More stories

  • Log4j flaw: Attackers are targeting Log4Shell vulnerabilities in VMware Horizon servers, says NHS

    The UK’s National Health Service (NHS) has issued a warning that hackers are actively targeting Log4j vulnerabilities and is recommending that organisations within the health service apply the necessary updates in order to protect themselves. An advisory by NHS Digital says that an ‘unknown threat group’ is attempting to exploit a Log4j vulnerability (CVE-2021-44228) in VMware Horizon servers to establish web shells, which could be used to distribute malware and ransomware, steal sensitive information and carry out other malicious attacks.

    It’s unclear whether the warning has been issued because attacks targeting NHS systems have been detected, or whether the advisory has been released as a general precaution because of the ongoing problem of the critical security vulnerability in the Java logging library Apache Log4j, which was disclosed in December. “We are aware of an exploit and are actively monitoring the situation. We will support our partners with the system response to this critical vulnerability and will continue to provide guidance to NHS organisations,” an NHS spokesperson told ZDNet.

    The attacks being warned against exploit the Log4Shell vulnerability in the Apache Tomcat service embedded within VMware Horizon. Once the weakness has been identified, the attack uses the Lightweight Directory Access Protocol (LDAP) to execute a malicious Java file that injects a web shell into the VM Blast Secure Gateway service. If successfully exploited, attackers can establish persistence on the affected networks and use this to carry out a number of malicious activities. NHS Digital recommends that organisations known to be running Horizon servers take the appropriate action and apply the necessary patches in order to ensure networks can resist attempted attacks.

    “Affected organisations should review the VMware Horizon section of the VMware security advisory VMSA-2021-0028 and apply the relevant updates or mitigations immediately,” said the alert.

    Log4j is used in many forms of enterprise and open-source software, including cloud platforms, web applications and email services, meaning that there’s a wide range of software in organisations around the world which could be at risk from attempts to exploit the vulnerability. Cyber criminals were quick to scan for vulnerable systems after the vulnerability was disclosed, and many took the opportunity to launch attacks, including malware and ransomware campaigns. Attackers are still actively exploiting the vulnerability, Microsoft has warned.

    It’s feared that the widespread use of Log4j in open-source software – to the extent that organisations may not even know it’s part of their ecosystem – could result in the vulnerability being a problem for years to come. The UK’s National Cyber Security Centre (NCSC) is among those which have issued advice to organisations on how to manage Log4j vulnerabilities in the long run.

  • Google acquisition of Siemplify is a knockout punch for standalone SOAR

    Google announced the acquisition of Siemplify, a security orchestration, automation, and response (SOAR) tool, this past Monday. Google Cloud’s acquisition of a SOAR tool in and of itself is not surprising — this has been a missing piece for its Chronicle offering that other security analytics platforms have built-in for the past several years. 

    What is interesting, however, is the timing of this acquisition, which comes years after the spate of SOAR acquisitions from 2018-2019. Siemplify was one of the few remaining holdouts as a standalone SOAR, as most other independent SOAR vendors were acquired or diversified their portfolio with other products such as threat intelligence platforms (TIPs). In some ways, that makes this a heady acquisition, as it signals the true end of the standalone SOAR. Forrester predicted early on that the SOAR market could not stand on its own, and given that that was five years ago, it’s starting to feel like we are belaboring the point.

    The bottom line is this: The SIEM has irrevocably been altered into the more holistic security analytics platform, incorporating SIEM, SOAR, and SUBA in a single offering. Just offering a piece of the puzzle — a SOAR, a SIEM, or SUBA — is not enough. Security teams want a unified security analytics platform that they can use through the entire incident response lifecycle, from detection to investigation to the orchestration of response… and beyond?

    SOAR is part of a larger set of SecOps capabilities

    Security teams now have one less standalone SOAR offering to choose from. This is detrimental in some ways, since some practitioners prefer to use a separate, independent SOAR offering. They find the depth of available integrations to be more powerful and prefer a tool and the vendor behind it to be entirely focused on improving automation in the SOC. While standalone SOAR is becoming a rarity, SOAR still exists in many forms. There are benefits to having a security analytics platform that tightly integrates SIEM and SOAR. A combined tool can help you implement more seamless automation and streamline the entirety of the incident response lifecycle in one place. It also gives you one less vendor to manage, and data from the latest Forrester Analytics Business Technographics® Security Survey shows that security pros are looking to consolidate security tooling.

    Buying SOAR as a standalone versus as part of a broader platform is the classic best-of-breed versus best-of-suite debate. The tricky part, though, is that SOAR is the supporting act, not the headliner. This means things get a little more complicated — as you will find in the flavors of SOAR below.

    Flavors of SOAR

    Consider the different flavors of SOAR and the risks of each:

    • Integrated security analytics platforms can provide tight integration and a simpler user experience. The main challenge with these vendors is ensuring that they stay cutting-edge — big suites of products tend to lead to complacency on innovation and bloat.
    • Security analytics portfolios try to balance the best of what standalone SOAR offers while providing that integration (but this makes them more likely to fail at both as a jack of all trades). If these vendors struggle with one element of their SOAR offering, it’s more likely to be the integrations with other vendors than their own tools.
    • SOAR + TIP + etc. vendors, or those with other additional areas of focus, bank on the fusion between SOAR and their other adjacent offerings. This can be unique and provides them a way of staying independent while still gaining ground in different markets. Combining SOAR and TIP capabilities also helps to operationalize threat intelligence in the SOC.
    • Standalone SOAR can have a great depth of integrations because of its independence and its singular focus on building better automation for the SOC.

    Even if you choose a standalone SOAR, however, it may not be standalone for much longer.

    This post was written by Analyst Allie Mellen and it originally appeared here.

  • NoReboot attack fakes iOS phone shutdown to spy on you

    A new technique that fakes iPhone shutdowns to perform surveillance has been published by researchers. 


    Dubbed “NoReboot,” ZecOps’ proof-of-concept (PoC) attack is described as a persistence method that can circumvent the normal practice of restarting a device to clear malicious activity from memory. Making its debut with an analysis and a public GitHub repository this week, ZecOps said that the NoReboot Trojan simulates a true shutdown while providing cover for the malware to operate — which could include the covert hijacking of microphone and camera capabilities to spy on a handset owner.

    “The user cannot feel a difference between a real shutdown and a ‘fake shutdown’,” the researchers say. “There is no user interface or any button feedback until the user turns the phone back ‘on’.”

    The technique takes over the expected shutdown event by injecting code into three daemons: InCallService, SpringBoard, and backboardd. When an iPhone is turned off, there are physical indicators that this has been completed successfully, such as a ring or sound, vibration, and the Apple logo appearing onscreen — but by disabling this “physical feedback,” the malware can create the appearance of a shutdown while a live connection to an operator is maintained.
    “When you slide to power off, it is actually a system application /Applications/InCallService.app sending a shutdown signal to SpringBoard, which is a daemon that is responsible for the majority of the UI interaction,” the researchers explained. “We managed to hijack the signal by hooking the Objective-C method -[FBSSystemService shutdownWithOptions:]. Now instead of sending a shutdown signal to SpringBoard, it will notify both SpringBoard and backboardd to trigger the code we injected into them.”

    The spinning wheel indicating a shutdown in progress can then be hijacked via backboardd, and the SpringBoard function can be both forced to exit and blocked from restarting. ZecOps said that by taking over SpringBoard, a target iPhone can “look and feel” like it is not turned on, which is the “perfect disguise for the purpose of mimicking a fake power off.”

    Users, however, still have the option of a forced restart. This is where further tampering with backboardd comes in — by monitoring user input, including how long buttons are held, a reboot can be simulated just before a true restart would take place, such as by displaying the Apple logo early.

    “Stopping users from manually restarting an infected device by making them believe they have successfully done so is a notable malware persistence technique,” Malwarebytes commented. “On top of that, human deception is involved: Just when you thought it’s gone, it’s still pretty much there.”

    As the technique relies on tricking users rather than on vulnerabilities or bugs in the iOS platform, this is not something that can be fixed with a patch. ZecOps says that the NoReboot method impacts all versions of iOS and that only hardware indicators could help in detecting this form of attack. A video demonstration can be found below.

    [embedded content]


  • Chinese scientist pleads guilty to stealing US agricultural tech

    A Chinese national has pleaded guilty to the theft of agricultural secrets from the US, intended to reach the hands of scientists across the pond. 

    Xiang Haitao, formerly living in Chesterfield, Missouri, held a post at Monsanto and its subsidiary, The Climate Corporation, between 2008 and 2017, the US Department of Justice (DoJ) said on Thursday. Monsanto and The Climate Corporation developed an online platform for farmers to manage field and yield information in a bid to improve land productivity. One aspect of this technology was an algorithm called the Nutrient Optimizer, which US prosecutors say was considered “a valuable trade secret and their intellectual property.” According to the DoJ, the former employee stole this information “for the purpose of benefitting a foreign government, namely the People’s Republic of China.”

    In June 2017, Xiang left these companies and boarded a flight back to China the following day. The 44-year-old drew the attention of airport officials, who conducted a search – but it was not until later that investigators found copies of the Nutrient Optimizer stored on his electronic devices. Xiang was still able to leave the United States and began working for the Chinese Academy of Science’s Institute of Soil Science. However, during a return trip to the US, Xiang was arrested and charged. The Chinese national pleaded guilty to the charge of conspiracy to commit economic espionage and faces up to 15 years behind bars, a maximum of three years of supervised release – and a fine of up to $5 million.

    Sentencing is due to take place on April 7. “Mr. Xiang used his insider status at a major international company to steal valuable trade secrets for use in his native China,” commented US Attorney Sayler Fleming for the Eastern District of Missouri. “We cannot allow US citizens or foreign nationals to hand sensitive business information over to competitors in other countries, and we will continue our vigorous criminal enforcement of economic espionage and trade secret laws.”

    Monsanto, meanwhile, pleaded guilty in December to 30 ‘environmental crimes,’ including the illegal use of a banned pesticide in Hawaii. The plea agreement includes a fine of $12 million. Bayer closed the acquisition of Monsanto in 2018 and is now facing a potential class-action lawsuit from investors and a demand of $2.5 billion over claims of failed due diligence.

  • Illinois fertility clinic, online pharmacy giant Ravkoo report data breaches

    Online pharmacy company Ravkoo and Fertility Centers of Illinois (FCI) have both informed thousands of current and former patients of data breaches involving troves of their sensitive information. The HIPAA Journal said 79,943 current and former patients were sent breach notification letters informing them that passport numbers, Social Security numbers, financial account information, payment card information, treatment information, treating physicians, medical billing/claims information, prescription/medication information and Medicare/Medicaid identification information were leaked. The breach also involved significantly more patient information related to treatment and health insurance coverage, as well as some employee information.

    FCI said it “became aware of suspicious activity on its internal systems” on February 1 and determined by August that patient information was involved. The company did not respond to requests for comment about the delay in informing victims, but said in the notice that it is offering one year of free credit monitoring and identity theft protection services.

    FCI wasn’t the only healthcare institution dealing with a breach. Internet pharmacy service Ravkoo also notified customers of a data breach involving their information. In a letter sent to New Hampshire Attorney General Gordon McDonald, the Florida-based Ravkoo said hackers tried to infiltrate its AWS-hosted cloud prescription portal on September 27. The incident exposed the prescription and healthcare information of 105,000 people, including nearly 400 in Maine. After hiring a cybersecurity firm, CEO Alpesh Patel said, the company was told on October 27 that names, mailing addresses, phone numbers, prescriptions and medical information were exposed.

    Breach notification letters were sent out January 3 and the FBI was notified, according to a notice on the Ravkoo website. Victims are being provided with one year of free online identity monitoring service from Kroll Information Assurance. In September, the hacker behind the attack on Ravkoo told The Intercept’s infosec director Micah Lee that Ravkoo was “hilariously easy” to hack and that they had access to hundreds of thousands of prescriptions filed with the company since 2020. According to what the hacker told The Intercept, Ravkoo’s site had “a hidden admin panel that every user can log in to and view all the data.”

    Multiple fertility clinics reported data breaches in 2021, including Quest-owned ReproSource and Georgia-based Reproductive Biology Associates, as well as its affiliate My Egg Bank North America. Jake Williams, CTO at BreachQuest, explained that it is not uncommon for medical organizations to store patient data outside of their electronic health record system and said it sounds like that’s what happened in the FCI case. The theft of administrative accounts and other high-privilege accounts gives hackers access to widespread data, and such accounts often act as a single point of failure, according to nVisium’s Ben Pick.

  • JFrog researchers find JNDI vulnerability in H2 database consoles similar to Log4Shell

    Security researchers from JFrog said on Thursday that they discovered a critical JNDI-based vulnerability in the H2 database console with a root cause similar to Log4Shell. The CVE hasn’t been posted by NIST yet but will be assigned CVE-2021-42392. In a blog post, the company said that CVE-2021-42392 should not be as widespread as Log4Shell, even though it is a critical issue with a similar root cause.

    JFrog explained that the Java Naming and Directory Interface (JNDI) is an API that provides naming and directory functionality for Java applications. H2 is a widely used open-source Java SQL database used for various projects, ranging from web platforms like Spring Boot to IoT platforms like ThingWorx. The researchers noted that the com.h2database:h2 package is “part of the top 50 most popular Maven packages, with almost 7,000 artifact dependencies.”

    Shachar Menashe, senior director of JFrog security research, told ZDNet that, similar to the Log4Shell vulnerability uncovered in early December, attacker-controlled URLs that propagate into JNDI lookups can allow unauthenticated remote code execution, giving attackers sole control over the operation of another person’s or organization’s systems. The security company said CVE-2021-42392 in the H2 database console is the first critical issue published since Log4Shell, on a component other than Log4j, that exploits the same root cause as the Log4Shell vulnerability, namely JNDI remote class loading.


    “To the best of our knowledge, CVE-2021-42392 is the first JNDI-related unauthenticated RCE vulnerability to be published since Log4Shell, but we suspect it won’t be the last,” the researchers wrote. “One of our key takeaways from the Log4Shell vulnerability incident was that due to the widespread usage of JNDI, there are bound to be more packages that are affected by the same root cause as Log4Shell – accepting arbitrary JNDI lookup URLs. Thus, we’ve adjusted our automated vulnerability detection framework to take into consideration the javax.naming.Context.lookup function as a dangerous function (sink) and unleashed the framework onto the Maven repository to hopefully find issues similar to Log4Shell.”

    The H2 database package was one of the first they validated, and they reported it to the H2 maintainers, who immediately fixed it in a new release and created a critical GitHub advisory. According to JFrog, several code paths in the H2 database framework pass unfiltered attacker-controlled URLs to the javax.naming.Context.lookup function, which they said allows for remote codebase loading. Of all the attack vectors of the issue, the most severe is through the H2 console.

    “This feature can impact those running an H2 database console exposed to the network and we recommend updating your H2 database to version 2.0.206 immediately. Note that the H2 database is used by many 3rd-party frameworks, including Spring Boot, Play Framework and JHipster,” Menashe said. “While this vulnerability is not as widespread as Log4Shell, it can still have a dramatic impact on developers and production systems if not addressed accordingly.”

    The report notes that because the H2 database is used by so many artifacts, it is difficult for them to quantify how many vulnerable deployments of the H2 console exist in the wild. JFrog also explained several other attack vectors using the same vulnerability and suggested users upgrade their H2 database to the latest version. They noted that they have seen a number of developer tools “relying on the H2 database and specifically exposing the H2 console.”

    “If you are running an H2 console which is exposed to your LAN (or worse, WAN) this issue is extremely critical (unauthenticated remote code execution) and you should update your H2 database to version 2.0.206 immediately,” the company said. “Network administrators can scan their local subnets for open instances of the H2 console with nmap. Any returned servers are highly likely to be exploitable.”

    According to the researchers, version 2.0.206 is similar to Log4j 2.17.0 in that it fixes the issue by limiting JNDI URLs to the (local) java protocol only, which denies any remote LDAP/RMI queries. JFrog also provided several mitigation options for those who cannot upgrade H2.

    Matthew Warner, CTO at Blumira, told ZDNet that according to OSINT, there are likely under 100 impacted servers on the internet, because the H2 Database Console must be purposefully exposed to the internet by changing the configuration so that it does not listen only on localhost. “While this vulnerability also utilizes remote JNDI class loading, it requires access that is not available with the default configuration of the H2 Database,” Warner said.

    BreachQuest CTO Jake Williams said widespread exploitation is unlikely because this vulnerability is in an application, as opposed to a library like log4j, meaning vulnerable systems should be much easier to discover and remediate. In a default configuration, the vulnerability can only be triggered from the same machine the database console is running on, meaning exploitation is extremely conditional. “It’s unlikely that this will cause widespread damage, though vulnerability managers should be ready to patch other newly discovered JNDI vulnerabilities as they are disclosed,” Williams said. “It’s clear that this vulnerability won’t be the last one discovered that’s related to log4j.”

    Others, like NTT Application Security’s Ray Kelly, said that while exploitation was unlikely, using a mashup of SQL and JNDI to exploit an RCE vulnerability “is quite creative and an excellent example of how a single issue can be abused multiple ways.” The research is also worthwhile because, even though log4j had specific coding flaws resulting in Log4Shell, the broader idea of a lack of validation on JNDI lookups leading to vulnerabilities is a general attack pathway which is likely to exist elsewhere and, given that the log4j vulnerabilities weren’t discovered sooner, likely hasn’t been the subject of directed scrutiny, according to Bugcrowd CTO Casey Ellis.

    “This is a classic example of ‘research clustering’, which is a phenomenon Bugcrowd has observed many times before and one we predicted after the initial publication of Log4Shell,” Ellis said. “Some research teams have opted to capitalize on a sense of panic to get their message out there, while the JFrog folks seem to have taken great care to get their message across, but not cause undue work for already overloaded security teams.”
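    As an added illustration, and not code from H2, JFrog or this article, the Java guard below applies in application code the policy the researchers describe for the H2 2.0.206 fix: a name is handed to javax.naming.Context.lookup only if it uses the local java: scheme, so ldap:, rmi: and any other remote scheme is refused before any class loading can happen. The class name, the method names and the sample inputs in main are assumptions made for this example; they are not H2 identifiers.

```java
import java.net.URI;
import java.net.URISyntaxException;
import javax.naming.Context;
import javax.naming.NamingException;

// Added example (not H2's or JFrog's code): refuse any JNDI name whose
// scheme is not the local "java:" scheme before it can reach Context.lookup.
public final class JndiNameGuard {

    private JndiNameGuard() {}

    // Returns true only for names of the form java:... . Anything else,
    // including ldap://, rmi://, scheme-less names and unparsable input,
    // is treated as untrusted and refused.
    public static boolean isLocalJavaName(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        URI uri;
        try {
            uri = new URI(name);
        } catch (URISyntaxException e) {
            return false; // not a well-formed URI: refuse rather than guess
        }
        String scheme = uri.getScheme();
        return scheme != null && scheme.equalsIgnoreCase("java");
    }

    // Drop-in replacement for a bare ctx.lookup(name) wherever the name can be
    // influenced by a caller (for example a connection URL or console input).
    public static Object guardedLookup(Context ctx, String name) throws NamingException {
        if (!isLocalJavaName(name)) {
            throw new NamingException("refused non-local JNDI name: " + name);
        }
        return ctx.lookup(name);
    }

    public static void main(String[] args) {
        // Constructed sample inputs for this example; the hosts are placeholders.
        String[] samples = {
            "java:comp/env/jdbc/appDb",   // local name: allowed
            "ldap://remote.example/obj",  // remote LDAP: refused
            "rmi://remote.example/obj",   // remote RMI: refused
            "JAVA:comp/env/x",            // scheme compared case-insensitively: allowed
            "not a uri",                  // unparsable: refused
        };
        for (String s : samples) {
            System.out.println(s + " -> " + (isLocalJavaName(s) ? "allowed" : "refused"));
        }
    }
}
```

    The guard is deliberately stricter than a plain scheme blocklist: a scheme-less relative name is also refused, because an allowlist of one known-safe scheme is easier to reason about than enumerating every remote scheme JNDI providers might register.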

  • Hackers are sending malicious links through Google Doc comment emails

    Research from cybersecurity company Avanan has shown that hackers are increasingly using Google Docs’ productivity features to slip malicious content past spam filters and security tools. 

    Avanan’s Jeremy Fuchs said that in December, the company saw cyberattackers using the comment feature in Google Docs and Google Slides to leverage attacks against Outlook users.

    “In this attack, hackers are adding a comment to a Google Doc. The comment mentions the target with an @. By doing so, an email is automatically sent to that person’s inbox. In that email, which comes from Google, the full comment, including the bad links and text, is included. Further, the email address isn’t shown, just the attacker’s name, making this ripe for impersonators,” Fuchs wrote in a blog post.

    The technique has long been used by cybercriminals, and Google even released fixes for the issue in 2020. But Avanan included images showing researchers testing the flaw with Google Docs and Google Slides using a malicious link that was added to a comment. “We primarily saw it target Outlook users, though not exclusively. It hit over 500 inboxes across 30 tenants, with hackers using over 100 different Gmail accounts,” Fuchs added, noting that the email feature in Google Docs makes it difficult for scanners to stop the attack because the email comes directly from Google.

    Google is on most Allow Lists, Fuchs explained, and most users trust emails coming from Google. Anti-spam features are also helpless against the attack because the email doesn’t use the hacker’s email address, only their display name. No one would know whether the comment came from someone within their company or from somewhere else. “Further, the email contains the full comment, along with links and text. The victim never has to go to the document, as the payload is in the email itself. Finally, the attacker doesn’t even have to share the document — just mentioning the person in the comment is enough,” Fuchs said.

    The company noted that last year it reported another Google Docs exploit that also allowed hackers to easily deliver malicious phishing websites to end users. Avanan suggested users check multiple times before clicking on any links in a Google Doc comment sent to them.

    A number of cybersecurity experts reiterated that this kind of attack has been used for many years by cyberattackers because of how successful it is. Shawn Smith, director of infrastructure at nVisium, noted that the attack is not significantly different from many other methods of phishing. “Users should always be wary of links in emails — even emails from legitimate senders — due to the possibility of an account becoming compromised. It seems to me that this could be categorized less as an ‘exploit’ per se, and more so a case of a lack of spam prevention,” Smith said. “In addition to checking links, users should also be hovering over links before clicking to confirm that the embedded hyperlink is sending them where they expect — and not to a completely different site than the link indicates.”

  • Counties in New Mexico, Arkansas begin 2022 with ransomware attacks

    Two counties in New Mexico and Arkansas are dealing with ransomware attacks affecting government services, according to officials from both states. On Wednesday evening, New Mexico’s Bernalillo County — which covers the state’s most populous cities of Albuquerque, Los Ranchos and Tijeras — officially reported that it was hit with a ransomware attack that began between midnight and 5:30 a.m. on January 5.

    County officials have taken the affected systems offline and cut network connections, and most county buildings are now closed to the public. Emergency services are still available and 911 is still operating, but a Sheriff’s Office customer service window was closed. Visitation at the Metropolitan Detention Center has been postponed indefinitely, but all community centers are still open. Many other government services are still available over the phone and in person. The county said it is working with its vendors to respond to the incident.

    Bernalillo County spokesman Tom Thorpe told KOB4 that he was unaware of a specific ransom demand issued by the attackers. Bernalillo County communications director Tia Bland said in a statement to KOAT, “Accounting and technology staff are doing a thorough assessment to figure out what the impact is.”

    Arkansas’ Crawford County is also dealing with a ransomware attack that began right before the new year.

    Crawford County Judge Dennis Gilstrap told Arkansas news outlets last week that a ransomware attack was discovered at the County Assessor’s office on December 27, forcing them to shut down the office’s servers. Gilstrap said IT workers with the county contacted their cybersecurity provider, Apprentice, for guidance on how to deal with the attack. “Basically we had to shut down everything from the servers on, but we got it stopped,” Gilstrap told TalkBusiness. “Last I heard, the (County Clerk’s office) could not issue marriage licenses. I guess it was good that it happened during a slow period (between Christmas and New Year), if there can be anything good said about it.”

    Crawford County public defender Ryan Norris added in an interview with the outlet that the clerk’s office was not able to pull up jury lists, calling it a “mess.” By Tuesday, Gilstrap said operations were back to normal at both the assessor’s office and the tax collector’s office. But he told both TalkBusiness and 5News that it will take weeks before they know whether personal information was accessed by the attackers.

    Ransomware expert Brett Callow told ZDNet that while fewer local governments fell victim to ransomware attacks in 2021 than in either of the previous two years — 77 versus 113 in both 2020 and 2019 — that can hardly be seen as a win. “The fact that a local government was hit so early into the New Year isn’t at all surprising, given that they fall victim to ransomware attacks at a rate of about 1.5/week,” Callow said. “One is one too many, and 77 is far too many. This is especially true as far more incidents now involve data exfiltration, making it more likely that a ransomware attack on a local government will result in sensitive information leaking online.”

    Shared Assessments’ Nasser Fattah said attacks will continue to occur due to the lack of resources and the use of stale technologies, which “collectively make municipalities an attractive target.” YouAttest CEO Garret Grajek noted that recent research from the Palo Alto Networks Cortex Xpanse team showed that hackers are scanning within 15 minutes of a vulnerability becoming known, while most companies are not patching and updating for 12 hours. “No company, county or organization is too obscure or too off-the-beaten-path for the attackers,” Grajek said. “To the hackers, the sites are simply targets of opportunity.”