More stories

    FireEye’s bug bounty program goes public

    FireEye has opened the gates of its bug bounty program to the public after running privately for several months. 

    On Wednesday, the cybersecurity firm said the scheme is now open to any researcher or bug bounty hunter willing to take a look at in-scope FireEye domains and services. 
    Bug bounty programs, hosted on platforms including HackerOne and Bugcrowd, are a way to ‘crowdsource’ the hunt for vulnerabilities. Thousands of organizations now offer bug bounties to researchers who privately disclose security flaws they find through these programs and provide both financial rewards and credit in return. 
    These programs can free up internal security teams for other jobs and can also give organisations access to a broader talent pool, helping to prevent breaches and successful cyberattacks that exploit previously unknown bugs. 
    “We understand that — despite our best efforts — we cannot eradicate all security vulnerabilities,” FireEye says. “The technology landscape is constantly expanding, and as such, there will always be emerging threats. While we’ve been heavily involved with responsible disclosure, including helping other companies set up and modify their own programs, we are taking the next step in this effort.”
    The bug bounty program focuses on FireEye’s corporate infrastructure. 
    To date, the program — run via Bugcrowd — has been private, but now any registered researcher can try their hand at finding vulnerabilities across domains including fireeye.com, fireeyecloud.com, and mandiant.com, as well as existing DNS setups. 
    As website domains are the only in-scope targets at present, the rewards on offer could be considered relatively low, with up to $2,500 offered for critical vulnerabilities. However, FireEye intends to expand the program to include products and services “in the coming months.”
    Research is conducted under safe harbor principles. 
    In January, Google revealed that researchers were paid $6.5 million throughout 2019 by way of the tech giant’s bug bounty program. Since 2010, over $21 million has been awarded through bug bounties. 
    During 2019, the highest earner was a researcher who found a one-click remote code execution (RCE) exploit on Pixel 3 devices, netting him over $200,000. 

    Previous and related coverage
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

    RedCurl cybercrime group has hacked companies for three years

    Security researchers have uncovered a new Russian-speaking hacking group that they claim has been focused for the past three years on corporate espionage, targeting companies across the world to steal documents that contain commercial secrets and employee personal data.
    Named RedCurl, the activities of this new group have been detailed in a 57-page report released today by cyber-security firm Group-IB.
    The company has been tracking the group since the summer of 2019 when it was first called to investigate a security breach at a company hacked by the group.
    Since then, Group-IB said it identified 26 other RedCurl attacks, carried out against 14 organizations, going as far back as 2018.
    Victims varied across countries and industry sectors, and included construction companies, retailers, travel agencies, insurance companies, banks, and law and consulting firms from countries like Russia, Ukraine, Canada, Germany, Norway, and the UK.
    Spear-phishing and PowerShell
    But despite the prolonged three-year hacking spree, the group didn’t use complex tools or hacking techniques for their attacks. Instead, the group heavily relied on spear-phishing for initial access.
    “RedCurl’s distinctive feature, however, is that the email content is carefully drafted,” researchers said today. “For instance, the emails displayed the targeted company’s address and logo, while the sender address featured the company’s domain name.
    “The attackers posed as members of the HR team at the targeted organization and sent out emails to multiple employees at once, which made the employees less vigilant, especially considering that many of them worked in the same department,” they added.
    The emails included links to malware-laced files that victims had to download. Once victims ran the content of the booby-trapped archives, they were infected with a collection of PowerShell-based trojans.
    Group-IB said the trojans were unique to the group and allowed RedCurl operators access to basic operations, such as searching systems, downloading other malware, or uploading stolen files to remote servers.
    RedCurl hid in hacked networks between two and six months
    Where possible, the group also attempted to move laterally through infected networks by accessing shared network drives and replacing original files with booby-trapped LNK (shortcut) files that would infect other employees who executed them.
    Group-IB researchers say that this phase usually lasted between two and six months.
    “The stage of spreading over the network is significantly extended in time as the group strives to remain unnoticed for as long as possible and does not use any active Trojans that could disclose its presence,” the company said.
    One particular thing that stood out about RedCurl was the use of the WebDAV protocol as a data exfiltration channel, similar to other hacking groups like CloudAtlas and RedOctober. However, Group-IB said it did not find any other major overlaps between the three, and believes they are separate operations based on the current evidence.

    ReVoLTE attack can decrypt 4G (LTE) calls to eavesdrop on conversations

    A team of academics has detailed this week a vulnerability in the Voice over LTE (VoLTE) protocol that can be used to break the encryption on 4G voice calls.
    The attack, named ReVoLTE, is possible, researchers say, because mobile operators often use the same encryption key to secure multiple 4G voice calls that take place via the same base station (mobile cell tower).
    Academics say they tested the attack in a real-world scenario and found that multiple mobile operators are impacted, and have worked with the GSM Association (GSMA), the organization that governs telephony standards, to have the issue resolved.
    What are LTE, VoLTE, and encrypted calls
    But to understand how the ReVoLTE attack works, ZDNet readers must first know how modern mobile communications work.
    Today, the latest version of mobile telephony standards is 4G, also commonly referred to as Long Term Evolution (LTE).
    Voice over LTE (VoLTE) is one of the many protocols that make up the larger LTE/4G mobile standard. As the name suggests, VoLTE handles voice communications on 4G networks.
    By default, the VoLTE standard supports encrypted calls. For each call, the mobile operator must select an encryption key, which a stream cipher expands into the keystream that secures the call. Normally, that keystream should be unique for each call.
    How the ReVoLTE attack works
    However, a team of academics from the Ruhr University in Bochum, Germany, has discovered that not all mobile operators follow the 4G standard to the letter of the law.
    Researchers say that while mobile operators do, indeed, support encrypted voice calls, many calls are encrypted with the same encryption key.
    In their research, academics said that the problem usually manifests at the level of the base station (mobile cell tower), which in most cases reuses the same keystream or uses a predictable algorithm to generate the encryption key for voice calls.
    In a real-world scenario, academics say that if an attacker can record a conversation between two 4G users using a vulnerable mobile tower, they can decrypt it at a later point.
    All an attacker has to do is place a call to one of the victims and record the conversation. The only catch is that the attacker has to place the call via the same vulnerable base station, so that their own call is encrypted with the same, or a predictable, encryption key.
    “The longer the attacker [talks] to the victim, the more content of the previous conversation he or she [is] able to decrypt,” David Rupprecht, one of the academics said.
    “For example, if attacker and victim spoke for five minutes, the attacker could later decode five minutes of the previous conversation.”
    The attacker can compare the two recorded conversations, determine the keystream, and then recover the previous conversation. A video demo of a typical ReVoLTE attack was embedded in the original article.
    Researchers say that the equipment to pull off a ReVoLTE attack costs around $7,000. While the price might seem steep, it is certainly in the price range of other 3G/4G mobile interception gear, usually employed by law enforcement or criminal gangs.
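The keystream-reuse problem described above, as an added toy model that is not the researchers' code and does not implement the real LTE cipher: a constructed counter-mode hash stands in for the stream cipher, two "calls" are encrypted by a base station that either reuses its key or draws a fresh one, and an operator-side check in the spirit of the researchers' test app flags reuse by comparing the keystreams of two test calls with known audio.

```python
"""Toy model of ReVoLTE-style keystream reuse between two VoLTE calls (constructed example)."""
import hashlib
import os


def keystream(call_key: bytes, length: int) -> bytes:
    # Constructed stand-in for the LTE stream cipher: expand a per-call key into a
    # keystream using a counter-mode hash. This is NOT the real EEA algorithm.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(call_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(call_key: bytes, plaintext: bytes) -> bytes:
    # Stream-cipher encryption: ciphertext = plaintext XOR keystream.
    return xor(plaintext, keystream(call_key, len(plaintext)))


def recover_from_known_call(target_ct: bytes, known_ct: bytes, known_pt: bytes) -> bytes:
    # Two-time-pad recovery: a call whose plaintext is known leaks its keystream, and
    # if the other call used the same keystream, XORing it back leaks that plaintext.
    # Only as many bytes as the known call covers can be recovered, which is why the
    # researchers say a longer second call decrypts more of the earlier one.
    n = min(len(target_ct), len(known_ct), len(known_pt))
    leaked_keystream = xor(known_ct[:n], known_pt[:n])
    return xor(target_ct[:n], leaked_keystream)


def keystream_reused(ct_a: bytes, pt_a: bytes, ct_b: bytes, pt_b: bytes) -> bool:
    # Operator-side check: with two test calls of known audio, derive each call's
    # keystream and flag the cell if they are identical.
    n = min(len(ct_a), len(pt_a), len(ct_b), len(pt_b))
    return n > 0 and xor(ct_a[:n], pt_a[:n]) == xor(ct_b[:n], pt_b[:n])


# Constructed sample "audio": an earlier call, and a later, shorter call whose content
# is known to the party who placed it.
VICTIM_CALL = b"meeting moved to friday; send the contract draft after lunch, thanks"
KNOWN_CALL = b"hello, is this the front desk? I am calling about my parcel"


class BaseStation:
    """Hypothetical cell that either reuses one key for every call or draws a fresh key."""

    def __init__(self, reuse_key: bool):
        self.reuse_key = reuse_key
        self._key = None

    def key_for_new_call(self) -> bytes:
        if self.reuse_key and self._key is not None:
            return self._key          # vulnerable behaviour: same key for every call
        self._key = os.urandom(16)    # correct behaviour: fresh random key per call
        return self._key


def simulate(reuse_key: bool) -> dict:
    # Encrypt both calls through the same cell, then try the known-call recovery and
    # the operator check (in the simulation both plaintexts are known, as for test calls).
    cell = BaseStation(reuse_key)
    victim_ct = encrypt(cell.key_for_new_call(), VICTIM_CALL)
    known_ct = encrypt(cell.key_for_new_call(), KNOWN_CALL)
    recovered = recover_from_known_call(victim_ct, known_ct, KNOWN_CALL)
    return {
        "recovered": recovered,
        "recovered_bytes": len(recovered),
        "reuse_detected": keystream_reused(victim_ct, VICTIM_CALL, known_ct, KNOWN_CALL),
    }


if __name__ == "__main__":
    for reuse in (True, False):
        r = simulate(reuse)
        print(f"key reuse={reuse}: detected={r['reuse_detected']} recovered={r['recovered']!r}")
```

With key reuse the first len(KNOWN_CALL) bytes of the earlier call come back verbatim and the check fires; with a fresh key per call the recovery yields noise and the check stays quiet.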
    Issue reported to the GSMA, patches deployed
    The research team said it conducted thorough research on how widespread the problem was in real-world deployments of 4G mobile cell towers.
    Researchers analyzed a random selection of base stations across Germany and said they found that 80% were using the same encryption key or a predictable one, exposing users to ReVoLTE attacks.
    Academics said they reported the issues to both German mobile operators and the GSMA body back in December 2019, and that the GSMA issued updates for the 4G protocol implementation to address and prevent ReVoLTE attacks.
    “We then tested several random radio cells all over Germany and haven’t detected any problems since then,” Rupprecht said today.
    App available for mobile telcos
    But researchers say that while German mobile operators appear to have fixed the issue, other telcos across the world are most likely vulnerable.
    That is why the research team released today an Android app that mobile operators can use to test their 4G networks and base stations and see if they are vulnerable to ReVoLTE attacks. The app has been open-sourced on GitHub.
    Details about the ReVoLTE attack are available on a dedicated website the research team published today after presenting their work at the 29th USENIX Security Symposium. A video of the ReVoLTE presentation the research team gave at USENIX is available on this page.
    A scientific paper detailing the ReVoLTE attack is also available for download as PDF from here and here. The paper is titled “Call Me Maybe: Eavesdropping Encrypted LTE Calls With ReVoLTE.”
    The research team behind the ReVoLTE attack is the same team who earlier this year discovered the IMP4GT attack on the 4G protocol, a vulnerability that allowed 4G users to impersonate other subscribers and sign up for paid services at another user’s expense.
    Today’s ReVoLTE disclosure is the latest in a long list of vulnerabilities identified in the 4G/LTE protocol over the past years. Previous findings were also published in March 2019, February 2019, July 2018, June 2018, March 2018, June 2017, July 2016, and October 2015.

    NHS hit with wave of scam emails at height of COVID-19 pandemic

    NHS staff were hit with a wave of malicious email attacks at the height of the COVID-19 pandemic, with doctors, nurses and other key workers reporting over 40,000 spam and phishing attacks between March and the first half of July.
    Data from NHS Digital obtained through a Freedom of Information request sent by UK think tank, Parliament Street, revealed that NHS staff reported 21,188 malicious emails in March alone. In April, 8,085 emails were reported by staff, with 5,883 emails reported in May, 6,468 in June and 1,484 in the first half of July.

    The data only includes emails that were reported to spamreports@nhs.net – the official NHSmail reporting address – meaning the actual number of attempted email attacks on the NHS is likely to be higher.
    Neil Bennett, Chief Information Security Officer at NHS Digital, said the increase in reporting showed that NHS staff were “taking seriously their responsibilities to keep information safe.”
    Bennett said: “This is an unprecedented time for the NHS, including the cyber security and IT teams who are continuing to work hard in all NHS organisations to keep patient data and systems secure to support the delivery of safe patient care. 
     “As part of NHS Digital’s cyber security operations, we collaborate with all areas of the system to ensure they are aware of potential threats. This includes highlighting the need for staff to report suspicious emails by raising awareness through our Keep I.T. Confidential campaign.”
    The global pandemic has brought with it a sharp increase in the number of coronavirus-related cyber-attacks from criminals looking to exploit the widespread confusion and uncertainty the pandemic has created.
    Both the UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) have warned that under-pressure services involved in the response to coronavirus have been targeted.
    In June, NHS Digital reported that more than 113 NHSmail mailboxes had been compromised and used to send malicious emails to external recipients.
    St Helens and Knowsley Hospitals NHS Trust issued a warning to staff about scammers who were impersonating employees and sending emails to HR and payroll departments, asking them to change the bank accounts into which their salaries were paid.
    The hospital warned of additional phishing attacks that invited employees to click on malicious links to verify their details and ensure they received their paycheck.
    Jake Moore, cybersecurity specialist at ESET, warned that the NHS faced a second wave of attacks once information around potential vaccines for COVID-19 started to surface, with the current work-from-home scenario making the situation particularly problematic.
    “Many people are still working from home in the NHS, and must remain vigilant to the constant threats,” Moore added.
    “As phishing emails continue to be the most prominent vehicle to infiltrate or disrupt systems, I would urge staff to verify every email they receive.”
    Bennett said that NHS Digital had published additional advice and guidance for NHS staff around cybersecurity best practice while working remotely.

    APAC consumers believe onus on businesses, governments to safeguard their data

    Almost 70% of consumers in Asia-Pacific will give up their privacy for better user experience, but just 25% feel it is their duty to safeguard their own data, with the rest pushing this responsibility to governments and businesses. China’s consumers appear most willing to forgo their privacy for richer experiences, while their counterparts in Japan are least likely to do likewise. 
    Across the region, just 4% refrained from using an app after a security breach. However, trust in an organisation’s ability to safeguard their data had dipped from a previous 2018 report, with social media platforms seeing the biggest drop of 19%, revealed a survey by F5 Networks. Conducted from March to April this year, the Curve of Convenience 2020 report polled 4,100 respondents from eight Asia-Pacific markets, including Singapore, India, Indonesia, Australia, and Taiwan. 
    The report noted that a majority of consumers in the region pushed the responsibility of protecting their data to others, with 43% believing businesses should assume this role while 32% pointed to their governments. 

    In addition, 27% were unaware of security breaches including incidents that involved government agencies and popular apps. 
    This would be cause for worry, especially in China where 82% would give up their privacy in exchange for better user experience, as would 79% in India as well as in Indonesia. In comparison, 43% in Japan were willing to do the same, alongside 50% in Australia and 58% in Singapore.
    Across the region, however, a whopping 96% would opt for convenience and seamless app user experience over security. Such behaviours, alongside a belief that businesses and governments should assume responsibility for consumers’ data protection, indicated a need for these organisations to beef up their security infrastructures as well as tighten regulations and compliance policies, according to the F5 report. 
    However, the lack of breach awareness amongst consumers also underscored the need for these users to be more involved and vigilant when sharing their personal data as well as demand for more transparency with regards to the use of their data.
    F5’s Asia-Pacific senior vice president Adam Judd said: “As the pandemic redefines our lives, and businesses step up their digital transformation efforts, consumers are demanding more from the applications that they use to work, play, and connect. To truly integrate convenience and security, businesses should proactively involve consumers across the development of the applications, not only at the end. 
    “This is especially the case in an age where both application consumption and security vulnerabilities are multiplying by the day,” Judd said. “Partnering with consumers means that the industry can thrive, and businesses, together with their digital partners, can create better solutions that deliver seamless yet secure experiences, any time, all the time. Ultimately, showing users what’s at stake will help them feel that they should be invested in their own protection.” 
    F5 further urged businesses and governments to educate and work alongside consumers, so the latter were aware of the consequences when they chose to trade their data or privacy in exchange for more seamless user experience.

    Cybersecurity: These two basic flaws make it easy for hackers to break into your systems

    Hackers can gain access to the internal networks of corporations by exploiting two security failings and in as little as 30 minutes.
    Ethical hackers and cybersecurity researchers at Positive Technologies perform penetration testing against organisations in a wide variety of sectors, but find common security vulnerabilities across all industries. The findings have been detailed in a new report, Penetration Testing of Corporate Information Systems.
    The report, based on anonymised data from real organisations which have had their networks tested, said that for 71 percent of companies, there’s at least one obvious weakness which could provide malicious outsiders with entry into the network.
    One of the most common security issues is weak passwords, allowing hackers to gain access to accounts by using brute force attacks. Cracking the password of one account shouldn’t be enough to gain full access to an internal network, but in many cases, it just takes this and the ability to exploit known vulnerabilities to gain further access to systems.
    “The problem lies in the low levels of protection even for large organizations. Attack vectors are based primarily on exploiting known security flaws. This means that companies do not follow basic information security rules,” Ekaterina Kilyusheva, head of information security analytics at Positive Technologies told ZDNet.
    In addition to weak passwords, over two thirds of organisations are using vulnerable versions of software which hasn’t received the required security updates, leaving it open to being exploited.
    “An attacker can quickly gain access to an internal network if a web application contains a known vulnerability for which a public exploit exists,” Kilyusheva explains.
    For example, in one instance, ethical hackers were able to use a brute force attack to access a remote desktop application – something which has become more commonly used due to the increase in working from home in 2020.
    The user didn’t have access to many applications, but by opening a mapping application, the security testers were able to gain access to the Windows Explorer processes and command lines, allowing the ability to execute commands on the operating system and gain more access.
    In a third of penetration exercises, researchers were able to gain access to the internals of the corporate network by combining brute forcing with software vulnerabilities. In these cases, the attacks could have been prevented by enforcing strong passwords and applying security patches to the applications in use, so that they can’t be exploited.
    In these examples, the networks were being accessed by ethical hackers as part of security testing, but cyber criminals are looking to exploit these vulnerabilities – and could use them to gain access to vast swathes of corporate networks.
    The average time it took ethical hackers to get to the internal network was four days, but in one case it was possible in just thirty minutes.
    “An attacker can develop an attack on critical business systems, for example, financial systems, gain access to computers of top managers, or conduct an attack on a company’s customers or partners. In addition, hackers can sell the obtained access on the darknet to other criminals to conduct attacks – for example, ransomware,” said Kilyusheva.
    However, by following some common security procedures, such as not using weak passwords, applying multi-factor authentication and ensuring the network is patched with software updates, it’s possible for organisations to protect themselves against many forms of attempted cyber attacks.

    Google to Microsoft: Nice Windows 10 patch – but it's incomplete

    Google Project Zero (GPZ) is refusing to give Microsoft further extensions on disclosing a Windows 10 authentication bug because it says a patch Microsoft delivered in the August 2020 Patch Tuesday update is incomplete.
    One of the 120 security bugs Microsoft released patches for on Tuesday was CVE-2020-1509, which was reported to Microsoft on May 5 by GPZ Windows researcher James Forshaw.  

    The bug allows a remote attacker who’s already gained credentials for a Windows account on a network to elevate privileges after sending a specially crafted authentication request to the Windows Local Security Authority Subsystem Service (LSASS).  
    While the bug is only rated as medium severity by Google and ‘important’ by Microsoft, LSASS is a key process for authenticating users when they log on to a Windows PC managed via Active Directory. 
    LSASS has been targeted by advanced hackers who use it to dump credentials from memory to move laterally on a network. The bug affects all supported versions of Windows 10 through to the latest release, version 2004.  
    Google’s refusal to extend the disclosure deadline in this case appears to be more a formality, given it had already published details and a proof of concept under the belief that Microsoft’s patch was complete. 
    Forshaw listed the bug as ‘fixed’ on Tuesday but then added to the report a few hours later to say “after review it seems that this hasn’t been completely fixed”.
    GPZ’s 2020 disclosure policy states: “Details of incomplete fixes will be reported to the vendor and added to the existing report (which may already be public) and will not receive a new deadline.”
    According to Forshaw, LSASS doesn’t properly enforce the ‘Enterprise Authentication capability’. This allows any UWP app – whether it’s from the Microsoft Store or a custom enterprise app – that’s wrapped in the Windows AppContainer sandbox to perform network authentication with the user’s credentials via single sign-on. 
    Microsoft’s documentation of the feature suggests there is an exception to the rule to support organizations that need to install line of business (LOB) applications if they authenticate to a network proxy. But there’s a problem with this exception, according to Forshaw.
    “If the target is a proxy then the authentication process is allowed, even if the [Enterprise Authentication capability] is not specified. The issue is, even if LsapIsTargetProxy returns false, the authentication is still allowed to proceed but an additional flag is set to indicate this state. I couldn’t find any code which checked this flag, although it’s a bit unclear as it comes from a TLS block so tracking down usage is awkward,” explained Forshaw. 
    “What this means is that an AppContainer can perform Network Authentication as long as it specifies a valid target name to InitializeSecurityContext, it doesn’t matter if the network address is a registered proxy or not. This is probably not by design, but then this behavior only warrants a few throw-away comments with no in-depth detail on how it’s supposed to behave, maybe it is by design.”
    Since an attacker can specify any target name they could “authenticate to a network-facing resource as long as the application has network access capabilities which aren’t really restricted”.
    “Also, as you can specify any target name, and you’re doing the actual authentication, then server protections such as SPN checking and SMB Signing are moot,” added Forshaw. 
    Google extended the disclosure deadline for this bug at the end of July, presumably to give Microsoft time to release a complete patch in its August update.

    Adobe tackles critical code execution vulnerabilities in Acrobat, Reader

    Adobe’s latest security update has tackled a set of critical and important bugs in Acrobat and Reader.

    On Tuesday, the company issued its standard monthly round of fixes, the majority of which relate to the popular PDF viewing and editing software. 
    In total, 26 vulnerabilities have been resolved, 11 of which are deemed critical and could lead to remote code execution. 
    The patches have been created for Acrobat DC, Acrobat Reader DC, Acrobat 2020 and Acrobat Reader 2020 (Classic), Acrobat/Reader 2017, and Acrobat/Reader 2015 on Windows and macOS machines. 
    Two critical vulnerabilities (CVE-2020-9693, CVE-2020-9694) are out-of-bounds write security flaws that lead to arbitrary code execution if exploited. Two further critical bugs (CVE-2020-9696, CVE-2020-9712) are security bypass problems that can be exploited to circumvent existing security controls. 
    Arbitrary code vulnerabilities account for seven of the critical vulnerabilities resolved in the Acrobat and Reader update. The first five (CVE-2020-9698, CVE-2020-9699, CVE-2020-9700, CVE-2020-9701, and CVE-2020-9704) are buffer issues, whereas the remaining two (CVE-2020-9715, CVE-2020-9722) are use-after-free flaws that can also lead to arbitrary code execution in the context of the current user. 
    The important vulnerabilities include sensitive data exposure, security bypass, stack exhaustion, and out-of-bounds read problems. Adobe says that if exploited, these issues could result in memory leaks, information disclosure and application denial-of-service.
    In addition to the main security update, the tech giant also fixed a single vulnerability in Lightroom Classic, versions 9.2.0.10 and earlier, on Windows machines. Tracked as CVE-2020-9724, the insecure library loading issue could be abused for privilege escalation purposes. 
    It is recommended that users accept automatic updates to apply the new set of patches. 
    Adobe thanked researchers from Fortinet’s FortiGuard Labs, Qihoo 360, Offensive Security and iDefense Labs, and Palo Alto Networks, among others. 
    In July, Adobe released an out-of-band patch to resolve 13 vulnerabilities — 12 of which were deemed critical — impacting Photoshop, Prelude, and Bridge. The fixes relate to out-of-bounds read and write issues leading to arbitrary code execution attacks. 
    Over Patch Tuesday, Microsoft released a massive security update tackling 120 vulnerabilities. In total, 17 vulnerabilities are considered critical, and two are considered zero-day vulnerabilities that are being actively exploited in the wild.  