”
    HP Wolf
    “CISOs are dealing with increasing volume, velocity, and severity of attacks,” commented Joanna Burkey, HP CISO. “Their teams are having to work around the clock to keep the business safe while facilitating mass digital transformation with reduced visibility. Cybersecurity teams should no longer be burdened with the weight of securing the business solely on their shoulders; cybersecurity is an end-to-end discipline in which everyone needs to engage.”


    Tethered drone delivery from 150 feet up

    A2Z
    One of the big concerns about drone delivery is the spinning rotors, which are a huge potential liability to people, pets, and property if things go awry. But what if delivery drones didn’t have to land?

    That’s the concept behind A2Z Drone Delivery, LLC’s tethered freefall drone delivery mechanism, which is the backbone of its new drone, called the RDSX commercial delivery UAV. We’ve written about A2Z before and found the system novel. With the rollout of its commercial drone, the company is now formally entering the logistics sector, providing an interesting case study for the near future of drone delivery.

    “Residential drone delivery pilot programs are coming online throughout the United States right now, and much of the industry is anxiously awaiting the large-scale regulatory approval that will see residential deployments rapidly expand,” said Aaron Zhang, founder of A2Z Drone Delivery, LLC. “While the raw technical capabilities for these deliveries already exist, a key benchmark for regulatory approvals will be addressing the consumer comfort with UAVs being rolled out into daily life. Our tethered freefall delivery capability integrated with the RDSX offers a way to mitigate some of those consumer concerns.”


    Basically, A2Z designed a delivery drone by focusing on safety. Safety systems include an onboard parachute, emergency payload abandonment, a passive payload lock to safeguard against payload loss or tether slippage in case of unforeseen power fluctuations, a pre-flight weight check, payload status detection, and rapid descent calculation.

    The RDSX integrates A2Z Drone Delivery’s tethered freefall Rapid Delivery System, which the company says is capable of quickly and safely delivering payloads from altitudes as high as 150ft. By keeping spinning rotors far from people and property, the idea is that the RDSX can help mitigate consumer concerns with drone deliveries. Beyond the safety considerations, these also include noise. A drone on your doorstep is pretty loud, but keeping the delivery UAV high overhead will mitigate (if not eliminate) noise pollution.

    “Working hand-in-hand with a logistics provider gave our engineers invaluable insights into how our customers will interact with the drone platform and allowed us to design the RDSX from the bottom up for the unique demands of commercial UAV deliveries,” said Zhang. “Based on an extremely robust flight platform with hundreds of thousands of flight hours, the RDSX integrates our tethered freefall delivery mechanism to minimize time-on-station, reduce downtime and prioritize safety for the airframe, its payloads and the customers receiving packages.”

    As drone delivery clears regulatory hurdles in the U.S. and abroad, we’re going to begin seeing more novel platforms coming online. Given the red hot logistics industry, it’s going to be interesting to see how readily providers adopt drone delivery. Logistics over the past decade has been dominated by Amazon, with others essentially following suit. Drone delivery, however, may present an interesting new opportunity for logistics providers to connect with and give an edge to smaller retailers and regional businesses that might benefit from a local drone delivery capability. Companies like A2Z are helping the next few years shape up to be very interesting in the logistics sector.


    GitHub tackles severe vulnerabilities in Node.js packages

    GitHub has resolved numerous vulnerabilities in Node.js packages tar and @npmcli/arborist, with the worst allowing file overwrites and arbitrary code execution. 

    On Wednesday, GitHub said the company received reports from Robert Chen and Philip Papurt, between July 21 and August 13, of security flaws impacting the packages via one of GitHub’s bug bounty programs, which give researchers credit and financial rewards for responsibly disclosing vulnerabilities to the vendor. GitHub’s Chief Security Officer Mike Hanley says that these reports prompted GitHub to conduct its own review of tar and @npmcli/arborist, leading to the discovery of additional security issues.

    The tar Node.js package is used to mimic the tar archive system on Unix, whereas @npmcli/arborist has been developed to manage node_modules trees. Tar is a core npm dependency for npm package extraction, and @npmcli/arborist is a core dependency for the npm CLI. Node-tar has accounted for 22,390,735 weekly downloads at the time of writing, whereas @npmcli/arborist has been downloaded 405,551 times over the past week.

    In total, seven vulnerabilities have been verified through the bug bounty reports and the findings of GitHub’s security team:

    Tar:
    • CVE-2021-32803, high impact: Arbitrary File Creation/Overwrite via insufficient symlink protection. A malicious tar archive could create/overwrite arbitrary files with the privileges of the process using tar.
    • CVE-2021-32804, high impact: Arbitrary File Creation/Overwrite due to insufficient absolute path sanitization. Malicious npm packages could create/overwrite files with the privileges of the user running the install, leading to code execution.
    • CVE-2021-37701, high impact: A path separator issue in file names could lead to malicious tar archives creating/overwriting arbitrary files with the privilege levels of the process running tar.
    • CVE-2021-37712, high impact: Unicode conversions and Windows 8.3 file name semantics could cause directory cache poisoning and symlink check bypasses, leading to arbitrary file creation and overwrite.
    • CVE-2021-37713, high impact: Arbitrary File Creation/Overwrite on Windows via insufficient relative path sanitization. Malicious npm packages could create and overwrite files outside of their installation root, with user privileges.

    @npmcli/arborist:
    • CVE-2021-39134, medium impact: An issue in how symbolic links within the node_modules tree are handled. Exploitation could result in malicious packages overwriting files outside of an installation root with user privileges.
    • CVE-2021-39135, medium impact: This vulnerability also impacts symbolic link handling, specifically when untrusted packages are installed on case insensitive file systems.

    “CVE-2021-32804, CVE-2021-37713, CVE-2021-39134, and CVE-2021-39135 specifically have a security impact on the npm CLI when processing a malicious or untrusted npm package install,” GitHub says. “Some of these issues may result in arbitrary code execution, even if you are using --ignore-scripts to prevent the processing of package lifecycle scripts.”

    To make developers aware of these bugs, GitHub created 16.7 million Dependabot alerts and released 1.8 million notifications. GitHub has requested that project managers who use the npm CLI and download it directly upgrade to v6.14.15, v7.21.0, or newer. If Node.js is in use, the organization recommends an upgrade to the latest releases of Node 12, 14, or 16, all of which contain patches to resolve the security flaws. Tar users are now able to upgrade to versions 4.4.19, 5.0.11, and 6.1.10. The latest version of @npmcli/arborist available is 2.8.3. Chen and Papurt have been awarded a combined bounty of $14,500 for their reports.


    Microsoft: We've fixed Azure container flaw that could have leaked data

    Microsoft has revealed that it has fixed a bug in its Azure Container Instances (ACI) service that may have allowed a user to access other customers’ information in the ACI. ACI lets customers run applications in containers on Azure using virtual machines that are managed by Microsoft rather than managing their own.


    Researchers from Palo Alto Networks reported the security bug to Microsoft, which recently addressed the issue. Microsoft said in a blogpost there was no indication any customer information was accessed due to the vulnerability, either in the cluster the researchers were using or in other clusters. “Microsoft recently mitigated a vulnerability reported by a security researcher in the Azure Container Instances (ACI) that could potentially allow a user to access other customers’ information in the ACI service. Our investigation surfaced no unauthorized access to customer data,” it said.

    Nonetheless, it has told customers who received a notification from it via the Azure Portal to revoke any privileged credentials that were deployed to the platform before August 31, 2021.

    Ariel Zelivansky, researcher at Palo Alto, told Reuters his team used a known vulnerability to escape Azure’s system for containers. Since it was not yet patched in Azure, this allowed them to gain full control of a cluster. Palo Alto reported the container escape to Microsoft in July.

    Even without vulnerabilities, containerized applications, which are often hosted on cloud infrastructure, can be difficult to shield from attackers. The NSA and CISA recently issued guidance for organizations to harden containerized applications because their underlying infrastructure can be incredibly complex. Microsoft noted that, among other things, admins should revoke privileged credentials on a regular basis.

    Microsoft disclosed a separate Azure vulnerability two weeks ago affecting customers running NoSQL databases on Azure, which provides the Cosmos DB managed NoSQL DB service. A critical flaw, dubbed ChaosDB, allowed an attacker to read, modify or delete databases.


    ANZ New Zealand back online after outage from DDoS attack

    Image: Asha Barbaschow/ZDNet
    ANZ New Zealand’s internet banking app and website were offline as it dealt with a cyber attack. The app and website are now online again, with the bank saying in a tweet that the issues were resolved by 2:27pm AEST.

    “Kia ora whanau! The outage across our online services has been resolved. Again thank you all for your patience and understanding,” ANZ tweeted.

    ANZ was among a number of organisations hit by a cyber attack yesterday, which also reportedly took down the Kiwibank, MetService, New Zealand Post, and Inland Revenue websites. New Zealand’s cybersecurity agency Cert NZ tweeted yesterday that a number of New Zealand organisations were being targeted by a distributed denial of service (DDoS) attack. Cert NZ said it was monitoring the situation and working with affected parties. While most of these sites were back online by Thursday morning, ANZ New Zealand was still working towards resolving the outage.

    “Kia ora, as you’ll be aware we are still experiencing outages in channels, all hands on deck are working on this!” ANZ New Zealand said in a tweet earlier today. The bank clarified, however, that ANZ ATMs, Eftpos, credit and debit cards, automatic payments, bill payments, and direct debits are working.

    Last year, the New Zealand Stock Exchange (NZX) was forced offline for almost an entire week due to DDoS attacks that hit the exchange. The NZX attack was attributed to a criminal gang that has launched DDoS attacks against some of the world’s biggest financial service providers and demanded Bitcoin payments as extortion fees to stop their attacks.

    Updated at 3:51pm AEST, 9 September 2021: ANZ’s online issues are now resolved.


    Moreton Bay Regional Council goes for satellite-connected smart water sensors

    Image: Optus
    Moreton Bay Regional Council has rolled out a number of IoT water tank sensors that remove the need to send staff to remote locations to check on water levels. The sensors are connected via low Earth orbit nanosatellites, and have been estimated to save the council around AU$20,000 each year. The council partnered with Optus Enterprise and Myriota on the deployment, with Optus parent company Singtel having a stake in Myriota. “As a council we have made great strides in implementing smart technologies, from our AI road scanning system on garbage trucks to pathway defect detection e-bikes, just to name a few,” Mayor Peter Flannery said. “These water tanks are critical in supplying water for toilets and other amenities at our region’s remote areas, which are used by many locals and tourists each year.” Further up the Queensland coast, Livingstone Shire Council said last year it was trialling smart lights to help confused turtle hatchlings. Due to the street lighting around the area, sometimes when the hatchlings leave their eggs, they can become disorientated, fail to find the horizon, and stray from the path they should be taking into the ocean. Even after they reach the sea, the hatchlings can sometimes be lured back by the lights.

    The lights are connected to a LoRaWAN network provided by NNNCo, which was deployed to the shire in 2019.

    On Thursday, Optus launched a feature in its My Optus app dubbed Sidekick that allows customers to ask contacts to check in with them. “Many of us can identify with that feeling of wanting someone to check in with us in a little while to make sure we are okay, even if we can’t exactly pinpoint why we feel that way. It may feel awkward to ask someone for that extra assurance,” Optus director of digital AI Kate Brodie said. “Optus Sidekick can help you prearrange a time when Optus will let the people you care about know you want them to check in on you, and only gets in touch if that time arises. We have also discovered that it’s not just women who may want to use Optus Sidekick, but also kids walking home from school, people out for a late-night walk, and even an elderly neighbour who walks to the store alone.” A beta of the feature is being run on iOS.


    Web creator Tim Berners-Lee joins ProtonMail's advisory board

    Image: Getty Images
    The inventor of the World Wide Web, Tim Berners-Lee, has joined the advisory board of hosted email service provider ProtonMail. In a statement, ProtonMail CEO and founder Andy Yen said the addition of Berners-Lee to the company’s advisory board was aligned with its goal to “create an internet where people are in control of their information at all times”. “Our vision is to build an internet where privacy is the default by creating an ecosystem of services accessible to everyone, everywhere, every day,” Yen said.

    Yen said the company already had a past relationship with Berners-Lee, explaining that the idea of ProtonMail was initially conceived at CERN, the European Organization for Nuclear Research, where the World Wide Web was created.

    The addition of Berners-Lee comes almost immediately after ProtonMail received flak for giving a climate activist’s IP address to French authorities to comply with a Swiss court order. Addressing the logging of the IP address in a blog post earlier this week, Yen said all companies have to comply with laws, such as court orders, if they operate within 15 miles of land. “No matter what service you use, unless it is based 15 miles offshore in international waters, the company will have to comply with the law,” Yen said.

    Since the incident, ProtonMail has changed its privacy policy to state that the company can be “legally compelled to log IP addresses as part of a Swiss criminal investigation”. Previously, the company’s website said that, by default, it did not keep any IP logs that could be linked to an anonymous email account. In making the change, ProtonMail apologised for its previous wording and said it clarified ProtonMail’s obligations. ProtonMail currently has 50 million users.