More stories

  • CISA 'temporarily' removes Windows vulnerability from its must-patch list

    The US Cybersecurity and Infrastructure Security Agency (CISA) has taken the unusual step of removing a bug from its catalog of vulnerabilities that are known to be exploited, and which federal civilian agencies are required to patch within a set timeframe. CISA said it is “temporarily removing” Microsoft’s May 2022 fix for the security bug CVE-2022-26925 from its Known Exploited Vulnerabilities Catalog. It said that after admins apply Microsoft’s May 10, 2022 rollup security fixes to Windows Servers used as domain controllers, there is a risk of authentication failures. CISA removed the vulnerability from its must-patch list on Friday. “Microsoft notified CISA of this issue, which is related to how the mapping of certificates to machine accounts is being handled by the domain controller,” it said. “After installing May 10, 2022 rollup update on domain controllers, organizations might experience authentication failures on the server or client for services, such as Network Policy Server (NPS), Routing and Remote access Service (RRAS), Radius, Extensible Authentication Protocol (EAP), and Protected Extensible Authentication Protocol (PEAP),” CISA explained. This issue only affects the update on Windows Servers used as domain controllers. CISA still strongly encourages admins to apply Microsoft’s May updates on client Windows devices and on Windows Servers that are not domain controllers. Microsoft describes CVE-2022-26925 as a Local Security Authority (LSA) spoofing vulnerability. LSA allows applications to authenticate and log users on to a local system. Details of the bug have been publicly disclosed and exploits exist for it, according to Microsoft. “An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM. This security update detects anonymous connection attempts in LSARPC and disallows it,” Microsoft says.

    The bug would have a severity score of 9.8 when chained with NTLM relay attacks on Active Directory Certificate Services (AD CS), Microsoft adds. The company noted that the May 10, 2022 update addresses the vulnerability on all servers but urged admins to prioritize updating domain controllers. CISA referred admins to Microsoft’s document KB5014754, which details “certificate-based authentication changes on Windows domain controllers” concerning the May 10 updates for CVE-2022-26931 and CVE-2022-26923. These are elevation-of-privilege vulnerabilities that can occur when the Kerberos Distribution Center (KDC) is servicing a certificate-based authentication request, according to Microsoft. “Before the May 10, 2022 security update, certificate-based authentication would not account for a dollar sign ($) at the end of a machine name. This allowed related certificates to be emulated (spoofed) in various ways,” Microsoft says.

  • This phishing attack delivers three forms of malware. And they all want to steal your data

    A phishing campaign targeting Microsoft Windows users delivers three different forms of malware, all designed to steal sensitive information from victims. The campaign was detailed by cybersecurity researchers at Fortinet; those who unintentionally run the malicious attachment sent in the phishing emails fall victim to the AveMariaRAT, BitRAT and PandoraHVNC trojans. The campaign allows cyber criminals to steal usernames, passwords and other sensitive information, including bank details. BitRAT is particularly dangerous to victims, because it can take full control of infected Windows systems, complete with the ability to view webcam activity, listen to audio through the microphone, secretly mine cryptocurrency into a wallet owned by the attackers, and download additional malicious files. The initial phishing message is designed to look like a payment report from a trusted source, with a short request to open an attached Microsoft Excel document. This file contains malicious macros, and researchers note that when the document is opened, Microsoft Excel flags potential security concerns about the use of macros. If the user ignores this and opens the file, it starts the process of delivering malware. Using Visual Basic for Applications (VBA) scripts and PowerShell, the malware is retrieved for installation onto the victim’s machine. The PowerShell code is split into three parts, one for each form of malware, each of which can be installed.

    It’s not detailed why the phishing email delivers three malware payloads, but it’s likely that with three different forms of malware to deploy, there’s a greater chance of the cyber criminals being able to gain access to whatever sensitive information they’re looking to steal. Phishing remains one of the most common methods cyber criminals use to deliver malware – because, put simply, it’s effective – but there are things which can be done to avoid falling victim. Users should be wary of unexpected emails claiming to contain important information hidden in attachments, particularly if that attachment requires you to enable macros first. If possible, for example if the email claims to come from a colleague or business associate, you could contact them using a method other than email to check whether it was really them who sent it. Businesses can also help employees avoid falling victim to phishing emails by using appropriate anti-spam and anti-virus software, as well as training users on how to spot and report phishing emails.

  • Microsoft warns: This botnet has new tricks to target Linux and Windows systems

    Microsoft has warned that a new variant of the Sysrv botnet is targeting a critical flaw in the Spring Framework to install cryptocurrency-mining malware on Linux and Windows systems. Microsoft researchers spotted the new variant, which it calls Sysrv-K, scanning the internet for WordPress plugins with older vulnerabilities as well as for a recently disclosed remote code execution (RCE) flaw in the Spring Cloud Gateway software, tracked as CVE-2022-22947. The flaw affected VMware’s Spring Cloud Gateway and Oracle’s Communications Cloud Native Core Network Exposure Function and was given a critical rating by both firms. Sysrv-K can gain control of web servers, Microsoft Security Intelligence warned. The botnet scans the internet to locate web servers and then uses various vulnerabilities, such as path traversal, remote file disclosure, arbitrary file download and remote code execution, to compromise them. Once the malware is running on a Windows or Linux device, Sysrv-K deploys a cryptocurrency miner. Sysrv-K adds new features on top of older variants. Juniper in April 2021 reported that Sysrv was bundled with exploits for six RCE vulnerabilities affecting installations of MongoDB’s Mongo Express admin interface, the ThinkPHP PHP framework, the Drupal CMS, VMware-owned SaltStack, and the XXL-JOB and XML-RPC projects. It also had exploits for the PHP framework Laravel, Oracle WebLogic, Atlassian Confluence Server, Apache Solr, PHPUnit, JBoss Application Server, Apache Hadoop, Jenkins, Jupyter Notebook Server, Sonatype Nexus Repository Manager, Tomcat Manager, and WordPress. The malware’s two functions were to spread itself across the network by scanning the internet for vulnerable systems, and to install the XMRig cryptocurrency miner to mine Monero. But Microsoft warns it can now also capture database credentials to take control of an infected web server.

    “A new behavior observed in Sysrv-K is that it scans for WordPress configuration files and their backups to retrieve database credentials, which it uses to gain control of the web server. Sysrv-K has updated communication capabilities, including the ability to use a Telegram bot,” Microsoft Security Intelligence said. “Like older variants, Sysrv-K scans for SSH keys, IP addresses, and host names, and then attempts to connect to other systems in the network via SSH to deploy copies of itself. This could put the rest of the network at risk of becoming part of the Sysrv-K botnet,” it added. Microsoft warned organizations to secure internet-facing systems, apply security updates and protect credentials.

  • Google: Here comes our 'Open Source Maintenance Crew'

    Google has created a new “Open Source Maintenance Crew” that will help upstream maintainers of critical open-source projects handle bugs and patching processes. The new team is part of Google’s contribution to the White House’s push to improve cybersecurity in open source and protect software supply chains, following the White House’s January summit with major tech vendors including Microsoft, Google, IBM and Amazon Web Services.

    Back then, President Joe Biden signed an executive order that requires the government to be provided with a Software Bill of Materials (SBOM) detailing the supply chain relationships of components used in building software. Google says the new maintenance crew consists of a dedicated team of Google engineers who will work with upstream maintainers of critical open-source projects. “One issue frequently cited by open source maintainers is limited time. Since under-maintained, critical open source components are a security risk, Google is starting a new Open Source Maintenance Crew, a dedicated staff of Google engineers who will work closely with upstream maintainers on improving the security of critical open source projects,” said Google’s Eric Brewer and Abhishek Arya in a blog post. Google announced the open-source security team at last week’s “Open Source Software Security Summit II”, hosted at the White House and organized by The Linux Foundation and the Open Source Software Security Foundation (OpenSSF) to mark one year since the cybersecurity executive order, which demanded higher security standards based on NIST’s Secure Software Development Framework (SSDF). The organizations outlined $150 million in funding required from the private sector and a 10-point plan to improve open source by tackling risk assessments, digital signatures, shifting code from C and C++ to memory-safe languages like Rust, Go and Java, incident response, code scanning, and code audits. Google’s work to improve open-source security and reduce supply chain risks has previously included $100 million to support groups like OpenSSF in fixing security bugs in open source. Google last year also published the “Know, Prevent, Fix” framework and is working to improve the accessibility of security tools through initiatives like the Open Source Vulnerabilities (OSV) database and data format.

    The format has been adopted by the Python, Rust, and Go ecosystems. The Python Software Foundation, for example, created the Python Packaging Advisory Database to centralize advisories for Python packages published on the PyPI repository. The Rust Foundation has a similar database for advisories concerning Rust crates. Other databases relying on OSV include vulnerability databases such as GitHub’s Security Advisories (GHSA) and the Cloud Security Alliance’s Global Security Database. “The OSV project showed that connecting a CVE to the vulnerability patch development workflow can be difficult without precise vulnerability metadata,” said Google’s Brewer and Arya. They want to see OSV findings distributed to developers through code editors and at the point where developers might deploy vulnerable workloads. On the ‘Know’ side, Google highlights the Security Scorecards project, which gives developers insights about dependencies they might use in a project. There are now scorecard scans of one million projects. The Kubernetes project has also started using Sigstore to sign and verify its releases, and makes this part of its Supply Chain Levels for Software Artifacts (SLSA) compliance. The OpenSSF’s SLSA framework is based on Google’s internal tools for checking code integrity. “An SBOM created using SLSA provenance and metadata is more complete and addresses both source code and build threat vectors,” says Google. Other key projects include Google’s OSS-Fuzz for fuzzing open-source software, which has helped developers fix 2,300 flaws across over 500 projects during the past year. The ‘Fix’ component was aimed at removing vulnerabilities and improving notifications to help remediate flaws in the most widely used versions of an affected project rather than just the most recent versions.

    Part of this is the OpenSSF’s Alpha-Omega project, to which Google and Microsoft gave an initial $5 million to improve supply chain security. The project awarded the widely used Node.js server-side JavaScript runtime project $300,000 to focus on fixing vulnerabilities in 2022. Another is the Linux Foundation’s Secure Open Source (SOS) project, which Google backed with $1 million in funding. SOS offers up to $10,000 in rewards to developers for hardening software, for example. Google also gave $300,000 to the Internet Security Research Group to improve memory safety by bringing Rust into the Linux kernel. Linux kernel developers have worked on making Rust the second language after C in the kernel for the past two years.

  • Researchers warn of APTs, data leaks as serious threats against UK financial sector

    Researchers say that geopolitical tension, ransomware, and cyberattacks using stolen credentials threaten the UK’s financial sector. On Monday, KELA’s security team published a report examining the cybersecurity issues and attacks that surfaced in 2021 and early 2022, specifically focused on the United Kingdom’s banks and other financial services.

    The UK was one of the first countries to stand with Ukraine after the invasion by Russia. This could make UK organizations a tempting target for threat actors siding with Russia — whether state-sponsored advanced persistent threat (APT) groups or hacktivists. The National Cyber Security Centre (NCSC) previously warned businesses to shore up their cybersecurity following Russia’s assault. APTs are often responsible for attacking the financial sector: account credentials, card numbers, and the personally identifiable information (PII) of customers are useful not only in social engineering and identity theft but also for making fraudulent purchases or for card cloning. APTs target organizations worldwide, and those located in the UK are no exception. Over the past few years, APTs, including the Chinese APT40 and APT31, have utilized vulnerabilities, including ProxyLogon, to compromise UK businesses. “In general, APTs may target the financial sector to commit fraud, burglarize ATMs, execute transactions, and penetrate organizations’ internal financial systems,” KELA says. “Although specific threats to the UK financial sector have not been identified, there is no doubt that the UK has occasionally been a target of APT groups during 2021.” Exposed corporate information and leaked credentials are also of note. After browsing Dark Web forums, the researchers found that UK data is “in demand” by cybercriminals seeking PII, access credentials, and internal data. For example, in January 2021, an ExploitIn forum user asked for a “UK database leak.” On the same Russian forum, another requested this year “UK targeted bank leads with DOB, full name, bank name/sort code, address and postal code […] DOB has to be between 1935 and 1955”. From January 2021 to February 2022, KELA tracked close to 16,000 unique leaked credentials linked to UK financial organizations that appeared online. This includes information leaked during the RedCappi, ParkMobile, and Oxfam breaches.

    However, no UK organizations took a top spot in the 14 breaches during 2021 – 2022 with the highest number of leaked credentials. Instead, many of them were based in India. “As the UK plays a significant role in the global economy, often providing services to international companies and organizations, it is likely that breaches related to foreign companies would affect UK firms,” the researchers said. The sale of network access, while not as common, is also a threat to the UK financial sector. KELA found roughly 60 instances of network access listings, including one for a UK fintech firm with $5 million in annual revenue, offered for only $300, and a prolific Russian trader touting access to UK companies 13 times in the past year. Ransomware also remains a plague for UK financial organizations and services worldwide. The cybersecurity firm observed 135 UK financial companies experiencing a ransomware incident in 2021. However, this may be only a fraction of the true number, as these organizations were identified solely through ransomware blog and leak sites, negotiation portals, and media reports. When it came to targeting UK companies, the Conti, PYSA, LockBit, and Sodinokibi ransomware groups were the most active. “This report sheds light on the multiple, varying cyberthreats posed to UK companies and organizations in general, and the UK financial sector in particular,” the researchers noted. “Through 2021, both financial and other UK companies have been subject to multiple ransomware attacks, and credentials and compromised accounts belonging to British entities were often offered for sale on cybercrime forums.”

  • Nasty Zyxel remote execution bug is being exploited

    Written by

    Chris Duckett, APAC Editor


    At the end of last week, Rapid7 disclosed a nasty bug in Zyxel firewalls that could allow an unauthenticated remote attacker to execute code as the nobody user. The programming issue was a failure to sanitise input: two fields passed to a CGI handler were fed into system calls. The impacted models were its VPN and ATP series, and USG 100(W), 200, 500, 700, and Flex 50(W)/USG20(W)-VPN. At the time, Rapid7 said Shodan had found 15,000 affected devices on the internet. However, over the weekend, the Shadowserver Foundation boosted that number to over 20,800. “Most popular are USG20-VPN (10K IPs) and USG20W-VPN (5.7K IPs). Most of the CVE-2022-30525 affected models are in the EU – France (4.5K) and Italy (4.4K),” it tweeted. The Foundation also said it had seen exploitation kick off on May 13, and urged users to patch immediately. After Rapid7 reported the vulnerability on April 13, the Taiwanese hardware maker silently released patches on April 28. Rapid7 only realised the release had happened on May 9, and eventually published its blog and Metasploit module alongside the Zyxel notice, and was not happy with the timeline of events. “This patch release is tantamount to releasing details of the vulnerabilities, since attackers and researchers can trivially reverse the patch to learn precise exploitation details, while defenders rarely bother to do this,” wrote Jake Baines, the Rapid7 researcher who discovered the bug. “Therefore, we’re releasing this disclosure early in order to assist defenders in detecting exploitation and to help them decide when to apply this fix in their own environments, according to their own risk tolerances. In other words, silent vulnerability patching tends to only help active attackers, and leaves defenders in the dark about the true risk of newly discovered issues.” For its part, Zyxel claimed there was a “miscommunication during the disclosure coordination process” and that it “always follows the principles of coordinated disclosure”.

    At the end of March, Zyxel published an advisory for another CVSS 9.8 vulnerability in its CGI program that could allow an attacker to bypass authentication and gain administrative access to the device.
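The Zyxel bug described above is the classic command-injection shape: request fields reach a shell. The C below is an added illustration, not Rapid7’s or Zyxel’s code; it shows a CGI-style handler that interpolates two request fields into a shell command line next to a hardened version that validates both fields and runs the program through an argv array with no shell. The ping command, the field meanings (host and interface) and the length limits are assumptions for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Vulnerable shape (assumed for illustration): two request fields are
 * pasted into a shell command line. Anything the shell treats as syntax
 * (';', '|', '$(...)', backticks) is honoured, so the request body decides
 * what runs. This function only builds the string so it can be inspected;
 * it never executes it. Returns 0 on success, -1 if truncated. */
int build_shell_command(const char *host, const char *iface,
                        char *out, size_t outlen) {
    int n = snprintf(out, outlen, "ping -c 1 -I %s %s", iface, host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Hardened step 1: allow-list validation. A hostname, IPv4/IPv6 literal or
 * interface name only needs alphanumerics, '.', '-' and ':'. Reject empty
 * or over-long values and anything that could be parsed as an option. */
int is_safe_token(const char *s, size_t maxlen) {
    size_t len = strlen(s);
    if (len == 0 || len > maxlen)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return 0;
    }
    return s[0] != '-';
}

/* Hardened step 2: no shell at all. Each field becomes exactly one argv
 * entry, so a stray byte is only data in that argument. Returns the
 * child's exit status, or -1 if a field was rejected or exec failed.
 * The absolute path /bin/ping is an assumption for the example. */
int run_ping_safely(const char *host, const char *iface) {
    if (!is_safe_token(host, 253) || !is_safe_token(iface, 15))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = {"ping", "-c", "1", "-I",
                              (char *)iface, (char *)host, NULL};
        execv("/bin/ping", argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* Constructed sample input: a host field carrying shell syntax. */
    const char *bad_host = "192.0.2.1; id";
    char cmd[256];
    if (build_shell_command(bad_host, "eth0", cmd, sizeof cmd) == 0)
        printf("vulnerable handler would run: %s\n", cmd);
    printf("hardened handler result: %d (-1 = rejected)\n",
           run_ping_safely(bad_host, "eth0"));
    return 0;
}
```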

  • Does Best Buy tackle crime differently from Apple? I had to ask

    Best defense?
    sfe-co2 / Getty Images
    Some things about it didn’t feel quite right. Other things about it felt very right indeed.


    So I stared and stared again, wondering whether it was a setup or a skit even. Here was a video emitted on Twitter. It showed three sprightly youths storming a Best Buy. They tried to rip some phones from a display. It really wasn’t going perfectly. Those security cords can be sturdy. Meanwhile, seven Best Buy employees began to line up in the aisles as if they were an NFL defense, in an attempt to block the shoplifters from leaving the store. Sadly, the video stopped before viewers could see if any tackles were made or any penalties were called. Millions, though, watched in wonder and wondered.

    I was one, of course. So I immediately asked Best Buy whether its policy allowed — or even encouraged — employees to block and, perhaps, tackle. Apple’s policy, for example, is very clear: let them take what they can and don’t intervene. However, at some Apple stores, there’s uniformed security on hand to do the professional intervening. I waited for Best Buy to get back to me. I felt sure it would. I’ve always found its customer service to be quite stellar. However, nothing came. Had the company been caught out of position? Had the matter gone to replay? How could I get some answers? Naturally, I did the obvious. I showed the video to a Best Buy employee — oddly, he hadn’t yet seen it — and asked him whether, perhaps, he’d had special NFL-type training as part of his store induction. I asked in a relatively serious manner, you understand. In such shoplifting situations, violence could easily ensue. This Best Buy employee — let’s call him Freddy — watched the video twice. Finally, he said: “Nooooo. That’s not allowed.” “So you’re specifically told not to engage with shoplifters?” I asked. “Correct,” Freddy said. “There’s no way I’d even want to. What’s the point?” Many retailers will fire employees if they attempt to capture a shoplifter. Home Depot, for example, once fired four employees who thought they were doing the retailer a favor by chasing after a shoplifter. Freddy explained that it’s not as if the products belong to him; they belong to a large corporation. But then he stopped to consider something. “If I did try to stop a shoplifter, I wonder what the legal situation would be,” he said. What if, he mused, he tackled a shoplifter and injured them? Would he then be liable? Would the shoplifter sue? (This is America. Of course they would.) I’ve not seen any Best Buy post uniformed security outside its stores, but the company does employ them at certain locations. Best Buy’s CEO, Corie Barry, sees shoplifting as a big problem.

    Last November, she told CNBC: “When we talk about why there are so many people looking for other jobs or switching careers, this… play[s] into my concerns for our people because, again, priority one is just human safety.” She specifically referenced San Francisco — and California in general. As I write, it’s unknown what did — or may — happen to the Best Buy NFL-style defenders. It’s hard to imagine this was a spontaneous action. It’s easier to imagine that they’d prepared, at least a little. I wonder what happened to the shoplifters too. The phones they ripped out are instantly useless.

  • Singapore launches safety rating scheme for e-commerce sites

    Written by

    Eileen Yu, Contributor


    Singapore has launched a rating scheme that assesses e-commerce marketplaces based on their anti-scam measures. Its technical guidelines for online transactions have also been updated to offer more detail on safeguarding against scams. The E-commerce Marketplace Transaction Safety Ratings (TSR) aimed to evaluate the extent to which these platforms had implemented anti-scam measures that ensured, amongst other things, user authenticity, transaction safety, and the availability of loss remediation channels for consumers. For instance, e-commerce marketplaces would be assessed on whether they had measures in place to verify sellers’ identities and were continuously monitoring for fraudulent seller behaviour. The platforms would also be rated on the use of secure payment tools for transactions as well as the availability of dispute reporting and resolution mechanisms.

    The information served to alert users to the safety of transacting with these online sites, said the Ministry of Home Affairs and Singapore Standards Council in a joint statement on Saturday. The ratings covered “major e-commerce marketplaces” that facilitated transactions between multiple sellers and buyers, with “significant” local reach or a significant number of reported e-commerce scams. The lowest rating is one tick, and the scale tops out at four ticks. E-commerce marketplaces with all critical anti-scam measures in place were awarded the highest four-tick rating, according to the ministry. TSR ratings are reviewed every year. The current list gives Facebook Marketplace the lowest rating of one tick, while Carousell has two ticks, Shopee has three, and Qoo10 has four ticks alongside Amazon and Lazada. To further enhance anti-scam protection, the national standard for e-commerce transactions has also been updated to include additional guidelines for online retailers and marketplaces. The latest Technical Reference 76, which was first released in June 2020, encompasses best practices to secure different areas of online transactions, spanning pre-, during- and post-purchase activities, customer support, and merchant verification. E-marketplaces, for example, should look at implementing pre-emptive safeguards against fraudulent merchants on their platforms, such as activating early warning mechanisms when non-verified devices are used to access an account. Merchants deemed to be a fraud risk should also be blacklisted on the marketplace, with their activities on the platform restricted or customers made aware of the risks involved. “The [TR76] intent is to better enable merchant authenticity, improve transaction security, and aid enforcement against e-commerce scams,” said the Ministry of Home Affairs and Singapore Standards Council, adding that the additional guidelines were part of the safety features rated in the TSR.

    “Generally, e-commerce marketplaces that adopt TR76 guidelines would score better on the TSR.” Singapore in the last couple of years has intensified its efforts to improve the underlying infrastructure that it believes will pave the way for the country to become a global and regional e-commerce hub. The country’s “five-pronged” strategy to do so includes building out local 5G networks, supply chain capabilities, and payment platforms. The Monetary Authority of Singapore (MAS) in February said it was working on a liability framework detailing how losses from online scams would be shared amongst key parties in the ecosystem, stressing that victims of such scams should not assume they would be able to recover their losses. This framework would operate on the basis that all parties have a responsibility to be vigilant and take precautions against scams, MAS said.