More stories


    CISA: Here are 66 more security flaws actively being used by hackers – so get patching

    The US Cybersecurity and Infrastructure Security Agency (CISA) has told federal agencies to patch 66 more security bugs on the strength of evidence that they are being actively exploited. The 66 join a growing Known Exploited Vulnerabilities (KEV) Catalog that is heavily weighted toward technology typically found in enterprises, such as network security appliances.


    Federal agencies have until April 15, 2022 to apply this batch of patches under Binding Operational Directive 22-01, which aims to reduce the significant risk posed by known exploited vulnerabilities. The 66 bugs include recent and older flaws in networking kit and security appliances from D-Link, Cisco, Netgear, Citrix, Kuiper, Palo Alto, Sophos and Zyxel, enterprise software from Oracle, OpenBSD, VMware and others, and multiple Windows bugs. Among them are a flaw in WatchGuard's Firebox and XTM appliances (CVE-2022-26318), the Mitel MiCollab and MiVoice Business Express access control vulnerability (CVE-2022-26143), and the Windows Print Spooler elevation of privilege vulnerability (CVE-2022-21999). The Mitel bug was abused in the TP240PhoneHome DDoS reflection attack, which achieved an amplification ratio of 4,294,967,296 to 1 and was observed in February and March. Last month CISA gave agencies two weeks to fix 95 bugs; as with this batch, some were newly exploited while others have had patches available for years. Admins at federal agencies are therefore in for another busy few weeks finding and patching affected systems. As part of its Shields Up initiative, CISA and the White House are urging all US organizations to step up patching and review their multi-factor authentication configurations, citing the heightened threat of Russian cyberattacks.
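    The catalog the directive refers to is published as a JSON feed, and the first thing a practitioner does under BOD 22-01 is usually to pull that feed and work out which entries are due or overdue. The Python below is an added example, not CISA's or ZDNet's code: it parses a constructed sample that mirrors the feed's field names (cveID, vendorProject, product, dateAdded, dueDate, requiredAction) and triages the entries against an as-of date. The sample's CVE IDs are the ones named in this story; its dates, product names and the Sophos entry's due date are assumptions for illustration and were not copied from the live catalog.

```python
"""Triage CISA Known Exploited Vulnerabilities (KEV) entries against a BOD 22-01 deadline.

Added example. SAMPLE_KEV_FEED is a constructed sample that mirrors the field names of
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json;
the dates and descriptions in it are assumptions, not values taken from the live feed.
"""
import json
from datetime import date
from typing import Dict, Iterable, List, Optional

SAMPLE_KEV_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "2022.03.25",   # assumed
    "count": 4,
    "vulnerabilities": [
        {"cveID": "CVE-2022-26318", "vendorProject": "WatchGuard",
         "product": "Firebox and XTM Appliances",
         "vulnerabilityName": "WatchGuard Firebox and XTM Appliances Arbitrary Code Execution Vulnerability",
         "dateAdded": "2022-03-25", "dueDate": "2022-04-15",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-26143", "vendorProject": "Mitel",
         "product": "MiCollab, MiVoice Business Express",
         "vulnerabilityName": "Mitel MiCollab, MiVoice Business Express Access Control Vulnerability",
         "dateAdded": "2022-03-25", "dueDate": "2022-04-15",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-21999", "vendorProject": "Microsoft",
         "product": "Windows",
         "vulnerabilityName": "Windows Print Spooler Elevation of Privilege Vulnerability",
         "dateAdded": "2022-03-25", "dueDate": "2022-04-15",
         "requiredAction": "Apply updates per vendor instructions."},
        {"cveID": "CVE-2022-1040", "vendorProject": "Sophos",
         "product": "Firewall",
         "vulnerabilityName": "Sophos Firewall Authentication Bypass Vulnerability",
         "dateAdded": "2022-03-31", "dueDate": "2022-04-21",   # assumed dates
         "requiredAction": "Apply updates per vendor instructions."},
    ],
})

REQUIRED_FIELDS = ("cveID", "vendorProject", "product", "dateAdded", "dueDate")


def parse_feed(feed_json: str) -> List[dict]:
    """Parse the KEV JSON and sanity-check it before it is trusted for compliance tracking.

    A truncated download or a schema change should fail loudly here rather than silently
    produce a shorter patch list.
    """
    data = json.loads(feed_json)
    entries = data.get("vulnerabilities")
    if not isinstance(entries, list):
        raise ValueError("feed has no 'vulnerabilities' array")
    if "count" in data and data["count"] != len(entries):
        raise ValueError(f"feed 'count' {data['count']} != {len(entries)} entries (truncated download?)")
    for entry in entries:
        missing = [f for f in REQUIRED_FIELDS if f not in entry]
        if missing:
            raise ValueError(f"entry {entry.get('cveID', '?')} is missing {missing}")
        date.fromisoformat(entry["dueDate"])  # raises ValueError on a malformed date
    return entries


def triage(feed_json: str, as_of: str, vendors: Optional[Iterable[str]] = None) -> List[dict]:
    """Return KEV entries (optionally limited to `vendors`, case-insensitive) with the
    number of days left to the due date and an OPEN/OVERDUE status, earliest due first."""
    today = date.fromisoformat(as_of)
    wanted = {v.lower() for v in vendors} if vendors else None
    rows = []
    for entry in parse_feed(feed_json):
        if wanted and entry["vendorProject"].lower() not in wanted:
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        rows.append({
            "cveID": entry["cveID"], "vendor": entry["vendorProject"], "product": entry["product"],
            "dueDate": entry["dueDate"], "daysLeft": days_left,
            "status": "OVERDUE" if days_left < 0 else "OPEN",   # due today still counts as open
        })
    rows.sort(key=lambda r: (r["dueDate"], r["cveID"]))
    return rows


def overdue_ids(feed_json: str, as_of: str) -> List[str]:
    """CVE IDs whose remediation deadline has already passed as of `as_of`."""
    return [r["cveID"] for r in triage(feed_json, as_of) if r["status"] == "OVERDUE"]


def by_vendor(rows: List[dict]) -> Dict[str, List[str]]:
    """Group triaged rows into a vendor -> [CVE IDs] map for handing to the right product team."""
    grouped: Dict[str, List[str]] = {}
    for r in rows:
        grouped.setdefault(r["vendor"], []).append(r["cveID"])
    return grouped


if __name__ == "__main__":
    # Three days past the April 15 deadline: the first three entries show as OVERDUE.
    for r in triage(SAMPLE_KEV_FEED, "2022-04-18"):
        print(f'{r["status"]:8} {r["cveID"]:16} {r["vendor"]:12} due {r["dueDate"]} ({r["daysLeft"]:+d} days)')
```

    Against the real feed the same code is run on the downloaded file, and the `count` check matters there: the catalog is large enough that a partial download is easy to miss otherwise.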


    Sophos patches critical remote code execution vulnerability in Firewall

    Sophos has patched a remote code execution (RCE) vulnerability in its Firewall product line. Sophos Firewall is an enterprise network security appliance that offers TLS and encrypted traffic inspection, deep packet inspection, sandboxing, an intrusion prevention system (IPS), and visibility features for spotting suspicious and malicious network activity.

    On March 25, Sophos disclosed the RCE, which an external researcher had reported privately through the company's bug bounty program; Sophos pays between $100 and $20,000 for reports. Tracked as CVE-2022-1040 and given a CVSS score of 9.8 by Sophos in its role as a CNA, the vulnerability affects Sophos Firewall v18.5 MR3 (18.5.3) and older. According to Sophos' advisory, it is an authentication bypass in the User Portal and Webadmin interfaces of Sophos Firewall. Sophos has not released further technical details beyond the fix. Most Sophos Firewall deployments will have received a hotfix automatically, so customers who have left automatic hotfix installation enabled need take no further action; customers running older versions may have to upgrade to a supported release to get the fix. Either way, it is worth confirming that the hotfix has actually been applied rather than assuming it. Sophos also describes a general workaround: disable WAN access to the User Portal and Webadmin entirely, and use a VPN and/or Sophos Central for remote management instead. Earlier this month, Sophos fixed CVE-2022-0386 and CVE-2022-0652 in its Sophos UTM threat management appliance. CVE-2022-0386 is a high-severity post-authentication SQL injection, while CVE-2022-0652 is an insecure file permissions bug.


    Chrome and Edge hit with V8 type confusion vulnerability with in-the-wild exploit

    Google is urging users on Windows, macOS, and Linux to update Chrome to version 99.0.4844.84 following the discovery of a vulnerability for which an exploit exists in the wild. Because of that, the browser maker is keeping the details to itself. "CVE-2022-1096: Type Confusion in V8. Reported by anonymous on 2022-03-23," was as far as Google would go in describing the issue. V8 is Chrome's JavaScript engine; it is also used server-side in Node.js, although the Node.js project has not yet said whether it is affected. Google added that bug details would stay restricted until a majority of users had updated. "We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven't yet fixed," it said on Friday. A day later Microsoft, whose Chromium-based Edge shares the V8 engine, issued its own notice saying the issue was fixed in Edge version 99.0.1150.55, released the same day. At the start of the month, Google said it was seeing more Chrome zero-days exploited in the wild.


    Kaspersky blacklisted by FCC alongside China Telecom and China Mobile

    The US Federal Communications Commission (FCC) has added Kaspersky to its Covered List of communications equipment and services deemed a threat to national security, alongside China Telecom and China Mobile. First reported by Bloomberg, the Kaspersky addition marks the first time a Russian company has been placed on the list, which until this update consisted solely of Chinese companies. Equipment and services on the Covered List may not be purchased with money from the FCC's Universal Service Fund. The FCC said it listed the three companies because it found that all of them pose national security risks. "I am pleased that our national security agencies agreed with my assessment that China Mobile and China Telecom appeared to meet the threshold necessary to add these entities to our list. Their addition, as well as Kaspersky Labs, will help secure our networks from threats posed by Chinese and Russian state-backed entities seeking to engage in espionage and otherwise harm America's interests," said FCC commissioner Brendan Carr. In response, Kaspersky accused the agency of deciding on political grounds. "This decision is not based on any technical assessment of Kaspersky products, that the company continuously advocates for, but instead is being made on political grounds," Kaspersky said in a statement. "Kaspersky will continue to assure its partners and customers on the quality and integrity of its products, and remains ready to cooperate with US government agencies to address the FCC's and any other regulatory agency's concerns." The response mirrors Kaspersky's complaint against Germany's Federal Office for Information Security, which recently issued an advisory warning people to avoid Kaspersky's products and services; the company said that advisory was politically motivated too.
    The FCC listing is not the first US action against the company: in 2017 the US government banned the use of Kaspersky products and services by federal entities and contractors. For China Telecom and China Mobile, the listing comes as no surprise. The two telcos were delisted from the New York Stock Exchange at the start of last year under a US Treasury executive order, and in October the FCC revoked China Telecom's authority to operate in the US.


    UK police arrest seven individuals suspected of being hacking group members

    UK law enforcement has made a spate of arrests in connection to an unnamed hacking group. 

    Detective Inspector Michael O'Sullivan of the City of London Police said in a statement that the force and its partners have been investigating a cybercriminal outfit, leading to seven arrests. The seven are teenagers and young adults between 16 and 21 years old. According to O'Sullivan, they were "arrested in connection with this investigation and have all been released under investigation." The City of London Police did not name the hacking group or provide further detail about the inquiry. On Wednesday, the BBC reported that a 16-year-old from Oxford who used the aliases "White" and "Breachbase" online was accused of being affiliated with the Lapsus$ hacking group. White had reportedly been tracked by researchers for over a year and was doxxed after falling out with others in the underground, leading to the leak of his personal information. Law enforcement has not said whether the teenager is among those arrested. Lapsus$ has risen rapidly through the cybercriminal ranks in recent months, claiming high-profile organizations as victims. This week, Okta and its subprocessor Sitel acknowledged a security breach in January after Lapsus$ leaked screenshots as 'evidence'; the incident affected up to 366 Okta customers. Microsoft also confirmed a Lapsus$ compromise on Wednesday after the group gained access to a single account with "limited" access. The Redmond giant has not confirmed the authenticity of a torrent released by the group that allegedly contains source code from Bing, Bing Maps, and Cortana. In other security news this week, four Russian nationals were indicted by US law enforcement for their alleged roles in cyberattacks against critical infrastructure attributed to the Dragonfly and Triton hacking groups.


    These fake crypto wallets want to steal from iPhone and Android users

    Cyber criminals are attempting to steal cryptocurrency from Android and iPhone users by luring them into downloading malicious apps that pose as cryptocurrency wallets. Researchers at ESET have identified over 40 copycat websites designed to look like those of popular cryptocurrency services, each of which actually delivers a trojanized version of the real wallet app. New cryptocurrency users appear to be the main targets, and the sites are built specifically for mobile visitors. The attackers use online advertising placed on legitimate cryptocurrency and blockchain websites to drive traffic to the malicious downloads. Those behind the attacks, who the researchers note communicate in Chinese, also use Telegram to recruit affiliates to spread the malware, and some of the links are shared in Facebook groups complete with step-by-step video tutorials on how the fake wallets work and how to steal cryptocurrency from victims. Affiliates can be offered as much as 50% commission on the contents of wallets they help compromise. The malware behaves differently on iOS and Android. On Android it targets users who do not yet have a legitimate wallet app installed, because Android will not install a package over an existing app with the same package name unless it is signed with the same key, so the trojanized copy cannot replace a genuine wallet that is already present.
    On iOS, by contrast, the real app and the fake one can coexist, so more experienced cryptocurrency users can be targeted too, although in both cases installing the fake wallets is somewhat cumbersome. For Android users, the fake sites invite the visitor to 'Download from Google Play' but actually serve the APK from the fake site's own server, after which the user has to install it manually. While most of the apps came from third-party sites, ESET says 13 malicious apps tied to the campaign were removed from Google Play itself in January. The attackers have not been able to place the malicious apps in Apple's App Store, so iOS victims are sent to third-party websites, where alerts and notifications coax the user into accepting a configuration profile and bypassing the iPhone's default protections against unverified apps. On either platform, once installed the malware looks and behaves like a fully working wallet, indistinguishable from the genuine app. Because the attackers have inserted their own code into the app, they can manipulate its behaviour as if it were their own, draining the wallet without the user noticing. The campaign is believed to be still active. To avoid falling victim, users should only install apps from trusted, official sources, and should run anti-malware software on their phones to help catch malicious apps and links.
    "We would like to appeal to the cryptocurrency community, mainly newcomers, to stay vigilant and use only official mobile wallets and exchange apps, downloaded from official app stores that are explicitly linked to the official websites of such services, and to remind iOS device users of the dangers of accepting configuration profiles from anything but the most trustworthy of sources," said Lukáš Štefanko, ESET researcher. Users who suspect they have installed a malicious app are urged to immediately create a brand-new wallet on a trusted device and application and move all funds to it, so that the attackers cannot come back for them.


    Frosties NFT operators arrested over $1.1 million 'rug pull' scam

    Two alleged operators of the Frosties NFT rug pull have been arrested and charged by US law enforcement. The US Department of Justice (DoJ) said on Thursday that Ethan Nguyen and Andre Llacuna have been charged with conspiracy to commit wire fraud and conspiracy to commit money laundering.

    The pair, both 20, allegedly operated "Frosties," a Non-Fungible Token (NFT) project that at the outset looked professional and offered quirky cartoon art. However, as documented by Protocol, investors who handed over cryptocurrency to buy the NFTs in January this year realised something was wrong when the Frosties Discord server vanished along with the project's Twitter profile, which briefly displayed the message, "I'm sorry." Rug pulls are in the same vein as the exit scams performed by cryptocurrency exchanges and projects in recent years, or pump-and-dump meme stock activity: you hype a project, share, or service, dangle the prospect of profit or package the initiative as exciting and trustworthy, and once investors have been reeled in and parted with their funds, you take the cash and vanish. Rug pulls are not yet common in the NFT space, but as trading in these tokens grows in popularity, such fraud is likely to increase. Frosties promised investors tokens, rewards, giveaways, mint passes, and early access to a future game. According to the DoJ's complaint, the pair abandoned the project without notice and tried to disappear with roughly $1.1 million, moving the funds out to a series of cryptocurrency wallets; law enforcement says they then attempted to launder the proceeds by 'washing' them through numerous transactions. Nor, it seems, was $1.1 million enough: before their arrests in Los Angeles, Nguyen and Llacuna were advertising a second NFT project called "Embers," due to mint this Saturday, which the DoJ says could have brought in as much as $1.5 million if it was also a rug pull.
    If convicted, the pair face maximum sentences of 20 years in prison on each of the two conspiracy counts. "NFTs represent a new era for financial investments, but the same rules apply to an investment in an NFT or a real estate development," commented IRS-CI Special Agent-in-Charge Thomas Fattorusso. "You can't solicit funds for a business opportunity, abandon that business and abscond with money investors provided you."


    Avast acquires SecureKey Technologies in authentication, identity management push

    Avast has acquired SecureKey Technologies to bolster its digital authentication and identity management portfolio. The deal was announced on Thursday; financial terms have not been disclosed.


    According to the cybersecurity firm, the purchase "will expand Avast's Identity product and services portfolio as part of its digital freedom vision." Founded in 2008 and based in Ontario, Canada, SecureKey develops access management software for the enterprise. Its identity and authentication services connect consumers to banks, telecommunications firms, and government agencies so that they can "securely and privately authenticate with, and assert their identities for accessing, the services of participating organizations," with an emphasis on financial data security and the handling of personally identifiable information (PII). SecureKey says it manages over 200 million digital ID transactions a year worldwide. "We live in a digital world but are being forced to use outdated and broken identity systems, with too many avenues that welcome the possibility of fraud," the company says. SecureKey is a member of, or affiliated with, the Linux Foundation, the FIDO Alliance, Hyperledger, and the DIACC. Fortune Business Insights estimates that the identity and access management market will be worth $34.52 billion by 2028. Avast CEO Ondrej Vlcek said the company "envisage[s] a global and reusable digital identity framework which will underpin a new trust layer for the internet," and that reaching this goal requires digital identity management to be developed further on an international scale. Avast expects the acquisition to close next month, with SecureKey products becoming available to consumers under the Avast umbrella in the second quarter. "By working closely with governments, financial institutions, and businesses, we have an established track record of trusted and mature identity networks that provide consumers with the secure digital capabilities they deserve," commented SecureKey CEO Greg Wolfond.
    "Combining forces with Avast enables us to innovate further and faster with our technology as we together look to build a more trustworthy future for all internet users."