More stories


    Spring4Shell flaw: Here's why it matters, and what you should do about it

    Microsoft has weighed in on Spring4Shell, a recently discovered flaw in the Spring Framework for Java. Microsoft is telling customers of its Azure cloud service to patch the recently disclosed bug, a critical-rated remote code execution (RCE) vulnerability that has been tagged as CVE-2022-22965 and dubbed SpringShell or Spring4Shell, a twist on the dire Log4Shell bug affecting a Java-based application logging utility.

    While there was initial debate about how serious the bug is, sleuthing by security researchers in the days after the flaw was discovered revealed that Spring4Shell was indeed a serious bug that warranted attention. The US Cybersecurity and Infrastructure Security Agency (CISA) on April 1 urged all US organizations, including federal agencies, to patch it immediately. On April 4, CISA added the bug to its catalog of known exploited vulnerabilities, which requires federal agencies to patch it within a deadline.

    The Spring Framework is “the most widely used lightweight open-source framework for Java,” Microsoft notes. The bug affects systems running the Java Development Kit (JDK) version 9.0 or later if they also use Spring Framework versions 5.3.0 to 5.3.17, 5.2.0 to 5.2.19, and earlier versions.

    “In Java Development Kit (JDK) version 9.0 or later, a remote attacker can obtain an AccessLogValve object through the framework’s parameter binding feature and use malicious field values to trigger the pipeline mechanism and write to a file in an arbitrary path, if certain conditions are met,” Microsoft’s Defender threat intelligence team reports.

    Other conditions required for exploitation are that Apache Tomcat serves as the Servlet container and that the app is packaged as a traditional Java web archive (WAR) and deployed in a standalone Tomcat instance. However, Spring Boot is most commonly deployed with an embedded Servlet container or reactive web server, which are not impacted. “Any system using JDK 9.0 or later and using the Spring Framework or derivative frameworks should be considered vulnerable,” Microsoft notes.

    Microsoft notes that the only working exploit, a proof of concept, can only be used remotely against a Tomcat server via its logging module using certain commands. An attacker can change the default access log to whatever file they want by issuing requests to the server over the web, and can then change the contents of a web server or application.

    Just like Log4Shell, Spring4Shell’s impact is felt through its inclusion in other products. Hypervisor firm VMware, for example, warned it affected its Tanzu services for virtual machines and container software.

    “The current exploit leverages the same mechanism as in CVE-2010-1622, bypassing the previous bug fix. Java 9 added a new technology called Java Modules,” Microsoft assesses. “An accessor was added to the Class object, called getModule(). The Module object contains a getClassLoader() accessor. Since the CVE-2010-1622 fix only prevented mapping the getClassLoader() accessor of Class objects, Spring mapped the getClassLoader() accessor of the Module object. Once again, one could reference the class loader from Spring via the class.module.classLoader parameter name prefix.”

    Security teams interested in researching the subject can refer to this user post on GitHub. The team behind Spring has also explained the patch and vulnerability here.
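    As an added example (not code from the article, from Microsoft or from the Spring project), the following Python turns the exposure conditions listed above into a triage check for a host inventory, and flags request parameters that begin with the class.module.classLoader binding prefix in constructed sample access-log lines. The log format and the inventory values are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Affected Spring Framework ranges as the article states them: 5.2.x up to
# 5.2.19 and 5.3.x up to 5.3.17; branches older than 5.2 count as affected.
AFFECTED_MAX_PATCH = {(5, 2): 19, (5, 3): 17}

# Binding-path prefix named in the article (class.module.classLoader).
# Compared case-insensitively so capitalised spellings are caught as well.
PREFIX = "class.module.classloader"


def spring_affected(version: str) -> bool:
    """True if a Spring Framework version string is in an affected range."""
    major, minor, patch = (int(p) for p in re.findall(r"\d+", version)[:3])
    if (major, minor) in AFFECTED_MAX_PATCH:
        return patch <= AFFECTED_MAX_PATCH[(major, minor)]
    return (major, minor) < (5, 2)


def is_exposed(jdk_major: int, spring_version: str,
               container: str, packaging: str) -> bool:
    """Apply the article's preconditions for the known exploit: JDK 9 or
    later, an affected Spring version, Apache Tomcat as the Servlet
    container and a traditional WAR deployment. Spring Boot with an
    embedded container (jar packaging) is out of scope per the article."""
    return (jdk_major >= 9
            and spring_affected(spring_version)
            and container.casefold() == "tomcat"
            and packaging.casefold() == "war")


def suspicious_params(query_string: str) -> list[str]:
    """Return decoded parameter names that start with the binding prefix."""
    hits = []
    for pair in query_string.split("&"):
        name = unquote_plus(pair.split("=", 1)[0])
        if name.casefold().startswith(PREFIX):
            hits.append(name)
    return hits


# Constructed sample access-log lines (hypothetical, not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - "GET /app/search?q=shoes&page=2 HTTP/1.1" 200',
    '10.0.0.9 - - "GET /app/user?Class.module.classLoader.x=1 HTTP/1.1" 400',
    '10.0.0.9 - - "POST /app/user?class%2Emodule%2EclassLoader.y=z HTTP/1.1" 400',
]

# Pulls the query string out of the quoted request line of the sample format.
REQUEST_RE = re.compile(r'"(?:GET|POST) \S*\?(\S+) HTTP/')


def scan_log(lines: list[str]) -> list[str]:
    """Return log lines whose query string carries a suspicious parameter."""
    flagged = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and suspicious_params(m.group(1)):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    print("exposed:", is_exposed(11, "5.3.17", "Tomcat", "war"))
    for line in scan_log(SAMPLE_LOG):
        print("flagged:", line)
```

    Access logs only carry query-string parameters, so parameters sent in a POST body need application-level or WAF logging before a check like this can see them. A negative result from is_exposed also says nothing about derivative frameworks, which the article says should be considered vulnerable as well.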


    GitHub now scans for secret leaks in developer workflows

    GitHub has introduced a new scanning feature for protecting developers from accidental secret leaks.

    On April 4, the Microsoft-owned code repository said the GitHub Advanced Security suite has been upgraded with a new push protection feature to prevent the leak of secrets that could compromise organization-owned projects. GitHub Advanced Security is a licensed business product including code scanning, supply chain attack protection, and Dependabot alerts.

    The new feature is an optional check for developers to use during their workflows before a git push is accepted. As of now, the scan will only check for “highly identifiable patterns” of potential leaks based on the collaborative efforts of GitHub and partner organizations, including token issuers. There are 69 patterns in total that the tool will check for as potential indicators of secret leaks. In addition, over 100 different token types are checked. These include those issued by Alibaba Cloud, Amazon, AWS, Azure, npm, Slack, and Stripe. GitHub says that over 700,000 secrets across thousands of private repositories have been detected to date.

    If push protection is enabled, a scan will check for high-confidence leak patterns. If a pattern flags up, the push is blocked. According to the company, there has been a low false-positive rate during testing. “If a secret is identified, developers can review and remove the secrets from their code before pushing again,” GitHub explained. “In rare cases where immediate remediation doesn’t make sense, developers can move forward by resolving the secret as a false positive, test case, or real instance to fix later.” Open security alert cases are automatically generated if instances are selected as issues to be resolved after a push. The new feature can be enabled in the suite’s user interface or via the API.

    “By scanning for highly identifiable secrets before they are committed, we can, together, shift security to being proactive instead of reactive and prevent secrets from leaking altogether,” GitHub commented.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Fake versions of real smartphone apps are being used to spread malware. Here's how to stay safe

    Cyber criminals are copying legitimate smartphone applications and injecting them with malicious code to spy on users and steal personal data including bank information, passwords, photos and more. According to cybersecurity company Pradeo’s Mobile Security Report 2022, there are more than 700 websites which operate as third-party download stores outside of the official app marketplaces.

    Third-party app stores mostly cater for Android smartphone users, because the open nature of Google’s ecosystem means that it’s easier to download apps from outside of Google’s Play Store. But some of these third-party sites don’t check the content of apps, and some are specifically designed for illicit purposes, providing cyber criminals with an avenue for tricking users into downloading malicious apps containing malware.

    In many cases, researchers warn, crooks are making direct copies of original applications but tampering with the code to add malicious features. Often the copied apps claim to be offering users additional features or a premium subscription, but in reality they’re just knock-offs designed to steal data from victims. Some of the popular apps being faked to help spread spyware include streaming services, VPN providers and anti-virus software.

    Cyber criminals often use phishing emails to direct their victims towards malicious downloads, but many can also be found using search engines, particularly if users are specifically looking for free or cracked versions of apps. Information the crooks are after includes passwords, messages, photos, contact lists, digital wallets and more. The very nature of how people use smartphones makes them a prime target for stealing personal data which can be exploited by cyber criminals and cause ongoing problems for the victim.

    Downloading applications claiming to be well-known services from third-party sites can be potentially risky, particularly if the app promises to be free even though the service is usually accessed via a paid subscription. Users should always be cautious about offers like this which appear to be too good to be true, because the offer is potentially just a gimmick designed to attract downloads in order to install malware on as many phones as possible. For example, the security researchers said they found hundreds of fake versions of the Netflix app online, of varying sophistication, which actually contained adware, spyware or malware. Another warning sign that an app might be fake: one version claimed to allow the user to watch shows which are exclusive to a rival streaming service.

    One of the best ways to stay safe from malicious apps is to only download apps from the official app stores. Users who suspect they may have downloaded a malicious app are recommended to reset their device and to monitor their accounts for signs of suspicious activity which could be attempting to exploit stolen data.


    Singapore looks to drive maritime innovation, cybersecurity resilience

    Singapore has unveiled plans to drive innovation and beef up cybersecurity resilience in its maritime industry. These new initiatives will include a roadmap to guide organisations in the sector to trial additive manufacturing practices.  Maritime and Port Authority of Singapore (MPA) said Tuesday it would continue to boost research and development (R&D) efforts as well as pilots in maritime technologies. It also would look to develop maritime cybersecurity capabilities, so the industry had the resilience and infrastructure to manage disruptions. Specifically, it introduced a report that aimed to provide a roadmap to help organisations trial new practices in additive manufacturing. The new report outlined maritime additive manufacturing capabilities in Singapore as well as learning points from previous trials and adoption processes. 

    The document was jointly developed by MPA, National Additive Manufacturing Innovation Cluster, and Singapore Shipping Association (SSA). To further drive digital transformation in the sector, MPA said the Sea Transport Industry Digital Plan had been expanded to allow some 3,000 small and midsize businesses (SMBs) in all sea transport market segments to apply for co-funding assistance. This would include SMBs in subsectors such as ship brokers, marine surveyors, and ship operators, which can now apply to receive funding support for the adoption of pre-approved digital tools.

    SSA also inked an agreement with seven industry players, including Eastport Maritime, Ocean Network Express, and Orient Maritime Agencies, to boost the local sector’s cybersecurity capabilities. The collaboration would see the establishment of a maritime cybersecurity roundtable, during which participants would recommend initiatives aimed at improving maritime cybersecurity partnership. These would include data sharing, boosting local maritime cyber skillsets, and driving greater awareness as well as access to digital maritime tools and skills. This roundtable was slated to kick off its first meeting later this year, according to MPA.

    “As we digitalise more of our processes, we open up more nodes that could be exploited, including those with capabilities to mount sophisticated attacks on critical infrastructure,” said Singapore’s Senior Minister of State for Transport Chee Hong Tat, at the opening of the MarineTech Conference held Tuesday. “Cybersecurity is part of our overall security.”

    Noting that the city-state had been stepping up efforts to drive maritime cybersecurity, Chee said: “It is a requirement for maritime cyber risk management to be incorporated into the safety management systems of companies operating Singapore-flagged vessels. The Maritime Cluster Fund also provides co-funding support for cybersecurity training courses to ensure our workers are aware of such risks and have the knowledge and skills to protect themselves from these attacks.”

    He noted that MPA had been working with its peers through the Port Authorities Chief Information Officer Cybersecurity Network to share data and best practices. The minister added that the new maritime cybersecurity roundtable would look at initiatives over the next three years to boost Singapore’s cybersecurity defence and maritime cybersecurity skills.

    New agreements also were inked between Skyports, Wilhelmsen Ships Service, and Thome Group, to further push the commercialisation of maritime ship-to-shore delivery services in Singapore. In addition, the initiatives would look to develop the necessary infrastructure to support these services for all industry stakeholders. These would include trials of proof-of-concept operations that could lead to the operationalisation of drone delivery services in maritime. For example, Skyports would deploy Beyond Visual Line of Sight (BVLOS) deliveries from the Maritime Drone Estate to vessels at pre-identified anchorages.

    In addition, a three-year agreement has been inked between the Singapore Maritime Institute and Research Institutes of Sweden in maritime R&D. This research collaboration will cover maritime informatics, supply chain innovation, decarbonisation and sustainability, and safety and security.

    Chee said: “The pandemic has accelerated the adoption of new technologies by businesses and individuals, and opened up new collaborations across geographies and sectors. This provides opportunities for maritime technology companies to ‘start-up’ and ‘scale-up’.” He said the country aspired to be the Silicon Valley for maritime technology, focusing on digitalisation, innovation, and partnerships.


    US judge sentences men for $1.5 million Apple Gift Card scam

    A US judge has sentenced two men for operating an Apple Gift Card scam that netted them over $1.5 million. On Monday, the US Department of Justice (DoJ) said Syed Ali and Jason Tout-Puissant, aged 29 and 27 respectively, were sentenced after admitting to the scam in 2019.

    Both pleaded guilty to wire fraud. Ali was sentenced in October 2021 by Texas US District Judge David Godbey, and Tout-Puissant has now joined his co-conspirator, having been sentenced by the same judge this week.

    Often, gift card scams are associated with fake romance scams and cold calls, in which criminals pretend to be an antivirus provider or a tax organization. These scam artists demand payment made in gift cards purchased from Apple, Google, or other vendors. In this case, however, Tout-Puissant physically stole numerous point-of-sale (PoS) devices from an Apple store in Texas. He then sat outside, logged into the store’s Wi-Fi network, and stole store credits before loading them onto virtual gift cards.

    The gift cards were loaded onto Apple Passbook, now known as Apple Wallet. The software can be used to store and share gift cards, boarding passes, tickets, and vouchers. Once Tout-Puissant loaded the gift cards, he then generated a QR code for the card’s value and sent screenshots of the QR codes to Ali. Together with an unnamed co-conspirator, Ali then used the QR codes to buy Apple products from stores in New York.

    US prosecutors estimate that the pair fraudulently obtained gift cards valued at over $1.5 million. Ali was sentenced to 37 months (3 years), and Tout-Puissant will serve 60 months (5 years) behind bars. Tout-Puissant has also been ordered to pay the iPad and iPhone maker $1.26 million in damages.

    “If these defendants thought their million-dollar fraud would go unnoticed simply because they targeted a trillion-dollar company, they were sorely mistaken,” commented US Attorney Chad Meacham. “The Justice Department will not tolerate fraud against any company, be it a multinational corporation or a mom-and-pop operation. We are grateful to our FBI partners for their work on this case.”


    Borat RAT malware: A 'unique' triple threat that is far from funny

    A new Remote Access Trojan (RAT) might have an amusing name to some, but its capabilities show the malware to be no laughing matter.


    Dubbed Borat RAT, Cyble Research Labs said in a recent malware analysis that the new threat doesn’t settle for standard remote access capabilities; instead, Borat RAT also includes spyware and ransomware functions. According to the cybersecurity researchers, the Trojan, named after the character adopted by comedian Sacha Baron Cohen, is offered for sale to cybercriminals in underground forums.

    Borat RAT has a centralized dashboard and is packaged up with a builder, feature modules, and a server certificate. The malware’s capabilities are vast and include a keylogger, a ransomware encryption and decryption component (as well as the option for users to generate their own ransom notes), and an optional distributed denial-of-service (DDoS) feature for “disrupting the normal traffic of a targeted server,” according to Cyble.

    Image caption: Some of Borat RAT’s marketed capabilities (Cyble)

    The use of ‘RAT’ in the name is a clue to the remote and surveillance features of the malicious software. Borat RAT can remotely record a machine’s audio by compromising its microphone, capture webcam footage and also contains a host of remote control options: hijacking a mouse or keyboard, performing screen captures, tampering with system settings, and both stealing and deleting files.

    Borat RAT utilizes process hollowing for compromising legitimate processes on a target machine and may also enable reverse proxies to stay under the radar when performing malicious activities. The malware will harvest data, including operating system information, before sending it to an attacker-controlled command-and-control (C2) server. Furthermore, Borat RAT will home in on browser information such as cookies, browser histories, bookmarks and favorites, and account credentials. Browsers such as Chrome and Chromium-based Microsoft Edge are impacted. Discord tokens, too, can be stolen.

    Cyble says that the malware can also perform other functions to “disturb” its victims, including playing audio, swapping mouse buttons, showing or hiding a desktop and taskbar, freezing the mouse, tampering with webcam lights, turning off a monitor, and more.

    Despite its name, remote control, spyware, and ransomware capabilities make Borat RAT a potent malware strain worth watching. Cyble intends to monitor the development of the “unique” malware in the future.


    Turkey seeks 40,000-year sentences for alleged cryptocurrency exit scammers

    Turkey is pursuing colossal sentences of over 40,000 years for suspects allegedly connected to a fraudulent cryptocurrency exchange. A prosecutor seeks sentences of up to 40,564 years each for 21 individuals accused of operating Thodex, a now-defunct cryptocurrency exchange.

    As reported by Demiroren via Bloomberg, the alleged founders and executives of Thodex are in the prosecutor’s line of sight. The indictment, issued Thursday, names Faruk Fatih Ozer, the 28-year-old CEO of the cryptocurrency exchange who vanished a year ago.

    A notice was posted on the Thodex website in April 2021, informing users that the trading post would be closed for several days to deal with a “sales” process. The cryptocurrency exchange never reopened, and investors could not access their accounts or withdraw funds. Thodex claimed on social media that no one had been scammed or had lost their money. However, many accused the exchange of performing an exit scam. At the time, Thodex called the accusations “baseless” and no more than a “smear campaign.” While reports, at the time, estimated losses in the billions of dollars, the indictment has revised this figure to closer to $24 million.

    Ozer, who was reportedly last spotted in the same month the cryptocurrency exchange closed while boarding a flight to Albania from Istanbul airport, has been issued an international arrest warrant. The CEO claimed he was meeting investors abroad. Interpol has published a Red Notice for Ozer. The Turkish national is wanted for “establishing organizations for the purpose of committing crimes [and] aggravated fraud,” according to the law enforcement agency. Ozer is still missing, despite assurances made last year that he would return to his home country to co-operate with local authorities.

    Cryptocurrency is a popular fiscal outlet for many members of the younger Turkish generation due to Turkey’s economic problems and the volatile lira. The trend has concerned Turkish financial authorities for years, with clampdowns being discussed, but citizens continue to pursue potential crypto profits in stablecoins, as well as fiat currencies, including the US dollar.

    Last month, two alleged operators of a rug pull non-fungible token (NFT) scam were arrested by US law enforcement. The two 20-year-old suspects have been charged for running Frosties, an NFT project which raised approximately $1.1 million before an exit scam allegedly took place, leaving investors out of pocket. The US Department of Justice (DoJ) has imposed fraud-related charges.


    Two teenagers charged in connection with investigation into hacking group, says City of London police

    The City of London police has said two teenagers have been charged in connection with an investigation into a hacking group. “The City of London Police has been conducting an investigation into members of a hacking group. Two teenagers, a 16-year-old and a 17-year-old, have been charged in connection with this investigation and remain in police custody,” said Detective Inspector Michael O’Sullivan, from the City of London Police.

    Both teenagers have been charged with three counts of unauthorised access to a computer with intent to impair the reliability of data, one count of fraud by false representation and one count of unauthorised access to a computer with intent to hinder access to data. The 16-year-old has also been charged with one count of causing a computer to perform a function to secure unauthorised access to a program, according to The City of London Police.