More stories

  • Updates released for multiple vulnerabilities found in 42 Gears' SureMDM products

    Multiple vulnerabilities have been discovered in the SureMDM device management solution sold by 42 Gears, prompting the company to release a series of updates to address the issues. Immersive Labs published a detailed breakdown of the vulnerabilities — one of which is critical — that affect SureMDM’s Linux agent and the web console. Kevin Breen, director of cyber threat research at Immersive Labs, told ZDNet that the company says it has more than five million successful deployments worldwide and 18,000 customers. 

    It is unclear how many customers use the affected products, but Breen said anyone running the Linux version listed in the post was exposed to those vulnerabilities, and anyone who used the web console was also exposed until December. “The more concerning set of vulnerabilities were the ones affecting the web console. These vulnerabilities could have allowed an attacker to gain code execution over individual devices, desktops or servers using the SureMDM web dashboard. By chaining the vulnerabilities affecting the web console together, an attacker could disable security tools and install malware or other malicious code onto every Linux, MacOS or Android device with SureMDM installed. An attacker does not need to know customer details to achieve this or even have an account on SureMDM,” Breen explained. “Once the attacker has sent the exploit to every customer account, they would simply need to wait for the first user to log into the SureMDM web console for the payload to be executed. Upon login, the web application would automatically start the infected jobs that would affect every managed device in the organization.” Breen added that the second set of vulnerabilities, affecting hosts running the Linux Agent for SureMDM, would have allowed attackers to gain remote code execution on hosts as the root user. The issue “could also be exploited with local access to the affected hosts in order to escalate privileges from standard to root user,” Breen noted. 42 Gears released updates in November and January after working with Immersive Labs on the issue since July 2021. Immersive Labs noted that the company released multiple updates throughout the summer before finally addressing the vulnerabilities they found.

    Casey Bisson, head of product growth at BluBracket, said the vulnerabilities are a big deal because individually, they are all problematic, but collectively, they constitute a serious risk for users. 


    “Additionally, the workflow that led to a team building and shipping an app with so many vulnerabilities is particularly worrisome, even if we do not yet know how widespread the impact of these vulnerabilities is. Vulnerabilities like these are the unfortunate byproduct of the speed with which software is developed and shipped,” Bisson said. “It’s easy to criticize each of them as obvious or easy to avoid with good engineering, but the reality is that many of these types of vulnerabilities are fairly common. Organizations have no idea what risks they have in their code because they don’t scan for them. There is a systemic breakdown of processes and the application of key technologies that are allowing these vulnerabilities to get to market.”

    Vulcan Cyber engineer Mike Parkin noted that the series of issues discovered highlights the fact that vulnerabilities are often found in clusters rather than as a standalone problem. That researchers found new problems as the developer fixed the ones that had been reported is something threat actors also do, Parkin said. “The timeline is notable for the back and forth between the research team and the vendor, how long it took to get fixes in place, and how new vulnerabilities came to light during the process,” Parkin told ZDNet.

    Bugcrowd founder Casey Ellis took a more positive view of the situation, pointing to the timeline provided by Immersive Labs. The timeline and associated narrative demonstrate openness from 42 Gears in responding to external security feedback, as well as highly organized and professional conduct from Immersive Labs to ensure their research — and the subsequent protection of the users of 42 Gears — was as complete and conducted in as safe a manner as possible, Ellis explained. “42 Gears is used widely enough to attract the attention of Immersive Labs, which is the data point which is most relevant here. These vulnerabilities look to be fairly impactful, but the thing that is striking to me about these issues is the amount of cooperation and collaboration in the timeline,” Ellis said. “Ideally, software would be perfect — but we know this isn’t always the case. After all, humans are responsible for writing it.”

  • The top reasons countries ask Google to remove content

    Google is the world’s number one search engine, with a 92.4% market share, according to Statista. It is not surprising then that the number of takedown requests made to Google by countries around the world continues to grow as our reliance on the internet keeps us online.

    Since 2009, Google has announced the number of content removal requests it receives from governments around the world in its annual Transparency Report, and there are some interesting trends in that data. Netherlands-based VPN company Surfshark has analysed these reports to see which countries have asked Google to remove the most content and the most common reasons for those requests. It filtered the data from the Transparency Report by location, the volume of requests between 2011 and 2020, the volume of requests in 2020 alone, and the top reason for requests in each country and globally. Its goal was to reveal which government bodies around the world submit the most requests to Google to remove content, and why.

    As a company, Google covers far more than just search engine requests and responses. Content removal can be requested across Google Docs, Google Play, Gmail, Maps, Photos, Ads and YouTube. But one of its products, YouTube, dominates takedown requests. Interestingly, YouTube receives more takedown requests than Google Search does. It tops the list of takedown requests in 2020 with 19,775 requests, with web search results not far behind at 19,198.

    There were even 37 requests for content removal on Google Maps. From 2011 to 2020, there were 101,015 takedown requests for YouTube, so requests in 2020 showed a significant jump in numbers.
    Surfshark’s findings show that Russia has sent Google more takedown requests over the past decade than all other countries combined, with 123,606 requests in total over the past ten years. Over one in three of those requests cite national security as the main reason.

    The US has made a total of 9,627 content removal requests since 2011, citing defamation — the act of damaging someone’s reputation through verbal or written communication — as the main reason. Although China has only issued 1,252 takedown requests over the past ten years, over three out of four of them (76.04%) cite violence as the main reason. Defamation is the most prevalent reason overall, with 10 of the 25 countries citing it most often. Less common reasons for takedown requests include Religious Offense (Pakistan), Violence (China), Fraud (Canada) and Government Criticism (Thailand and Vietnam).

    Removal requests from the US spiked in the Trump administration’s first year due to a 285.47% rise in fraud-related complaints. Almost one in ten of America’s 3,039,200 fraud victims in 2017 were tricked via internet or phone services. US Government removal requests have since fallen by 67.23% since 201.

    Google is not the only company to receive takedown requests; other companies such as Twitter also produce similar transparency reports. And Google, whilst dominating search and video viewing, does not control everything, according to the Transparency Report. The report explained that one of the reasons it did not remove content was that “the content has already been removed by the content owner”. Sometimes, Google even receives requests to ‘remove content from the internet’. Not even Google is that powerful, after all.

  • Ransomware: Over half of attacks are targeting these three industries

    Over half of ransomware attacks are targeting one of three industries: banking, utilities and retail, according to analysis by cybersecurity researchers, who also warn that all industries are at risk. The data was gathered by Trellix, formerly McAfee Enterprise and FireEye, from attacks detected between July and September 2021, a period in which some of the most high-profile ransomware attacks of the last year happened. According to Trellix’s detections, banking and finance was the most common target for ransomware during the reporting period, accounting for 22% of detected attacks. That’s followed by 20% of attacks targeting the utilities sector and 16% targeting retailers. Attacks against these three sectors alone account for 58% of all of those detected.

    Utilities is a particularly enticing industry for ransomware gangs to target, because it provides vital services to people and businesses, and if those services can’t be accessed the impact is immediate, as demonstrated by the ransomware attack against Colonial Pipeline, which led to gas shortages in the North Eastern United States. In that incident Colonial paid a ransom of millions to cyber criminals in order to receive the decryption key.

    Ransomware attacks against retailers can also have a significant impact, forcing shops to accept only cash payments, or even forcing them to close altogether while the issue is resolved, preventing people from buying the everyday items they need. Other sectors that were significant targets for ransomware include education, government and industrial services, a warning that, whichever sector they operate in, all organisations are potential targets.

    “Despite the financial, utilities and retail sectors accounting for nearly 60% of all ransomware detections, no business or industry is safe from attack, and these findings should act as a reminder of this,” said Fabien Rech, VP EMEA for Trellix. “As cybercriminals adapt their methods to target the most sensitive data and services, organisations must shore up their defences to mitigate further threats.”

    While several high-profile ransomware groups of 2021 seem to have disappeared or gone dark, particularly following arrests, new gangs and malware strains are emerging all the time, and ransomware remains a key cybersecurity threat to organisations around the world. To help protect networks against ransomware and other cyber attacks, organisations are advised to apply security updates to operating systems, applications and software promptly, which prevents attackers from exploiting known vulnerabilities. Organisations are also advised to apply multi-factor authentication across all accounts, and security teams should monitor for credential-stealing attacks and other suspicious activity in order to stop intrusions before they escalate.

  • Unsecured AWS server exposed 3TB in airport employee records

    An unsecured server has exposed sensitive data belonging to airport employees across Colombia and Peru. 


    On Monday, the SafetyDetectives cybersecurity team said the server belonged to Securitas. The Stockholm, Sweden-based company provides on-site guarding, electronic security solutions, enterprise risk management, and fire and safety services. In a report shared with ZDNet, SafetyDetectives said one of Securitas’s AWS S3 buckets was not appropriately secured, exposing over one million files on the internet. The server contained approximately 3TB of data dating back to 2018, including airport employee records. While the team was not able to examine every record, four airports were named in exposed files: El Dorado International Airport (COL), Alfonso Bonilla Aragón International Airport (COL), José María Córdova International Airport (COL), and Aeropuerto Internacional Jorge Chávez (PE).

    The misconfigured bucket, which did not require any authentication to access, contained two main datasets related to Securitas and airport employees. Among the records were ID card photos and personally identifiable information (PII), including names, photos, occupations, and national ID numbers. In addition, SafetyDetectives says that photographs of airline employees, planes, fueling lines, and luggage handling were also found in the bucket. EXIF metadata that had not been stripped from these photographs revealed the time and date the photographs were taken, as well as some GPS locations.
    “Considering Securitas’ strong presence throughout Colombia and the rest of Latin America, companies in other industries could have been exposed,” the researchers say. “It’s also probable that various other places that use Securitas’ security services are affected.”

    Application IDs listed within mobile apps were also stored in the bucket. The IDs were used for airport activities, including incident reports, which is what pointed the researchers to the likely owner in the first place. The researchers reached out to Securitas on October 28, 2021, and followed up on November 2 after receiving no response. Securitas then engaged with the team and secured the server the same day. Swedish CERT was also informed. ZDNet has reached out to Securitas and will update this article when we hear back.

  • Microsoft: Here's how we stopped the biggest ever DDoS attack

    Microsoft has revealed that in November it stopped what it described as the largest distributed denial of service (DDoS) attack ever reported. At 3.47 terabits per second (Tbps), it outsized the 2.4 Tbps DDoS Microsoft thwarted last year, which was then thought to be the largest in history. DDoS attacks harness the connectivity of many compromised devices and direct packets of data at a specific target, such as a website or internet service, with the aim of knocking it offline.


    Massive DDoS attacks measured in Tbps are becoming more common. According to Alethea Toh, a product manager on the Microsoft Azure networking team, Microsoft stopped two other DDoS attacks that exceeded 2.5 Tbps in December. The record-breaking 3.47 Tbps DDoS attack originated from approximately 10,000 sources: connected devices in the United States, China, South Korea, Russia, Thailand, India, Vietnam, Iran, Indonesia, and Taiwan. “We believe this to be the largest attack ever reported in history,” said Toh. The largest attacks last year used the User Datagram Protocol (UDP), while attacks focusing on gaming servers were carried out using variants of the Mirai DDoS botnet malware, which relies on compromised PCs and Internet of Things (IoT) devices. Like last year’s huge DDoS attack, the attack vector in the 3.47 Tbps DDoS attack was a UDP “reflection attack”, where UDP request and response packets are reflected within a local network using a source Internet Protocol (IP) address that has been spoofed by the attacker.

    An attacker abuses UDP by creating a valid UDP request that falsely lists a target’s IP address as the UDP source IP address. The attacker sends the spoofed UDP request to a middleman server, which then sends a larger number of UDP response packets to the target’s IP address rather than to the attacker’s actual IP address. The technique amplifies the size of a DDoS attack, and UDP is just one of several internet protocols that can be abused for amplification; the Domain Name System (DNS), the Network Time Protocol (NTP) and memcached are others. The 3.47 Tbps UDP reflection attack lasted only 15 minutes, Toh explains in a blog post. The two other attacks that surpassed 2.5 Tbps were also short bursts targeting servers in Asia. UDP was used in all three cases. The protocol has proved popular for these attacks because online-gaming servers can’t withstand high-volume attacks, even in short bursts, and because UDP is commonly used in gaming and streaming applications.

    “The majority of attacks on the gaming industry have been mutations of the Mirai botnet and low-volume UDP protocol attacks. An overwhelming majority were UDP spoof floods, while a small portion were UDP reflection and amplification attacks, mostly SSDP, Memcached, and NTP,” notes Toh. “Workloads that are highly sensitive to latency, such as multiplayer game servers, cannot tolerate such short burst UDP attacks. Outages of just a couple seconds can impact competitive matches, and outages lasting more than 10 seconds typically will end a match,” Toh explains.

    The gaming industry has been hit with multiple DDoS attacks this year affecting Titanfall, Escape from Tarkov, Dead by Daylight, and Final Fantasy, Microsoft notes. Voice over IP (VoIP) service providers were another heavily targeted group. The two other December attacks exceeding 2.5 Tbps were UDP attacks: one was a UDP attack on ports 80 and 443 in Asia that lasted 15 minutes with four main peaks, at 3.25 Tbps, 2.54 Tbps and 0.59 Tbps, and a final peak at 1.25 Tbps. The other lasted just five minutes and was a 2.55 Tbps UDP flood on port 443 with one single peak, Toh notes. Some 55% of DDoS attacks relied on UDP spoofing in 2021, and it became the main vector in the second half of the year. The US was the target of 54% of DDoS attacks, followed by India at 23%. DDoS activity in Europe, however, dropped from 19% in the first half of 2021 to just 6% in the second half, putting it behind East Asia, which was the target of 8% of DDoS attacks. Last year’s 2.4 Tbps attack was aimed at European Azure cloud users. Again, gaming adoption in East Asia made it a popular target.
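To make the reflection mechanism described above concrete from the defender's side, here is an added example (not code from the ZDNet article, from Microsoft, or from Toh's blog post) that scans constructed flow records for the signature a reflection victim sees: unsolicited UDP replies arriving from a well-known amplifier service port on many distinct source hosts. The flow record layout, the thresholds and the sample addresses are assumptions for illustration; the port-to-service mapping uses the standard ports for DNS, NTP, SSDP and memcached, the services named in the article.

```python
"""Flag UDP reflection/amplification traffic in constructed flow records.

Added example; not part of the ZDNet article or any vendor tooling.
Flow layout, thresholds and addresses are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Standard ports of UDP services that answer with more data than they receive
# and are therefore attractive as reflectors (DNS, NTP, SSDP, memcached).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP", 11211: "memcached"}


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow, as a NetFlow/IPFIX-style export would summarise it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    packets: int
    octets: int     # bytes carried by the flow


def find_reflection_targets(flows, min_sources=3, min_octets=100_000):
    """Return {dst_ip: {service: (distinct_sources, total_octets)}} for hosts that
    receive UDP traffic *from* a reflector service port on many distinct sources.

    A legitimate client sees a few replies from a handful of resolvers or time
    servers; a reflection victim sees unsolicited replies from thousands of
    them, because the attacker spoofed the victim's address in the requests.
    """
    # dst_ip -> service -> [set of reflector IPs, total octets]
    stats = defaultdict(lambda: defaultdict(lambda: [set(), 0]))
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        entry = stats[f.dst_ip][REFLECTOR_PORTS[f.src_port]]
        entry[0].add(f.src_ip)
        entry[1] += f.octets

    findings = {}
    for dst, per_service in stats.items():
        hits = {
            svc: (len(srcs), total)
            for svc, (srcs, total) in per_service.items()
            if len(srcs) >= min_sources and total >= min_octets
        }
        if hits:
            findings[dst] = hits
    return findings


# Constructed sample data (documentation address ranges, not real hosts):
# 192.0.2.5 is an ordinary client talking to one resolver; 203.0.113.10 is the
# victim, receiving NTP and memcached replies it never asked for from forty
# reflectors in 198.51.100.0/24, aimed at its ports 443 and 80 as in the story.
SAMPLE_FLOWS = [
    Flow("192.0.2.5", 41234, "198.51.100.250", 53, "udp", 1, 70),
    Flow("198.51.100.250", 53, "192.0.2.5", 41234, "udp", 1, 120),
]
for i in range(1, 41):
    SAMPLE_FLOWS.append(Flow(f"198.51.100.{i}", 123, "203.0.113.10", 443, "udp", 900, 430_000))
for i in range(1, 21):
    SAMPLE_FLOWS.append(Flow(f"198.51.100.{i}", 11211, "203.0.113.10", 80, "udp", 50, 70_000_000))

if __name__ == "__main__":
    for victim, hits in find_reflection_targets(SAMPLE_FLOWS).items():
        for svc, (n_sources, total) in hits.items():
            print(f"{victim}: {n_sources} distinct {svc} reflectors, {total / 1e6:.1f} MB")
```

The check keys on the source port rather than on volume alone because the victim never sent the matching requests, so the replies have no request flow to pair with; counting distinct reflector addresses per service is what separates a reflection burst from a busy but legitimate DNS or NTP client. On real exports the thresholds should be set from a baseline of the monitored network, and the `memcached` hit in particular is worth an immediate upstream rate limit given the amplification that service is known for.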

  • Get lifetime subscriptions to two apps that will keep your data safe online for $30


    Your data is not only in danger when you go online. It’s also at risk from hackers who can crack your passwords by using social engineering. So it’s absolutely necessary that you provide yourself with the strongest protection possible against both, and that’s exactly what The Lifetime Password Manager & Privacy Subscription Bundle offers.

    This deal comes with a lifetime subscription to KeepSolid’s VPN Unlimited, which is arguably the best service you could use to stay safe online. In addition to a zero-log policy, military-grade encryption and a kill switch, you have no limits on speed or bandwidth. With access to more than 400 blazing-fast servers in over 80 locations, you don’t have to worry about being prevented from watching your favorite content because of your location.

    But KeepSolid offers even more convenience with 24/7 customer service, as well as features such as Favorite Servers, Ping Tests, Trusted Networks and a whole lot more. Even better, all of this is available for as many as five of your devices. As VPN Special observes, “KeepSolid VPN Unlimited offers amazing services and its advanced features make it a solid VPN service provider.”

    Of course, as mentioned above, you still have to deal with protecting your passwords. Sticky Password Premium allows you to securely keep all of your passwords together, either on local storage or in the cloud, where you can access them with one master password. But the app can also automatically generate unique, encrypted passwords so that you won’t share the same one across multiple accounts.

    Sticky Password also lets you store other pieces of personal information, which you can use to fill out forms instantly. Although supremely secure, Sticky Password is easy to use, and it even lets you share passwords with others if necessary.

    Don’t pass up this opportunity to have maximum protection for your data. Get The Lifetime Password Manager & Privacy Subscription Bundle while it’s on sale for only $29.99. Prices are subject to change.


  • Prepare for CompTIA exams and refresh your resume with this $30 training bundle


    If you’re disappointed with the way your tech career is progressing, it may be because your resume doesn’t have all of the certifications that employers are looking for. One way to turn recruiters’ heads is by earning a CompTIA certification, but you’ll need to pass the vendor’s exams to do so. The 2022 Complete CompTIA Exam Certification Labs & PBQs Training Bundle contains prep material that can help you earn them for $29.99.

    These DojoLab courses include Performance-based Questions (PBQs) and labs that follow CompTIA’s exam curriculum. There are no lectures, but they give you a chance to practice your existing skills and become familiar with the type of questions you’ll face during the exams. You also get to be part of a community of fellow IT students and subject matter experts.

    “CompTIA A+ (220-1001)” prepares you for an entry-level certification that validates your ability to use the latest technology to support IT infrastructure at the enterprise level. “CompTIA A+ (220-1002)” covers Core 2, which includes the configuration and installation of operating systems, operational procedures, software troubleshooting, expanded security and more.

    You can refresh your knowledge of network architecture and validate your skills in deploying networks with “CompTIA Network+ (N10-007 & N10-008)”. The certification you can earn with “CompTIA Linux+ (XK0-004)” not only demonstrates your knowledge of all major Linux distributions but also advances your progress toward the advanced certifications.

    Cybersecurity skills are in great demand, so you definitely want yours certified in order to stand out among the competition when applying for the best jobs. “CompTIA Security+ (SY0-601)” will help you earn the certification of baseline skills that are required for core security functions.

    Don’t pass up this chance to learn what you need to know in order to pass your CompTIA exams on your first try. Get lifetime access to the 2022 Complete CompTIA Exam Certification Labs & PBQs Training Bundle while it’s on sale for only $29.99. Prices are subject to change.


  • QNAP users still struggling with Deadbolt ransomware after forced firmware updates

    QNAP Network Attached Storage (NAS) device users are still struggling to address a range of issues connected to the Deadbolt ransomware, which began infecting devices earlier this week. On Tuesday, QNAP NAS users flocked to Reddit and QNAP forums to report ransomware infections. Censys reported that of the 130,000 QNAP NAS devices it observed, 4,988 services “exhibited the telltale signs of this specific piece of ransomware.”

    On Friday afternoon, Censys updated its report, telling ZDNet that overnight, the number of exposed and ransomware-infected devices went down by 1,061 to 3,927.

    A map of the infected devices around the world. (Image: Censys)
    “Why this went down could be for any number of reasons; we’re still investigating to see if we can pinpoint the reasoning behind this,” a Censys spokesperson said, theorizing that the decrease could be attributed to a forced update from QNAP. On Wednesday, QNAP initially urged users to update to the latest version of QTS, the Linux-based operating system developed by the Taiwanese company to run on its devices. But Malwarebytes said QNAP pushed out an automatic, forced firmware update on Thursday containing the latest security fixes. “Later that day, QNAP took more drastic action and force-updated the firmware for all customers’ NAS devices to version 5.0.0.1891, the latest universal firmware which has been available since December 23rd, 2021,” Malwarebytes explained.

    “As you might expect after a forced update, a number of unexpected side-effects arose… The firmware update removed the ransomware executable and the ransom screen used to initiate decryption, which apparently caused some victims who had paid the ransom to be unable to proceed with decrypting the files after the update.”


    QNAP responded to the controversy over the forced update on Reddit. A company representative explained why it decided to force the update, noting that it had been urging users to update their systems since January 7. “In QTS there was a message in control panel/auto-update that ‘QTS/QuTS hero will enable recommended version update soon to protect nas from deadbolt.’ But I think a lot of people did not see that message. We are trying to increase protection against deadbolt. If recommended update is enabled under auto-update, then as soon as we have a security patch, it can be applied right away,” the company spokesperson said.

    The message drew several furious responses from people who said the forced update caused a number of downstream issues. Others said it was concerning that the company had a backdoor into their systems, while some said the forced update did little to actually address the issues of people who had already been infected with Deadbolt. Even with the update, at least one user confirmed getting hit with Deadbolt while using 5.0.0.1891 build 20211221 on a tvs-1282t3. QNAP would not confirm or deny that there was another vulnerability being exploited, according to Bleeping Computer.

    Recorded Future ransomware expert Allan Liska said this kind of specialty ransomware is very hard to defend against and commended QNAP for releasing a detailed guide to securing the appliance earlier this month. “It is difficult to defend against because the device is controlled by the manufacturer. Unless you are a company with the resources to enable compensating controls, you are largely at the mercy of the vendor,” Liska said. “For most IoT devices, this doesn’t matter too much. If someone launches a ransomware attack against my lightbulbs, I can just reset and go on with my life. But when those IoT devices hold all of your data, it is a very different matter.”

    Decryptor issues

    Security company Emsisoft released its own version of a decryptor after several victims reported having issues with the decryptor they received after paying a ransom. Some users even said they never got a decryptor after paying the ransom, while others said the decryptor malfunctioned. Unfortunately, Emsisoft’s decryptor requires users to have already paid the ransom and received the decryption keys from the Deadbolt ransomware operators. Deadbolt’s ransom note says victims need to pay 0.03 BTC (equivalent to USD 1,100) to unlock their hacked device and that it “is not a personal attack.” The operators offered to give QNAP a universal decryptor for 50 BTC.

    Emsisoft’s Brett Callow told ZDNet that the situation was similar to REvil’s attack on Kaseya in that, in both cases, the threat actor asked for relatively small payments from individual victims while also offering the company an option to settle for a much larger sum on behalf of its affected customers. “The strategy makes sense as it increases the likelihood of the attack being monetized. Users who paid the demand experienced problems after QNAP’s forced update reportedly removed the ransomware executable making decryption impossible. That’s one of the reasons we released the decryptor,” Callow said.

    Liska said ransomware groups are notorious for providing poor decryption software and noted that it is not uncommon for incident response teams to take the key given by the ransomware group and ignore the decryption code. “The reason for Emsisoft to release a decryptor is to make sure victims have something they know will work once they get the key,” Liska explained.

    Liska also slammed the people behind the attack, questioning their insistence that the attack wasn’t “personal.” “It is a personal attack. People often have their digital lives stored on these devices. Whether it is photos, work, the book they have been writing, or the program they have been developing, this stuff is important to them. And the attackers just took that away from them,” Liska added. “The attacker can dress it up as ‘poor vendor security’ all they want, but it is just a sign they are shitty people that have no regard for their fellow human beings.”