More stories

  • Microsoft, Oracle, Apache and Apple vulnerabilities added to CISA catalog

    The US Cybersecurity and Infrastructure Security Agency (CISA) updated its catalog of known exploited vulnerabilities this week, adding 15 vulnerabilities based on evidence that threat actors are actively exploiting them. The list includes a Microsoft Windows SAM local privilege escalation vulnerability with a remediation date set for February 24. Vulcan Cyber engineer Mike Parkin said the vulnerability — CVE-2021-36934 — was patched in August 2021 shortly after it was disclosed. “It is a local vulnerability, which reduces the risk of attack and gives more time to deploy the patch. CISA set the due date for Federal organizations who take direction from them, and that date is based on their own risk criteria,” Parkin said. “With Microsoft releasing the fix 5 months ago, and given the relative threat, it is reasonable for them to set late February as the deadline.”

    The rest of the list covers a range of Microsoft, Apache, Apple, and Jenkins vulnerabilities with remediation dates of August 10. While some experts questioned CISA’s new additions to the list, Netenrich’s John Bambenek explained that anything that provides a straightforward path to elevated privileges and is being exploited by the kind of threat actors CISA is concerned about needs to be remediated immediately.
    Pravin Madhani, CEO of K2 Cyber Security, noted that more than half of the vulnerabilities are classified as remote code execution (RCE) vulnerabilities.  

    “RCE is one of the most dangerous types of vulnerabilities as it gives the attacker the ability to run almost any code on the hacked site. RCE, and other flaws such as XSS (Cross Site Scripting), have long been included on the OWASP Top 10 list, so why aren’t companies better equipped to protect against these attacks?” Madhani asked.

    Viakoo CEO Bud Broomhead said he believes cybercriminals are using older vulnerabilities in exploits against new device targets, specifically IoT devices. As an example, Broomhead mentioned vulnerabilities that enable man-in-the-middle (MitM) attacks. “Virtually all IT systems are protected against this threat, but IoT systems often are not, leading threat actors to revisit these older vulnerabilities knowing that network-connected IoT devices can be exploited through them,” Broomhead said. “This would lead to a vulnerability discovered years ago being added recently to the CISA catalogue. With close to 170,000 known vulnerabilities, priority should be given to the ones that are causing real damage right now, not ones that in theory could cause damage.”

  • Google says nearly $9 million given out in 2021 vulnerability rewards

    Google announced this week that its Vulnerability Reward Programs doled out $8,700,000 for vulnerability rewards in 2021. Researchers donated $300,000 of their rewards to a charity of their choice, according to a blog from Sarah Jacobus of Google’s Vulnerability Rewards Team.

    For Android vulnerabilities, payouts doubled compared to 2020, with almost $3 million being rewarded to researchers for a variety of bugs. The company also handed out its largest Android payout ever at $157,000. The company also launched the Android Chipset Security Reward Program, an invite-only program for researchers looking into chipsets from certain popular Android chipset manufacturers. The program paid $296,000 for over 220 unique security reports, specifically shouting out Aman Pandey of the Bugsmirror Team, Yu-Cheng Lin, and researcher gzobqq@gmail.com, who secured the $157,000 award. The company noted that it is also offering $1,500,000 for bugs found in the Titan M security chip used in its Pixel devices.
    When it comes to Chrome, the company set a new record as well. Google gave out $3.3 million in VRP rewards to 115 researchers that found 333 unique Chrome security bugs. “Of the $3.3 million, $3.1 million was awarded for Chrome Browser security bugs and $250,500 for Chrome OS bugs, including a $45,000 top reward amount for an individual Chrome OS security bug report and $27,000 for an individual Chrome Browser security bug report,” Jacobus said. 

    “Of these totals, $58,000 was awarded for security issues discovered by fuzzers contributed by VRP researchers to the Chrome Fuzzing program. Each valid report from an externally provided fuzzer received a $1,000 patch bonus, with one fuzzer report receiving a $16,000 reward.” Jacobus also spotlighted Rory McNamara, Leecraso, and Brendon Tiszka for their work on Chrome bugs.

    Google Play paid out $550,000 in rewards to more than 60 security researchers. The tech giant was also eager for exploit research on its kCTF cluster, raising its reward amounts in November from up to $10,000 to up to $50,337. Several participants brought in $175,685 in rewards. The Google Cloud Platform awarded Ezequiel Pereira the top prize for finding an RCE in Google Cloud Deployment Manager, awarding him $133,337. In total, the Google Cloud Platform paid winners of the 2020 competition $313,337.

    Google said it partnered with researchers to find and fix thousands of vulnerabilities throughout 2021 and launched bughunters.google.com to help move the effort along. The platform gives researchers a place to submit bugs for Google, Android, Chrome, Google Play, and more. The platform gamifies the bug hunting process by offering per-country leaderboards, company swag, awards, and more. The company also explained that the Vulnerability Research Grant program awarded $200,000 in grants to more than 120 security researchers around the world. “With the launch of the new Bug Hunters portal, we plan to continue improving our platform and listening to you – our researchers – on ways we can improve our platform and Bug Hunter University,” Jacobus said. “Thank you again for making Google, the Internet, and our users safe and secure!”

  • Google: Vendors took an average of 52 days to fix reported security vulnerabilities

    Google’s Project Zero released a report covering its work in 2021. It found that vendors took an average of 52 days to fix reported security vulnerabilities.

    Between 2019 and 2021, Project Zero researchers reported 376 issues to vendors under their 90-day deadline. Of those 376 issues, more than 93% have been fixed and over 3% have been marked as “WontFix” by the vendors, according to Project Zero. The researchers added that 11 other bugs remain unfixed and 8 have passed their deadline to be fixed. Microsoft, Apple, and Google account for 65% of the bugs discovered. Microsoft led the way with 96 bugs, followed by 85 from Apple and 60 from Google.

    “Overall, the data show that almost all of the big vendors here are coming in under 90 days, on average. The bulk of fixes during a grace period comes from Apple and Microsoft (22 out of 34 total). Vendors have exceeded the deadline and grace period about 5% of the time over this period,” Project Zero researchers said. “In this slice, Oracle has exceeded at the highest rate, but admittedly with a relatively small sample size of only about 7 bugs. The next-highest rate is Microsoft, having exceeded 4 of their 80 deadlines. [The] average number of days to fix bugs across all vendors is 61 days.”
    Google also provided other statistics showing that the overall time to fix has consistently been decreasing, particularly for vendors like Microsoft, Apple, and Linux. All three reduced their time to fix between 2019 and 2020 while Google sped up in 2020 and slowed down again in 2021. 

    In 2021, the researchers noted, only one 90-day deadline was exceeded, a stark decrease compared to the average of 9 per year in the other two years. The researchers added that the grace period was used 9 times — with half being by Microsoft — versus the slightly lower average of 12.5 in the other years.

    When it comes to mobile vulnerabilities, iOS devices had 76 total bugs, followed by 10 for Samsung Android devices and 6 for Pixel Androids. For browsers, Chrome had 40 bugs and an average time to patch of 5.3 days. WebKit had 27 bugs and an 11.6-day average time to patch while Firefox had 8 bugs and a 16.6-day average time to fix.

    “Chrome is currently the fastest of the three browsers, with time from bug report to releasing a fix in the stable channel in 30 days. Firefox comes in second in this analysis, though with a relatively small number of data points to analyze. Firefox releases a fix on average in 38 days,” the researchers said. “WebKit is the outlier in this analysis, with the longest number of days to release a patch at 73 days. Their time to land the fix publicly is in the middle between Chrome and Firefox, but unfortunately, this leaves a very long amount of time for opportunistic attackers to find the patch and exploit it prior to the fix being made available to users.”

    Project Zero said the findings were a positive development, showing that many vendors are fixing most of the bugs they find. Vendors are also moving faster to rectify issues, with Google attributing it to responsible disclosure policies that have become the standard in the industry. Google urged all vendors to focus on a “more frequent patch cadence for security issues.”

    “We encourage all vendors to consider publishing aggregate data on their time-to-fix and time-to-patch for externally reported vulnerabilities. Through more transparency, information sharing, and collaboration across the industry, we believe we can learn from each other’s best practices, better understand existing difficulties and hopefully make the internet a safer place for all,” Project Zero said.

  • Amazon steps in to close exposed FlexBooker bucket after December data breach

    Digital scheduling platform FlexBooker has been accused of exposing the sensitive data of millions of customers, according to security researchers at vpnMentor.

    The researchers said the Ohio-based tech company was using an AWS S3 bucket to store data but did not implement any security measures, leaving the contents totally exposed and easily accessible to anyone with a web browser. The 19 million exposed files included full names, email addresses, phone numbers and appointment details. FlexBooker did not respond to requests for comment from ZDNet but vpnMentor said they contacted the company and Amazon about the issue.

    “We did contact them in January, to which they sent what seemed to be an automatic reply about the leak that affected them in December. We tried to explain it was a new breach, but didn’t hear back,” a vpnMentor spokesperson said. “Which is why we decided to contact AWS directly (as Flexbooker wrote on their site they were working together with Amazon), and soon after the bucket was secured (Amazon probably informed Flexbooker, as Amazon isn’t supposed to do it themselves).”

    In January, FlexBooker apologized for a data breach that involved the sensitive information of 3.7 million users. At the time, the company told ZDNet a portion of its customer database had been breached after its AWS servers were compromised on December 23. FlexBooker said their “system data storage was also accessed and downloaded” as part of the attack. They added they worked with Amazon to restore a backup and were able to bring operations back in about 12 hours.

    “We sent a notification to all affected parties and have worked with Amazon Web Services, our hosting provider, to ensure that our accounts are re-secured,” a spokesperson said. “We deeply apologize for the inconvenience caused by this issue.”

    Researchers at vpnMentor said they were not aware of this data breach as they scanned the internet for potential vulnerabilities in December. By January 23, vpnMentor confirmed the latest issue and contacted FlexBooker on January 25. Amazon was contacted the same day and by January 26, Amazon had resolved the issue. “Flexbooker’s misconfigured AWS account contained over 19 million HTML files which exposed what seemed to be automated emails sent via FlexBooker’s platform to users. This means potentially up to 19 million people were exposed, depending on how many people made multiple bookings on a website using Flexbooker,” the researchers said in the report. “Each email appeared to be a confirmation message for bookings made via the platform, and exposed both the FlexBooker account holder and the person(s) who made a booking. For example, a plumbing supply company was using FlexBooker to schedule consultations between employees and customers. In this instance, PII data for both people were exposed.”
    The leaks are alarming because they included links with unique codes that could be used to create cancellation links, edit links, and view the appointment details that were hidden in the emails. The S3 bucket was also live when vpnMentor discovered it, meaning it was constantly being updated with new information, exposing more and more people every day. vpnMentor included screenshots of the appointments, which ranged from COVID-19 tests to pet euthanizations and babysitting appointments. The babysitting emails exposed the sensitive information of children as well.

    “A few days after the breach was secured, we observed hackers on the dark web once again selling private data apparently owned by Flexbooker. It’s not clear if this was from the previous breach, the one our team discovered, or a mix of both. However, it shows the risk for companies who don’t adequately secure their users’ data and how quickly hackers can get stolen data out into the open,” the researchers explained.

    In January, Australian security expert Troy Hunt, who runs the Have I Been Pwned site that tracks breached information, said the first trove of stolen data included password hashes and partial credit card information for some accounts. Hunt added that the data “was found being actively traded on a popular hacking forum.” A FlexBooker spokesperson confirmed Hunt’s report, telling ZDNet that the last 3 digits of card numbers were included in the breach but not the full card information, expiration date, or CVV.

  • Third-party risk management: No one size fits all

    Third-party risk management (TPRM) is high on the list of business priorities and risk management priorities, and that’s a good thing. 

    Despite predictions in the early days of the COVID-19 pandemic that firms would rein in outsourcing strategies, the third-party ecosystem continues to grow, smaller vendors and suppliers remain cybersecurity targets, the global regulatory machine continues to churn out new requirements, and disruption in the value chain has become a regular occurrence. For TPRM vendors, that’s great news because, unlike in the years following the Great Recession, firms aren’t pulling back on security and risk investment.

    What’s in a name? Is it TPRM or IT VRM? To-may-to, to-mah-to, right? Not exactly. Here’s some context on third-party risk nomenclature. Financial services use “third parties” to align with OCC (Office of the Comptroller of the Currency) language, healthcare references “business associates” to align with HIPAA, and manufacturing commonly uses “supplier.” Everyone else gravitates to the term “vendor” because much of what we now call third-party risk management started out with (and, in some cases, is still mostly focused on) software vendors and IT services providers, where the primary concern is about complying with the IT control frameworks/standards. Forrester uses “third party” to refer to these entities, plus nontraditional third parties such as foreign affiliates, external legal counsel, PR firms, contingent or gig workers, and even your board of directors. If it’s not an employee, then it’s a third party.

    The TPRM market is not “one size fits all”

    Several types of vendors support the TPRM market, each specializing in one or more risk domains, industries, or levels of customer maturity. For us, third-party risk is more than a cybersecurity rating or a due diligence tool. Forrester defines this category as: Platforms that identify, assess, score, monitor, and report on risks to the organization stemming from their third-party relationships. They support analysis, treatment, and workflow for risk mitigation at every stage of the third-party lifecycle, including: 1) sourcing/procurement, 2) due diligence, 3) selection, 4) onboarding, 5) ongoing risk monitoring, and 6) termination/offboarding.

    There’s no shortage of options when it comes to managing the risk and compliance of third-party entities. The new Forrester report, Now Tech: Third-Party Risk Management Platforms, Q1 2022, categorizes 22 of the top TPRM technologies into four segments based on their capabilities:

      • Dedicated technologies. These provide robust capabilities throughout the third-party risk management lifecycle. They offer a combination of domain expertise and breadth of functionality to support all levels of TPRM maturity.
      • GRC platforms. Governance, risk, and compliance (GRC) platforms offer robust support for a wide range of risk and compliance use cases in addition to TPRM.
      • Exchange sponsors. Exchange sponsors offer access to prepopulated and validated assessment results, multiple types of documentation and evidence, and analytics.
      • Vertical-focused vendors. These providers have the depth of expertise of dedicated technologies, the range of capabilities of GRC platforms, and often provide supporting services but are singularly focused on industries with complex third-party compliance requirements.

    Each segment contains vendors that will be a good fit for different types of buyers. This post was written by Senior Analyst Alla Valente, and it originally appeared here.

  • Get updating: Apple releases iOS 15.3.1 patch for 'actively exploited' security flaw

    If you didn’t already upgrade to iOS 15.3, now might be a good time to do it because of a security flaw Apple has now patched.

    Apple released iOS 15.3 earlier this month but it didn’t include one fix for a security flaw it has now addressed in iOS 15.3.1. Details from Apple, as usual, are scant but it gave enough to suggest it is a serious bug because it can lead to malicious code execution simply by users opening a web page in the Apple Safari browser. “Processing maliciously crafted web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited,” Apple said.

    The update is available for iPhone 6s and later, iPad Pro, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch 7th generation. Since the bug affects WebKit, the browser engine for Safari, it also affects macOS. Apple also released macOS Monterey 12.2.1 to address the issue on Macs. The bug, like many security flaws, was a memory-safety flaw of the kind that code written in C++ is particularly prone to.

    According to Microsoft and Google, about 70% of security issues are caused by memory safety problems, and those issues are tied to code written in C and C++, arguably the most important family of programming languages, which have been used for decades in multi-million line infrastructure systems like Windows, WebKit, Chrome, Android, Firefox, the Linux kernel and now embedded systems for Internet of Things devices.

  • These cybercriminals plant criminal evidence on human rights defender, lawyer devices

    Cybercriminals are hijacking the devices of civil rights activists and planting “incriminating evidence” in covert cyberattacks, researchers warn.

    According to SentinelLabs, an advanced persistent threat (APT) group dubbed ModifiedElephant has been responsible for widespread attacks targeting human rights activists and defenders, academics, journalists, and lawyers across India. The APT is thought to have been in operation since at least 2012, and over the past decade, ModifiedElephant has continually and persistently targeted specific, high-profile people of interest.  However, rather than focusing on data theft, the APT’s activities are far more sinister: once inside a victim’s machine, the group conducts surveillance and may plant incriminating files later used to prosecute individuals. “The objective of ModifiedElephant is long-term surveillance that at times concludes with the delivery of ‘evidence’ — files that incriminate the target in specific crimes — prior to conveniently coordinated arrests,” the researchers say. SentinelLabs has identified “hundreds of groups and individuals” targeted by the APT. ModifiedElephant starts an infection chain with spear-phishing emails. These emails contain documents laden with malware, including the NetWire and DarkComet remote access trojans (RATs), as well as keyloggers and an Android Trojan. 

    SentinelLabs has connected the dots between previously unattributable attacks and says that while ModifiedElephant has operated under the radar for so long, there is an “observable correlation between ModifiedElephant attacks and the arrests of individuals in controversial, politically-charged cases.” While the malware used by the threat actors is considered “mundane” and not particularly sophisticated, a number of the APT’s victims have also been targeted with NSO Group’s Pegasus surveillanceware, the subject of an explosive investigation by Amnesty International, Forbidden Stories, and various media outlets in 2021. While attribution isn’t concrete, the team says that ModifiedElephant activity “aligns sharply with Indian state interests.”

    “Many questions about this threat actor and their operations remain; however, one thing is clear: Critics of authoritarian governments around the world must carefully understand the technical capabilities of those who would seek to silence them,” SentinelLabs cautioned. “A threat actor willing to frame and incarcerate vulnerable opponents is a critically underreported dimension of the cyber threat landscape that brings up uncomfortable questions about the integrity of devices introduced as evidence.”

  • Spanish police arrest suspects in SIM-swapping ring

    Spanish law enforcement has arrested eight people suspected of running a SIM-swapping ring. 

    SIM-swapping attacks, also known as SIM hijacking, occur when criminals attempt to take over your phone number. As our mobiles are now central hubs used in second-stage account verification, including through two-factor authentication (2FA) text messages or apps, being able to dupe carriers into handing over control means that victims may lose access to their online accounts and services. SIM-swaps usually lead to the theft of funds from bank accounts and cryptocurrency wallets. Last year, a UK national was indicted by US law enforcement for allegedly performing a SIM-swap to steal $784,000 in cryptocurrency, and as one of our own writers experienced, funds can be stolen to make cryptocurrency purchases that are then sent to attacker-controlled wallets.

    So-called ‘porting’ of a phone number occurs when a criminal uses stolen information and social engineering to pretend to be a carrier’s customer and makes the request for a number transfer or for a duplicate SIM to be sent out. Even if a victim quickly realizes something is wrong, a short time window is all that is needed to cause serious damage.

    In the case investigated by Spain’s National Police, eight suspects allegedly used phishing texts, emails, and instant messages to masquerade as banks. Victims would then hand over their sensitive, personal data and bank details, providing the information required for social engineering attempts. Now armed with this information, the suspects reportedly contacted carriers and requested duplicate SIM cards for their victims’ phone numbers.

    SIM-swap attacks would then be performed, in which the telephone numbers linked to the bank accounts would, for a time, be under the criminal’s control. It was then possible for the cybercriminals to intercept the 2FA codes sent by the victim’s bank to access their accounts and conduct fraudulent transactions. The police say that the suspects also “falsified official documents.” In particular, photocopies of Documento nacional de identidad (DNI) identity cards were shown to staff, in which photographs were manipulated to make the fraudster appear to be the legitimate handset owner.

    The eight individuals, seven located in Barcelona and one in Seville, are being detained. According to the National Police, law enforcement first caught wind of the scheme in March 2021, when complaints were made relating to fraudulent bank transfers. “Although the initial steps took place in remote places, the investigations led the investigators to the province of Barcelona, where those now detained laundered the defrauded money operating through bank transfers and digital instant payment platforms,” officers said.

    In February, the Federal Bureau of Investigation (FBI) warned that SIM-swapping attack rates are increasing. According to the law enforcement agency, from January 2018 to December 2020, 320 SIM-swapping attack complaints were recorded, with losses reaching roughly $12 million. In 2021 alone, 1,611 SIM-swapping complaints were made with estimated damages of at least $68 million.