More stories

  • Linux secure networking security bug found and fixed

    Nothing is quite as vexing as a security hole in a security program. Xiaochen Zou, a graduate student at the University of California, Riverside, went looking for bugs in Linux and found a whopper. This vulnerability, CVE-2022-27666, in IPSec’s esp6 (Encapsulating Security Payload) crypto module can be abused for local privilege escalation.

    The problem is your basic heap overflow hole. Xiaochen explained that “the basic logic of this vulnerability is that the receiving buffer of a user message in esp6 module is an 8-page buffer, but the sender can send a message larger than 8 pages, which clearly creates a buffer overflow.” Yes, yes it will. As buffer overflows always are, this is bad news. As Red Hat puts it in its security advisory on the bug, “This flaw allows a local attacker with a normal user privilege to overwrite kernel heap objects and may cause a local privilege escalation threat.” This is bad enough that both Red Hat and the National Institute of Standards and Technology (NIST) give the hole a high Common Vulnerability Scoring System (CVSS) score of 7.8. Or, as I like to call vulnerabilities with such high scores, it’s a “Fix it now!” bug.

    Red Hat also noted that if a Linux system is already using IPsec and has IPsec Security Associations (SAs) configured, then no additional privileges are needed to exploit the hole. Since almost everyone uses IPsec, and SAs are essential to the protocol, this means pretty much everyone with the vulnerable code in their Linux distro is open to attack. Xiaochen has found that the latest Ubuntu, Fedora, and Debian Linux distros can be hacked with it. Red Hat reports that Red Hat Enterprise Linux (RHEL) 8 is vulnerable. Specifically, if your kernel’s esp6 crypto module contains the 2017 commits cac2661c53f3 and 03e2a30f6a27, it’s attackable.

    Usually, such an attack can knock a Linux system offline. Xiaochen dug into it deeper and found more. On his hunt, he found a way to get around Kernel Address-space Layout Randomization (KASLR). KASLR, as the name says, makes it harder to exploit memory vulnerabilities by placing processes at random, rather than fixed, memory addresses. Then, after hanging the process, an attacker can use Filesystem in User Space (FUSE) to create his own filesystem and map memory on it. Consequently, all the reads and writes going through that memory will be handled by his own filesystem. Once that’s done, it’s relatively trivial to get root on the system. And, as we all know, once the attacker has root, it’s game over. The attacker is now in charge of the computer.

    The good news is that the fix is now available on Ubuntu, Debian, the Linux kernel, and most other distros. Now get patching!

  • Meet BlackGuard: a new infostealer peddled on Russian hacker forums

    Researchers have uncovered a new infostealer malware being peddled in Russian underground forums. Dubbed BlackGuard, Zscaler says that the new malware strain is “sophisticated” and has been made available to criminal buyers for a monthly price of $200.

    Infostealers are forms of malware designed to harvest valuable data, potentially including operating system information, contact lists, screenshots, network traffic, and online account credentials, including those used to access financial services and banking.

    A range of malicious software and exploit kits are sold every day underground, some of which are purchased outright. Others are offered on a malware-as-a-service (MaaS) basis: subscribers pay on a weekly, monthly, or yearly basis, and the developer keeps their malicious creations updated in return. Perhaps to build a customer base for this malware, or to generate cash quickly, BlackGuard is also being sold for $700 in return for a lifetime subscription.
    According to the cybersecurity researchers, BlackGuard can steal information, including saved browser credentials and history, email client data, FTP accounts, autofill content, conversations in messenger software, cryptocurrency credentials, and other account information. Messengers targeted include Telegram, Signal, Tox, Element, and Discord.

    When it comes to cryptocurrency theft, the malware will target files such as wallet.dat that may contain wallet addresses and private keys. BlackGuard may also go after Chrome and Edge cryptocurrency wallet browser extensions. Written in .NET, the infostealer is still in active development but is already equipped with a crypto-based packer, base64 decoding, obfuscation, and anti-debugging capabilities to make reverse-engineering more difficult. Once it lands on a vulnerable machine, the malware will also check the operating system’s processes and will try to stop any activities related to antivirus software or sandboxing.

    The infostealer is also selective when it comes to its targets. For example, the malware will exit if the OS appears to be located in a CIS country, such as Russia, Belarus, or Azerbaijan. If an exit isn’t necessary, the infostealer then grabs all of the information it can, packages it up into a .zip archive, and sends it to a command-and-control (C2) server through a POST request.

    “While applications of BlackGuard are not as broad as other stealers, BlackGuard is a growing threat as it continues to be improved and is developing a strong reputation in the underground community,” the researchers say.

    Infostealers can be used on their own or packaged up with other forms of malware, such as Trojans or ransomware variants. In other malware news, researchers from Aqua Security have recently uncovered a new strain of ransomware designed to target Jupyter Notebook environments.

  • FBI efforts to disrupt business email compromise scams leads to 65 arrests

    A major business email compromise (BEC) scheme which has cost victims millions of dollars has been disrupted in an international operation coordinated by the FBI. Over a period of three months starting in September 2021, ‘Operation Eagle Sweep’ resulted in the arrest of 65 suspects. Arrests were made in the United States, as well as 12 in Nigeria, eight in South Africa, two in Canada, and one in Cambodia.

    The operation targeted scammers who were believed to be behind business email compromise attacks targeting over 500 victims in the United States, which caused losses of at least $51 million. BEC attacks see cyber criminals use social engineering to trick an employee at a business into transferring a large sum of money to an account controlled by the scammers. Common techniques used in BEC attacks include sending emails designed to look like urgent requests for payment from your boss or a colleague. Cyber criminals have also been known to use phishing emails to hack into email accounts and monitor communications around real business deals and contracts, waiting until the deal is about to be completed before sending an email from the compromised user which asks for the real payment, but directs it into a bank account owned by the attackers.

    While many of these campaigns target businesses to make off with hundreds of thousands or millions of dollars at once, the FBI says that the same criminal groups which carry out BEC attacks also target individuals, including homebuyers and the elderly. Romance scams also follow a similar model. According to the Internet Crime Complaint Center (IC3), victims of BEC attacks reported total losses of nearly $2.4 billion in 2021.

    “The FBI works tirelessly with our domestic and international partners to disrupt and dismantle criminal enterprises, to stop the victimization of U.S. citizens and businesses, and to impose real consequences on cybercriminals using our unique authorities and enduring partnerships,” said Assistant Director Bryan Vorndran of the FBI’s Cyber Division. “Our message to criminals involved in these BEC schemes will remain clear: We will pursue you no matter where you may be located. The public we serve deserves nothing less,” he added.

    Law enforcement agencies around the world helped conduct investigations and arrests. Those working alongside the FBI and U.S. Postal Inspection Service include the Nigerian Economic and Financial Crimes Commission, South African Police Service, Toronto Police Service, Cambodian National Police, as well as law enforcement agencies in Australia and Japan. Microsoft Corporation’s Digital Crimes Unit also provided assistance.

  • Google: Multiple hacking groups are using the war in Ukraine as a lure in phishing attempts

    Hostile hacking groups are exploiting Russia’s invasion of Ukraine to carry out cyberattacks designed to steal login credentials, sensitive information, money and more from victims around the world. According to cybersecurity researchers at Google’s Threat Analysis Group (TAG), government-backed hackers from Russia, China, Iran and North Korea, as well as various unattributed groups and cyber-criminal gangs, are using various themes related to the war in Ukraine to lure people into becoming victims of cyberattacks. 

    In just the last two weeks alone, Google has seen several hacking groups looking to take advantage of the war to fulfil their malicious aims, whether that’s stealing information, stealing money, or something else.

    Among these is a Russia-based hacking group that Google refers to as Coldriver, also known as Calisto. Its targets have included several US-based NGOs and think tanks, the militaries of multiple Eastern European countries, the military of a Balkans country, a Ukraine-based defense contractor, as well as a NATO Centre of Excellence. The campaigns use newly created Gmail accounts to send phishing emails. The links are designed to steal usernames and passwords from victims, something that the attackers could use to commit espionage or potentially plant malware.

    Another hacking threat that Google says is attempting to exploit the Russian invasion of Ukraine is Ghostwriter, a cyber-threat group working out of Belarus. Ghostwriter’s phishing attacks simulate a browser within the browser in order to spoof legitimate domains, exploiting this to host websites designed to steal login credentials. Once a user enters their username and password, the details are sent to a domain controlled by the attacker, where they are stored and can be exploited to conduct further attacks in future.

    Google also warns about campaigns by a hacking group referred to as Curious Gorge, which is linked to the People’s Liberation Army Strategic Support Force, the cyber and electronic warfare branch of the Chinese military. According to TAG, Curious Gorge is using lures related to Russia’s invasion of Ukraine and has conducted campaigns against government and military organizations in Ukraine, Russia, Kazakhstan, and Mongolia.

    But it isn’t just governments that are looking to exploit the interest and confusion around the war to commit cyberattacks. Criminals have been getting in on the action, too. Google notes that one cyber-criminal operation is impersonating military personnel and demanding payments for rescuing relatives stuck in Ukraine.

    “We’ll continue to take action, identify bad actors and share relevant information with others across industry and governments, with the goal of bringing awareness to these issues, protecting users and preventing future attacks,” said Billy Leonard, security engineer at Google’s Threat Analysis Group. Google notes that ransomware groups are still operating as normal.

  • Cybersecurity managers with a direct line to executive boards set the tone for investment: Study

    A new report examines how an organization’s approach to cyberattack incident and response strategies can have implications for investment in the broader cybersecurity market. On Thursday, financial services and credit rating provider Moody’s published new research, including a survey of financial services, enterprise firms, infrastructure providers, public sector organizations, and government entities.

    Out of roughly 5,000 issuers asked to complete the survey, conducted between April 2020 and April 2021, 1,300 responded. According to the researchers, many organizations involved in the market today — including global debt issuers — are increasing their investments in cybersecurity, but their “preparedness levels and defensive capabilities vary widely.”

    It only takes one successful cyberattack to severely damage an organization’s reputation, finances, and share price. One incident alone can open up a company to scrutiny by shareholders and regulators, and lawsuits are also a factor, whether launched by investors or class-action consumers impacted by a breach. Moody’s researchers say that “cybersecurity governance sets the tone for an issuer’s overall cyber strategy.” The report states: “To date, the cost of cyber events has generally been manageable for issuers we rate and has only rarely resulted in lasting financial harm or reputational damage. However, as the cost of these attacks continues to rise, the importance of cyber preparedness grows.”

    Out of those surveyed, 93% now have a cybersecurity manager who reports directly to the board. However, their importance in a company varies.

    Managers in financial companies were far more likely to report directly to business leaders (71%) than corporates, infrastructure firms, or public entities, at 61%, 57%, and 50%, respectively. “A direct line to the CEO supports more frequent interactions between the cyber manager and the executive team,” Moody’s noted. “This fosters greater awareness and understanding of cyber risk within an organization and typically translates into more support for an enterprise-wide risk management approach.”

    In addition, when a breach occurs, disparities in data breach transparency and guidelines “can leave key stakeholders with little information about a matter of growing importance.”

    Recent high-profile supply chain attacks, including one experienced by Kaseya, have prompted a focus on addressing vulnerabilities and risk factors associated with these types of security incidents. Moody’s expects “this matter to remain a top priority.” However, while survey data shows that basic defense practices appear to be rising, the use of more ‘advanced’ and robust solutions is “lagging.”

    “Our survey results show a strong correlation between the closeness of the reporting structure between the cyber manager and the executive suite, and the amount of budget and resource allocation to cybersecurity,” Moody’s says. “Survey responses also show that more cyber expertise at the board of directors level correlates well with the adoption of more advanced cyber defense practices.”

    Cybersecurity insurance is now becoming a more common investment in today’s businesses. In the US, standalone cybersecurity insurance is held by roughly 57% of issuer organizations, slightly above those in the EMEA region at 54%. Approximately 41% of those surveyed said they held these insurance policies in other regions.

  • Singapore, US expand bilateral economic cooperation to include AI governance

    Singapore and the US have agreed to expand their economic cooperation to include artificial intelligence (AI) governance and cybersecurity initiatives involving other Asean markets. The two nations also will collaborate on sustainable infrastructure projects. The announcements come on the sidelines of Singapore Prime Minister Lee Hsien Loong’s visit to the United States this week, where he met with US President Joe Biden.  Both countries signed new Memorandums of Understanding (MOUs) to expand bilateral cooperation outlined in the Singapore-US Partnership for Growth and Innovation, which was first signed last October. The partnership agreement aimed to establish “inclusive growth” for both economies and regions, according to Singapore’s Ministry of Trade and Industry (MTI).

    It encompasses collaborative efforts in the digital economy and smart cities, energy and environmental technologies, advanced manufacturing and supply chain resilience, as well as healthcare. Under the agreement, both nations aim to develop common technical standards and build more “trustworthy and interoperable” systems.

    This week’s MOUs looked at new areas of cooperation, the Singapore ministry said. First, Singapore’s Infocomm Media Development Authority (IMDA) and the US Department of Commerce (DOC) would jointly develop interoperable AI governance frameworks and drive the adoption of ethical AI. The two government agencies would co-organise mapping exercises, workshops, and various events with participation from both Singapore and US organisations. DOC and MTI also would collaborate on cybersecurity best practices, including regional capacity building efforts on smart nations via the Asean-Singapore Cybersecurity Centre of Excellence. In addition, MTI, Enterprise Singapore, and Singapore’s Economic Development Board would support DOC’s advanced manufacturing trade mission efforts in Singapore as well as other Asian markets, such as Indonesia. These US-led trade missions aimed to promote standards to boost manufacturing resiliency and facilitate new partnerships between the Singapore and US private sectors.

    Minister for Communications and Information and Second Minister for Home Affairs Josephine Teo said: “The digital pillar of the [Singapore-US Partnership for Growth and Innovation] reflects how the bilateral relations between our countries are advancing in emerging areas of cooperation. This will enable inclusive participation by our companies and people in the growing digital economies in our countries and regionally. One practical example of our digital cooperation is on aligning our respective AI governance frameworks. Companies can expect to deploy AI across borders with greater ease, to seize innovation opportunities while managing the risks.”

    Since it was inked last October, the bilateral economic agreement has established various plans that included regional development of digital trade standards and participation in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules System, which aims to facilitate global interoperability between different data privacy regimes.

    Both nations earlier this week also renewed and expanded their collaboration on infrastructure development, which now would include green and sustainable infrastructure projects in the region. The partnership also would explore new approaches to “mobilise” participation within the private sector, such as via a clean energy roundtable involving businesses from Singapore, the US, and Asia. Singapore and the US also agreed to deepen their collaboration in new areas that included renewable energy as well as carbon capture, utilisation, and storage (CCUS).

  • Microsoft: These are the Windows Update policies to use for your PCs (and rollercoasters)

    Microsoft has detailed how you should use Windows Update policies to keep your devices updated and secure, from single-user devices right through to kiosks and billboards – and rollercoasters.

    The tech giant’s first bit of advice for admins using Windows Group Policy to manage enterprise Windows 10 and Windows 11 devices is don’t mess too much with the defaults.

    Admins shouldn’t try too hard to customize device security patching and feature updates because the defaults are “often the best”, according to Microsoft. This focus on defaults keeps users happy and productive, while ensuring devices are patched and up to date.

    Admins can use Group Policy to control the timing of updates for Patch Tuesday, emergency patches, and new feature releases of Windows. The default for Windows Update in the enterprise is much like the experience for consumers on Windows PCs. But there are many other ways Windows and Windows Update are used to keep all manner of devices operational when needed and also patched regularly during downtime.

    The default Windows Update policy is for devices to scan daily, automatically download and install any applicable updates “at a time optimized to reduce interference with usage, and then automatically try to restart when the end user is away,” according to Microsoft senior program manager Aria Carley. “Leverage the defaults!” Carley said. But there are so many use cases for Windows that the defaults can’t cover every scenario. Besides single-user personal Windows devices, there are: multi-user devices; education devices; kiosks and bank ATMs; factory machines, rollercoasters, and critical infrastructure; and Microsoft Teams Rooms devices.

    While the defaults are a good baseline, Carley offers details about how to use Group Policy to tweak the timing of automatic updates for each use case. She’s also compiled a list of 25 Group Policy settings that admins should not use. For use cases where Group Policy can be used, admins can specify “the number of days before an update is forced to install” during active hours, when the user may be present. This is applicable to single-user devices that could be connected to the corporate network or used remotely. Microsoft recommends the use of deadlines because of heightened security risks from ransomware and destructive malware. The US Cybersecurity and Infrastructure Security Agency (CISA) is concerned destructive malware may target US organizations due to US sanctions on Russia over its invasion of Ukraine.

    Multi-user devices like HoloLens or a PC in a lab or library setting may have set periods in which they are used, such as a building’s opening hours. Updating these at midnight, when staff are away, could be ideal. For education devices, admins can ensure Windows Update notifications or automatic reboots don’t happen during the school day. To do this while remaining patched, admins can check the new Group Policy box option “Apply only during active hours”. However, this feature is currently only for devices in the Windows Insider Program for Business in the Dev or Beta channels. Microsoft notes: “For those on Windows 10 or Windows 11, version 21H2 devices, we do not recommend configuring this and instead recommend leveraging the default experience.”

    Another relevant Group Policy setting is “Turn off auto-restart for updates during active hours”, which overrides Microsoft’s default “intelligent active hours” – a measure that is calculated on the device based on user usage.

    For things like kiosks, billboards and ATMs, owners may wish for no notifications or auto reboots, and prefer to reboot during ‘low visibility’ hours. There are four relevant policies for these devices to avoid notifications that would be useless and disruptive to passive users, as well as reboots during typical active hours. Admins have an option to set the update to occur at 3AM daily, the assumed low visibility hour.

    There are some devices that you might not think of as needing a Windows Update, but even admins of factory devices, rollercoasters and critical infrastructure get advice around how to manage automatic update behavior if needed. As Carley notes: “Machines on the factory floor, rollercoasters at amusement parks, and other critical infrastructure can all require updates. Given the criticality of these devices, it is pivotal that they stay secure, stay functional, and are not interrupted in the middle of a task. Often these are some of the devices in the final wave when rolling out an update after everything else has been validated.” Carley adds: “Note: This is one of the only use cases where compliance deadlines are not recommended given automatic updates are never acceptable in this scenario.”


  • Globant admits to data breach after Lapsus$ releases source code

    Globant has admitted to a data breach after notorious hacking group Lapsus$ allegedly leaked the firm’s source code.


    Globant is an IT and software development giant. Founded in 2003, the company caters to a global customer base and operates Globant X, an innovation incubator.

    On March 30, Lapsus$ came back from a ‘vacation’ with a new victim pinned in the hacking group’s Telegram chat: Globant. The cybercriminals are alleged to have compromised the tech giant’s system, stealing credentials and intellectual property. Lapsus$ then published a torrent containing approximately 70GB of data, allegedly including source code belonging to their latest victim.

    In response, Globant said in a statement that a “limited section of our company’s code repository has been subject to unauthorized access.” “According to our current analysis, the information that was accessed was limited to certain source code and project-related documentation for a very limited number of clients,” Globant says. “To date, we have not found any evidence that other areas of our infrastructure systems or those of our clients were affected.” Globant added that an investigation is underway and the firm is “taking strict measures to prevent further incidents.”

    Other high-profile organizations connected to Lapsus$ attacks are Okta and Sitel. First, Okta was the subject of screenshots circulated online by the hacking group on March 22. Okta pointed the finger at Sitel, a third-party Okta subprocessor, as the source of the security incident, which happened in January. Okta said that up to 366 customers might have been impacted by the security breach, adding that the company “made a mistake” in not informing clients sooner.

    The FBI has now placed Lapsus$ on its Most Wanted list and seeks information on the group’s members. Earlier this month, UK law enforcement arrested seven teenagers, the youngest being 16 years old, who are suspected of being involved in a criminal hacking group. A 16-year-old from Oxford has also been accused of having ties with Lapsus$, but no formal connection has been made to the operation.