More stories


    Google is buying cybersecurity company Mandiant for $5.4 billion

    Google is to acquire cybersecurity company Mandiant in a deal worth $5.4 billion. The all-cash acquisition will see Mandiant join Google Cloud and deliver an end-to-end security operations suite, as well as advisory services to help customers address critical security challenges and stay protected. The deal will also bring Mandiant’s threat detection and intelligence service, along with testing and validation services under Google Cloud’s umbrella. “Cybersecurity is a mission, and we believe it’s one of the most important of our generation. Google Cloud shares our mission-driven culture to bring security to every organization,” said Kevin Mandia, CEO, Mandiant.  


    “Together, we will deliver our expertise and intelligence at scale via the Mandiant Advantage SaaS platform, as part of the Google Cloud security portfolio. These efforts will help organizations to effectively, efficiently and continuously manage and configure their complex mix of security products,” he added.

    Mandiant says that the acquisition by Google “underscores Google Cloud’s commitment to advancing its security offerings to better protect and advise customers across their on-premise and cloud environments”, and helps enterprises stay protected at every stage of the security lifecycle.

    “Organizations around the world are facing unprecedented cybersecurity challenges as the sophistication and severity of attacks that were previously used to target major governments are now being used to target companies in every industry,” said Thomas Kurian, CEO, Google Cloud. “We look forward to welcoming Mandiant to Google Cloud to further enhance our security operations suite and advisory services, and help customers address their most important security challenges.”

    The acquisition is subject to customary closing conditions, including the receipt of Mandiant stockholder and regulatory approvals, and is expected to close later this year. Upon the close of the acquisition, Mandiant will join Google Cloud.

    “The cloud represents a new way to change the security paradigm by helping organizations address and protect themselves against entire classes of cyber threats, while also rapidly accelerating digital transformation,” Google said.


    Phishing attempts from FancyBear and Ghostwriter stepping up says Google

    Image: Ukrainian flag waving over Parliament in Kyiv, Ukraine (Getty Images)
    Google’s Threat Analysis Group (TAG) has provided an update in the wake of the Russian invasion of Ukraine, saying it has issued hundreds of warnings to Ukrainian users over the past year that they are being targeted by “government backed hacking”, particularly from Russia.

    In the weeks since Russia began its military action, TAG said it has seen FancyBear, a group said to be part of the Russian military intelligence agency GRU, conducting phishing campaigns against a Ukrainian media company called UkrNet.

    For Ghostwriter, a group Ukraine has previously said is part of the Belarusian Ministry of Defence, Google TAG has identified activity against Polish and Ukrainian government and military. The group has also been going after UkrNet webmail users as well as Yandex users. Google said its Safe Browsing service has been able to block Ghostwriter’s phishing domains.

    The update also noted that Chinese group Mustang Panda has switched from going after its usual Southeast Asian targets to focusing on Europeans. The group was sending out a malicious attachment that contained a downloader that would grab a payload.

    Google also said it continued to see DDoS attacks against Ukrainian sites, including the Ministry of Foreign Affairs and Ministry of Internal Affairs. “We expanded eligibility for Project Shield, our free protection against DDoS attacks, so that Ukrainian government websites, embassies worldwide and other governments in close proximity to the conflict can stay online, protect themselves and continue to offer their crucial services and ensure access to the information people need,” TAG wrote. “As of today, over 150 websites in Ukraine, including many news organizations, are using the service.”



    Coinbase blocks 25,000 Russian-linked accounts and promotes crypto over fiat for sanctions

    Coinbase has come out in full-throated support of sanctions, and revealed the extent to which it works with governments, while at the same time stating it has blocked over 25,000 accounts linked to Russians the company believes are undertaking illicit activity. “Many of which we have identified through our own proactive investigations,” the company said. “Once we identified these addresses, we shared them with the government to further support sanctions enforcement.”

    In a blog post, the cryptocurrency exchange said when a user opens an account, it checks provided information against a list of sanctioned individuals or entities provided by the United States, United Kingdom, European Union, United Nations, Singapore, Canada, and Japan, as well as blocking users from sanctioned areas such as Crimea, North Korea, Syria, and Iran. The company also revealed it keeps a list of accounts held by sanctioned people outside of Coinbase. “When the United States sanctioned a Russian national in 2020, it specifically listed three associated blockchain addresses,” it said. “Through advanced blockchain analysis, we proactively identified over 1,200 additional addresses potentially associated with the sanctioned individual, which we added to our internal blocklist.”

    Coinbase also claimed that digital assets are able to “naturally deter common approaches to sanctions evasion”. “By transacting through shell companies, incorporating in known tax havens, and leveraging opaque ownership structures, bad actors continue to use fiat currency to obscure the movement of funds,” it said. “In this way, they leave complex financial trails that are difficult to trace, requiring investigators to separately request information from many different financial institutions, and follow a trail across multiple countries.” The exchange said due to the public, immutable, and traceable nature of blockchains, it is possible to trace transactions without needing to get information from multiple parties.

    “When applied to public blockchain data, analytics tools offer law enforcement additional capabilities. In many cases, law enforcement can trace the transaction history of a wallet from the very first transaction, follow transactions in real time, and group transactions according to risk level based on interactions with other wallets,” it said. “Coinbase’s proactive on-chain analysis identified more than 16,000 addresses possibly associated with Iranian exchanges, many of which had not yet been identified by others. We used this analysis to strengthen our compliance systems and inform law enforcement in order to enhance industry-wide awareness.”

    If Russia tried to get around sanctions through use of cryptocurrency, Coinbase said it would be more difficult than using fiat currency, gold, or even art. While promoting cryptocurrency, the exchange did not address the existence of coin tumbler services that can be used to disguise the provenance of digital assets and assist in laundering. A recent report said since 2017, cybercriminals had laundered $33 billion worth of cryptocurrency.


    FBI warns of online scammers impersonating government officials, law enforcement

    The FBI released a warning on Monday about scammers impersonating government officials or law enforcement agencies before attempting to extort people and steal personal information. The notice says scammers are spoofing authentic phone numbers and names while also using fake credentials of well-known government and law enforcement agencies.

    “Scammers will use an urgent and aggressive tone, refusing to speak to or leave a message with anyone other than their targeted victim; and will urge victims not to tell anyone else, including family, friends, or financial institutions, about what is occurring,” the FBI explained. “Payment is demanded in various forms, with the most prevalent being prepaid cards, wire transfers, and cash, sent by mail or inserted into cryptocurrency ATMs. Victims are asked to read prepaid card numbers over the phone or text a picture of the card. Mailed cash will be hidden or packaged to avoid detection by normal mail scanning devices. Wire transfers are often sent overseas so funds almost immediately vanish.”

    Scammers typically call victims and say their identity was used in a crime before asking them to verify their social security number and date of birth. Some victims are threatened with prosecution or arrest if they do not provide the information or pay for the charges to be removed. Others are called and asked about not reporting for jury duty or other local fines. The FBI said victims have been told they missed a court date or have a warrant for their arrest that requires payment to solve. At times, attackers can even text victims pretending to be government agencies in need of passport or driver’s license information for document renewals.

    “Medical practitioners are contacted to warn of the expiration of their medical licensing, or their license was utilized to conduct a crime. The scammers will threaten revocation of their license or registration, and the medical professional is compelled to renew their license to protect their professional reputation,” the FBI said. “Many victims report extortion by law enforcement and government impersonators in connection with other types of fraud. A romance scam victim begins to realize they are being defrauded and stops communicating with the scammer. Often, the victim is contacted by a law enforcement impersonator attempting to extort the victim to clear their name for participating in a crime or to aid in the capture of the romance scammer.”

    The FBI added that some lottery scam victims are contacted by cybercriminals who demand taxes or fees. The FBI reiterated that no law enforcement agency will ever ask you for money and urged people to be careful about who they share their personal information with over the phone and online.

    Erich Kron, security awareness advocate at KnowBe4, noted that social engineering and scams often rely on eliciting a strong emotional response from victims, causing them to miss or ignore red flags that could otherwise help them avoid falling for the scam. “Few government agencies cause as much fear as the IRS, as they have broad law enforcement powers and people are often confused by the U.S. tax system, making them more prone to believe they made a mistake and must correct it. US government entities such as the Social Security Administration are the primary source of income for many older Americans, making a threat to income a very stressful ordeal, and making them prone to fall for related scams,” Kron said. “Whenever receiving a text message, phone call or email that elicits a strong emotional response, the best thing a person can do is to take a deep breath and treat it very suspiciously. Most government agencies will not communicate via email or a phone call, especially when initially informing a person of an issue.”


    'Dirty Pipe' Linux vulnerability discovered

    On Monday, a cybersecurity researcher released the details of a Linux vulnerability that allows an attacker to overwrite data in arbitrary read-only files. The vulnerability — CVE-2022-0847 — was discovered by Max Kellermann in April 2021, but it took another few months for him to figure out what was actually happening.

    Kellermann explained that the vulnerability affects Linux Kernel 5.8 and later versions but was fixed in Linux 5.16.11, 5.15.25 and 5.10.102.

    “It all started a year ago with a support ticket about corrupt files. A customer complained that the access logs they downloaded could not be decompressed. And indeed, there was a corrupt log file on one of the log servers; it could be decompressed, but gzip reported a CRC error. I could not explain why it was corrupt, but I assumed the nightly split process had crashed and left a corrupt file behind. I fixed the file’s CRC manually, closed the ticket, and soon forgot about the problem,” Kellermann said. “Months later, this happened again and yet again. Every time, the file’s contents looked correct, only the CRC at the end of the file was wrong. Now, with several corrupt files, I was able to dig deeper and found a surprising kind of corruption. A pattern emerged.”

    Kellermann went on to show how he discovered the issue and how someone could potentially exploit it. He initially assumed the bug was only exploitable while a privileged process writes the file and that it depended on timing. But he later found that it is possible to overwrite the page cache even in the absence of writers, with no timing constraints, “at (almost) arbitrary positions with arbitrary data.”

    In order to exploit the vulnerability, the attacker needs to have read permissions, the offset must not be on a page boundary, the write cannot cross a page boundary and the file cannot be resized. “To exploit this vulnerability, you need to: Create a pipe, fill the pipe with arbitrary data (to set the PIPE_BUF_FLAG_CAN_MERGE flag in all ring entries), drain the pipe (leaving the flag set in all struct pipe_buffer instances on the struct pipe_inode_info ring), splice data from the target file (opened with O_RDONLY) into the pipe from just before the target offset [and] write arbitrary data into the pipe,” he explained. “This data will overwrite the cached file page instead of creating a new anonymous struct pipe_buffer because PIPE_BUF_FLAG_CAN_MERGE is set. To make this vulnerability more interesting, it not only works without write permissions, it also works with immutable files, on read-only btrfs snapshots and on read-only mounts (including CD-ROM mounts). That is because the page cache is always writable (by the kernel), and writing to a pipe never checks any permissions.”

    He also shared his own proof-of-concept exploit. The bug report, exploit, and patch were sent to the Linux kernel security team by Kellermann on February 20. The bug was reproduced on Google Pixel 6 and a bug report was sent to the Android Security Team. Linux released fixes (5.16.11, 5.15.25, 5.10.102) on February 23 and Google merged Kellermann’s bug fix into the Android kernel on February 24. Kellermann and other experts compared the vulnerability to CVE-2016-5195 “Dirty Cow” but said it is even easier to exploit.
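The practical question for a defender is whether a given host still runs a kernel in the affected range. The following check is an added example written for this page, not code from Kellermann or the kernel project; it takes only the version facts stated above (affected from 5.8, fixed in 5.16.11, 5.15.25 and 5.10.102) and assumes, beyond what the article says, that stable series without a listed fix are unpatched and that anything newer than the 5.16 series carries the mainline fix.

```python
"""Classify a kernel release string against the Dirty Pipe (CVE-2022-0847)
affected range, using the version facts from the article."""
from __future__ import annotations

import platform
import re

# Fixed release per stable series, as stated in the article.
FIXED_IN = {
    (5, 10): (5, 10, 102),
    (5, 15): (5, 15, 25),
    (5, 16): (5, 16, 11),
}
FIRST_AFFECTED = (5, 8, 0)
# Assumption: the fix is in mainline from 5.17 on, so anything newer is clean.
FIRST_CLEAN_MAINLINE = (5, 17, 0)


def parse_release(release: str) -> tuple[int, int, int]:
    """Reduce a `uname -r` string such as '5.15.0-1004-aws' to (5, 15, 0).
    Distro suffixes are dropped; only the upstream numeric triple is kept."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def dirty_pipe_affected(release: str) -> bool:
    """True when the upstream version lies in the affected range.

    Caveat: distributions often backport fixes without changing the upstream
    triple, so a True result here means 'check the distro advisory', not
    'confirmed vulnerable'. A False result for a version below 5.8 is solid.
    Assumption: series with no listed fix (5.8, 5.9, 5.11 to 5.14) are
    treated as unpatched.
    """
    ver = parse_release(release)
    if ver < FIRST_AFFECTED:
        return False
    series = ver[:2]
    if series in FIXED_IN:
        return ver < FIXED_IN[series]
    return ver < FIRST_CLEAN_MAINLINE


if __name__ == "__main__":
    if platform.system() != "Linux":
        print("not a Linux kernel; nothing to check")
    else:
        rel = platform.release()
        verdict = "in affected range" if dirty_pipe_affected(rel) else "not affected"
        print(f"{rel}: {verdict}")
```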

    Vulcan Cyber’s Mike Parkin said any exploit that gives root level access to a Linux system is problematic. “An attacker that gains root gains full control over the target system and may be able to leverage that control to reach other systems. The mitigating factor with this vulnerability is that it requires local access, which slightly lowers the risk,” Parkin said. “Escalating privileges to root (POSIX family) or Admin (Windows) is often an attacker’s first priority when they gain access to a system, as it gives them full control of the target and can help them extend their foothold to other victims. That hasn’t changed for ages and is unlikely to change in the foreseeable future.”

    Shweta Khare, cybersecurity evangelist at Delinea, noted that several Windows kernel, DNS server RCE, and Adobe vulnerabilities of high severity rating have already made news this year because they allow attackers to gain elevated local system or admin privileges. OS bugs and application-level vulnerabilities like these can allow attackers to elevate privileges, move laterally inside the network, execute arbitrary code, and completely take over devices, Khare said.


    Russia bans walkie-talkie app Zello

    Walkie-talkie communication app Zello has become the latest app banned by Russian officials. On Sunday, Russia’s Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications, also known as Roskomnadzor, announced that it is banning Zello for spreading “false information” about the invasion of Ukraine.

    “On March 4, Roskomnadzor, based on the decision, sent the administration of the American Internet resource Zello a request to stop sending messages to users that contain false information about the course of a special operation of the Armed Forces of the Russian Federation on the territory of Ukraine,” Roskomnadzor said in a translated statement. “The administration of the Zello Internet resource did not comply with the requirement of Roskomnadzor within the period established by law. Due to the failure of the administration of Zello to comply with the requirements of Roskomnadzor, access to this application on the territory of the Russian Federation will be limited within 24 hours.”

    On Friday, Roskomnadzor announced that it will block access to Facebook, alleging the US social media giant has discriminated against Russian media and information resources. Early last week, Facebook said it would be “demoting” content from Russian state-backed media outlets on Facebook and Instagram as part of a wide range of efforts taken in light of the recent invasion of Ukraine. Nick Clegg, Facebook’s president of global affairs and the former UK deputy prime minister, said the Russian government was already throttling Facebook and Instagram to make it more difficult for Russian citizens to see certain content. Since Russia began the invasion in February, several tech companies like Google, Microsoft and Apple have taken punitive actions against Russia, banning services or ending business in the country.

    Emsisoft threat analyst Brett Callow noted that Russia has already blocked the BBC and multiple other international media outlets. “Blocking Zello is not a surprise,” Callow said. “The Russian government will likely continue to try to limit access to any sources of non-favorable information about the invasion, so more blocks are highly probable.”

    Zello did not respond to requests for comment about the situation. The app has become massively popular in Ukraine since the invasion began.



    PressReader service partially returns after cyberattack impacts 7,000+ publications

    PressReader, a digital platform for hundreds of print newspapers and magazines, said its systems are slowly returning to normal after a cyberattack caused outages since last Thursday. The app provides access to more than 7,000 publications from newspapers, libraries and museums across the world. It first announced the outages on March 3 and later confirmed it was because of a cybersecurity incident. 

    In posts on Facebook and Twitter last night, the company said its content processing system is now fully back to normal and all publications sent to the platform since March 6 have been published. But a number of publications remain delayed, even after PressReader received the files from publishers. “We are actively reaching out to publishers to receive and process these publications as soon as possible. Missing issues between March 3rd and March 5th will be processed in the coming days. Magazine content since March 3rd will resume processing from 9am PST, Monday March 7th,” the company said. “While we are still investigating the full scope of the incident, what we can share is that the PressReader team has been working around the clock to ensure that we stand alongside our partners in our commitment to the free press and the distribution of quality journalism.”

    To our readers and partners, PressReader thanks you immensely for your support and understanding as we navigated through this cyber security incident. Updates in thread (1/6) — PressReader (@PressReader) March 7, 2022

    The company added on Sunday that its teams in Vancouver and the Philippines have been working around the clock to bring service back. This past weekend, the company said it was prioritizing titles from Europe, Africa, and the Middle East as it scaled its systems back to full capacity. The day before that, PressReader said its security teams were able to determine that the outage was caused by a cybersecurity incident.

    The company did not respond to requests for comment about whether it was a ransomware attack. But in its initial statement, PressReader claimed the attack was part of a larger trend of companies across North America experiencing “security incidents” over the last few weeks. They said there was no evidence that customer data was compromised in their first public message, but they did not include that line in subsequent statements.

    Users flooded both the Twitter and Facebook posts to complain about the loss of access to their favorite publications. Hundreds of newspapers released personal messages to readers explaining the outages. Many newspapers — especially those that rely on the platform as their only avenue for publishing daily electronic versions of their newspaper — shared PressReader’s statement verbatim. One newspaper said its call center was “experiencing high call volumes and long wait times because of this outage.” They urged customers to stop calling and wait for messages from the newspaper directly.


    Mozilla fixes two critical Firefox flaws that are being actively exploited

    People who use Firefox as one of their browsers should update it now that it’s gained patches for two critical flaws that are being exploited in the wild. Mozilla just released Firefox 97.0.2, Firefox ESR 91.6.1, Firefox for Android 97.3.0, and Focus 97.3.0 with the security fixes. The bugs are also fixed in Thunderbird 91.6.2. 


    Both CVE-2022-26485 and CVE-2022-26486 are critical use-after-free memory-related flaws. CVE-2022-26486 could also lead to an exploitable sandbox escape, according to Mozilla.

    “Removing an XSLT parameter during processing could have led to an exploitable use-after-free. We have had reports of attacks in the wild abusing this flaw,” Mozilla explains. “An unexpected message in the WebGPU IPC framework could lead to a use-after-free and exploitable sandbox escape. We have had reports of attacks in the wild abusing this flaw.”

    WebGPU is a browser specification for various interfaces that allow a web page to use a system’s GPU for improved graphics. Mozilla hasn’t released further details, but credits the bug reports to researchers at Chinese security firm Qihoo 360 ATA: Wang Gang, Liu Jialei, Du Sihang, Huang Yi and Yang Kang.

    While Firefox user numbers are declining, Mozilla performed fairly well in Google Project Zero’s analysis of how quickly software vendors fixed bugs. Mozilla patched nine of the 10 bugs affecting its software within 90 days of the initial report. It also took an average 46 days to fix bugs compared to 44 days for Google, 69 days for Apple, and 83 days for Microsoft. Looking at browsers, Chrome was the fastest and with 40 fixed bugs it had an average time to patch of 5.3 days. WebKit had 27 bugs and an 11.6-day average time to patch, while Firefox had eight bugs and a 16.6-day average time to fix.