More stories

  • Microsoft releases fix for patch that broke VPNs, Hyper-V virtual machines and more

    Microsoft has released several out-of-band updates to address features of Windows 11, Windows 10 and Windows Server broken by the January 2022 Patch Tuesday update. Microsoft released the separate fixes on Tuesday via the Microsoft Update Catalog for direct download, and via Windows Update as an optional update. 


    The Windows Update on January 11 was intended to address 96 security flaws but also brought a load of pain for users and admins.

    In release notes for the out-of-band fixes, Microsoft admits the January 2022 security updates broke some VPN connections, caused some Windows Server domain controllers to restart unexpectedly, and prevented virtual machines in Microsoft’s Hyper-V from starting. On top of this, users discovered a Windows Resilient File System (ReFS) issue that blocked access to volumes stored on removable media, including external USB drives.

    The issues affected the Windows 10 21H2 update, the Windows 11 update (KB5009566), and the Windows Server 2022 update (KB5009555), as well as the security updates for older versions of Windows and Windows Server. Microsoft has released fixes in the out-of-band updates KB5010795 for Windows 11, KB5010796 for Windows Server 2022, and KB5010793 for Windows 10 21H2, 21H1, 20H2 and 20H1, as detailed in its Windows release health dashboard.

    Updates are also available for all versions back to Windows 7 Service Pack 1 and Windows Server 2008 Service Pack 2. These are cumulative updates, so previous updates don’t need to be installed first.

    The VPN issue affected Windows 11 through to Windows 10 Enterprise 2015 LTSB and stemmed from IP Security (IPsec) connections that contain a Vendor ID failing. VPN connections using Layer 2 Tunneling Protocol (L2TP) or IPsec Internet Key Exchange (IKE) might also be affected, according to Microsoft.

    The issue causing Windows Server domain controllers (DCs) to restart affected Windows Server 2022 through to Windows Server 2012. Windows Server 2016 and later were more likely to be affected when DCs use Shadow Principals in an Enhanced Security Admin Environment (ESAE) or in environments with Privileged Identity Management (PIM), according to Microsoft.

    Hyper-V VMs were failing to start on devices with Unified Extensible Firmware Interface (UEFI) enabled on Windows 8.1, Windows Server 2012 R2 and Windows Server 2012.

    The ReFS issue caused removable volumes formatted with ReFS to fail to mount, or to mount as RAW. The likely cause, according to Microsoft, is that the ReFS file system isn’t supported on removable media, including external USB drives. The fix also appears to be more involved than just installing the out-of-band patch: Microsoft recommends uninstalling the January 11 update and following several steps to recover data from the ReFS partition before installing the out-of-band update. The recovery steps include ensuring data contained on the affected removable media is moved to a ReFS volume on a different fixed device or to an NTFS volume. “After data is recovered from the ReFS partition on the removable media, install the January 17, 2022 Windows out-of-band update that is applicable for your Windows operating system,” Microsoft says.

    The issues that surfaced after Microsoft’s first Patch Tuesday of 2022 aren’t likely to inspire confidence among Windows admins, who have long been skeptical about the quality of Microsoft’s updates and whether it tests them sufficiently before release. As Ask Woody’s influential IT admin blogger Susan Bradley argued in 2020, Microsoft’s decision to roll up patches into one big bundle on the second Tuesday of every month requires admins to place a great deal of trust in the company. That trust is eroded when applying the updates costs productivity because of buggy patches.


  • Zoom vulnerabilities impact clients, MMR servers

    Two vulnerabilities recently disclosed to Zoom could have led to remote exploitation in clients and MMR servers, researchers say. 

    On Tuesday, Project Zero researcher Natalie Silvanovich published an analysis of the security flaws, the results of an investigation inspired by a zero-click attack against the videoconferencing tool demonstrated at Pwn2Own. “In the past, I hadn’t prioritized reviewing Zoom because I believed that any attack against a Zoom client would require multiple clicks from a user,” the researcher explained. “That said, it’s likely not that difficult for a dedicated attacker to convince a target to join a Zoom call even if it takes multiple clicks, and the way some organizations use Zoom presents interesting attack scenarios.”

    Silvanovich found two different bugs: a buffer overflow that affected both Zoom clients and Zoom Multimedia Routers (MMRs), and an information leak specific to MMR servers. She also noted that Address Space Layout Randomization (ASLR), a mitigation against memory corruption exploits, was disabled. “ASLR is arguably the most important mitigation in preventing exploitation of memory corruption, and most other mitigations rely on it on some level to be effective,” Silvanovich noted. “There is no good reason for it to be disabled in the vast majority of software.”

    Because MMR servers process call content, including audio and video, the researcher says the bugs are “especially concerning”: with an MMR compromised, any meeting without end-to-end encryption enabled would have been exposed to eavesdropping.

    The researcher did not complete the full attack chain, but suspects that a determined attacker could do so given time and “sufficient investment.” The vulnerabilities were reported to the vendor and patched on November 24, 2021. Zoom has since enabled ASLR.

    It was possible to find these bugs because Zoom allows customers to set up their own servers; however, the “closed” nature of Zoom, which does not include the open source components (such as WebRTC or PJSIP) that many comparable tools do, made security vetting more difficult. For the Project Zero team, this meant paying close to $1,500 in licensing fees, an expense that others, including independent researchers, may not be able to afford. “These barriers to security research likely mean that Zoom is not investigated as often as it could be, potentially leading to simple bugs going undiscovered,” Silvanovich said. “Closed-source software presents unique security challenges, and Zoom could do more to make their platform accessible to security researchers and others who wish to evaluate it.”

    In November, Zoom implemented automatic updates for the software’s desktop clients on Windows and macOS, as well as on mobile. This feature was previously only available to enterprise users.
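    Whether a binary opts into ASLR is something a practitioner can check directly rather than take on trust. The Python script below is an added example written for this page, not Project Zero's or Zoom's code, and it says nothing about Zoom's actual binaries: it reads the PE optional header's DllCharacteristics field (DYNAMIC_BASE, HIGH_ENTROPY_VA, NX_COMPAT, GUARD_CF) and the ELF e_type field (a PIE executable is linked as ET_DYN), and exercises the parser on constructed header blobs rather than real files.

```python
import struct

# PE IMAGE_DLLCHARACTERISTICS_* flags (from the PE/COFF specification)
HIGH_ENTROPY_VA = 0x0020   # 64-bit image can use the full high-entropy address range
DYNAMIC_BASE = 0x0040      # image may be relocated at load time: the ASLR opt-in
NX_COMPAT = 0x0100         # DEP / no-execute compatible
GUARD_CF = 0x4000          # Control Flow Guard instrumented

# ELF e_type values
ET_EXEC = 2                # fixed-address executable, cannot be randomised
ET_DYN = 3                 # position-independent (PIE executable or shared object)


def pe_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field of a PE image, raising on malformed input."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image (missing PE signature)")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    if size_of_optional < 72:
        raise ValueError("optional header too short")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return dll_chars


def check_aslr(data: bytes) -> dict:
    """Classify a PE or ELF image by whether it opts into ASLR.

    PE: DYNAMIC_BASE lets the loader relocate the image; HIGH_ENTROPY_VA widens
    the randomised range on 64-bit. ELF: ET_DYN means the image is relocatable
    (a heuristic: shared objects are ET_DYN too, so apply it to executables).
    The on-disk flag only says the image *can* be randomised; the OS policy
    must also be on (e.g. randomize_va_space on Linux).
    """
    if data[:2] == b"MZ":
        flags = pe_dll_characteristics(data)
        return {
            "format": "PE",
            "aslr": bool(flags & DYNAMIC_BASE),
            "high_entropy_va": bool(flags & HIGH_ENTROPY_VA),
            "nx": bool(flags & NX_COMPAT),
            "cfg": bool(flags & GUARD_CF),
        }
    if data[:4] == b"\x7fELF":
        endian = "<" if data[5] == 1 else ">"      # EI_DATA: 1 = little-endian
        (e_type,) = struct.unpack_from(endian + "H", data, 16)
        return {"format": "ELF", "aslr": e_type == ET_DYN, "pie": e_type == ET_DYN}
    raise ValueError("unrecognised executable format")


def build_fake_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (not a loadable binary) for exercising the parser."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 112 if pe32plus else 96
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 1, 0, 0, 0, opt_size, 0x0002)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def build_fake_elf(e_type: int) -> bytes:
    """Constructed minimal 64-bit little-endian ELF header for exercising the parser."""
    hdr = bytearray(64)
    hdr[:4] = b"\x7fELF"
    hdr[4] = 2          # ELFCLASS64
    hdr[5] = 1          # ELFDATA2LSB
    hdr[6] = 1          # EV_CURRENT
    struct.pack_into("<H", hdr, 16, e_type)
    struct.pack_into("<H", hdr, 18, 0x3E)   # EM_X86_64
    return bytes(hdr)


if __name__ == "__main__":
    for label, blob in [
        ("PE, no ASLR", build_fake_pe(NX_COMPAT)),
        ("PE, ASLR", build_fake_pe(DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT, pe32plus=True)),
        ("ELF, fixed", build_fake_elf(ET_EXEC)),
        ("ELF, PIE", build_fake_elf(ET_DYN)),
    ]:
        print(label, check_aslr(blob))
```

    To run it against a real file, pass `open(path, "rb").read()` to `check_aslr`. A PE reporting `aslr: False` is exactly the condition Silvanovich is describing: every other mitigation in that process is then fighting with a known layout.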

  • FBI warning: Crooks are using fake QR codes to steal your passwords and money

    QR codes are useful shortcuts to online resources via a phone’s camera, but scammers are now tampering with them to direct victims to phishing pages and cryptocurrency scams. QR or ‘Quick Response’ codes have been connecting scanners to real-world objects since the 1990s, but got widely adopted during the pandemic as businesses moved to contactless communication and payments via QR codes on restaurant menus, parking meters and other public spaces. 


    But scammers are now exploiting the QR code’s increased familiarity by tampering with the pixelated barcodes and redirecting victims to sites that steal logins and financial information, according to an FBI alert. “Businesses use QR codes legitimately to provide convenient contactless access and have used them more frequently during the COVID-19 pandemic. However, cybercriminals are taking advantage of this technology by directing QR code scans to malicious sites to steal victim data, embedding malware to gain access to the victim’s device, and redirecting payment for cybercriminal use,” the FBI notes in its alert.

    The alert doesn’t cite any recent examples of QR scams, but it follows the use of QR codes in phishing emails in October to steal Microsoft 365 credentials. The QR codes were useful to attackers because the barcode images bypassed email filters that rely on URL scanners to block malicious links. The FBI in October said it had recently started to receive reports about malicious QR codes being used, particularly in cryptocurrency scams. “Crypto transactions are often made through QR codes associated with crypto accounts… making these transactions easy marks,” the FBI noted.

    “Do not scan a randomly found QR code,” the FBI warned.

    Ars Technica reported on scammers placing fraudulent QR code stickers on parking meters in major Texas cities, aimed at tricking people into paying for parking through a fraudulent website. The social engineering element is that parking meter terminals today frequently carry signs with QR codes directing users to a non-city, third-party parking payment app. The FBI’s alert addresses this type of scam, too: “A business provides customers with a QR code directing them to a site where they can complete a payment transaction. However, a cybercriminal can replace the intended code with a tampered QR code and redirect the sender’s payment for cybercriminal use.” QR codes can also deliver malware that steals financial information and then withdraws funds from victim accounts, the FBI warns.

    There are parallels between email phishing and malicious QR codes stuck up in public spaces: how do people know which ones to trust? Employee cyber-awareness training usually tells users not to click on links in unsolicited email, but they still do. Some of the FBI’s self-defense advice warns against common practices when using a QR code, but the overall message is to exercise caution when entering information on a website reached via a QR code. “Law enforcement cannot guarantee the recovery of lost funds after transfer,” it warns.

    The FBI’s tips for smartphone users include: check the URL after scanning a QR code, because a malicious URL may look like the legitimate site; be careful when entering credentials or financial information on a site visited via a QR code; avoid downloading an app from a QR code and instead use an official app store; and if an organization sent a bill by email that allows payment through a QR code, call the organization to verify its authenticity. Also, don’t download a QR code scanner, because most phones have one built into the camera (the iPhone got one in 2017 with iOS 11, with Android makers quickly following suit). Finally, avoid making payments through a site navigated to from a QR code, the FBI warns. Instead, manually enter a known and trusted URL to complete the payment.
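    The FBI’s “check the URL after scanning” advice can be made concrete. The Python function below is an added example for this page, not the FBI’s or any vendor’s code; it applies the checks a practitioner would run on a URL decoded from a QR code: scheme, credentials embedded before the host, IP-literal hosts, internationalised or punycode hostnames, known URL shorteners (that list is an assumption), and whether the host is a lookalike of, wraps, or embeds the name of the domain the user expected. The sample URLs and domains are constructed, and the registrable-domain logic is a deliberate simplification that ignores multi-label suffixes such as co.uk.

```python
import ipaddress
from typing import List, Optional
from urllib.parse import urlsplit

# Assumed for this example: a handful of redirector hosts that hide the final destination.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly", "is.gd", "cutt.ly"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character lookalikes (paypa1, micros0ft)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of a hostname. Simplification: ignores suffixes such as co.uk."""
    return ".".join(host.split(".")[-2:])


def vet_scanned_url(url: str, expected_host: Optional[str] = None) -> List[str]:
    """Return warning codes for a URL decoded from a QR code; an empty list means nothing flagged.

    expected_host is the domain the user believes they are going to (e.g. the city's
    parking site printed on the meter); lookalike checks only run when it is given.
    """
    findings: List[str] = []
    parts = urlsplit(url.strip())
    scheme = parts.scheme.lower()
    if not scheme:
        return ["no-scheme"]
    if scheme not in ("http", "https"):
        return ["non-web-scheme:" + scheme]        # tel:, sms:, WIFI: etc. need their own handling
    if scheme != "https":
        findings.append("not-https")
    if parts.username is not None:
        findings.append("userinfo-in-url")         # https://bank.example@evil.test/ lands on evil.test
    host = (parts.hostname or "").lower()
    if not host:
        return findings + ["no-host"]
    try:
        ipaddress.ip_address(host)
        findings.append("ip-literal-host")
    except ValueError:
        pass
    labels = host.split(".")
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        findings.append("idn-or-punycode-host")    # homoglyph domains arrive here
    if registrable(host) in SHORTENERS:
        findings.append("url-shortener")
    if expected_host:
        expected = expected_host.lower()
        exp_reg = registrable(expected)
        if host != expected and host != exp_reg and not host.endswith("." + exp_reg):
            brand = exp_reg.split(".")[0]
            reg_label = registrable(host).split(".")[0]
            # short brand names produce false lookalike hits, so tighten the threshold for them
            max_dist = 1 if len(brand) < 6 else 2
            if brand in labels[:-2]:
                findings.append("expected-brand-as-subdomain-of-other-domain")  # pay.city.example.pay-now.test
            elif brand in reg_label:
                findings.append("expected-brand-embedded-in-domain")            # paypal-login.test
            elif levenshtein(reg_label, brand) <= max_dist:
                findings.append("lookalike-of-expected-domain")                 # paypa1.com
            else:
                findings.append("unexpected-domain")
    return findings


if __name__ == "__main__":
    # Constructed sample payloads, as they might come off a sticker on a parking meter
    for scanned in [
        "https://pay.city.example/meter/123",
        "http://pay.city.example.pay-now.test/meter/123",
        "https://paypa1.com/login",
        "https://bank.example@203.0.113.5/",
        "WIFI:S:cafe;T:WPA;P:secret;;",
    ]:
        print(scanned, "->", vet_scanned_url(scanned, "pay.city.example"))
```

    The function deliberately returns codes rather than a verdict: a kiosk that only ever links to one domain can treat any non-empty list as a hard stop, while a mail gateway would weight them.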

  • Donot Team APT will strike gov't, military targets for years – until they succeed

    Researchers have exposed the inner workings of Donot Team, a threat group that will strike the same targets for years if that’s what it takes to succeed. 

    Donot Team, also known as APT-C-35 and SectorE02, has previously been tied by the Electronic Frontier Foundation (EFF) to Innefu Labs, an Indian ‘cybersecurity’ company that claims to work with the government. According to the EFF, Innefu Labs does not appear to perform “human rights due diligence” on clients and its surveillance solutions, “despite the enormous risks their products pose to civil society.”

    Active since at least 2016, Donot Team tends to focus on a small number of targets in Asian countries including Bangladesh, Sri Lanka, Pakistan, and Nepal. Entities including local government departments, embassies, military units, and Ministries of Foreign Affairs are on the victim list. While the advanced persistent threat (APT) group tends to stay within this geographical area, Donot Team has also been traced to attacks against embassies in the Middle East, Latin America, North America, and Europe.

    Donot Team members use a custom “yty” malware framework in attacks, with malware for both Windows machines and Android handsets. What makes this APT interesting is its consistency and persistence: according to ESET researchers, the group will constantly hammer at a target network, in some cases for years, until it has found a way in.

    “It’s not a rarity for APT operators to attempt to regain access to a compromised network after they have been ejected from it,” ESET says. “In some cases, this is achieved through the deployment of a stealthier backdoor that remains quiet until the attackers need it; in other cases, they simply restart their operation with new malware or a variant of the malware they used previously. The latter is the case with Donot Team operators, only that they are remarkably persistent in their attempts.”

    The researchers say phishing emails are sent to the same targets every two to four months, aiming to lure an employee into opening a malicious Office attachment. The sender addresses are not spoofed; instead, it appears that email accounts, or entire email servers, compromised in earlier campaigns are reused to conduct further phishing attempts. If a victim opens an attachment, they are at risk from malicious macros or from .RTF files with .doc extensions that contain an exploit for CVE-2017-11882, a Microsoft Office memory corruption flaw leading to remote code execution (RCE). The .RTFs also contain embedded .DLLs that can download further malicious components and deploy shellcode, which in turn delivers the DarkMusical and Gedit malware.

    DarkMusical consists of a chain of downloaders and droppers leading to a basic backdoor that handles command-and-control (C2) communication, file and folder creation, and data exfiltration. Gedit is also connected to the yty framework; this variant downloads components to maintain persistence, such as through scheduled tasks, and includes reverse shell capabilities, screenshot functionality, and file collection and theft.

    “Donot Team makes up for its low sophistication with tenacity,” ESET says. “We expect that it will continue to push on regardless of its many setbacks. Only time will tell if the group evolves its current TTPs and malware.”
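    The lure ESET describes, an RTF renamed to .doc carrying an embedded OLE object for the Equation Editor flaw, can be caught at a mail gateway or on an endpoint before Word ever opens it, by checking the file’s real format and its embedded objects. The Python below is an added example written for this page, not ESET’s tooling, and contains no exploit: it identifies RTF content by magic bytes regardless of extension, decodes `\objdata` hex payloads, and looks for the `Equation.` class name, the Equation Editor CLSID (assumed here to be stored little-endian, as in an OLE stream), and the `\objupdate` control that forces the object to activate on open. The sample document is constructed for the test and holds only these markers; obfuscated real-world samples that hide the payload behind nested groups and bogus control words will defeat the simple hex extraction used here.

```python
import re
from typing import Dict, List

RTF_MAGIC = b"{\\rtf"
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # compound file: legacy .doc or an embedded OLE2 object
ZIP_MAGIC = b"PK\x03\x04"                          # .docx / OOXML container

# Equation Editor (EQNEDT32) class {0002CE02-0000-0000-C000-000000000046}, as serialised in an
# OLE stream (Data1..Data3 little-endian). Assumption for this example, not taken from ESET's report.
EQNEDT_CLSID = bytes.fromhex("02ce020000000000c000000000000046")


def detect_format(data: bytes) -> str:
    """Classify by magic bytes, because the extension is exactly what the lure lies about."""
    if data.startswith(RTF_MAGIC):
        return "rtf"
    if data.startswith(OLE_MAGIC):
        return "ole"
    if data.startswith(ZIP_MAGIC):
        return "ooxml"
    return "unknown"


def rtf_objdata_blobs(data: bytes) -> List[bytes]:
    """Decode each \\objdata hex payload.

    Simplified: takes the run of text following the keyword up to the next '}', drops every
    non-hex byte and decodes. Nested groups and junk control words inside the payload, which
    real samples use for evasion, are not unwrapped here.
    """
    blobs = []
    for m in re.finditer(rb"\\objdata\b", data, re.I):
        start = m.end()
        end = data.find(b"}", start)
        raw = data[start:end if end != -1 else None]
        hexchars = re.sub(rb"[^0-9a-fA-F]", b"", raw)
        if len(hexchars) % 2:
            hexchars = hexchars[:-1]
        try:
            blobs.append(bytes.fromhex(hexchars.decode("ascii")))
        except ValueError:
            continue
    return blobs


def triage_office_file(name: str, data: bytes) -> Dict[str, object]:
    """Return the real format, the claimed extension and a list of indicator codes."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    fmt = detect_format(data)
    findings: List[str] = []
    if ext in ("doc", "dot") and fmt == "rtf":
        findings.append("rtf-with-doc-extension")          # the masquerade ESET describes
    if fmt == "rtf":
        if re.search(rb"\\objupdate", data, re.I):
            findings.append("objupdate")                   # object activates without a click
        if re.search(rb"\\objclass\s*Equation\.", data, re.I):
            findings.append("objclass-equation")
        for blob in rtf_objdata_blobs(data):
            if b"Equation." in blob:
                findings.append("objdata-equation-classname")
            if EQNEDT_CLSID in blob:
                findings.append("objdata-equation-clsid")
            if OLE_MAGIC in blob:
                findings.append("objdata-contains-ole-container")
    return {"format": fmt, "extension": ext, "findings": list(dict.fromkeys(findings))}


def build_sample_rtf() -> bytes:
    """Constructed sample shaped like the lure: RTF with an embedded OLE1 object whose class
    name is Equation.3. It contains no exploit, only the markers the triage looks for."""
    ole1_header = b"\x01\x05\x00\x00\x02\x00\x00\x00" + b"\x0b\x00\x00\x00" + b"Equation.3\x00"
    payload = ole1_header + b"\x00" * 8 + OLE_MAGIC + b"\x00" * 16
    hexed = payload.hex().encode()
    return (b"{\\rtf1\\ansi{\\object\\objemb\\objupdate{\\*\\objclass Equation.3}"
            b"{\\*\\objdata " + hexed + b"}}}")


if __name__ == "__main__":
    print(triage_office_file("invoice.doc", build_sample_rtf()))
    print(triage_office_file("notes.rtf", b"{\\rtf1\\ansi Hello}"))
```

    The extension/format mismatch alone is worth blocking on in most environments; the object indicators are what you would pivot on when hunting for earlier deliveries in mail archives.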

  • McAfee Enterprise and FireEye are now called Trellix

    During 2021, Symphony Technology Group (STG) picked up McAfee Enterprise for $4 billion in March, and followed it up in June with a $1.2 billion purchase of FireEye. With the merger of the two cybersecurity firms completed in October, the combined company has been given a new name.

    The name is Trellix, and STG said the business will focus on threat detection and response using machine learning and automation. Citing the humble trellis as inspiration, Trellix will develop what is being coined as “living security — security technology that learns and adapts to protect operations from the most advanced threat actors”.

    Not all of McAfee Enterprise is bundled into Trellix: the secure service edge portfolio, which includes cloud access security broker, secure web gateway, and zero trust network access, is set to be separated later this quarter. Trellix is said to have a combined customer base of 40,000, about 5,000 employees and almost $2 billion in revenue.

  • Meta and Twitter want a review of Australian government's social media laws next year

    Meta and Twitter have called for Australia’s federal government to review the effectiveness of the country’s digital platforms regulation in light of the passing of the Online Safety Act, along with the anti-trolling and online privacy laws currently under consideration.

    Both tech giants made these demands in submissions to the Select Committee on Social Media and Online Safety, with Twitter writing that the committee should conduct a review of the online safety space in Australia one year from its initial report, which is due next month. The Select Committee on Social Media and Online Safety was established late last year to inquire into the practices of major technology companies and consider evidence relating to the impact social media platforms have on the mental health of Australians. The committee’s inquiry was approved by the federal government with the intention of building on the proposed social media legislation to “unmask trolls”.

    Twitter said the recent passing of the Online Safety Act and the government’s federal probe running for only three months is not enough time to effectively implement digital platforms legislation. “With the range of factors that need to be considered to holistically advance online safety, we therefore ask for the timeline be extended for the Select Committee Inquiry into Social Media and Online Safety to allow for the effective introduction and implementation of the Online Safety Act 2021 (Cth) and to ensure meaningful consultation with the community,” Twitter wrote to the committee.

    Meta, meanwhile, wrote in its submission that the federal government should make statutory reviews of new digital platforms legislation mandatory to ensure they are effective and fit-for-purpose, specifically pointing to the “significant amount of new legislation that has been passed”.

    “Policymakers should be alive to the risk of overlapping, duplicative or inconsistent rules across different laws,” Meta said.

    Digital Industry Group Inc (DiGi), the Australian industry group advocating for tech giants including Facebook, Google, TikTok, and Twitter, shared a similar sentiment in its submission to the parliamentary committee. DiGi wrote that proposed regulatory measures, such as making age verification mandatory on social media platforms, have been put in the limelight without any legislative notice. Given the unprecedented implications of age verification of Australians on a range of digital services, it said, wider consultation must first take place if it were to be implemented. DiGi added that the slew of new laws could result in overlap, and recommended that the federal government consider streamlining online safety legislation into a single Online Safety Act.

    Parliamentary committee hears testimony of death and rape threats on social media

    Days after these submissions were publicly released, Australian television presenter Erin Molan appeared before the committee yesterday morning. During her appearance, she testified that trolls have faced no recourse for sending her death and rape threats on social media platforms. “These are sent directly to me on platforms that I use professionally,” Molan told the Select Committee on Social Media and Online Safety, explaining how she received threats directed at herself and her daughter. “It was almost impossible to get help and you almost feel silly. As I said, the personal impact of this on people and we’ve seen people take their lives, we’ve seen kids try to take their lives. We’ve seen so many lives ruined by this kind of behaviour.”

    She also told the committee that the work done by social media platforms such as Facebook and Twitter to assist police in certain instances is “not that effective” in preventing trolling behaviour, and that victims often feel powerless when reporting online abuse. In light of this, Molan called for the eSafety commissioner’s powers to be expanded and for legislation to put more accountability on social media platforms. “[Big tech] generate a ton of money and with that comes responsibility. They, of course, have the responsibility to ensure their platforms are a safe space because every workplace in the country needs to ensure that, within their walls, it is a safe place for their employees, but they won’t do it. Unless there are laws that punish them for not doing it, why would they do it?” Molan told the committee.

    University of New South Wales sociology associate professor Michael Salter, who also appeared before the committee, said that Molan’s experience of feeling powerless to prevent online abuse was common, especially among children. “It’s actually really hard to get [children] to tell an adult in their life … so this is a really complex situation. There is work to do here in Australia, to think about how we develop a holistic response to children in order to target their unique needs and vulnerabilities,” Salter said.

    Salter also testified about instances in which YouTube’s algorithm created playlists of children dancing and performing gymnastics that were only visible to paedophiles. He explained that because the playlists are not shown to non-paedophile communities, YouTube’s detection and reporting of inappropriate behaviour can be ineffective. “Having basic safety expectations built into platforms from the get-go is not too much to expect from an online service provider,” Salter added.

    Aussie free-to-air channels want law requiring smart TVs to feature them prominently

    Australia’s free-to-air television networks have called for the federal government to introduce laws that would require smart TV manufacturers to feature them prominently on TV systems and remotes. “Legislating a prominence framework is the only way to guarantee that Australian audiences will be able to continue to discover and easily access free-to-air content no matter how, when, or where they choose to find it,” said industry body Free TV, which represents networks such as Seven, Nine, and Ten. The call for new legislation was made as part of its submission to the inquiry on social media and online safety.

    In demanding these laws, the industry body said continued access to local news provided by Free TV members relies on these services being prominent and easy to find on modern TVs and related devices. It explained that the design of smart TVs and remotes gives preferential treatment to streaming services such as Netflix, Disney+, and Amazon Prime, and has made it harder for Australians to access free-to-air television. “TV manufacturers and operating system developers increasingly exert control over which options are displayed to consumers, directing viewers to those services that can pay the highest price for preferred placement on the home screen,” Free TV wrote in its submission. “This means that decisions about whether free, licensed terrestrial services, together with broadcast video on-demand apps will be readily available to Australian viewers, and if so on what terms, are increasingly being made in boardrooms in Japan, South Korea, and the US.” Free TV also claimed that TV manufacturers see themselves as distributors and expect a “clip of the ticket”, or some form of payment, for providing access to services.

    Addressing the topic of harms arising from social media, Free TV said it supported the government’s proposed anti-trolling legislation, which would reduce the defamation risk for its members and reallocate it to social media platforms. “While the Anti-Trolling Bill is still under consideration, media companies continue to be legally responsible for this material. It will be important, in final drafting of the Anti-Trolling Bill, to ensure that social media services cannot contract-out of legal liability,” Free TV said.

    IF YOU OR ANYONE YOU KNOW IN AUSTRALIA NEEDS HELP CONTACT ONE OF THESE SERVICES:
    Suicide Call Back Service on 1300 659 467
    Lifeline on 13 11 14
    Kids Helpline on 1800 551 800
    MensLine Australia on 1300 789 978
    Beyond Blue on 1300 22 46 36
    Headspace on 1800 650 890
    QLife on 1800 184 527

    Updated at 12:00pm, 19 January 2022: added information about Free TV Australia’s submission.

  • IOC disputes Citizen Lab's security concerns about Chinese Olympics app

    The International Olympic Committee has defended China’s MY2022 Olympics app following a report from Citizen Lab that found serious privacy issues with the platform. All attendees of the 2022 Olympic Games in Beijing need to download and use the app, but Citizen Lab released a report on Monday saying that a “simple but devastating flaw” allows the encryption protecting users’ voice audio and file transfers to be “trivially sidestepped.”

    According to Citizen Lab, passport details, demographic information, and medical and travel history in health customs forms are also vulnerable, and server responses can be spoofed, allowing an attacker to display fake instructions to users. The MY2022 app also allows users to report “politically sensitive” content and includes a censorship keyword list covering topics such as Xinjiang and Tibet. Citizen Lab noted that the app may violate Google’s Unwanted Software Policy, Apple’s App Store guidelines, and China’s own laws and national standards on privacy protection. Google and Apple did not respond to requests for comment.

    The report caused widespread outrage, since the thousands of people at the games will have no choice but to download the app if they want to represent their country. In comments to ZDNet, the International Olympic Committee defended the app and downplayed the severity of the issues Citizen Lab discovered.

    A spokesperson justified the app’s security holes by saying that, due to the COVID-19 pandemic, “special measures” needed to be put in place to “protect the participants of the Olympic and Paralympic Winter Games Beijing 2022 and the Chinese people.” “Therefore, a closed loop management system has been implemented… The ‘My2022’ app supports the function for health monitoring. It is designed to keep Games-related personnel safe within the closed loop environment,” the IOC said. The IOC also defended the app by saying it received approval from the Google Play store and the App Store.


    “The user is in control over what the ‘My2022’ app can access on their device. They can change the settings already while installing the app or at any point afterwards. It is not compulsory to install ‘My 2022’ on cell phones, as accredited personnel can log on to the health monitoring system on the web page instead,” the IOC claimed. “The IOC has conducted independent third-party assessments on the application from two cyber-security testing organizations. These reports confirmed that there are no critical vulnerabilities.”

    Ron Deibert, director of Citizen Lab at the University of Toronto’s Munk School of Global Affairs & Public Policy, told ZDNet that the IOC’s comments do not address the serious security vulnerabilities the organization discovered and reported. “To date, the app vendor has not either. In fact, the app vendor has not responded at all to our vulnerability disclosure, and the latest version of the app, unfortunately, still includes the vulnerabilities,” Deibert noted. “The IOC has a responsibility to ensure user privacy and security is protected for any applications and systems used during the Olympic Games. The IOC’s comments suggest that rather than taking that responsibility seriously, they are in fact hoping to minimize the risks.”

    DW was the first to report on the vulnerabilities, and many news outlets noted that the US, UK, Australia, and Germany have urged their citizens to leave all of their personal devices and laptops at home over concerns that they will be hacked or monitored by the Chinese government both during the games and once they go home. The Dutch Olympic Committee has already banned its athletes from bringing their devices to the games. Some experts said the vulnerabilities would also give criminal hackers a way to steal sensitive personal information.

    The Beijing 2022 organizing committee, however, told USA Today that personal information collected by Beijing 2022 “will not be disclosed unless the disclosure is necessary.” “Information of accredited media representatives will only be used for purposes related to the Olympic and Paralympic Winter Games,” the Beijing 2022 organizing committee said. The games begin on February 4.

  • Ransomware: 2,300+ local governments, schools, healthcare providers impacted in 2021

    More than 2,300 local governments, schools, and healthcare organizations in the US were affected by ransomware attacks in 2021, according to a new report from security company Emsisoft. The company found that at least 77 state and municipal governments, 1,043 schools, and 1,203 healthcare sites were impacted by a ransomware incident last year. The attacks also led to 118 data breaches, exposing troves of sensitive information. Emsisoft noted that while the numbers are still high, the 77 local governments attacked represent a decrease compared to 2020 and 2019, both of which saw 113 governments hit.

    In 2021, ransomware groups targeted smaller counties and towns rather than bigger cities like New Orleans, Baltimore, and Atlanta. Emsisoft theorized that this may be because larger cities invested more in cybersecurity following damaging attacks in 2019 and 2020. To estimate the cost of the incidents, Emsisoft used figures from Winnebago County, Illinois CIO Gus Genter, who said in 2019 that the average ransomware incident costs $8.1 million and takes 287 days to recover from. Based on those numbers, Emsisoft estimated that the 77 incidents in 2021 amounted to $623.7 million in losses. Beyond the financial losses, at least one incident disrupted dispatch services. Nearly half of the 77 incidents led to data breaches.

    For public educational organizations, there was a small uptick in attacks in 2021. In total, 88 organizations were hit with ransomware, including 62 school districts and 26 colleges or universities, compared with 84 attacks on the education sector in 2020.

    Of the 88 educational organizations attacked in 2021, 44 of the incidents led to data breaches involving the information of both students and employees. While more districts were attacked in 2021, fewer individual schools were affected than in 2020: at least 1,043 schools in 2021 compared to 1,681 in 2020. Last year also saw dozens of ransomware attacks on hospitals and healthcare institutions, with 68 healthcare providers reporting impacts in 2021 and about 1,203 individual healthcare sites affected in total. More healthcare providers were attacked in 2020, but only 560 individual sites were impacted.

    “The providers hit in 2021 included… Scripps Health, which operates 24 locations, including 5 hospitals,” Emsisoft said. Scripps Health estimated its ransomware attack cost $112.7 million.

    Emsisoft noted that while the overall numbers are still high, there are signs of progress. Headline-grabbing attacks on companies like Colonial Pipeline and global meat processor JBS seem to have kicked the government response to ransomware into high gear. The Biden Administration initiated several efforts aimed at curbing ransomware activity, and the recent arrests of ransomware actors may indicate that some headway is being made internationally. The Justice Department has been able to recover several ransom payments from ransomware gangs, and some groups have signalled a reluctance to attack certain government institutions because of offensive actions taken by US Cyber Command and other governments.

    Emsisoft ransomware expert Brett Callow, who tracks ransomware incidents affecting public institutions, told ZDNet the US public sector has experienced a very similar number of incidents in each of the last three years, indicating the sector has not done enough to bolster its security despite knowing it is in the crosshairs. “But they may be starting to change. As noted in the report, the size of victim organization seems to have decreased, possibly indicating that bigger organizations have used their bigger budgets to rectify their security shortcomings,” Callow said. “While that would obviously be a good thing, it would still mean that ways would need to be found to help smaller organizations get to where they need to be.”