More stories

    Intel expands Bug Bounty program with 'Project Circuit Breaker' effort

    Intel announced the expansion of its Bug Bounty program this week, explaining in a statement that it plans to create a new effort called “Project Circuit Breaker.” The project will bring in an “elite” group of hackers to search for vulnerabilities in Intel’s firmware, hypervisors, GPUs, chipsets, and more. According to Intel, the program will involve “targeted time-boxed events on specific new platforms and technologies, providing training and creating opportunities for more hands-on collaboration with Intel engineers.”

    The first Project Circuit Breaker event, “Camping with Tigers,” started in December and includes 20 researchers who received systems with Intel Core i7 processors. The event will end in May, and Intel said bounty multipliers are being offered at three milestones for eligible vulnerabilities.

    Katie Noble, director of Intel’s Product Security Incident Response Team (PSIRT) and Bug Bounty, said the new program was possible due to the company’s “cutting-edge research community.” “This program is part of our effort to meet security researchers where they are and create more meaningful engagement,” Noble said. “We invest in and host bug bounty programs because they attract new perspectives on how to challenge emerging security threats — and Project Circuit Breaker is the next step in collaborating with researchers to strengthen the industry’s security assurance practices, especially when it comes to hardware.”

    Tom Garrison, vice president and general manager of client security strategy & initiatives at Intel, added: “As we aim to develop the most comprehensive security features, we also realize the incredible value of deeper collaborations with the community to identify potential vulnerabilities and mitigate them for the ongoing improvement of our products.”

    Intel has run its Bug Bounty Program since 2018. Intel said that 97 of the 113 externally found vulnerabilities reported in 2021 came in through the Bug Bounty program. The company’s security experts are also part of both the Bug Bounty Community of Interest and the Forum of Incident Response and Security Teams (FIRST). The announcement comes days after Cloudflare announced its own paid public bug bounty program hosted on HackerOne’s platform.

    Cybersecurity: Many managers just don't want to understand the risks

    Senior managers are putting businesses at risk of cyberattacks and data breaches because they don’t understand cybersecurity issues and, in some cases, don’t even want to learn about the dangers. According to research by cybersecurity company Trend Micro, just half of IT decision makers believe that their board understands cyber risks. Of the 5,321 IT leaders surveyed, 90% said that the C-suite isn’t focused on cybersecurity because it has other priorities, such as digital transformation or improving productivity, and as a result sees cybersecurity as a barrier to those goals.

    However, there is also a significant minority of board members who are actively not trying to learn about cybersecurity. According to the research, 26% don’t try hard enough to learn about cyber risks, while 20% simply don’t want to understand the cyber risks their organisation is facing.

    This lack of understanding is causing tension between information security teams and the boardroom, to such an extent that 82% of IT decision makers say they have felt pressured to downplay the severity of cyber risks to their board. Nearly a third of these individuals say this is a constant pressure, indicating that many boardrooms would prefer to bury their heads in the sand instead of tackling cybersecurity problems. Almost two-thirds (62%) said that the board would only sit up and take notice of cyber risks if the organisation suffered an attack or data breach, while 61% said it would be forced to take notice if customers demanded enhanced security, suggesting that the risk of losing business because of perceptions of poor security could finally make executives take note.

    But even when boardrooms and executives are concerned about cyberattacks and are engaging with cybersecurity leaders, detailing risks and how to manage them can still prove tricky, especially if execs start out with little technical understanding of the issues. It’s therefore vital that information security teams break things down for executives, explaining the issues regularly and, crucially, in ways that senior managers can understand.

    “More executives than ever understand that they have a responsibility to be informed, but they often feel overwhelmed by how rapidly the cybersecurity landscape evolves,” said Eva Chen, CEO of Trend Micro. “IT leaders need to communicate with their board in such a way that they can understand where the organization’s risk is and how they can best manage it,” she added.

    Steps that can help include formalising cybersecurity with documentation and metrics, and encouraging business-risk discussions around the issues. The report also recommends that the CISO report directly to the CEO, which exposes the CEO directly to cybersecurity issues and helps drive discussion of them.

    Microsoft: This Mac malware is getting smarter and more dangerous

    Microsoft has detailed the evolution of a relatively new piece of Mac malware called UpdateAgent that started out stealing system information in late 2020 but has morphed into a tool for delivering adware and potentially other threats. One of UpdateAgent’s newest and most potent features is the ability to bypass Apple’s built-in Gatekeeper system that is meant to allow only trusted, signed apps to run on Macs. 

    Microsoft flagged the malware now because it appears to be under continuous development. Today it installs an “unusually persistent” adware threat called Adload, but Microsoft cautions that it could be used to distribute other, more dangerous payloads in future; Microsoft also found that its operators host additional payloads on Amazon Web Services’ S3 and CloudFront services.

    While it does require the victim to install an app masquerading as legitimate software, such as a video app or support agent promoted in ad pop-ups, the ability to bypass Gatekeeper controls is significant. It can also use existing user permissions to delete evidence of its presence on a system.

    Since it was first seen between September and December 2020, when it was only an information stealer, the malware has undergone several upgrades to improve persistence, allowing it to remain on a system after users sign in to the affected device. By January 2021 it could fetch secondary payloads as .dmg files from public cloud providers. In March 2021 it was updated again to fetch compressed .zip files instead of .dmg files, and tweaked to prevent Gatekeeper from displaying the pop-up warning that a file is from an “unidentified developer”. Then in August it gained the ability to inject persistent code that ran as root in a background process invisible to the user.

    “UpdateAgent is uniquely characterized by its gradual upgrading of persistence techniques, a key feature that indicates this trojan will likely continue to use more sophisticated techniques in future campaigns,” Microsoft says in a blog post, cautioning that it could follow the trajectory of malware common on Windows. “Like many information-stealers found on other platforms, the malware attempts to infiltrate macOS machines to steal data and it is associated with other types of malicious payloads, increasing the chances of multiple infections on a device.”

    UpdateAgent’s makers started distributing Adload as a secondary payload in October 2021, when Microsoft raised an alarm that it was distributing malware through public cloud providers. Microsoft says it has coordinated with AWS to remove malicious links from its cloud services. Adload is capable of opening a backdoor to install other payloads.

    “Once adware is installed, it uses ad injection software and techniques to intercept a device’s online communications and redirect users’ traffic through the adware operators’ servers, injecting advertisements and promotions into webpages and search results,” Microsoft notes. “More specifically, Adload leverages a Person-in-The-Middle (PiTM) attack by installing a web proxy to hijack search engine results and inject advertisements into webpages, thereby siphoning ad revenue from official website holders to the adware operators.”

    Microsoft is interested in Mac malware because more enterprises support non-Windows devices on corporate networks. It is encouraging defenders to use its Edge browser on macOS, since it supports Microsoft Defender SmartScreen for blocking malicious websites. Meanwhile, Microsoft Defender for Endpoint can be used to detect UpdateAgent’s misuse of Apple’s PlistBuddy tool, which edits the property list (plist) files that configure macOS applications and launchd jobs.
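    The persistence the article describes (a background job, later running as root, set up by editing plist files) is the kind of thing a defender can triage directly from the launchd directories. The script below is an added example written for this page; it is not Microsoft’s detection logic, and the two plists it contains are constructed, not samples from UpdateAgent. It parses launchd job plists with the standard library and flags always-on jobs whose binary lives in a temp, shared or hidden path, and root LaunchDaemons whose binary sits inside a user’s home directory. Directory names and the heuristics themselves are my choices, not details from the article.

```python
"""Triage launchd job plists for UpdateAgent-style persistence (added example)."""
import glob
import os
import plistlib
from dataclasses import dataclass, field

# Directories where a legitimate launchd job's binary should not normally live.
SUSPICIOUS_PREFIXES = ("/tmp/", "/private/tmp/", "/var/folders/", "/Users/Shared/")


@dataclass
class Finding:
    label: str
    program: str
    reasons: list = field(default_factory=list)


def program_of(job: dict) -> str:
    """launchd accepts either Program or ProgramArguments[0] as the executable."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else ""


def triage_job(job: dict, kind: str) -> Finding:
    """kind is 'daemon' (/Library/LaunchDaemons, runs as root) or 'agent'."""
    prog = program_of(job)
    finding = Finding(job.get("Label", "<no label>"), prog)
    always_on = bool(job.get("RunAtLoad")) or bool(job.get("KeepAlive"))
    if always_on and prog.startswith(SUSPICIOUS_PREFIXES):
        finding.reasons.append("always-on job runs a binary from a temp/shared directory")
    if any(part.startswith(".") for part in prog.split("/") if part):
        finding.reasons.append("binary path contains a hidden (dot) component")
    if kind == "daemon" and prog.startswith("/Users/"):
        finding.reasons.append("root LaunchDaemon executes a binary from a user home directory")
    return finding


def triage_plist(data: bytes, kind: str) -> Finding:
    """Parse XML or binary plist bytes and triage the resulting job dictionary."""
    return triage_job(plistlib.loads(data), kind)


def scan_directory(directory: str, kind: str) -> list:
    """Triage every .plist in a launchd directory; returns only jobs with findings."""
    results = []
    for path in sorted(glob.glob(os.path.join(directory, "*.plist"))):
        try:
            with open(path, "rb") as fh:
                finding = triage_plist(fh.read(), kind)
        except (plistlib.InvalidFileException, OSError):
            continue  # unreadable or not a plist; not a verdict either way
        if finding.reasons:
            results.append((path, finding))
    return results


# Constructed sample 1: what a vendor's update agent typically looks like.
BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/updater</string>
    <string>--check</string></array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

# Constructed sample 2: root daemon pointing at a hidden binary in a user's home.
SUSPECT_DAEMON = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.helper.agent</string>
  <key>ProgramArguments</key><array>
    <string>/Users/alice/Library/Application Support/.helper/agent</string></array>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    for name, blob, kind in (("benign", BENIGN_AGENT, "agent"),
                             ("suspect", SUSPECT_DAEMON, "daemon")):
        f = triage_plist(blob, kind)
        print(name, f.label, f.program, f.reasons or "no findings")
    # On a live Mac: scan_directory("/Library/LaunchDaemons", "daemon"), then the
    # LaunchAgents directories under /Library and each user's ~/Library.
```

    A hit here is a lead, not a verdict: the next step is to check the binary’s code signature and whether it still carries the com.apple.quarantine extended attribute (`xattr -p com.apple.quarantine <path>`), since suppressing Gatekeeper’s “unidentified developer” prompt is normally done by stripping that attribute from the downloaded file; that mechanism is general macOS knowledge, not a detail the article states about UpdateAgent.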

    More than $8 million made from NFT wash trading: Chainalysis

    Blockchain analysis firm Chainalysis said 110 NFT wash traders collectively made about $8.9 million in profit in 2021. The company defines “wash trading” as transactions where the seller is on both sides of the trade and attempts to paint a misleading picture of an asset’s value and liquidity.

    The finding was part of a larger report on wash trading and money laundering in the NFT industry. The research only captures trades made in Ethereum and Wrapped Ethereum, so a significant amount of wash trading activity falls outside it. Chainalysis said it tracked a minimum of $44.2 billion worth of cryptocurrency sent to NFT-related smart contracts last year, up from just $106 million in 2020. But alongside that large increase in legitimate NFT business, Chainalysis said it found actors wash trading to artificially increase the value of NFTs, and money laundering through the purchase of NFTs.

    “In the case of NFT wash trading, the goal would be to make one’s NFT appear more valuable than it really is by ‘selling it’ to a new wallet the original owner also controls. In theory, this would be relatively easy with NFTs, as many NFT trading platforms allow users to trade by simply connecting their wallet to the platform, with no need to identify themselves,” the researchers explained. “With blockchain analysis, however, we can track NFT wash trading by analyzing sales of NFTs to addresses that were self-financed, meaning they were funded either by the selling address or by the address that initially funded the selling address. Analysis of NFT sales to self-financed addresses shows that some NFT sellers have conducted hundreds of wash trades.”

    They found 262 users who have sold an NFT to a self-financed address more than 25 times, with over half losing money due to gas fees. The 110 traders who made a profit brought in a total of about $8.9 million, while the rest lost a total of $416,984. The report adds that the money made “is most likely derived from sales to unsuspecting buyers who believe the NFT they’re purchasing has been growing in value, sold from one distinct collector to another.”
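    The self-financed-buyer test quoted above is simple enough to implement against a transfer log. The script below is an added example written for this page, not Chainalysis code; every address, transfer and price in it is constructed. It flags a sale when the buyer was funded by the seller or by the address that first funded the seller, counts flagged sales per seller against the report’s “more than 25” threshold, and then does two things the article does not spell out and which are my additions: it groups seller and flagged buyers into a cluster so that the eventual sale of a washed token to an outsider can be netted against the gas spent on the wash trades (the profit-versus-gas picture the report gives), and it lets you exclude service addresses such as exchanges, because without that every other customer of the seller’s exchange would look “self-financed”.

```python
"""Self-financed-buyer heuristic for NFT wash trading (added example, constructed data)."""
from collections import Counter, defaultdict

# Constructed ETH transfers: (from, to, amount_eth), in chronological order.
FUNDING = [
    ("exch", "seller", 5.0),    # seller's first (and only) funder is an exchange
    ("seller", "sock_a", 0.5),  # seller tops up two fresh wallets it controls
    ("seller", "sock_b", 0.5),
    ("exch", "buyer", 2.0),     # unrelated customer of the same exchange
    ("other", "victim", 4.0),   # unrelated buyer funded elsewhere
]

# Constructed NFT sales: (seller, buyer, token, price_eth, gas_eth).
SALES = [
    ("seller", "sock_a", "punk1", 1.0, 0.010),  # wash: buyer funded by seller
    ("sock_a", "sock_b", "punk1", 3.0, 0.010),  # wash: buyer funded by sock_a's first funder
    ("sock_b", "victim", "punk1", 4.0, 0.012),  # exit sale to an outsider
    ("seller", "buyer", "punk2", 1.5, 0.010),   # legitimate: buyer shares only the exchange
    ("seller", "sock_a", "punk3", 2.0, 0.010),  # wash
]

SERVICE_ADDRESSES = frozenset({"exch"})  # hypothetical known-exchange list


def index_funding(funding):
    """Map each address to every funder and to its first funder."""
    funders = defaultdict(set)
    first_funder = {}
    for src, dst, _amount in funding:
        funders[dst].add(src)
        first_funder.setdefault(dst, src)
    return funders, first_funder


def is_self_financed(seller, buyer, funders, first_funder, services):
    """Chainalysis rule: buyer funded by the seller, or by the seller's initial funder."""
    if seller in funders[buyer]:
        return True
    root = first_funder.get(seller)
    return root is not None and root not in services and root in funders[buyer]


class UnionFind:
    def __init__(self):
        self.parent = {}

    def find(self, a):
        self.parent.setdefault(a, a)
        while self.parent[a] != a:
            self.parent[a] = self.parent[self.parent[a]]
            a = self.parent[a]
        return a

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def analyze(funding, sales, services=SERVICE_ADDRESSES, min_wash_sales=25):
    """Per-seller wash counts, sellers over the threshold, and per-cluster net profit."""
    funders, first_funder = index_funding(funding)
    flags = [is_self_financed(s, b, funders, first_funder, services) for s, b, *_ in sales]
    per_seller, clusters, washed_tokens = Counter(), UnionFind(), set()
    for (seller, buyer, token, _p, _g), flagged in zip(sales, flags):
        if flagged:
            per_seller[seller] += 1
            clusters.union(seller, buyer)
            washed_tokens.add(token)
    stats = defaultdict(lambda: {"members": set(), "wash_sales": 0,
                                 "wash_gas": 0.0, "outside_revenue": 0.0})
    for (seller, buyer, token, price, gas), flagged in zip(sales, flags):
        if flagged:
            st = stats[clusters.find(seller)]
            st["members"].update((seller, buyer))
            st["wash_sales"] += 1
            st["wash_gas"] += gas  # wash legs only cost gas; the price stays in-house
        elif token in washed_tokens and seller in clusters.parent:
            # A washed token sold to someone outside the cluster: the payoff.
            if buyer not in clusters.parent or clusters.find(buyer) != clusters.find(seller):
                stats[clusters.find(seller)]["outside_revenue"] += price
    for st in stats.values():
        st["net_profit"] = st["outside_revenue"] - st["wash_gas"]
    suspects = sorted(a for a, n in per_seller.items() if n > min_wash_sales)
    return {"per_seller": dict(per_seller), "suspects": suspects, "clusters": dict(stats)}


if __name__ == "__main__":
    report = analyze(FUNDING, SALES, min_wash_sales=1)  # low threshold for the toy data
    print("self-financed sales per seller:", report["per_seller"])
    for root, st in report["clusters"].items():
        print(root, sorted(st["members"]), "net profit", round(st["net_profit"], 4))
```

    Running it with `services=frozenset()` shows why the exclusion matters: the genuine buyer in the sample, who merely withdrew from the same exchange as the seller, becomes a third “wash” counterparty and joins the cluster. The heuristic as stated is also one-directional; a token sold from a sock wallet back to its funder is only caught if the analysis is repeated from the sock wallet’s side.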

    When it comes to money laundering, Chainalysis said value sent to NFT marketplaces by illicit addresses jumped significantly in the third quarter of 2021, crossing $1 million worth of cryptocurrency. “The figure grew again in the fourth quarter, topping out at just under $1.4 million. In both quarters, the vast majority of this activity came from scam-associated addresses sending funds to NFT marketplaces to make purchases. Both quarters also saw significant amounts of stolen funds sent to marketplaces as well,” the company said. “Perhaps most concerningly, in the fourth quarter, we saw roughly $284,000 worth of cryptocurrency sent to NFT marketplaces from addresses with sanctions risk. All of that was due to transfers from the P2P exchange Chatex, which was added to OFAC’s SDN list last year.”

    Kim Grauer, head of research at Chainalysis, told ZDNet that she hoped the report would demonstrate to those involved that wash trading NFTs isn’t a great strategy, because it usually isn’t profitable and it is traceable.

    3D printed guns, underground markets, bomb manuals: police crackdown continues

    Law enforcement continues to tackle information online considered to be dangerous, with bomb manuals the subject of a new operation. 

    As internet access shifted from a luxury made possible through dial-up to something akin to a human right in many countries, the web became a catalyst for new business models, e-commerce, new means of communication, and a critical channel for education, especially during COVID-19 stay-at-home orders. But when it comes to education and e-commerce, law enforcement worldwide has taken different stances on what is allowable, and some topics, guides, and trading posts become the subjects of investigations and, in some cases, seizures or takedowns.

    Underground marketplaces including AlphaBay, Silk Road, DarkMarket and, more recently, CanadianHQ have been shut down by police. These platforms were used to sell everything from narcotics to weapons and malware.

    The debate surrounding the free flow of information online came to a head years ago over Defense Distributed, created by Cody Wilson. The website offered blueprints for 3D-printed guns in the public domain, allowing users to ‘print’ their own at home, but US court orders made under US arms export regulations were imposed to try to stop the distribution of the CAD files.

    In Europe, bomb manuals are now a hot topic for law enforcement. On February 1, Europol brought together agencies from France, Germany, Hungary, Italy, the Netherlands, Portugal, Spain, Switzerland and the UK under a “Referral Action Day” to wipe out dangerous content online.

    Specifically, Europol says that “content on explosive chemical precursors”, in other words instruction manuals for making explosives, was targeted under an anti-terrorism action. The agency says this content was “being shared among terrorist supporting networks, including jihadist, right-wing and left-wing terrorist networks.” In total, 563 pieces of content on 106 websites were referred to online service providers for voluntary removal. The files included manuals and tutorials on how to make bombs using precursors as well as instructions on “how to prepare and carry out terrorist attacks,” Europol says.

    Such content may in future be handled through the European platform for takedown of illegal content online / Plateforme Européenne de Retraits de Contenus illégaux sur Internet (PERCI), a platform in Europol’s roadmap (.PDF) that could shift takedowns from voluntary to mandatory, potentially in the coming months, increasing the power of law enforcement to tackle online content. “This platform is a technical solution built by Europol and managed by the EU IRU to facilitate the implementation of the new regulation,” Europol says. “Before this, the process to take down terrorist content online was entirely voluntary on the part of the tech companies.”

    China condemns US ban on telco, urges need for fair treatment

    Beijing has lashed out at the US government’s decision to ban China Unicom from offering its services in the US, describing the move as baseless. It vows to safeguard the “legitimate rights and interests” of Chinese businesses operating in the US market. China’s Ministry of Industry and Information Technology (MIIT) said it strongly opposed a move by the US Federal Communications Commission (FCC) to revoke China Unicom’s licence, effectively banning the state-owned Chinese telco from providing services in the US market. In its statement, the FCC had said China Unicom posed national security risks as it was subject to exploitation and control by the Chinese government. “[China Unicom] is highly likely to be forced to comply with Chinese government requests without sufficient legal procedures subject to independent judicial oversight,” the US government agency said. MIIT said Thursday the FCC did not provide facts to back its allegations and overgeneralised national security issues to suppress Chinese businesses. Describing the US agency’s move as an abuse of state power, MIIT said the Chinese government would take necessary measures to protect the legitimate rights and interests of its organisations that invested and operated in the US. MIIT further noted that China Unicom had been operating in the US for two decades and had abided by US laws and regulations, according to a report by state-run Chinese newspaper, China Daily. It called on the FCC to reverse its decision and provide a “fair, just, and nondiscriminatory” environment for Chinese companies operating in the US market. 

    For its part, China Unicom Global said on Thursday that the FCC’s move was without justification, China Daily reported. The telco said its US outfit had a “good record” of complying with relevant US laws, and added that the FCC order was issued “without affording required due process”. “China Unicom Americas would act proactively to protect the rights and interests of the company and its customers,” it said.

    China Telecom has also been banned from operating in the US, leaving China Mobile as the remaining major Chinese telco allowed to provide services there. The US government in January 2021 ordered the delisting of three Chinese telcos from the New York Stock Exchange: China Telecom, China Mobile, and China Unicom Hong Kong.

    eSafety worried proposed anti-trolling laws may be used in vigilante-style justice

    Australia’s eSafety Commissioner Julie Inman Grant has criticised the federal government’s proposed anti-trolling legislation, saying it may be misused because it contains nothing explicitly aimed at preventing cyberbullying and online abuse. “I think [the anti-trolling Bill] can lend itself to a lot of retaliation, a lot of vigilante-style justice,” said Inman Grant, who was reappointed to the eSafety Commissioner post a fortnight ago. “I do worry about what that would mean in terms of giving individuals that kind of information, and that might be an IP address, or MAC address, or a device ID that the everyday person can’t do much with.”

    Inman Grant made these comments before the Select Committee on Social Media and Online Safety, which was set up by the federal government late last year with the intention of building on the proposed anti-trolling laws. In explaining her concerns, Inman Grant said the Bill does not contain a single element addressing “trolls”, with the proposed legislation focused instead on defamation. In the lead-up to the Bill’s exposure draft being released, Australian Prime Minister Scott Morrison said the proposed laws would be used to reduce online abuse and ultimately “unmask anonymous online trolls”. “There is no place for people to be anonymously going round and undertaking this horrific abuse and harassment and stalking online,” Morrison said at the time.

    “Anonymous trolls are on notice, you will be named and held to account for what you say. Big tech companies are on notice, remove the shield of anonymity or be held to account for what you publish.”

    As currently drafted, the anti-trolling laws would require social media platforms to have a complaints scheme in place that allows victims of defamatory comments to both make complaints and request the personal information of the maker of those comments. In setting out which comments fall within the proposed laws’ scope, the Bill does not require the comments to involve cyberbullying or online abuse. Since the release of the Bill’s exposure draft, experts have been quick to flag that the laws would have a limited impact on online abuse. According to Elise Thomas, an open-source intelligence analyst at the Institute for Strategic Dialogue, social media users are already happy to make cruel comments under their own names.

    When asked about the doubt surrounding the Bill’s efficacy, Inman Grant said she was concerned that the proposed laws would most likely not live up to the initial expectation of “unmasking trolls”. “It’s probably a defamation reform bill. That does create some confusion with the public and what my primary concern is making sure we’re seeing the right expectations for the public so they know where to go when they experience personal harms or are a victim of online abuse,” she said.

    Earlier on Thursday, Facebook whistleblower Frances Haugen testified to the same committee that the platform deliberately provides less help, reporting of online abuse, and safety to Australian users to save on costs. “I’m sure on a per capita basis there is less help, less support, and less safety for Australians because Facebook knows it operates in the dark. Where they don’t have to, they don’t apologise about anything,” Haugen told the committee.

    Over the past few weeks, the select committee has heard from various government agencies and tech giants about social media’s role in online abuse. The committee is set to deliver the inquiry’s findings later this month.

    UEFI firmware vulnerabilities affecting Fujitsu, Intel and more discovered

    Researchers have discovered 23 “high-impact vulnerabilities” affecting vendors that adopted Independent BIOS Developer (IBV) code into their Unified Extensible Firmware Interface (UEFI) firmware. Binarly explained the vulnerabilities in a blog post this week, confirming that “all these vulnerabilities are found in several of the major enterprise vendor ecosystems”, including Fujitsu, Siemens, Dell, HP, HPE, Lenovo, Microsoft, Intel and Bull Atos. CERT/CC confirmed that Fujitsu, Insyde and Intel were affected but left the others tagged as “unknown”, urging anyone affected to update to the latest stable firmware version.

    According to the blog, the majority of the vulnerabilities lead to code execution with SMM (System Management Mode) privileges and carry severity ratings between 7.5 and 8.2. “The root cause of the problem was found in the reference code associated with InsydeH2O firmware framework code. All of the aforementioned vendors were using Insyde-based firmware SDK to develop their pieces of firmware,” Binarly wrote. “We had a short discussion with Fujitsu PSIRT and came to the conclusion that we should report all those issues to CERT/CC to lead an industry-wide disclosure. This is how the VU#796611 was created and how Binarly collaboration with CERT/CC began in September 2021.”

    Binarly commended Fujitsu, Intel and others for responding quickly and fixing the vulnerabilities. UEFI provider Insyde Software said it worked with Binarly to resolve the vulnerabilities and has released firmware updates for all the issues listed. “We are extremely thankful for Binarly’s work in discovering the items outlined in today’s published security disclosures,” said Tim Lewis, CTO at Insyde Software, on Tuesday.

    “We appreciated Insyde Software’s prompt and professional response to the results of our analysis on their firmware,” said Alex Matrosov, founder and CEO of Binarly.

    The vulnerabilities are tracked as CVE-2020-27339, CVE-2020-5953, CVE-2021-33625, CVE-2021-33626, CVE-2021-33627, CVE-2021-41837, CVE-2021-41838, CVE-2021-41839, CVE-2021-41840, CVE-2021-41841, CVE-2021-42059, CVE-2021-42060, CVE-2021-42113, CVE-2021-42554, CVE-2021-43323, CVE-2021-43522, CVE-2021-43615, CVE-2021-45969, CVE-2021-45970, CVE-2021-45971, CVE-2022-24030, CVE-2022-24031 and CVE-2022-24069.

    “A local attacker with administrative privileges (in some cases a remote attacker with administrative privileges) can use malicious software to perform any of the following: Invalidate many hardware security features (SecureBoot, Intel BootGuard), install persistent software that cannot be easily erased and create backdoors and back communications channels to exfiltrate sensitive data,” CERT/CC explained.

    Mike Parkin, engineer at Vulcan Cyber, said any vulnerability that lets an attacker manipulate or alter a system’s BIOS can have potentially devastating consequences. “Fortunately, the attack described here requires privileged access to execute. This isn’t uncommon with BIOS attacks in that they require some level of privilege or physical access to implement. But that doesn’t mean we can ignore them. For a threat actor, the value of embedding malicious code in the BIOS makes the effort worthwhile,” Parkin said. “The issue will be identifying all the systems that are affected by these vulnerabilities and rolling out the updates once they are available from the vendor. System BIOS updates are often more involved and time consuming than a simple system patch, which makes finding and fixing them all somewhat challenging.”

    Viakoo CEO Bud Broomhead noted that the issue is similar to recent open source vulnerabilities such as Log4j and PwnKit, because vulnerabilities in the Insyde UEFI layer are difficult to patch quickly at scale: each of the many manufacturers has to produce and distribute its own patch to end users, and it is then up to the end user how quickly the patch is installed. Unless patched, these vulnerabilities provide a direct path for threat actors to deploy malware within the OS layer, or even to brick devices, he added. “This disclosure reinforces the need to ensure that all assets can be quickly located through an automated discovery and threat assessment solution, followed by an automated method to patch or upgrade the system firmware. The need to quickly patch multiple forms of devices (IT, IoT, OT, ICS, etc) is now way beyond any organization’s ability to manually implement security fixes,” Broomhead said. “Organizations will be dealing with this for a while; because multiple system manufacturers using Insyde UEFI are impacted by this there are likely many devices in the supply chain that will be delivered over the next few months to end users. Organizations will need to revisit how they are provisioning and onboarding new devices to ensure they are not continuing to distribute devices that can be easily exploited by cyber criminals.”
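    Both Parkin and Broomhead land on the same practical problem: finding which machines run Insyde-derived firmware and which of those are still below the version the OEM’s advisory names as fixed. The script below is an added example written for this page; it is not Binarly, CERT/CC or vendor tooling. It pulls the SMBIOS Type 0 (BIOS Information) fields from `dmidecode -t bios` output or from Linux sysfs, checks the vendor string for Insyde, and compares the firmware version with a fixed version the operator supplies from the OEM advisory. The sample dmidecode output and the FIXED_VERSIONS table are constructed placeholders, not real advisory data, and the version parsing is a generic numeric-tuple comparison that will need adjusting for OEMs with other version formats.

```python
"""Fleet triage for Insyde-based UEFI advisories (added example; constructed data)."""
import re
from pathlib import Path

SAMPLE_DMIDECODE = """\
# dmidecode 3.3
Getting SMBIOS data from sysfs.
SMBIOS 3.2.0 present.

Handle 0x0000, DMI type 0, 26 bytes
BIOS Information
\tVendor: INSYDE Corp.
\tVersion: V1.07
\tRelease Date: 03/18/2021
\tROM Size: 16 MB
\tCharacteristics:
\t\tPCI is supported
\t\tUEFI is supported
\tBIOS Revision: 1.7

Handle 0x0001, DMI type 1, 27 bytes
System Information
\tManufacturer: ExampleOEM
\tProduct Name: Laptop 15
"""


def parse_dmidecode_bios(text: str) -> dict:
    """Pull Vendor / Version / Release Date out of the 'BIOS Information' record."""
    info, in_bios = {}, False
    for line in text.splitlines():
        if line.strip() == "BIOS Information":
            in_bios = True
            continue
        if in_bios and line and not line[0].isspace():
            break  # an unindented line means the next SMBIOS record has started
        if in_bios:
            m = re.match(r"\s*(Vendor|Version|Release Date):\s*(.*)", line)
            if m:
                info[m.group(1)] = m.group(2).strip()
    return info


def read_sysfs_bios(root: str = "/sys/class/dmi/id") -> dict:
    """Same three fields from Linux sysfs; these files are world-readable."""
    names = {"Vendor": "bios_vendor", "Version": "bios_version", "Release Date": "bios_date"}
    info = {}
    for key, fname in names.items():
        p = Path(root) / fname
        if p.exists():
            info[key] = p.read_text().strip()
    return info


def is_insyde(info: dict) -> bool:
    """Vendor-string check only. OEMs sometimes rebrand the string, so False does not
    prove the image is not Insyde-derived; the OEM advisory for the model is authoritative."""
    return "insyde" in info.get("Vendor", "").lower()


def version_tuple(version: str) -> tuple:
    """'V1.07' -> (1, 7). Good enough for dotted numeric schemes; adjust per OEM."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def needs_update(info: dict, fixed_version: str) -> bool:
    """True when the reported version sorts below the fixed one (or is missing)."""
    return version_tuple(info.get("Version", "")) < version_tuple(fixed_version)


# Hypothetical per-model minimum versions an operator would fill in from OEM advisories.
FIXED_VERSIONS = {"Laptop 15": "V1.12"}

if __name__ == "__main__":
    info = read_sysfs_bios() or parse_dmidecode_bios(SAMPLE_DMIDECODE)
    model = "Laptop 15"  # on a real host take this from the Type 1 'Product Name'
    print(info)
    if is_insyde(info):
        fixed = FIXED_VERSIONS.get(model)
        state = "unknown model" if fixed is None else ("UPDATE" if needs_update(info, fixed) else "ok")
        print(f"Insyde-based firmware, model {model}: {state}")
```

    The Type 0 record is what every inventory agent already collects, so the same logic can run over exported CMDB data rather than on each host. Treat a clean result as provisional for the reason the article gives: machines still in the supply chain may arrive with the vulnerable image, so the check belongs in device onboarding as well as in the one-off sweep.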