More stories

  • OpenSea to reimburse people affected by loophole used to purchase NFTs below market value

    OpenSea is contacting and reimbursing users affected by a loophole that allows people to buy NFTs for a fraction of their true cost and resell them for thousands.

    On Monday, blockchain security company Elliptic and multiple Twitter users spoke out about the bug. Motherboard was the first to report on the incident. Elliptic said it “identified at least three attackers who have purchased at least eight NFTs for much less than their market value within the past 12 hours.” The issue affects Bored Ape Yacht Club, Mutant Ape Yacht Club, Cool Cats and Cyberkongz NFTs.

    One user wrote on Twitter that his NFT was bought for about $1,800 worth of the Ethereum cryptocurrency before it was resold for $196,000.

    Yooo guys! Idk what just happened but why did my ape just sell for .77????? — TBALLER.eth (@T_BALLER6) January 24, 2022

    “One attacker, going by the pseudonym ‘jpegdegenlove’ today paid a total of $133,000 for seven NFTs — before quickly selling them on for $934,000 in ether. Five hours later this ether was sent through Tornado Cash, a ‘mixing’ service that is used to prevent blockchain tracing of funds. Jpegdegenlove also seems to have partially compensated two of their victims — sending 20 ETH ($45,000) to TBALLER and 13 ETH ($30,000) to Vault327. Another attacker purchased a single Mutant Ape Yacht Club NFT for $10,600, before selling it on five hours later for $34,800,” Elliptic explained. “The exploit appears to originate from the ability to re-list an NFT at a new price, without cancelling the previous listing. Those previous listings are now being used to purchase NFTs at prices specified at some point in the past — which is often well below current market prices.”

    DeFi developer Rotem Yakir released a detailed thread on Twitter explaining the OpenSea bug, writing that it “stems from the fact that previously you could re-list an NFT without canceling it (which you can’t now) and all the previous listings are not canceled on-chain.”

    “Previously, you could re-list an NFT without canceling the previous listing. Sometimes, but not always, if you cancel your new listing, the old one will not appear on the UI but is still valid,” Yakir said. “Using services like https://orders.rarible.com or even OS API someone can obtain the old listing and still use it. To make sure you are safe, you can check on https://orders.rarible.com and see if your previous listing is still there. However, if you want to be 100% safe then just transfer your NFT to a different wallet.”

    An OpenSea spokesperson told ZDNet that it has been trying to create solutions for the problem since it was identified. They also denied that it was a bug or vulnerability.

    “Since this issue was identified, we’ve taken it incredibly seriously and worked to ship product solutions for the community. This is not an exploit or a bug — it’s an issue that arises because of the nature of the blockchain. OpenSea cannot cancel listings on behalf of users. Instead, users must cancel their own listings,” the spokesperson said. “It’s OpenSea’s priority to make users aware of all their listings, and we’re working on a number of product improvements to address this, including a dashboard where they can easily see and cancel listings. In addition, we have been actively reaching out to and reimbursing affected users. We have not communicated broadly about this issue because we did not want to risk bringing it to the attention of bad actors who could abuse it at scale before we had mitigations in place.”

    ZDNet could not confirm whether users have been reimbursed. The OpenSea spokesperson said that it’s an issue of “confusing UI” that arises when users create listings and then transfer the listed NFT to a different wallet. When a user transfers items out of their third-party wallet, the listing they created for the item does not automatically cancel and cannot be canceled by OpenSea directly, because cancellation requires the user to sign for it in their wallet, the spokesperson explained. OpenSea is not the only platform affected by the issue, the company said. According to OpenSea, the issue can arise any time a user moves an NFT to a different wallet without canceling active listings, because the transfer is posted to the blockchain while the listing remains valid.

    The company added that it is in the process of changing its default listing duration from 6 months to 1 month, so that if an NFT is transferred back into a wallet after 1 month, the listing will have expired. It also plans to notify users that they have a higher-priced listing still active when they lower the price for the same item. OpenSea said it is adding a dashboard to user profiles that shows all inactive listings and gives users an opportunity to cancel each listing with a single click.

    In the next two days, the company plans to integrate another feature that will surface in-product notifications about active listings and ask whether users want to cancel them when they transfer an NFT with an active listing out of their wallet. Users will also get an email from OpenSea when they transfer an NFT into a wallet with an active listing for that NFT.
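    The mechanism described above can be modelled without any blockchain: signed sale orders live off-chain, only cancellations (and ownership) are recorded on-chain, and re-listing adds a new order without revoking the old one. The toy model below is an added example, not OpenSea or Wyvern code; all wallet names, prices, timestamps and the HMAC stand-in for an EIP-712 signature are constructed. It reproduces the stale-listing condition, the "is my old listing still live?" check, the on-chain cancel, and the effect of the 6-month versus 1-month default duration when an NFT leaves a wallet and comes back.

```python
"""Toy model of stale NFT sale listings (constructed example, not marketplace code)."""
from dataclasses import dataclass
import hashlib
import hmac

DAY = 86_400
SIX_MONTHS = 180 * DAY   # old default listing duration described in the article
ONE_MONTH = 30 * DAY     # new default


@dataclass(frozen=True)
class Listing:
    order_id: str
    seller: str        # wallet that signed the order
    nft: str           # "collection:token" label, constructed
    price_eth: float
    created: int       # unix seconds, constructed
    expires: int
    signature: str     # stands in for an EIP-712 signature


class Market:
    """Off-chain order store plus the on-chain state that decides fillability."""

    def __init__(self):
        self.orders = {}        # off-chain: order_id -> Listing (never deleted by re-listing)
        self.cancelled = set()  # on-chain: order ids the maker explicitly revoked
        self.owner = {}         # on-chain: nft -> current holder

    def _sign(self, seller, payload):
        # Hypothetical per-wallet key; real orders carry an ECDSA signature over EIP-712 data.
        return hmac.new(f"key-{seller}".encode(), payload.encode(), hashlib.sha256).hexdigest()

    def list_for_sale(self, seller, nft, price_eth, now, duration):
        payload = f"{seller}|{nft}|{price_eth}|{now}|{now + duration}"
        order_id = hashlib.sha256(payload.encode()).hexdigest()[:16]
        lst = Listing(order_id, seller, nft, price_eth, now, now + duration, self._sign(seller, payload))
        self.orders[order_id] = lst  # earlier listings for the same NFT are left untouched
        return lst

    def cancel_on_chain(self, seller, order_id):
        # Only the maker can revoke an order; the marketplace cannot do it on their behalf.
        if self.orders[order_id].seller != seller:
            raise PermissionError("only the maker can cancel")
        self.cancelled.add(order_id)

    def transfer(self, nft, to):
        self.owner[nft] = to

    def fillable(self, order_id, now):
        lst = self.orders[order_id]
        return (order_id not in self.cancelled
                and lst.expires > now
                and self.owner.get(lst.nft) == lst.seller)  # seller must currently hold the NFT

    def fill(self, order_id, buyer, now):
        if not self.fillable(order_id, now):
            raise ValueError("order not fillable")
        lst = self.orders[order_id]
        self.owner[lst.nft] = buyer
        return lst.price_eth

    def stale_listings(self, seller, nft, now):
        """Defender check: live orders for this NFT other than the most recent one."""
        live = sorted((l for l in self.orders.values()
                       if l.seller == seller and l.nft == nft and self.fillable(l.order_id, now)),
                      key=lambda l: l.created)
        return live[:-1]


def scenario_relist_without_cancel():
    """Re-listing at a higher price leaves the cheap old order fillable."""
    m = Market()
    m.transfer("apes:1", "alice")
    old = m.list_for_sale("alice", "apes:1", 0.77, now=0, duration=SIX_MONTHS)
    m.list_for_sale("alice", "apes:1", 80.0, now=100, duration=SIX_MONTHS)
    stale = m.stale_listings("alice", "apes:1", now=200)
    paid = m.fill(old.order_id, "buyer", now=200)
    return len(stale), paid, m.owner["apes:1"]   # -> (1, 0.77, 'buyer')


def scenario_cancel_on_chain():
    """Revoking every stale order on-chain is the fix the seller controls."""
    m = Market()
    m.transfer("apes:3", "carol")
    old = m.list_for_sale("carol", "apes:3", 0.5, now=0, duration=SIX_MONTHS)
    m.list_for_sale("carol", "apes:3", 50.0, now=1, duration=SIX_MONTHS)
    for l in m.stale_listings("carol", "apes:3", now=2):
        m.cancel_on_chain("carol", l.order_id)
    return m.fillable(old.order_id, now=3), len(m.stale_listings("carol", "apes:3", now=3))


def scenario_transfer_and_return(duration):
    """NFT leaves the listed wallet, then returns 45 days later; the old order revives unless expired."""
    m = Market()
    m.transfer("apes:2", "bob")
    old = m.list_for_sale("bob", "apes:2", 1.0, now=0, duration=duration)
    m.transfer("apes:2", "bob-cold")
    gone = m.fillable(old.order_id, now=10)
    m.transfer("apes:2", "bob")
    back = m.fillable(old.order_id, now=45 * DAY)
    return gone, back
```

    With `SIX_MONTHS` the returning NFT is immediately sellable at the old price again; with `ONE_MONTH` the order has already expired, which is the effect of the duration change OpenSea describes.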

  • Internet service returns to Burkina Faso and Yemen after coup, bombings

    Some internet service has returned to the residents of Yemen and Burkina Faso after violence in both countries led to outages over the last week. NetBlocks, an organization tracking internet access across the world, said internet was restored in Yemen after a four-day, nationwide outage.

    At about 1 am local time on Friday, Yemen suffered a total internet blackout due to air strikes on a telecommunications hub in the port city of Al Hodeida. Some people online shared photos of a telecommunications building damaged by bombs. The Associated Press eventually confirmed that the attack on the telecommunications hub in Al Hodeida was part of a larger aerial assault on Yemen’s Houthi rebels by a Saudi-led coalition. The Houthis now run the state-owned monopoly that controls the country’s internet access, TeleYemen. A news channel in Yemen said the attack on the telecommunications hub killed an unknown number of people. “Visual reports appeared to corroborate initial reports of a strike. Al Hodeida is the main landing point for internet connectivity in Yemen, hosting the undersea FALCON and SEA-ME-WE 5 cables that route via the Red Sea,” NetBlocks explained in a report. TeleYemen uses the FALCON cable to connect much of the country’s western population to the internet. SMEX, an internet advocacy organization in the Middle East, attributed the internet outage to Saudi-led airstrikes targeting Houthi-held cities like Al Hodeida.

    “Internet is now only available to large companies and banks still connected through satellites, as well as those subscribed to the ‘Aden Net’ network, which has a very limited number of subscribers,” SMEX explained, adding that all government servers were disrupted after the attack. The Saudi-led coalition did not confirm whether it specifically targeted the telecommunications hub in Al Hodeida but told the Associated Press that it did launch “accurate airstrikes to destroy the capabilities of the militia” in Al Hodeida. The Washington Post reported that citizens were terrified during the internet outage because they could not contact family members and friends during the deadly bombing campaign.

    Internet in Burkina Faso shut down during coup

    Mobile internet in Burkina Faso was down for more than 35 hours as fighting between rival military factions broke out. Since the outage, the president of the country, Roch Marc Christian Kaboré, has been overthrown and removed from power. The country’s government was dissolved, all of the borders were closed and the Constitution has been suspended, according to The New York Times. Internet access returned on Monday, according to NetBlocks.

    “Analysis of Google Transparency metrics corroborates user reports of a mobile internet blackout, indicating that traffic has been significantly disrupted at national scale from Sunday morning around 10 am. VPN services, which can circumvent partial restrictions, are not generally able to work around this class of network disruption,” NetBlocks said.

    The country previously shut off the internet to deal with a coup attempt earlier this month. The government also shut off the internet in November amid unrest. Alp Toker, director of NetBlocks, told ZDNet that the trend of governments shutting off the internet as a response to security issues was concerning. Leaders in Kazakhstan, Sudan and Myanmar have all recently closed off internet access during military takeovers, coups or unrest.

    “The tendency toward more severe nation-scale Internet blackouts is alarming, particularly at a time of growing reliance on digital communications worldwide. Shutdowns imposed by governments are inherently disproportionate and they harm human rights as well as economies across the board,” Toker said. “Legal frameworks are lacking, and where international conventions do exist, these are rarely effective at halting the practice, so the trend is likely to continue. Whether a regime is invading a neighboring country or silencing their own population, shutdowns give governments free rein over the general public, leaving independent media muzzled and human rights abuses unreported.”

  • DHS: Americans should be prepared for potential Russian cyberattacks

    The Department of Homeland Security (DHS) sent out a bulletin on Sunday to critical infrastructure operators and local governments warning about the potential for cyberattacks launched by the Russian government. These attacks would be in response to any US involvement in a potential war in Ukraine. First reported by CNN, the notice said Russia “maintains a range of offensive cyber tools that it could employ against US networks – from low-level denials-of-service to destructive attacks targeting critical infrastructure.”


    “We assess that Russia would consider initiating a cyber attack against the Homeland if it perceived a US or NATO response to a possible Russian invasion of Ukraine threatened its long-term national security,” the bulletin said, according to ABC News. DHS added that it has not seen Russia launch cyberattacks against US critical infrastructure, “notwithstanding cyber espionage and potential prepositioning operations in the past.”

    DHS sent the memo to state governments, local governments, and operators of critical infrastructure. A DHS spokesperson would not discuss the memo specifically but told ZDNet they regularly share information “with federal, state, local, tribal, and territorial officials and the private sector to ensure the safety and security of all communities across the country.”

    “We have increased operational partnerships between private sector companies and the federal government to strengthen our nation’s cyber defenses, including through CISA’s newly established Joint Cyber Defense Collaborative (JCDC). The JCDC brings these partners together to help us understand the full threat landscape and enable real-time collaboration to empower our private sector partners to gain information and take action against the most significant threats to the nation,” a DHS spokesperson said.

    CNN reported that in addition to the DHS memo, multiple government agencies have been in contact with private sector companies and organizations to issue similar warnings. The Cybersecurity and Infrastructure Security Agency (CISA) has published multiple advisories this year similarly warning of a Russian cyberattack following multiple incidents in Ukraine over the last two weeks.

    CISA, which referred all questions about the most recent memo to DHS, released an alert on January 11 detailing a variety of tactics used by Russian state-sponsored groups to attack local and tribal governments across the US between September 2020 and December 2020.

    The alert said Russian state-sponsored actors have targeted a variety of US and international critical infrastructure organizations over the years and made specific references to previously reported attacks by Russian groups on critical infrastructure in Ukraine. A US Homeland Security report from 2016 said 225,000 customers were left without power two days before Christmas because of the Russian attack on three regional electric power distribution companies. CISA then followed up that alert with another warning last week urging all US organizations to shore up defenses “now” in response to website defacements and destructive malware targeting Ukraine government websites and IT systems.

    CISA recommended that organizations implement multi-factor authentication for remote systems, disable ports and access points that are not business-critical, and put strong controls in place for cloud services. Late last week, US President Joe Biden threatened reciprocal cyberattacks against Russia if it continued to attack Ukrainian systems. Kevin Breen, director of cyber threat research at Immersive Labs, said the attacks last year on Colonial Pipeline and food manufacturer JBS were proof that cyberattacks could cause significant damage to everyday life.

    “We’ve seen notable ransomware groups operating out of that region, including REvil and DarkSide, with the technical ability to compromise large networks rapidly and at great scale. It would be wrong to assume that the nation state housing such criminal elements doesn’t have a matching capability,” Breen said. “In this fast-paced world of constant cyberattacks and zero-day exploits, it’s always better to err on the side of caution. It’s better to assume you are a target and have strategic plans in place to match that of the adversaries’ capabilities,” Breen added.


  • Red Cross worried about misuse of stolen data by nation states and cybercriminals after hack

    The International Committee of the Red Cross (ICRC) has released an update about a cyberattack that led to a data breach affecting more than 500,000 vulnerable people receiving services from the organization. The ICRC expressed concern that the stolen data — which was from its global Red Cross and Red Crescent Movement’s Restoring Family Links services — would be “used by States, non-state groups, or individuals to contact or find people to cause harm.”

    “This attack is an extreme violation of their privacy, safety, and right to receive humanitarian protection and assistance,” the organization said. Restoring Family Links works to reconnect missing people and children with their families after wars, violence, or other crises.

    Last week, the ICRC said hackers accessed servers on January 18 that held the personal information of more than 515,000 people from across the world. The personal information includes the names, locations, and contact information of missing people and their families, unaccompanied or separated children, detainees, and other people receiving services from the Red Cross and Red Crescent Movement as a result of armed conflict, natural disasters, or migration. It added that the login information of about 2,000 Red Cross and Red Crescent staff and volunteers was also breached.

    In a more detailed explanation of the attack, the ICRC said its cyber partners detected an anomaly on ICRC servers, then investigated further and determined that hackers had gotten into the system and gained access to sensitive data.

    “The nature of the attack meant we could not guarantee the integrity of the system, so we took the compromised servers offline. We are now going through each application log to better understand what occurred. We do not believe that the data has been tampered with at this time, but to be sure we are hiring an independent audit firm to confirm this,” the ICRC said. “We do not know who is behind this attack. We have not had any contact with the hackers and no ransom ask has been made. In line with our standing practice to engage with any actor who can facilitate or impede our humanitarian work, we are willing to communicate directly and confidentially with whoever may be responsible for this operation to impress upon them the need to respect our humanitarian action.”

    We are appalled that this humanitarian information has been compromised. Our most pressing concern now is the potential risks for people that the Red Cross and Red Crescent network seeks to protect and assist. @RMardiniICRC’s response to the cyber attack 👇 pic.twitter.com/lBBGlnMf1p — ICRC (@ICRC) January 20, 2022

    The ICRC noted that the attack did not target the company hosting its servers and was specifically aimed at ICRC systems. The organization is working with local ICRC arms to inform people whose data was accessed during the attack and will let them know what is being done to address the situation as well as any risks they may face. There is no current evidence that the information accessed has been released or traded, according to the ICRC. It is still working out how to continue helping families separated by war or violence without the affected servers.

    “As a result of this breach, we have been forced to take the data hosting systems in question offline, severely limiting the humanitarian services we can offer to the over half a million people affected. States have mandated impartial humanitarian organizations, such as the ICRC, with specific responsibilities. These include collecting information on people reported missing in order to reconnect separated family members,” the ICRC explained. “We need a safe and trusted digital humanitarian space in which our operational information, and most importantly the data collected from the people we serve, is secure. This attack has violated that safe digital humanitarian space in every way.”

    The ICRC also expressed concern that the attack would affect its ability to work with vulnerable populations who may no longer trust it with sensitive information. It urged people concerned about their data to contact a local ICRC office for more information.

  • Log4j: Mirai botnet found targeting ZyXEL networking devices

    An Akamai researcher has discovered an attempt to use Log4j vulnerabilities in ZyXEL networking devices to “infect and assist in the proliferation of malware used by the Mirai botnet.”

    Larry Cashdollar, a member of the Security Incident Response Team at Akamai Technologies, explained that Zyxel may have been specifically targeted because it published a blog post noting it was impacted by the Log4j vulnerability.


    “The first sample I examined contained functions to scan for other vulnerable devices,” Cashdollar wrote in an Akamai blog post. “The second sample… did contain the standard Mirai attack functions,” he added. “It appears the… attack vectors had been removed in favor of Log4j exploitation. Based on the attack function names and their instructions, I believe this sample is part of the Mirai malware family.”

    Cashdollar concluded his blog post by writing that “if you have automated string extraction utilities for malware samples that log to a vulnerable Log4j instance, this payload could execute.” Zyxel released a security advisory about the issue, noting that it is aware of the vulnerability and that it only affects the NetAtlas Element Management System line of products. “After a thorough investigation, we’ve identified only one vulnerable product that is within its warranty and support period, and we will release a hotfix and a patch to address the issue, as shown in the table below,” the company wrote.

    Zyxel said a hotfix was released on December 20 and urged those in need to contact it for the file. A patch will be available by the end of February. Vulcan Cyber co-founder Tal Morgenstern said that by design, the Zyxel NetAtlas Element Management System provides extensive control of Zyxel enterprise network infrastructure and the services that run on it. In the right hands, the task automation provided by systems management tools allows IT and network operators to keep things running uninterrupted at massive scale, Morgenstern explained. In the wrong hands, threat actors can do extensive damage quickly to the vulnerable networks they get access to.

    “Unfortunately, vulnerabilities in systems and network management software tools are trending. SolarWinds, Open Management Infrastructure (OMI), Salt, VMware, and Zoho ManageEngine are just a few we’ve seen in the last few months. Considering the amount of access and control these tools have, it is critical IT security teams take immediate steps to fully mitigate the notable risk these vulnerable tools present to the companies that use them,” Morgenstern said.

    Bugcrowd founder Casey Ellis told ZDNet that Zyxel is one of many vendors that include Log4j as an open-source library and that the attack “is a demonstration of the ubiquity of the Log4j library and the attack surface created as a result.” “It’s one of the reasons the security community went a bit bananas about this issue when it first dropped, and I’d expect to see similar advisories from other vendors for some time to come,” Ellis said.

  • Cybersecurity: 11 steps to take as threat levels increase

    The UK’s security agency has told organizations of the steps to take to beef up their defenses “when the cyber threat is heightened” by zero-day software flaws or geopolitical tensions. The National Cyber Security Centre (NCSC) is not alone in warning companies to take action. Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) also warned all organizations to take “near, urgent steps” to mitigate critical cyber threats in response to last week’s cyberattacks on Ukraine government websites and IT systems. This advice comes amid growing fears of a Russian invasion of Ukraine.


    CISA raised the alarm after Microsoft discovered wiper malware, dubbed “WhisperGate”, on several Ukraine systems. CISA reminded US businesses of NotPetya, the wiper malware that targeted Ukraine organizations in 2017 via a tainted update to a popular accounting software package, but that also infected the worldwide IT networks of US and European businesses. The attack cost European and US businesses billions of dollars, by the White House’s estimates.

    Rafe Pilling, senior security researcher at Secureworks’ Counter Threat Unit, reckons US and European organizations could become casualties of WhisperGate in a similar fashion. “While it is unlikely that organizations outside of Ukraine will be directly targeted, customers should consider their exposure to collateral damage via service providers or business partners in Ukraine,” said Pilling. “Organizations should be extra vigilant and maintain current backups of business-critical systems and data, exercise restoration processes before they are needed, and ensure that backups cannot be impacted by ransomware-style or wiper malware attacks.”

    So what should potentially affected businesses and public agencies in the UK and elsewhere do to mitigate the risk of becoming collateral damage? The UK’s NCSC says organizations need to balance cyber risks and defense and notes there “may be times when the cyber threat to an organisation is greater than usual.” Triggers for heightened risk include a spike in adversary capability from new zero-day flaws in popular software, or something “more specific to a particular organisation, sector or even country, resulting from hacktivism or geopolitical tensions,” says the NCSC.

    The NCSC’s answer is to control what you can, because you can’t control the threat level. That means patching systems, checking configurations and shielding the network from password attacks. “It is rare for an organisation to be able to influence the threat level, so actions usually focus on reducing your vulnerability to attack in the first place and reducing the impact of a successful attack,” NCSC says.

    Like CISA, the NCSC has provided a checklist of fundamental cybersecurity actions that are “important under all circumstances but critical during periods of heightened cyber threat.” They matter because organizations probably can’t quickly implement widespread changes when threat levels rise. NCSC’s list includes:

      • Check your system patching: Ensure your users’ desktops, laptops and mobile devices are all patched
      • Verify access controls: Ask staff to ensure that their passwords are unique to your business systems and are not shared across other, non-business systems
      • Ensure defences are working: Check antivirus and firewalls
      • Logging and monitoring: Understand what logging you have in place, where logs are stored, and for how long
      • Review your backups: Confirm that your backups are running correctly
      • Incident plan: Check your incident response plan is up to date
      • Check your internet footprint: Perform an external vulnerability scan of your whole internet footprint
      • Phishing response: Ensure that staff know how to report phishing emails
      • Third-party access: Have a comprehensive understanding of what level of privilege is extended into your systems, and to whom
      • NCSC services: Register for the Early Warning service, so that the NCSC can quickly inform you of any malicious activity
      • Brief your wider organisation: Ensure that other teams understand the situation and the heightened threat

  • Microsoft: Now we're switching off Excel 4.0 macros by default

    Microsoft has disabled Excel 4.0 macros by default in the latest release of its spreadsheet software to help customers protect themselves against related security threats.

    That setting, released as an optional configuration in the Excel Trust Center settings in July, is now the default when opening Excel 4.0 macros (XLM), Microsoft said in a blog post.

    A macro is a series of commands that you can use to automate a repeated task, and can be run whenever you have to perform the task. But unexpected macros can pose a significant security risk. You don’t have to enable macros to see or edit the file; only if you want the functionality provided by the macro. But crooks will try to trick the unwary into enabling macros and then use that functionality as part of their attacks.

    The move to restrict Excel 4.0 macros is an attempt to counter a rise in ransomware and other malware groups using Excel 4.0 macros as part of an initial infection. State-sponsored and cybercriminal attackers started experimenting with legacy Excel 4.0 macros after Microsoft cracked down in 2018 on macro scripts written in Visual Basic for Applications (VBA). The initial Excel Trust Center setting, “Enable Excel 4.0 macros when VBA macros are enabled”, targeted organizations that wanted both VBA and legacy macros to run, and allowed admins to control the behavior of Excel 4.0 macros without impacting VBA macros.

    Excel 4.0 macros are now disabled by default in Excel build 16.0.14427.10000 and later. Admins can still configure the setting through Microsoft 365 applications policy control.

    Microsoft has added new policy setting options to the original Group Policy settings that were made available in July. There is now also the option to manage the policy setting in the Office cloud policy service, which applies to users who access Office apps from any device with their Azure Active Directory (AAD) account. The policy can also be managed from Microsoft Endpoint Manager. To block XLM across the board, including new files created by users, admins can set the Group Policy “Prevent Excel from running XLM”. This can be done via the Group Policy Editor or a registry key, and should help admins mitigate VBA and XLM malware threats using policy.

    Microsoft has addressed the antivirus side of defense via an integration between its Antimalware Scan Interface (AMSI) and Office 365 that Defender and third-party antivirus products can plug into. The AMSI-Office 365 integration enabled scanning of Excel 4.0 macros at runtime last year, bringing them in line with the runtime scanning capability that VBA macros gained in 2018. When VBA runtime scanning for Excel arrived, attackers moved to the older XLM macros, which they knew organizations still used for legitimate purposes and which were powerful enough to call Win32 interfaces and run shell commands.


  • Tor Project battles Russian censorship through the courts

    The Tor Project has filed an appeal against a Russian court’s decision to block the Tor website in the country.


    The Tor network is an open source system for anonymizing online communication. Also known as the onion router, the network is used to circumvent censorship and is widely accessed by civil rights activists, whistleblowers, lawyers, human rights defenders, and those under oppressive regimes.

    On Monday, the network developers said an appeal has been filed regarding a decision by the Saratov District Court to impose a block on the torproject.org website in Russia. The appeal was filed jointly by the Tor Project and RosKomSvoboda, a Russian digital rights protection outfit.

    On December 6, 2021, the Tor Project was told that its website would be blocked in accordance with Article 15.1 of the Law on Information. Public proxy servers and some bridges were also blocked in the country, and Tor developers have noticed blocks across Russia in the past month. According to Tor, the decision by the court was not based on any particular content. Instead, Russian authorities decided the website needed to be blocked as it permits “the download [of] an anonymizer browser program for subsequent visits to sites that host materials included in the Federal List of extremist Materials.” RosKomSvoboda lawyers are representing the Tor Project. According to the civil rights group, the ban “violates the constitutional right to freely provide, receive and disseminate information and protect privacy.”

    In addition, the decision may also be considered problematic as “the case was considered without the participation of Tor representatives, which violated their procedural rights and the competitiveness of the process.” Tor says that Russian users account for the second-largest user base by country, with over 300,000 daily users. A mirror of the Tor website has been launched by the Electronic Frontier Foundation (EFF).

    “With the help of Roskomsvoboda lawyers Sarkis Darbinyan and Ekaterina Abashina, we will appeal the court decision and hope to correct this situation and help create a precedent for the protection of digital rights in Russia,” commented Isabela Bagueros, executive director of The Tor Project.