More stories

  • Microsoft disables SMB1 file-sharing protocol by default in Windows 11 Home

    Microsoft’s Windows 10 operating system already disables SMB (Server Message Block) version 1, the 30-year-old file-sharing protocol, by default. Now the company is doing the same in Windows 11 Home Dev Channel test builds, officials announced on April 19. SMB1 is considered outdated and insecure. However, some users with very old equipment may be in for a surprise if their Windows 11 laptops can’t connect to an old networked hard drive, officials said in a blog post about the SMB1 phase-out plan.

    “There is no edition of Windows 11 Insider that has any part of SMB1 enabled by default anymore. At the next major release of Windows 11, that will be the default behavior as well,” said Ned Pyle, Principal Program Manager. “Like always, this doesn’t affect in-place upgrades of machines where you were already using SMB1. SMB1 is not gone here, an admin can still intentionally reinstall it,” Pyle added.

    Pyle said that Microsoft will next remove the SMB1 binaries, so that neither Windows nor Windows Server will include the SMB1 drivers and DLLs. However, Microsoft will provide an out-of-band, unsupported install package for users who still need to connect to old factory machinery, medical gear, consumer NAS and other equipment that still requires SMB1.

    Speaking of Windows 10, Microsoft also announced this week that Windows 10 version 21H2 (the November Update) is now considered ready for broad deployment and will be available to everyone via Windows Update. Anyone with a device that Microsoft has deemed compatible, or that isn’t set up to defer feature updates, will be offered 21H2. The update can be installed manually by checking for Windows Updates as of April 15.

  • Google fixes Chrome zero day being used in exploits in the wild

    Google has released patches for two security flaws in Chrome, one of which was being exploited in the wild. The zero day is tracked as CVE-2022-1364, a high-severity flaw reported to the Chrome team by Clément Lecigne of Google’s Threat Analysis Group. Google hasn’t revealed any details about it in the blog post beyond that it was a type confusion in Chrome’s V8 JavaScript engine. “Google is aware that an exploit for CVE-2022-1364 exists in the wild,” the company says. The fixes are contained in the Chrome stable channel release 100.0.4896.127 for Windows, Mac and Linux. It will roll out over the coming days or weeks, according to Google.

    The US government’s Cybersecurity and Infrastructure Security Agency advised users to update their software and said: “This version addresses a vulnerability that an attacker could exploit to take control of an affected system. This vulnerability has been detected in exploits in the wild.”

    Google fixed 14 Chrome zero-day flaws in 2021, up from seven in 2020. Google argued that the uptick in Chrome zero-days might be alarming for some, but it may also indicate the company is getting better at catching and fixing them. One reason attackers focus on Chrome is the demise of Adobe Flash Player, previously a big target. This February, Google also patched the Chrome zero day CVE-2022-0609, and in March it patched another bug, CVE-2022-1096, that was being exploited in the wild. Google linked the use of CVE-2022-0609 to multiple hacking groups associated with the North Korean state-backed Lazarus group. Google TAG researchers said they believed different North Korean hacking groups were sharing the same software supply chain, and so used the same exploit kit. The group had targeted US organizations in the news media, tech, cryptocurrency and fintech sectors, according to Google.

  • FBI warning: These hackers are targeting developers and DevOps teams to break into crypto firms

    The US government has detailed how North Korean state-sponsored attackers have been hacking cryptocurrency firms using phishing, malware and exploits to steal funds and initiate fraudulent blockchain transactions. The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), and the U.S. Treasury Department (Treasury) have issued a joint cybersecurity advisory to warn all businesses in the cryptocurrency sector to watch out for attacks from North Korean state-sponsored hackers.

    Last week, the US Treasury Department linked the massive $600 million heist from the Ronin blockchain network to Lazarus hackers. The new joint alert mostly concerns the work of Lazarus Group, also known as APT38, and follows multiple alerts since 2020 about the group’s crypto-stealing malware. “As of April 2022, North Korea’s Lazarus Group actors have targeted various firms, entities, and exchanges in the blockchain and cryptocurrency industry using spearphishing campaigns and malware to steal cryptocurrency,” the alert from the FBI’s Internet Crime Complaint Center (IC3) states. “These actors will likely continue exploiting vulnerabilities of cryptocurrency technology firms, gaming companies, and exchanges to generate and launder funds to support the North Korean regime.”

    The alert flags that Lazarus attacks often begin with spear-phishing messages targeting employees of cryptocurrency firms, often those working in system administration, software development, IT operations or DevOps roles. “The messages often mimic a recruitment effort and offer high-paying jobs to entice the recipients to download malware-laced cryptocurrency applications,” the agencies said, with the aim of tricking the target into downloading ‘TraderTraitor’, the FBI’s name for a malware-laced version of several cryptocurrency applications.

    TraderTraitor is a set of malicious applications written in JavaScript, built on a Node.js runtime with Electron to create apps that work across Windows and macOS. The attackers use a variety of open-source crypto-trading and price-prediction projects to package their malware. It runs a bogus “update” process that downloads and executes a malicious payload.

    “Observed payloads include updated macOS and Windows variants of Manuscrypt, a custom remote access trojan (RAT), that collects system information and has the ability to execute arbitrary commands and download additional payloads,” IC3 notes. “Post-compromise activity is tailored specifically to the victim’s environment and at times has been completed within a week of the initial intrusion.”

    The IC3 alert lists several new cryptocurrency-related Electron applications containing binaries signed with now-revoked Apple Developer Team certificates. Hackers from North Korea stole around $400 million worth of cryptocurrency in 2021 through at least seven attacks, according to blockchain analysis firm Chainalysis.

  • Microsoft: We're boosting our bug bounties for these high-impact security flaws

    Microsoft has announced new “scenario-based” awards for its Dynamics and Power Platform Bounty Program and the Microsoft 365 Bounty Program. Microsoft says the scenario-based awards are designed to encourage researchers to focus their work on “vulnerabilities that have the highest potential impact on customer privacy and security”.

    The new scenario-based awards come on top of the existing general awards for security bugs, such as remote code execution and elevation of privilege bugs in products, with up to $26,000 on offer in new awards.

    The new scenario-based award for Dynamics 365 and Power Platform is for a cross-tenant information disclosure bug, which carries a maximum award of $20,000. Microsoft has patched similar bugs affecting some Azure APIs, and in March another cross-tenant information disclosure bug affecting the Azure Automation service.

    Microsoft is also adding bonuses of between 15% and 30% on top of the general Microsoft 365 bounty for Office 365 products and Microsoft Account pages for Outlook, Teams, SharePoint Online, OneDrive, Skype, and more. The highest general Microsoft 365 bounty award is $20,000 for a critical remote code execution flaw. The new high-impact scenarios award a 30% bonus for remote code execution (RCE) through untrusted input (CWE-94 “Improper Control of Generation of Code (‘Code Injection’)”) and 30% for RCE through untrusted input (CWE-502 “Deserialization of Untrusted Data”). There are also 20% bonuses for unauthorized cross-tenant and cross-identity sensitive data leakage, covering both CWE-200 “Exposure of Sensitive Information to an Unauthorized Actor” and CWE-488 “Exposure of Data Element to Wrong Session”. Finally, there’s a 15% bonus for “Confused Deputy” vulnerabilities that can be used in a practical attack to access resources in a way that bypasses authentication (CWE-918 “Server-Side Request Forgery (SSRF)”).

    Microsoft offered similar scenario-based awards for its Teams bug bounty last year on top of the general awards in that program. In December, it also added six scenario-based awards of up to $60,000 for high-impact bugs to its Azure bounty.

  • Lenovo patches UEFI firmware vulnerabilities impacting millions of users

    Lenovo has patched a trio of bugs that could be abused to perform UEFI attacks.

    Discovered by ESET researcher Martin Smolár, the vulnerabilities, assigned CVE-2021-3970, CVE-2021-3971, and CVE-2021-3972, could be exploited to “deploy and successfully execute UEFI malware either in the form of SPI flash implants like LoJax or ESP implants like ESPecter” in the Lenovo Notebook BIOS.

    In UEFI cyberattacks, malicious code is loaded on a compromised device at an early stage of the boot process. This means that malware can tamper with configuration data, establish persistence, and may be able to bypass security measures that are only loaded at the OS stage. On Tuesday, ESET said the vulnerabilities impact “more than one hundred different consumer laptop models with millions of users worldwide” and were caused by drivers only meant to be used during Lenovo’s product development stage. The impacted product list includes IdeaPads, Legion gaming devices, and both Flex and Yoga laptops.

    The first vulnerability, CVE-2021-3970, impacts the SW SMI handler function. This SMM memory corruption issue, caused by improper input validation, permits attackers to read/write into SMRAM, which, in turn, could allow malicious code with SMM privileges to execute — and for SPI flash implants to be deployed. “SMM is a highly privileged execution mode of x86 processors […],” the researchers explained. “SMM code is written within the context of the system firmware and is usually used for various tasks including advanced power management, execution of OEM proprietary code, and secure firmware updates. It provides an independent execution environment completely invisible to the running operating system.”

    The other two vulnerabilities, CVE-2021-3971 and CVE-2021-3972, relate to drivers named SecureBackDoor and SecureBackDoorPeim. Lenovo has described the first security flaw as a “potential vulnerability by a driver used during older manufacturing processes on some consumer Lenovo Notebook devices that was mistakenly included in the BIOS image could allow an attacker with elevated privileges to modify [the] firmware protection region by modifying an NVRAM variable.” The second issue is a “potential vulnerability by a driver used during [the] manufacturing process on some consumer Lenovo Notebook devices that was mistakenly not deactivated [and] may allow an attacker with elevated privileges to modify secure boot setting[s] by modifying an NVRAM variable.”

    The drivers, when they are queried by Lenovo software, could be abused to disable flash protections and UEFI Secure Boot. Attackers with a high enough privilege level can exploit CVE-2021-3971 to change UEFI firmware settings, and CVE-2021-3972 requires tampering with NVRAM variables to deploy malicious implants.

    ESET reported the three vulnerabilities to Lenovo on October 11, 2021. The security flaws were triaged and confirmed in November. Patches have now been released, leading to April’s public disclosure. It is recommended that users patch their firmware immediately. Lenovo has published an advisory and alternative mitigation options for users who can’t accept fixes at this time. However, not every device on the list will receive fixes, as some are legacy products. For out-of-support devices, ESET recommends using TPM-aware full-disk encryption software to make information inaccessible if UEFI Secure Boot configurations are tampered with.

    “All of the real-world UEFI threats discovered in the last years — LoJax, MosaicRegressor, MoonBounce, ESPecter, FinSpy — needed to bypass or disable the security mechanisms in some way in order to be deployed and executed,” Smolár commented. “Our discovery demonstrates that in some cases, deployment of the UEFI threats might not be as difficult as expected, and the larger amount of real-world UEFI threats discovered in the last years suggests that adversaries are aware of this.”

  • APAC consumers share more data, but will ditch firms over security breach

    Consumers in Singapore and Australia share more personal information now than they did two years ago, but more people in the two Asian markets will ditch service providers that suffer a data breach than their global counterparts. Respondents in the two markets are also disgruntled about having to hand over their data to use online services.

    Some 67% of respondents across Singapore and Australia felt they had little choice but to divulge their personal information in order to use online services. In fact, 54% said they shared their data with so many organisations online each day that they could not verify each company’s ability to safeguard personal data, according to a survey commissioned by security vendor Imperva. Conducted by YouGov, the online study polled 6,773 consumers in the two Asian markets as well as the US and UK, with 1,079 respondents from Singapore and 1,004 from Australia.

    More in Singapore and Australia, at 46%, said they shared more personal information now than they did two years ago, compared to the global average of 33%. Feeling compelled to share their personal data, 37% in the Asian markets said their trust in digital service providers’ willingness to safeguard their personal data had dipped over the past five years. The global average for this was 41%. Specifically, retailers and online games service providers were deemed the least trustworthy in protecting confidential information, with just 5% of respondents in Asia expressing trust in these companies. Another 8% trusted social media platforms such as Facebook and Twitter. Government and financial organisations were amongst the most trusted: some 44% had complete trust in the former, while 41% trusted financial businesses to keep their personal data private.

    Some 50% in the two Asian markets would stop or had stopped using services from companies that suffered a serious data breach, higher than the global average of 43%. Despite their lack of trust in some businesses, respondents appeared more willing to reveal personal data on cloud-based messaging platforms. Some 23% admitted to having said something via these services to a colleague, friend, or family member that could damage a relationship. Another 18% admitted to making offensive statements, such as homophobic and racist remarks, while 16% had intentionally lied on these messaging platforms. Across the board, 37% in Singapore and Australia had discussed private topics via a cloud messaging app or service, despite 93% acknowledging they could face serious consequences if these conversations were leaked. Some 45% would feel violated if this happened, while 29% said they could lose their job if their conversations on cloud messaging platforms were leaked.

    Imperva’s Asia-Pacific Japan regional vice president, George Lee, said: “Consumers face a disheartening Catch-22 scenario: they need digital services to operate in modern life, but their trust in these services is deteriorating. Businesses need to focus on who is accessing their data and protecting the paths a cybercriminal might exploit to get to the data. Taking a data-centric security approach must be part of every organisation’s strategy as consumers grow increasingly cynical of the services they use.”

    According to Forrester’s 2021 State of Enterprise Breaches, 68% of respondents in Asia-Pacific revealed they suffered at least one security breach last year, higher than the global average of 63%. Businesses in this region took a median of 33 days to identify and eradicate an attack and 11 days to recover from an attack. They lost a median of $2.2 million per breach. Globally, organisations spent a median of 27 days identifying and eradicating an attack and 10 days recovering from a breach. It cost businesses a median of $2.4 million in total per breach.

  • US Treasury links North Korean hacker group Lazarus to $600m Axie Infinity heist

    The US Treasury Department on Thursday linked a notorious North Korean hacking group to a massive $600 million cyber breach last month. The connection became clear when the Treasury Department updated its sanctions listing for the hacking group, called Lazarus Group. The federal agency added a cryptocurrency address that was used to steal $600 million from the Ronin network, a blockchain network created by the Vietnamese game company Sky Mavis.

    The Ronin network powers the play-to-earn game Axie Infinity. Sky Mavis created the network to get around Ethereum network congestion. Last month, the company revealed it had 173,600 ether (ETH) and 25.5 million USD Coin (USDC) drained from the Ronin network. At the time, the crypto assets were valued at over $600 million.

    Sky Mavis on Thursday acknowledged the new Treasury Department listing. “We are still in the process of adding additional security measures before redeploying the Ronin Bridge to mitigate future risk. Expect the bridge to be deployed by end of month,” the company said. “We would like to extend a thank you to all law enforcement agencies who have supported us in this ongoing investigation.”

    To put the $600 million heist in context, hackers from North Korea stole nearly $400 million worth of cryptocurrency in 2021, according to blockchain analysis firm Chainalysis. Lazarus is among the most prolific and sophisticated of the hacking groups with links to North Korea. The group was responsible for the destructive wiper attack on Sony Pictures Entertainment in 2014.

  • Ransomware: These two gangs are behind half of all attacks

    Over half of all ransomware attacks reported during the first three months of this year are the work of just two cyber criminal outfits. According to analysis of recorded ransomware attacks between January and March 2022 by cybersecurity researchers at Digital Shadows, LockBit 2.0 and Conti were the two most active ransomware gangs during the three-month reporting period, accounting for 58% of all incidents. Of the two, LockBit is by far the most prolific, accounting for 38% of ransomware attacks. That’s almost twice the number of recorded attacks by the Conti ransomware group, which accounted for 20% of campaigns in the same period. Both groups steal data from their victims and threaten to publish it on leak sites if the ransom isn’t paid. According to Digital Shadows, LockBit leaked the information of over 200 victims during the first quarter of the year, the most leaks thus far.

    While these two gangs were the busiest, other threats included Hive ransomware, Vice Society ransomware and BlackByte ransomware, among others.

    Conti ransomware has remained a major threat, despite February’s Conti Leaks, which revealed much about the inner workings of the ransomware group. Internal chat logs and other information were leaked after Conti publicly posted a message of support for Russia’s invasion of Ukraine. But this setback doesn’t seem to have dissuaded those behind Conti, who continue to conduct ransomware attacks. “While the Conti chat leak is likely to have some impact on the group, it is unlikely that this will significantly affect the group’s market share. Conti has shown no signs of slowing down since the chat logs and source code leak,” Ivan Righi, senior cyber threat intelligence analyst at Digital Shadows, told ZDNet. “However, the leak is a blow to the group’s reputation, and could therefore affect its ability to attract new affiliates and have a long-term impact on its ability to grow,” he added.

    One ransomware group does seem to have disappeared. Researchers note that PYSA ransomware, which was the third most active ransomware group during the final three months of 2021, appears to have dropped off the radar. Another previously prolific ransomware group, REvil, also appears to have stopped operating.

    But while some ransomware groups seem to disappear, new ransomware threats continue to appear. New ransomware groups that have emerged since January 2022 and have been listed by Digital Shadows include Stormous, Night Sky, Zeon, Pandora, Sugar, and x001xs. It’s likely that individuals involved in groups that shut down simply find new work with other ransomware gangs. “New ransomware groups are created at a similar rate to groups being shut down. This is likely because affiliates frequently move from groups that are no longer active to those that are emerging,” said Righi. “Regardless of the external factors and shifts in targeting, ransomware is likely to remain one of the biggest threats to organizations worldwide over the next quarter,” he added.

    There are several steps businesses can take to avoid falling victim to ransomware. These include applying security patches to software and operating systems as quickly as possible, so cyber criminals can’t use known vulnerabilities to enter networks. Organisations should also roll out multi-factor authentication to all users to provide an extra barrier to attacks, and if it’s suspected that a password has been compromised, it should be changed immediately.