More stories

  • Some QCT servers vulnerable to 'Pantsdown' flaw say security researchers

    Researchers have disclosed the existence of the critical “Pantsdown” vulnerability in some Quanta Cloud Technology (QCT) server models. On Thursday, cybersecurity firm Eclypsium said that several servers belonging to the data center solutions provider were still vulnerable to the bug, which has been publicly known for years now.

    The vulnerability, tracked as CVE-2019-6260, was first discovered in January 2019. At the time one security researcher described it as “the nature of feeling that we feel that we’ve caught chunks of the industry with their….”

    CVE-2019-6260, which was issued a CVSS severity score of 9.8 (critical), is a vulnerability in ASPEED Baseboard Management Controller (BMC) hardware and firmware. The AHB bridges, in particular, can be exploited for arbitrary read/write access, leading to information leaks, code execution, data tampering or theft, or denial-of-service (DoS) attacks.

    At the time of disclosure, Pantsdown impacted multiple BMC firmware stacks including AMI, SuperMicro, and OpenBMC (up to v2.6). Exploits exist in the wild that harness the Pantsdown bug, potentially placing enterprise servers at risk.

    According to Eclypsium, some QCT server models are still vulnerable to CVE-2019-6260. The team tested a QuantaGrid D52B rackmount server containing update package version 1.12 (release date 2019.04.23) with BIOS version 3B13 and BMC version 4.55.00. “This same firmware package names support for D52BQ-2U, D52BQ-2U 3UPI, and D52BV-2U models of the server,” the team noted. “On inspection, we found that the server contained an Aspeed 2500 BMC (AST2500(A2)) and was running a version of AMI-based BMC software vulnerable to Pantsdown.”

    During tests, the researchers were able to patch the web server code while it was running in memory on the BMC by exploiting CVE-2019-6260, granting themselves read/write access to memory. Furthermore, they could replace it with their own crafted code to trigger a reverse shell whenever a user attempted to connect to the server or refresh its linked webpage. Eclypsium created proof-of-concept (PoC) code that they say “demonstrates how even an unsophisticated attacker with remote access to the operating system could leverage this vulnerability to gain code execution within the BMC of QCT servers.”

    The presence of the vulnerability in Quanta servers was disclosed on October 7, 2021. According to Eclypsium, QCT has now patched the vulnerability and new firmware was made available privately to customers.

    Eclypsium VP of Technology, John Loucaides, told ZDNet: “Unfortunately, we cannot be sure just how many server models are vulnerable. Some of our partners have run our tests on other models and found the same issue. Given that even some major manufacturers did not run comprehensive tests for this, no one is likely to have a complete list.”

    ZDNet has reached out to Quanta and we will update when we hear back.

  • Time to update: Google Chrome 102 arrives with 32 security fixes, one critical

    Google has released stable Chrome version 102 with 32 security fixes for the browser on Windows, Mac and Linux. Chrome 102 for the desktop includes 32 security fixes reported to Google by external researchers. There’s one critical flaw, while eight are high severity, nine are medium severity, and seven are low severity. Google also […]

  • Microsoft: Here's how to defend Windows against these new privilege escalation attacks

    Microsoft has detailed how Windows customers can defend themselves from automated ‘Kerberos Relay’ attacks that can give an attacker System privileges on a Windows machine. Microsoft has responded to the April release of KrbRelayUp, a tool that streamlines several earlier public tools to escalate privileges from a low-privileged Windows domain user to […]

  • YouTube remains in Russia to be an independent news source: CEO

    YouTube has remained in Russia to serve as a source of independent news, according to CEO Susan Wojcicki, who spoke at the Davos World Economic Forum on Tuesday where she also addressed the company’s decision to remove Russian state media from the platform.

    “As soon as the war broke out, we realised this was an incredibly important time for us to get it right with regard to our responsibility,” said Wojcicki.

    The CEO explained the company had updated its policies to remove Russian state media from its platform, as well as other content, in an effort to stem misinformation that sought to deny or trivialise the war in Ukraine.

    Wojcicki added the YouTube platform had been used for “all kinds of humanitarian reasons” throughout the conflict, such as aiding medical professionals on the battlefield and educating children isolated from school as a result of the war. Further to this, the CEO detailed how Russia has been pushing citizens toward Rutube, a Russian video platform with similarities to YouTube, but added that she was not concerned by the emergence of the service.

    With regard to other social media and content services, Russian communications agency Roskomnadzor announced in March it was blocking access to Facebook, alleging the US social media giant had discriminated against Russian media and information resources, whilst Netflix chose to shut down its service in the country. TikTok also announced in March that it would suspend any livestreaming and new content on its video service.

    Meanwhile, in Davos on Tuesday, the dichotomy between innovation and health data protection was discussed by a panel of experts. Director and co-founder of Access Now Brett Solomon took a human-rights-centric approach, proclaiming that it has proved to be “historically problematic” to leave human rights at the mercy of market forces, placing specific emphasis on the realm of health data.

    “It’s become very clear as a result of the pandemic, how important health data is to us as individuals, and we don’t know where all of that information is in terms of the contact tracing apps, in terms of where it’s being held by big pharma,” said Solomon.

    Wipro CTO Subha Tatavarti disagreed, pointing to the positives of retaining health data so that businesses can share information to allow for faster innovation of important medicine.

    On Wednesday, the Western Australian government committed AU$8 million towards data linkage reforms and public sector capabilities to address social, economic, and health issues. The funding would ensure better cybersecurity protection of sensitive health data, support health experts in conducting research, and streamline existing government services, Minister of Innovation and ICT Stephen Dawson said.

    “Improved linkage capabilities will enable decisions to be better informed by data and will aid researchers in their efforts to improve the health and wellbeing of all Western Australians,” said Dawson.

    Previously the Auditor-General of Western Australia had given state authorities a whack for security weaknesses in IT systems used in the state after a report on its contact tracing system was released earlier this month.

  • Data on ransomware attacks is 'fragmented and incomplete' warns Senate report

    The government lacks comprehensive data on ransomware attacks and suffers from fragmented reporting, according to a new US Senate committee report. The 51-page report from the Senate Homeland Security and Governmental Affairs Committee calls on the government to swiftly implement new mandates for federal agencies and critical infrastructure organizations to report ransomware attacks and payments to attackers.

    The 10-month investigation, which focussed on the role of cryptocurrency in ransomware payments, found that reporting on attacks is “fragmented and incomplete”, in part because the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) both claim to have the “one stop” website for reporting attacks — respectively, IC3.gov and StopRansomware.gov.

    Since the investigation began, the US has introduced several new laws to improve ransomware incident reporting and data collection, including the Cyber Incident Reporting Act of 2021, which passed the Senate in March 2022 under the Strengthening American Cybersecurity Act. The new laws require critical infrastructure organizations to report cyberattacks to CISA within 72 hours and ransomware payments within 24 hours.

    CISA said in March it would immediately share incident reports with the FBI, but the investigation found shortcomings with this arrangement. “While the agencies state that they share data with each other, in discussions with committee staff, ransomware incident response firms questioned the effectiveness of such communication channels’ impact on assisting victims of an attack,” the report states.

    Beyond the dual reporting functions of the FBI and CISA, there are sector-specific reporting regimes under Treasury’s FinCEN, the Transportation Security Administration, and the Securities and Exchange Commission, as well as reporting through FBI field offices and some state governments. “These agencies do not capture, categorize, or publicly share information uniformly,” the report notes.

    It notes that the FBI’s IC3 figures on ransomware are believed by experts to be a “subset of a subset” of the data. The FBI admits the ransomware data in its annual IC3 report is “artificially low”, as victims only voluntarily report incidents to the FBI. Meanwhile, FBI field offices that do collect ransomware victim reports lose contact with about 25% of victims during follow-up investigations.

    FinCEN would like improved reporting of financial information related to ransomware attacks to give it better actionable data about the laundering of cryptocurrency ransoms, the report notes. The lack of comprehensive data impedes US responses through sanctions, law enforcement and international partnerships, as well as private sector contributions to ransomware recovery, the report said.

    The report calls on federal agencies to immediately implement the requirements under the incident reporting acts to share all incident reports with CISA “to enable a consolidated view of incidents from across different sectors and reported under different regulatory regimes.”

    The report also stresses that ransomware data collection is critical for US national security, especially in the context of Russia’s invasion of Ukraine. “As Russia’s invasion of Ukraine continues and Russia seeks to find ways around the international finance system, the need to address these shortfalls grows. Approximately 74 percent of global ransomware revenue in 2021 went to entities either likely located in Russia or controlled by the Russian government,” the report notes. “Further, CISA and other federal agencies have warned that Russia’s invasion of Ukraine could lead to additional malicious cyber activity, including ransomware attacks, in the United States. Therefore, as the report finds, prioritizing the collection of data on ransomware attacks and cryptocurrency payments is critical to addressing increased national security threats.”

  • Zoom patches XMPP vulnerability chain that could lead to remote code execution

    Written by Chris Duckett, APAC Editor

    Zoom users are advised to update their clients to version 5.10.0 to patch a number of holes found by Google Project Zero security researcher Ivan Fratric. “User interaction is not required for a successful attack. The only ability an attacker needs is to be able to send messages to the victim over Zoom chat over XMPP protocol,” Fratric said in a bug tracker description of the chain.

    Looking at the way XMPP messages are parsed differently by Zoom’s server and clients, since they use different XML parsing libraries, Fratric was able to uncover an attack chain that ultimately could lead to remote code execution. If a specially crafted message was sent, Fratric was able to trigger clients into connecting to a man-in-the-middle server that served up an old version of the Zoom client from mid-2019.

    “The installer for this version is still properly signed, however it does not do any security checks on the .cab file,” Fratric said. “To demonstrate the impact of the attack, I replaced Zoom.exe in the .cab with a binary that just opens Windows Calculator app and observed Calculator being opened after the ‘update’ was installed.”

    In its security bulletin published last week, Zoom said the security researcher also found a way to send user session cookies to a non-Zoom domain, which could allow for spoofing. The CVE-2022-22786 vulnerability that allowed for downgrading the client only impacted Windows users, while the other three issues — CVE-2022-22784, CVE-2022-22785, and CVE-2022-22787 — impacted Android, iOS, Linux, macOS, and Windows.

    Fratric discovered the vulnerabilities in February, with Zoom patching its server-side issues the same month, and releasing updated clients on April 24.

  • These are the flaws that let hackers attack blockchain and DeFi projects

    The number of decentralized finance (DeFi) and blockchain projects grew massively during the past year, but their increased popularity has also piqued the interest of cyberattackers – who managed to steal at least an estimated $1.8 billion in 2021.

    The blockchain is a digital ledger that records transactions in a way that is difficult to tamper with or change. As a result, these technologies have tremendous potential for managing cryptocurrency assets and transactions, as well as for facilitating smart contracts, finance, and legal agreements.

    In recent years, the blockchain has led to the emergence of decentralized finance. DeFi financial products and systems are an alternative to traditional banks and financial services, relying on decentralized technologies and smart contracts to operate. DeFi, NFTs, and cryptocurrencies are now popular targets for threat actors, who take advantage of vulnerabilities, logic errors, and programming flaws – as well as performing phishing campaigns to steal digital funds from their victims.

    In May, Microsoft introduced the term ‘cryware’ to the standard dictionary of digital threats, including malware, infostealers, cryptojackers, and ransomware. The new term describes malware designed to harvest and steal information from non-custodial cryptocurrency wallets, otherwise known as ‘hot wallets’. While the blockchain facilitates the infrastructure digital wallets need for transfers, deposits, and withdrawals, hot wallets are stored locally and so might be susceptible to theft.

    On Tuesday, cybersecurity researchers from Bishop Fox published an analysis of the significant blockchain and DeFi heists that occurred in 2021. The cybersecurity firm analyzed $1.8 billion in losses. There were 65 major ‘events’ examined by the team, of which 90% were considered to be “unsophisticated attacks”.

    Chart source: Bishop Fox | CryptoSec

    According to the researchers, DeFi projects experienced an average of five significant cyberattacks per month, with peaks in May and December. The main attack vectors in 2021 were:

    • 51%, smart contract vulnerabilities
    • 18%, protocol and design flaws
    • 10%, wallet compromise
    • 6%, rug pulls and exit scams
    • 4%, key leaks
    • 4%, frontend hacks
    • 3%, arbitrage
    • 2%, cryptocurrency-related bugs
    • 2%, front runs (transactions queued with knowledge of future exchanges)

    “We can see that in most cases, the attack came from a vulnerability in smart contracts or in the very logic of the protocol,” the researchers noted. “This is not surprising for a recent technology that may lack a certain technical hindsight on the implementation of security measures.”

    When it comes to the types of vulnerabilities exploited in smart contracts, the most common issues exploited by threat actors are well-known bugs, vulnerabilities contained in forks, and sophisticated attacks. Rug pulls and exit scams have also been recorded to a lesser degree. However, many of these attacks could be avoided with robust auditing and testing before production. Developers using forks, too, should check their codebases regularly for any security issues impacting a DeFi project’s source code.

    “We can say without hesitation that DeFi is currently a tasty target that attracts thieves looking for big and fast gains,” Bishop Fox says. “This observation is obvious given the youth of this technology and the fact that it’s all about the money. Rare are the technological advances and developments that have never run into problems. In the same way that the first computers were networked without really considering the possibility of spreading a virus, DeFi developers tend to seek innovation in their algorithms more than protection.”

  • Microsoft: Credit card skimmers are switching techniques to hide their attacks

    Card-skimming malware is increasingly using malicious PHP script on web servers to manipulate payment pages in order to bypass browser defenses triggered by JavaScript code, according to Microsoft. Microsoft threat researchers have observed a change in tactics used by card-skimming malware. Over the past decade, card skimming has been dominated by so-called Magecart malware that relies on JavaScript code to inject scripts into checkout pages and deliver malware that captures and steals payment card details.  

    Injecting JavaScript into front-end processes was “very conspicuous”, Microsoft notes, because it might have triggered browser protections like Content Security Policy (CSP) that stop external scripts from loading. Attackers found less noisy techniques by targeting web servers with malicious PHP scripts.

    Microsoft in November 2021 found two malicious image files, including one fake browser favicon, being uploaded to a Magento-hosted server. Magento is a popular e-commerce platform. The images contained embedded PHP script, which by default didn’t run on the affected web server. Instead, the PHP script only runs after confirming, via cookies, that the web admin is not currently signed in, in order to target only shoppers. Once the PHP script was run, it retrieved the current page’s URL and looked for “checkout” and “one page”, two keywords that are mapped to Magento’s checkout page.

    “The insertion of the PHP script in an image file is interesting because, by default, the web server wouldn’t run the said code. Based on previous similar attacks, we believe that the attacker used a PHP ‘include’ expression to include the image (that contains the PHP code) in the website’s index page, so that it automatically loads at every webpage visit,” Microsoft explained.

    There has been a rise in the use of malicious PHP in card-skimming malware. The FBI last week warned of new cases of card-skimming attackers using malicious PHP to infect US businesses’ checkout pages with webshells for backdoor remote access to the web server. Security firm Sucuri found that 41% of new credit card-skimming malware observed in 2021 was related to PHP skimmers targeting backend web servers. Malwarebytes earlier this month said Magecart Group 12 was distributing new webshell malware that dynamically loads JavaScript skimming code via server-side requests to online stores.

    “This technique is interesting as most client-side security tools will not be able to detect or block the skimmer,” Malwarebytes’ Jérôme Segura noted. “Unlike previous incidents where a fake favicon image was used to hide malicious JavaScript code, this turned out to be a PHP web shell.”

    But malicious JavaScript remains part of the card-skimming game. For example, Microsoft found examples of card-skimming malware based on JavaScript spoofing Google Analytics and Meta Pixel (formerly Facebook Pixel) scripts. This can trick admins into thinking the scripts are benign.