More stories

Heroku to begin user password reset almost a month after GitHub OAuth token theft

Written by Chris Duckett, APAC Editor

Chris started his journalistic adventure in 2006 as the Editor of Builder AU after originally joining CBS as a programmer. After a Canadian sojourn, he returned in 2011 as the Editor of TechRepublic Australia, and is now the Australian Editor of ZDNet.

Heroku has alerted a “subset” of its users that it is going to reset their passwords on May 4 unless they change passwords beforehand. In resetting the password, the company is warning that existing API access tokens will also be useless, and new ones will need to be generated.

Publicly, the company has only said “a subset” of its customers would be emailed “regarding our continuous efforts to enhance security”. “We appreciate your collaboration and trust as we continue to make your success our top priority,” it said on a security incident notification that has been running for 18 days and counting.

The incident in question relates to a theft of OAuth tokens that GitHub saw in April, which impacted four OAuth applications related to Heroku Dashboard and one from Travis CI.

“The initial detection related to this campaign occurred on April 12 when GitHub Security identified unauthorised access to our npm production infrastructure using a compromised AWS API key,” GitHub said. “Based on subsequent analysis, we believe this API key was obtained by the attacker when they downloaded a set of private npm repositories using a stolen OAuth token from one of the two affected third-party OAuth applications described above.”

GitHub said it informed Heroku and Travis-CI of the incident on April 13 and 14. “GitHub contacted Heroku and Travis-CI to request that they initiate their own security investigations, revoke all OAuth user tokens associated with the affected applications, and begin work to notify their own users,” it said.

By April 27, GitHub said it was sending out its final notifications to impacted customers, and said the attackers used the stolen OAuth tokens issued to Heroku and Travis CI to list user organisations before choosing targets and cloning private repositories.

“This pattern of behaviour suggests the attacker was only listing organisations in order to identify accounts to selectively target for listing and downloading private repositories,” GitHub said. “GitHub believes these attacks were highly targeted based on the available information and our analysis of the attacker behaviour using the compromised OAuth tokens issued to Travis CI and Heroku.”

For its part, Heroku said on its incident page that it was alerted on April 13 that a subset of its private repositories and source code had been downloaded on April 9, before it revoked tokens from the Heroku GitHub integration, and said on April 23 that the integration would stay down.

“We take the protection of our customers very seriously, and as a result, we will not be reconnecting to GitHub until we are certain that we can do so safely, which may take some time. We recommend that customers use alternate methods rather than waiting for us to restore this integration,” Heroku said.

From then until Tuesday, the Salesforce-owned company has been making almost daily updates simply stating that the investigation is ongoing and asking customers to send it logs from GitHub.

Chinese hackers perform 'rarely seen' Windows mechanism abuse in three-year campaign

Researchers have disclosed a sophisticated Winnti cyber campaign that abuses Windows mechanisms in a way “rarely seen”.

According to Cybereason, the Chinese advanced persistent threat (APT) group Winnti is behind the campaign, which has gone undetected for years. Active since at least 2010, Winnti is a threat group that operates using a vast array of malware and tools. The APT, also known as APT41, BARIUM, or Blackfly, is suspected of working on behalf of the Chinese state and focuses on cyberespionage and data theft.

Past attacks connected to the group include cyberattacks against video game developers, software vendors, and universities in Hong Kong. Winnti also capitalized on the Microsoft Exchange Server ProxyLogon flaws, alongside other APTs, when the critical vulnerabilities were first made public.

In two reports published on Wednesday, Cybereason said the company had briefed both the FBI and US Department of Justice (DoJ) on the APT’s campaign, which has been active since 2019 but only recently exposed. According to the cybersecurity researchers, the covert attacks have been focused on infiltrating the networks of technology and manufacturing companies in Europe, Asia, and North America, with the aim of stealing sensitive proprietary information.

Dubbed Operation CuckooBees, Winnti’s “multi-stage infection chain” begins with exploiting vulnerabilities in enterprise resource planning (ERP) software and the deployment of the Spyder loader. The researchers say that some of the exploited bugs were known, but others were zero-day vulnerabilities.

Once access to an enterprise system is achieved, a webshell, made up of simple code published on Chinese-language websites, is dropped to maintain persistence. In addition, Winnti tampers with the Windows feature WinRM over HTTP/HTTPS, and the IKEEXT and PrintNotify Windows services, to create backup persistence mechanisms and to sideload Winnti DLLs.

The group then performs detailed reconnaissance on the operating system, network, and user files, before attempting to crack passwords locally using credential dumping techniques and tools. Remote scheduled tasks are used to try to move laterally across networks.

Of particular note is Winnti’s use of Stashlog, malicious software designed to abuse the Microsoft Windows Common Log File System (CLFS). Stashlog manipulates the Transactional NTFS (TxF) and Transactional Registry (TxR) operations of CLFS. The executable stashes a payload into the CLFS log file as part of the infection chain.

“The attackers leveraged the Windows CLFS mechanism and NTFS transaction manipulations, which allowed them to conceal their payloads and evade detection by traditional security products,” Cybereason says, adding that such abuse of CLFS is “rarely seen.”

Following Stashlog activities, the APT will then use various tools, including Sparklog, Privatelog, and Deploylog. These malware variants extract data from the CLFS log, escalate privileges, enable further persistence, and deploy the Winnkit rootkit driver, which acts as a kernel-mode agent to intercept TCP/IP requests.

As the investigation into Winnti’s campaign is ongoing, the cybersecurity firm has only been able to share partial Indicators of Compromise (IoCs).

“Perhaps one of the most interesting things to notice is the elaborate and multi-phased infection chain Winnti employed,” the researchers say. “The malware authors chose to break the infection chain into multiple interdependent phases, where each phase relies on the previous one in order to execute correctly. This demonstrates the thought and effort that was put into both the malware and operational security considerations, making it almost impossible to analyze unless all pieces of the puzzle are assembled in the correct order.”

Google TAG sees China PLA group go after multiple Russian defence contractors

Written by Chris Duckett, APAC Editor

Google’s Threat Analysis Group (TAG) has provided an update on cyber activity in Eastern Europe, following on from its March missive. Overall, TAG said threat actors were increasingly using the Russian invasion of Ukraine as a phishing and malware lure, and were targeting critical infrastructure such as oil and gas, telecommunications, and manufacturing.

“Government-backed actors from China, Iran, North Korea and Russia, as well as various unattributed groups, have used various Ukraine war-related themes in an effort to get targets to open malicious emails or click malicious links,” TAG said. “Financially motivated and criminal actors are also using current events as a means for targeting users.”

Proving that any target is fair game, TAG detailed the case of the Curious Gorge group, linked to the Chinese People’s Liberation Army Strategic Support Force, which has been hunting targets in Russia, Ukraine, and Central Asia.

“In Russia, long running campaigns against multiple government organisations have continued, including the Ministry of Foreign Affairs. Over the past week, TAG identified additional compromises impacting multiple Russian defense contractors and manufacturers, and a Russian logistics company,” it said.

Another Chinese group, known as Bronze President, Mustang Panda, TA416, or RedDelta, has recently turned its attention to Russia. “This suggests that the threat actors have received updated tasking that reflects the changing intelligence collection requirements of the People’s Republic of China (PRC),” researchers from Secureworks said.

From the Russian side, TAG said the state-backed Fancy Bear group went after targets in Ukraine with malware built using .NET to email cookies and passwords from the Chrome, Edge, and Firefox browsers to a compromised account.

Meanwhile, the FSB-aligned Turla group was conducting campaigns against defence and cybersecurity entities from Baltic nations using malicious docx files, and Coldriver continued to use compromised Gmail accounts to target government and defence officials, politicians, NGOs, think tanks, and journalists with malicious files intended to lead them onto a phishing domain.

Not to be left out, the Belarusian actor Ghostwriter has resumed phishing to go after Gmail accounts, but has so far come up empty, TAG said. The group also conducted a Facebook phishing campaign mainly targeting Lithuanians.

“Upon discovery, all identified websites and domains were added to Safe Browsing to protect users from further exploitation. We also send all targeted Gmail and Workspace users government-backed attacker alerts notifying them of the activity,” TAG said.

Last week, Microsoft said it had seen six Russian state-sponsored groups launch 237 cyberattacks against Ukraine in the weeks leading up to the invasion.

SEC nearly doubles size of crypto and cyber enforcement unit

Written by Aimee Chanthadavong, Senior Journalist

Since completing a degree in journalism, Aimee has had her fair share of covering various topics, including business, retail, manufacturing, and travel. She continues to expand her repertoire as a tech journalist with ZDNet.

The US Securities and Exchange Commission (SEC) has announced that it will bolster the size of its enforcement unit that targets crypto assets and cyber-related threats.

The unit, formerly known as the cyber unit, will be renamed the crypto assets and cyber unit and will continue to reside in the Division of Enforcement. It will also gain 20 additional team members, taking the unit’s total headcount to 50.

These additional roles will include fraud analysts, supervisors, investigative staff attorneys, and trial counsels, and are expected to focus on investigating violations related to crypto asset offerings, exchanges, lending and staking products, as well as decentralized finance platforms, non-fungible tokens, and stablecoins.

“The US has the greatest capital markets because investors have faith in them, and as more investors access the crypto markets, it is increasingly important to dedicate more resources to protecting them,” SEC chair Gary Gensler said. “The Division of Enforcement’s Crypto Assets and Cyber Unit has successfully brought dozens of cases against those seeking to take advantage of investors in crypto markets. By nearly doubling the size of this key unit, the SEC will be better equipped to police wrongdoing in the crypto markets while continuing to identify disclosure and controls issues with respect to cybersecurity.”

According to the SEC, since the unit’s creation in 2017 it has brought more than 80 enforcement actions related to fraudulent and unregistered crypto asset offerings and platforms, resulting in fines totalling more than $2 billion.

One of the most recent cases was in February, when the SEC found that crypto lender BlockFi had operated for 18 months as an unregistered investment company. The company offered BlockFi Interest Accounts (BIAs), where users lent crypto assets back to BlockFi for a variable monthly interest payment, which the SEC found were securities, and therefore BlockFi needed to register with the regulator.

BlockFi was also found to have made a false and misleading statement for over two years on its site about the level of risk in its loan portfolio and lending activity.

Along with the findings, BlockFi agreed to pay a $50 million penalty to settle with the SEC and another $50 million to settle similar charges in 32 states. It also agreed to halt unregistered products, seek registration of new lending products, and was given 60 days to bring its business into compliance.

Hackers used the Log4j flaw to gain access before moving across a company's network, say security researchers

A North Korean hacking and cyber-espionage operation breached the network of an engineering firm linked to military and energy organisations by exploiting a cybersecurity vulnerability in Log4j.

First detailed in December, the vulnerability (CVE-2021-44228) allows attackers to remotely execute code and gain access to systems that use Log4j, a widely used Java logging library. The ubiquitous nature of Log4j meant cybersecurity agencies urged organisations globally to apply security updates as quickly as possible, but months on from disclosure, many are still vulnerable to the flaw.

According to cybersecurity researchers at Symantec, one of those companies that was still vulnerable was an undisclosed engineering firm that works in the energy and military sectors. That vulnerability resulted in the company being breached when attackers exploited the gap on a public-facing VMware View server in February this year. From there, attackers were able to move around the network and compromise at least 18 computers.

Analysis by Symantec researchers suggests that the campaign is by a group they call Stonefly, also known as DarkSeoul, BlackMine, Operation Troy, and Silent Chollima, which is an espionage group working out of North Korea.

Other cybersecurity researchers have suggested that Stonefly has links with Lazarus Group, North Korea’s most infamous hacking operation. But while Lazarus Group’s activity often focuses on stealing money and cryptocurrency, Stonefly is a specialist espionage operation that researchers say engages in highly selective attacks “against targets that could yield intelligence to assist strategically important sectors”, including energy, aerospace, and military.

“The group’s capabilities and its narrow focus on acquiring sensitive information make it one of the most potent North Korean cyber-threat actors operating today,” warn researchers at Symantec.

Stonefly has existed in some capacity since 2009, but in recent years it has doubled down on targeting highly sensitive information and intellectual property. This is achieved by deploying password-stealers and trojan malware on compromised networks.

In the case of the undisclosed engineering firm, the first malware had been dropped onto the network within hours of the initial compromise. Among the tools deployed in this incident was an updated version of Stonefly’s custom Preft backdoor malware. The payload is delivered in stages. When fully executed, it becomes an HTTP remote access tool (RAT) capable of downloading and uploading files and information, along with the ability to download additional payloads, as well as uninstalling itself when the malware is no longer needed.

Alongside the Preft backdoor, Stonefly also deployed a custom-developed information-stealer that the attackers planned to use as an alternative means of exfiltration.

Stonefly has been active for over a decade and it’s unlikely its attacks will stop soon, particularly as the group has a history of developing new tactics and techniques. While Stonefly is classified as a powerful state-backed hacking group, in this instance it didn’t need advanced techniques to breach a network; it simply took advantage of an unpatched critical security vulnerability.

To help make sure known vulnerabilities like Log4j can’t be exploited by state-backed hacking groups or cyber criminals, organisations should ensure that security updates for applications and software are rolled out as soon as possible. In the case of the firm above, this would have meant applying the patches for VMware servers, which were available before the attack happened.

Other cybersecurity measures, such as providing users with multi-factor authentication, can also help prevent attacks that take advantage of stolen passwords to move around networks.

Open-source security: It's too easy to upload 'devastating' malicious packages, warns Google

Google has detailed some of the work done to find malicious code packages that have been sneaked into bigger open-source software projects.

The Package Analysis Project is one of the software supply chain initiatives from the Linux Foundation’s Open Source Security Foundation (OpenSSF) that should help automate the process of identifying malicious packages distributed on popular package repositories, such as npm for JavaScript and PyPI for Python. It runs a dynamic analysis of all packages uploaded to popular open-source repositories. It aims to provide data about common types of malicious packages and inform those working on open-source software supply chain security about how best to improve it.

“Unlike mobile app stores that can scan for and reject malicious contributions, package repositories have limited resources to review the thousands of daily updates and must maintain an open model where anyone can freely contribute. As a result, malicious packages like ua-parser-js, and node-ipc are regularly uploaded to popular repositories despite their best efforts, with sometimes devastating consequences for users,” Caleb Brown of Google’s Open Source Security Team explains in a blogpost.

“Despite open-source software’s essential role in all software built today, it’s far too easy for bad actors to circulate malicious packages that attack the systems and users running that software.”

The Package Analysis project identified more than 200 malicious packages in one month, according to OpenSSF. For example, it found token theft attacks on Discord users that were distributed on PyPI and npm. The PyPI package “discordcmd”, for example, attacks the Discord Windows client via a backdoor downloaded from GitHub and installed on the Discord app to steal Discord tokens.

Attackers distribute malicious packages on npm and PyPI often enough that OpenSSF, of which Google is a member, decided the problem needed to be addressed. In March, researchers found hundreds of malicious packages on npm that were used to target developers using Microsoft’s Azure cloud, most of which were typosquatting and dependency confusion attacks. Both types are social-engineering attacks that exploit the repetitive steps developers go through when frequently updating a large number of dependencies. Dependency confusion attacks rely on unusually high version numbers for a package that in fact may have no previous version available.

OpenSSF says most of the malicious packages it detected were dependency-confusion and typo-squatting attacks. But the project believes most of these are likely the work of security researchers participating in bug bounties.

“The packages found usually contain a simple script that runs during install and calls home with a few details about the host. These packages are most likely the work of security researchers looking for bug bounties, since most are not exfiltrating meaningful data except the name of the machine or a username, and they make no attempt to disguise their behavior,” OpenSSF and Google note.

OpenSSF notes that any of these packages “could have done far more to hurt the unfortunate victims who installed them, so Package Analysis provides a countermeasure to these kinds of attacks.”

The recent Log4j flaw highlighted the general risks of software supply chain security in open source. The component was embedded in tens of thousands of enterprise applications and prompted a massive and urgent clean-up by the US government. Microsoft last week also highlighted the role of software supply chain attacks carried out by Russian state-backed hackers in connection with military attacks on Ukraine.

This February, Google and Microsoft pumped $5 million into OpenSSF’s Alpha-Omega Project to tackle supply chain security. The Alpha side works with maintainers of the most critical open-source projects, while the Omega side will select at least 10,000 widely deployed open-source programs for automated security analysis.

Dell targets multi-cloud ecosystem with cyber recovery and data analytics

Written by Aimee Chanthadavong, Senior Journalist

May 2, 2022 | Topic: Cloud

One year on from unveiling its Apex-as-a-service portfolio, Dell Technologies is bolstering the portfolio to move beyond infrastructure and target more workload-based solutions, with the launch of Apex Cyber Recovery. The service is designed to streamline the deployment of cyber recovery solutions through standardised configurations and recovery options.

“With Apex Cyber Recovery, customers can feel confident in the ability to recover from a destructive cyber attack and achieve more agility by offloading the day-to-day management of data protection. Customers get more resiliency from an isolated, immutable, and intelligent data vault,” Dell Apex product management vice president Chad Dunn told media during a briefing on Apex.

Apex Cyber Recovery is initially being made available in the US with plans for broader availability later this year.

The tech giant is also extending its reach in the multi-cloud ecosystem, starting with the release of PowerProtect Cyber Recovery for Microsoft Azure on the Azure Marketplace. Dell said it will allow organisations to deploy an isolated cyber vault in the public cloud, so that if recovery is necessary, they can recover back to their main corporate data centre, an Azure private network, or a clean environment within Azure.

The release comes off the back of Dell recently delivering a similar offering for Amazon Web Services (AWS). On AWS, Dell has announced the launch of CyberSense on AWS Marketplace, which uses analytics, metadata and machine learning to proactively detect, diagnose and speed up data recovery when an attack has occurred, as well as identify the last known uncorrupted copy of data to recover from.

Both PowerProtect Cyber Recovery for Microsoft Azure and CyberSense for Dell PowerProtect Cyber Recovery for AWS will be globally available in Q2.

Additionally, Dell has drummed up a new strategic partnership with Snowflake, so that joint customers can for the first time leverage Snowflake’s cloud-based analytics for on-premise data and gain more insights. Jon Siegal, the company’s ISG product marketing VP, explained that customers will be able to connect Dell’s object storage to Snowflake in two ways.

“The first way is by running Snowflake’s analytics against Dell’s on-premise object storage without moving the data to the cloud … it’s really for customers who don’t want to move their data to the cloud, whether it’s for compliance, security, control, data sovereignty reasons,” he said. “Secondly, customers that have the ability also to connect their on-prem Dell object storage to Snowflake by simply copying Dell’s on-premises object data to the Snowflake cloud, so it can be analysed in Snowflake’s cloud itself.”

Dell also took the opportunity to provide an update on Project Alpine, which was introduced at the start of the year. Siegal said that from the second half of this year, Dell will be introducing data mobility and the same consistent management experience across on-premise and public cloud environments. He added that customers will be able to “power up” their multi-cloud environments by leveraging Dell’s data services capabilities found in its storage platforms, such as PowerStore, PowerScale, PowerFlex, and ObjectScale.

How to make SSH even easier to use with config files

Written by Jack Wallen, Contributing Writer

Jack Wallen is what happens when a Gen Xer mind-melds with present-day snark. Jack is a seeker of truth and a writer of words with a quantum mechanical pencil and a disjointed beat of sound and soul.

Secure Shell (SSH) is one of those tools every Linux user will probably work with at some point. With SSH you can easily (and securely) log into remote servers and desktops to administer, develop, and check up on those machines.

Using SSH is as simple as:

    ssh jack@192.168.1.11

Or even just:

    ssh 192.168.1.11

Of course, you would exchange the IP address for the address (or domain) of the machine you need to access.

SSH gets a bit less simple when you have numerous machines you access with different configurations (such as different usernames or SSH authentication keys). Imagine if you had 20 or so different servers you had to log into daily. Not only would you have to keep track of the IP addresses or domains of those servers, but you’d also have to remember what usernames or authentication keys were used. That alone could get rather overwhelming.

Thankfully, SSH allows you to create a config file to house all of that information. So, instead of having to type something like ssh olivia@192.168.1.100 -p 2222, you could simply type ssh web1. Let me show you how this is done.

Creating the SSH config file

Log in to the Linux machine you use to SSH into all of those remote machines. Open a terminal window and create the new configuration file with the command shown in Figure A.

Figure A: Creating the new SSH config file with the help of nano.

Since this is a new file, it’ll be a blank canvas to which we can start adding configurations for servers. Let’s say you want to configure the following remote servers:

    web1 at 192.168.1.100 with user olivia
    db1 at 192.168.1.101 with user nathan and SSH key ~/.ssh/id_nathan
    docker1 at 192.168.1.102 with user lilly on port 2222

Our first entry will look like this:

    Host "web1"
    Hostname "192.168.1.100"
    User olivia

If you save and close the file at this point, you could SSH into 192.168.1.100 with the command:

    ssh web1

Let’s go ahead and configure the next two entries, which will look like this:

    Host db1
    Hostname "192.168.1.101"
    User nathan
    IdentityFile ~/.ssh/id_nathan
    PubkeyAuthentication yes

    Host docker1
    Hostname "192.168.1.102"
    User lilly
    Port 2222

Save and close the file. You can now secure shell into those machines with the commands:

    ssh web1
    ssh db1
    ssh docker1

You can use whatever nickname you need for each host, just make them memorable, so you don’t forget which machine you’re trying to reach and have to constantly reference the config file to jog your memory.

Let’s say, however, that you use the same username on all your remote servers, but a different username on your local machine. For example, your local machine username might be jack but you’ve created the admin user on all of your remote servers. You could create a single entry for all of those servers with a wildcard in the IP address like this:

    Host 192.168.1.*
    User admin

The above configuration would be placed at the top of your config file. You could then configure each server individually as needed, leaving out the User option. For example, if both servers at 192.168.1.200 and 192.168.1.201 use SSH key authentication, you could configure entries like so:

    Host web2
    Hostname 192.168.1.200
    IdentityFile ~/.ssh/id_admin
    PubkeyAuthentication yes

    Host web3
    Hostname 192.168.1.201
    IdentityFile ~/.ssh/id_admin
    PubkeyAuthentication yes

Because we applied user admin to the entire range of machines on IP address scheme 192.168.1.x, that username will be applied to all connections. You can also override that global configuration by adding a User configuration line on an as-needed basis.

The SSH config file allows for several other options (all of which can be read about in the official SSH config documentation), but the examples shown above should be everything you need to get going with the SSH config file. And that’s all there is to using the SSH config file to help make your remote access with Secure Shell even easier.
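The two rules that decide which of these blocks applies, worked through in Python as an added example (not code from the article or from OpenSSH; parse_config, host_matches and resolve are hypothetical names): a Host pattern is compared with the name typed on the command line, not with the Hostname a block sets, and the first value found for an option wins. Run on the article's wildcard layout, `ssh 192.168.1.200` resolves to user admin but the nickname `ssh web2` falls back to the local user; the second sample config keeps specific blocks first and lists the nicknames in a final catch-all.

```python
"""Resolve which ssh_config Host blocks apply to the name typed after `ssh`.
Added example, not code from the article or OpenSSH. It follows ssh_config(5):
Host patterns match the command-line name (not a block's Hostname), and the
first value found for an option wins, so specific blocks go before catch-alls.
"""
import re
import shlex

# Constructed sample: the article's entries, wildcard block at the top as the
# article places it. The quotes around "web1" are the article's; shlex strips
# them the way OpenSSH's parser does.
ARTICLE_CONFIG = """
Host 192.168.1.*
    User admin

Host "web1"
    Hostname "192.168.1.100"
    User olivia

Host docker1
    Hostname 192.168.1.102
    User lilly
    Port 2222

Host web2
    Hostname 192.168.1.200
    IdentityFile ~/.ssh/id_admin
"""

# Constructed sample: specific blocks first, one catch-all last whose pattern
# list also covers the nicknames, so `ssh web2` gets the admin user as well.
REORDERED_CONFIG = """
Host web1
    Hostname 192.168.1.100
    User olivia

Host web2
    Hostname 192.168.1.200
    IdentityFile ~/.ssh/id_admin

Host web* 192.168.1.*
    User admin
"""

def _pattern_regex(pattern):
    """ssh patterns know only '*' and '?'; everything else is literal."""
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)
    return re.compile("^" + body + "$", re.IGNORECASE)

def host_matches(name, patterns):
    """True if any pattern matches; a matching '!pattern' vetoes the block."""
    matched = False
    for pat in patterns:
        if _pattern_regex(pat.lstrip("!")).match(name):
            if pat.startswith("!"):
                return False
            matched = True
    return matched

def parse_config(text):
    """Return [(patterns, {option: value}), ...] in file order; options seen
    before the first Host line belong to an implicit 'Host *' block."""
    blocks = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()                  # drop comments
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key = parts[0].lower()                               # keywords are case-insensitive
        args = shlex.split(parts[1]) if len(parts) > 1 else []
        if key == "host":
            blocks.append(([p for a in args for p in a.split(",") if p], {}))
        else:
            blocks[-1][1][key] = " ".join(args)
    return blocks

def resolve(config_text, name, local_user):
    """Options ssh would use for `ssh <name>`; the first value found wins."""
    opts = {}
    for patterns, block in parse_config(config_text):
        if host_matches(name, patterns):
            for key, value in block.items():
                opts.setdefault(key, value)      # earlier blocks take precedence
    opts.setdefault("hostname", name)            # ssh defaults when nothing set
    opts.setdefault("port", "22")
    opts.setdefault("user", local_user)
    return opts
```

OpenSSH itself will show the same resolution for any name with `ssh -G -F ~/.ssh/config web2`, which prints the options it would use without connecting.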
