More stories

  • This phishing campaign delivers malware that steals your passwords and chat logs

    A mass phishing campaign is targeting Windows PCs and aims to deliver malware that can steal usernames, passwords, credit card details and the contents of cryptocurrency wallets. Detailed by cybersecurity researchers at Bitdefender, RedLine Stealer is offered in a malware-as-a-service scheme, providing even low-level cyber criminals with the ability to steal many different forms of sensitive personal data – for as little as $150.

    The malware first appeared in 2020, but RedLine has recently gained additional features and was widely distributed in mass spam campaigns during April. The mass phishing emails contain a malicious attachment which, if run, starts the process of installing the malware. Victims are mostly in North America and Europe.

    The malware uses exploits for CVE-2021-26411, a vulnerability in Internet Explorer, to deliver the payload. The vulnerability was disclosed and patched last year, so the malware can only infect users who have yet to apply the security update. After being executed, RedLine Stealer performs initial reconnaissance of the target system, collecting information including usernames, which browsers are installed and whether anti-virus software is running. From there, it seeks out information that can be stolen and exfiltrates passwords, cookies and credit card data saved in browsers, as well as crypto wallets, chat logs, VPN login credentials and text from files.

    RedLine is sold in underground marketplaces, and cyber criminals are offered several tiers of service, reflecting how easily available malware has become: would-be crooks can ‘lease’ the software for $100 or buy a ‘lifetime’ subscription for $800. The malware is relatively simple, but it is potent, with the ability to steal vast amounts of sensitive information even when the affiliates are relatively inexperienced.

    However, it is possible to protect against RedLine by applying security patches, particularly for Internet Explorer, as that prevents the exploit kit from taking advantage of CVE-2021-26411. It is also recommended that users keep operating systems, applications and anti-virus software up to date, to prevent known vulnerabilities from being exploited to deliver malware.

  • Vulnerable plugins plague the CMS website security landscape

    Vulnerable plugins, extensions, and default settings are responsible for a high rate of website compromise, according to new research.

    Content management systems (CMSs) are frequently used to structure websites and online services, including e-commerce shops, and make it easier for web admins to manage and publish content. Plugins and extensions add to website functionality and can provide everything from contact forms to SEO optimization, maps, image albums, and payment options. As a result, they are incredibly popular — but if they are vulnerable to exploitation, their use can put entire websites at risk of being hijacked.

    Sucuri’s 2021 Website Threat Research Report (.PDF) has examined these issues in depth with a particular focus on CMS usage, including WordPress, Joomla, and Drupal. According to the researchers, vulnerable plugins and extensions “account for far more website compromises than out-of-date, core CMS files,” with roughly half of the website intrusions recorded by the firm’s clients occurring on a domain with an up-to-date CMS.

    Threat actors will often leverage legitimate — but hijacked — websites to host malware, credit card skimmers, or for the deployment of spam. Sucuri says that websites containing “a recently vulnerable plugin or other extension” are the most likely to be abused in these ways. “Even a fully updated and patched website can suddenly become vulnerable if one of the website elements has a vulnerability disclosure and action is not swiftly taken to remediate it,” the researchers commented. In addition, webmasters who leave their CMS websites and control panels on default configurations are considered a “serious liability,” especially when multi-factor authentication (MFA) is not implemented or possible.

    The report lists the most common types of malware found on compromised websites. At the top are backdoors — malware that gives its operators persistent access to a domain and the ability to exfiltrate data, among other features. Sucuri said over 60% of its website compromise cases involved at least one backdoor.

    In addition, credit card skimmers remain a persistent threat to e-commerce retailers. Skimmers are usually small pieces of code implanted on payment pages, which harvest customers’ card details and transfer them to an attacker-controlled server. They now account for over 25% of new PHP-based malware signatures detected in 2021.

    Spam is also one of the most common forms of website compromise. In total, 52.6% of websites cleaned up by the firm contained SEO spam, such as URL redirects, which are used to force visitors to landing pages that display malicious content. Furthermore, the team found evidence of spam injectors that hide spam links in hijacked websites to boost their SEO rankings. Most spam-related content relates to pharmaceuticals such as viagra, essay writing services, escorts, gambling, adult websites, and pirated software.

    “While there is no 100% security solution for website owners, we have always advised that a defense in depth strategy be used,” Sucuri says. “Laying defensive controls helps you better identify and mitigate attacks against your website. […] At its core, maintaining a good security posture comes down to a few core principles: keep your environment updated and patched, use strong passwords, exercise the principle of least privilege, and leverage a web application firewall to filter malicious traffic.”

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • HackerOne acquires code security tester, review service PullRequest

    HackerOne has acquired PullRequest, a code-review-as-a-service platform. 

    The deal was announced on Thursday. No financial details have been disclosed. HackerOne is known for its bug bounty platform, a system for security researchers to privately disclose vulnerabilities in services and software to vendors in return for credit and financial rewards. However, the organization has also branched out into vulnerability management, cloud environment protection, and application security services. Customers include General Motors, GitHub, Google, Microsoft, and PayPal.

    Founded in 2017, PullRequest provides on-demand code reviews by engineers to thousands of organizations. By having more eyes on code before it goes too far down the production line, it is possible to catch vulnerabilities and errors early — and before they could potentially be exploited by threat actors. Different languages and frameworks, including Go, Python, PHP, and JavaScript, are supported across web, mobile, and other platforms. The company previously raised $12.7 million in funding.

    According to HackerOne, the acquisition of PullRequest “builds upon HackerOne’s focus on reducing [its] customers’ attack resistance gap – the space between what organizations can defend and what they need to defend.” This “will ultimately help customers release trustworthy software faster by embedding expert security reviewers within their software development lifecycle,” the company added.

    HackerOne CTO Alex Rice says that there is a shift occurring from reactive security — finding and patching bugs after code has been published — to a “developer-first” model that attempts to eradicate vulnerabilities far sooner in software development cycles. Rice commented: “Over 70% of organizations claim to integrate aspects of security earlier in development to minimize their attack resistance gap, yet less than 25% of security issues are found during development. Clearly, something more is needed. We’re bringing feedback from security experts to the developer workflow so they can quickly fix bugs and get back to building.”

  • China, India, Russia missing from future of internet pledge by US, EU, and 33 others

    The United States, European Union, ex-EU member the United Kingdom, and 32 other nations have committed to the Declaration for the Future of the Internet [PDF], an agreement to strengthen democracy online by agreeing not to undermine elections by running online misinformation campaigns, or to illegally spy on people, the White House said on Thursday. The declaration also commits signatories to promote safety, particularly among young people and women, and the equitable use of the internet. Further, the countries have agreed to refrain from imposing government-led shutdowns and committed to providing affordable and reliable internet services.

    Although not legally binding, the declaration states that the principles should be used “as a reference for public policy makers, as well as citizens, businesses, and civil society organizations”. In a statement the White House claimed it would work together with partner nations to promote the declaration’s principles, but that a mutual respect should be held for each individual nation’s regulatory autonomy. So far, 60 countries have endorsed the declaration, and according to the European Commission, more are expected to join in the coming weeks.

    Notable omissions include India, China, and Russia. Their absence is hardly surprising given that Ukraine is a signatory, and that the declaration calls on countries to refrain from using social score cards, a transparent criticism of China’s social credit score. Meanwhile, a senior Biden administration official responded to India’s absence by claiming “the hope remains that time isn’t fully passed yet for India to join”.

    Google responded in support of the declaration, but made clear that the private sector must also play an important role in furthering internet standards when faced with a global crisis. “Since Russia’s invasion in Ukraine, our teams have been working around the clock to support people in Ukraine through our products, defend against cybersecurity threats, and surface high-quality, reliable information,” said Google in a statement. Microsoft president and vice chair Brad Smith shared this sentiment, claiming in a blog post that governments cannot manage the global challenges facing the management of the internet alone. “We need new and innovative internet initiatives that bring governments together with NGOs, academic researchers, tech companies and many others from across the business community,” said Smith.

    Signatories beyond the US, UK, and 27 EU members include: Albania, Andorra, Argentina, Australia, Cabo Verde, Canada, Colombia, Costa Rica, Dominican Republic, Georgia, Iceland, Israel, Jamaica, Japan, Kenya, Kosovo, Maldives, Marshall Islands, Micronesia, Moldova, Montenegro, New Zealand, Niger, North Macedonia, Palau, Peru, Senegal, Serbia, Taiwan, Trinidad and Tobago, Ukraine, and Uruguay.

  • Microsoft readies a built-in VPN for Edge powered by Cloudflare

    Written by Mary Jo Foley, Contributor

    Mary Jo Foley has covered the tech industry for 30 years for a variety of publications, including ZDNet, eWeek, and Baseline. She is the author of Microsoft 2.

    Microsoft is looking to give its Edge browser an extra security boost with a coming feature called “Edge Secure Network.” The coming VPN service will be powered by Cloudflare, as noted in a recently discovered Microsoft Support page about the feature. (Thanks to XDA Developers for the link.)

    Edge Secure Network isn’t yet available to Edge Dev Channel testers, and there’s no indication when it will be. The feature requires users to be signed into their Microsoft Accounts and provides 1 GB of free data per month, tied to those accounts. Edge Secure Network will encrypt users’ Internet connections by routing data from Edge through an encrypted tunnel to create a secure connection, “even when using a non-secure URL that starts with HTTP,” the support page says. Thanks to this encryption, users get an extra layer of protection against hackers accessing browsing data via shared public Wi-Fi networks. Cloudflare permanently deletes the diagnostic and support data it collects every 25 hours.

    The Edge Secure Network capability also can help prevent online tracking and keep users’ locations private, and will be available for free, the support page indicates. Instructions for turning on Secure Network, once it’s available, are in the Edge support page article. Some other browser vendors, like Opera, already have VPN integration. And Mozilla, while not integrating its own VPN into Firefox, has made its VPN available separately to customers.

  • Log4j flaw: Thousands of applications are still vulnerable, warn security researchers

    Months on from a critical zero-day vulnerability being disclosed in the widely used Java logging library Apache Log4j, a significant number of applications and servers are still vulnerable to cyberattacks because security patches haven’t been applied. First detailed in December, the vulnerability (CVE-2021-44228) allows attackers to remotely execute code and gain access to systems that use Log4j.

    Not only is the vulnerability relatively simple to take advantage of, but the ubiquitous nature of Log4j means that it’s embedded in a vast array of applications, services and enterprise software tools that are written in Java – and used by organisations and individuals around the world. It’s why the director of the US Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, described the vulnerability as “one of the most serious that I’ve seen in my entire career, if not the most serious”.

    But despite critical warnings over the vulnerability, there is still a large number of Log4j instances operating in the wild that have yet to be patched and are still exposed to cyberattacks. According to researchers at cybersecurity company Rezilion, there are over 90,000 vulnerable internet-facing applications and more than 68,000 servers that are still publicly exposed. The exposed instances were discovered by running searches through the Internet of Things (IoT) search engine Shodan – and researchers warn that what’s been discovered is likely “just the tip of the iceberg” in terms of the actual vulnerable attack surface.

    Log4j vulnerabilities leave organisations open to various cyberattacks from cyber criminals who can easily scan for vulnerable instances to exploit. Not long after Log4j was disclosed, attempts were made to deploy ransomware and crypto-mining malware on vulnerable servers. State-sponsored hacking groups have also been spotted attempting to take advantage of Log4j vulnerabilities. These include Chinese state-sponsored espionage groups Hafnium and APT41, as well as Iranian-backed hacking groups APT35 and Tunnel Vision. While state-sponsored hacking groups are likely to have deep pockets and plentiful resources, the ability to exploit common vulnerabilities is particularly useful, as such attacks are less likely to leave traces that could be tied to a specific hacking group.

    One of the reasons why Log4j vulnerabilities are still lingering is that the flaw can be deeply ingrained in applications, to the extent that it might not even be clear that the Java logging library is part of that system. But there are steps that can – and should – be taken to ensure the network is protected against attacks trying to exploit Log4j, the most vital of which is identifying and patching insecure instances of Log4j. The network should also be regularly examined to help identify potential vulnerabilities. “You need to have processes in place that continuously monitor your environment for critical vulnerabilities with an emphasis on third-party code,” said the report. If a vulnerable Log4j asset is identified, it’s recommended that information security teams act on the basis that the system has been compromised, look for signs of potential malicious activity and prepare to take action.

  • ExtraReplica: Microsoft patches cross-tenant bug in Azure PostgreSQL

    Microsoft has patched a security weakness in Azure PostgreSQL which could have been exploited to execute malicious code.

    On Thursday, researchers from Wiz Research published an advisory on “ExtraReplica,” described as a “cross-account database vulnerability” in Azure’s infrastructure. Microsoft Azure is a hybrid cloud service with hundreds of thousands of enterprise customers. According to Wiz, a “chain” of vulnerabilities could be used to bypass Azure’s tenant isolation, which prevents software-as-a-service (SaaS) customers from accessing resources belonging to other tenants.

    ExtraReplica’s core attack vector is based on a flaw that allowed attackers read access to PostgreSQL databases without authorization. Once a target public PostgreSQL Flexible Server has been selected, an attacker has to find the target’s Azure region “by resolving the database domain name and matching it to one of Azure’s public IP ranges,” according to Wiz. An attacker-controlled database then has to be created in the same region. The first vulnerability, found in Azure’s PostgreSQL engine modifications, would be exploited on the attacker-controlled instance, leading to escalated ‘superuser’ privileges and the ability to execute code. The second bug in the chain, buried in the certificate authentication process, would then be triggered on the target instance via replication to gain read access.

    While this attack could be used within a subnet, the Certificate Transparency feed could also be abused to retrieve domain SSL certificates and extract a database’s unique identifier, thereby expanding the potential attack surface beyond a subnet. An attacker would need to retrieve target information from the Certificate Transparency feed and purchase a “specifically crafted certificate” from a CA to perform such an exploit. The vulnerability doesn’t, however, impact Single Server instances or Flexible Servers with “VNet network configuration (Private access)” enabled, according to the researchers.

    The vulnerability was disclosed to Microsoft in January. Microsoft’s security team triaged the vulnerability and was able to replicate the flaw. Wiz was awarded a bug bounty of $40,000 for its report and a fix was rolled out by February 25 by the Redmond giant. Now fully mitigated, the issue requires no action from Azure customers. Microsoft is not aware of any exploitation in the wild. “We appreciate MSRC’s cooperation and their attentiveness to our report,” the researchers commented. “Their professional approach and close communication throughout the disclosure process is a model for all vendors.”

  • Microsoft: Russia has launched hundreds of cyberattacks against Ukraine

    Microsoft warns it saw six Russia-aligned, state-sponsored hacking groups launch over 237 cyberattacks against Ukraine, starting in the weeks before Russia’s February 24 invasion. Microsoft has released an in-depth report detailing how Russian cyberattacks against Ukraine were “strongly correlated” or “directly timed” with its military operations in the country.

    For example, on March 1, several Kyiv-based media companies were struck by destructive and information-stealing malware, which coincided with a missile strike on a Kyiv TV tower on the same day. Then on March 13, a suspected Russian nation-state actor stole data from a nuclear safety organization, aligning with Russian troops seizing the Chernobyl nuclear power plant and the Zaporizhzhia Nuclear Power plant.

    The report takes a closer look at Russia’s use of destructive malware during and before the invasion, the first of which was discovered by Microsoft in mid-January and dubbed WhisperGate. The combination of cyber and military operations points to Russia’s hybrid warfare strategy, according to Microsoft. “Russia’s use of cyberattacks appears to be strongly correlated and sometimes directly timed with its kinetic military operations targeting services and institutions crucial for civilians,” says Corporate Vice President, Customer Security & Trust, Tom Burt.

    According to the report, the day before Russia’s military invaded Ukraine, operators linked to the GRU – Russia’s military intelligence service – launched destructive wiper attacks on hundreds of systems in Ukrainian government, IT, energy, and financial organizations. Microsoft detected 37 destructive malware attacks against Ukraine between February 24 and April 8 through eight known destructive malware families, including FoxBlade, which Microsoft found in February, FiberLake, IsaacWiper/HermeticWiper/SonicVote, and CaddyWiper, as well as Industroyer2, aimed at industrial control systems (ICS). In many cases, the malware used the SecureDelete utility to wipe data. The US government two weeks ago warned of suspected Russian malware called Pipedream that was customized to compromise multiple vendors’ ICS equipment. Ukraine officials earlier this month also said they stopped a cyberattack on an energy facility that could have cut power to two million people.

    “Known and suspected Russian threat actors deployed malware and abused legitimate utilities 37 times to destroy data on targeted systems. SecureDelete is a legitimate Windows utility that threat actors abused to permanently delete data from targeted devices,” Microsoft says in the report. “More than 40% of the destructive attacks were aimed at organizations in critical infrastructure sectors that could have negative second-order effects on the government, military, economy, and people,” Microsoft says. Additionally, 32% of destructive incidents affected Ukrainian government organizations at the national, regional, and city levels.

    The three main Russian military agencies Microsoft identifies in the report are the GRU, SVR (Russia’s foreign intelligence service), and the FSB or Federal Security Service. The main methods for initial access were phishing, using unpatched vulnerabilities, and compromising IT service providers. Microsoft says Russia’s cyberattacks appeared to “work in tandem” against targets of military activity. However, it was uncertain whether these were coordinated and centralized, or whether there was just a common set of understood priorities. “At times, computer network attacks immediately preceded a military attack, but those instances have been rare from our perspective. The cyber operations so far have been consistent with actions to degrade, disrupt, or discredit Ukrainian government, military, and economic functions, secure footholds in critical infrastructure, and to reduce the Ukrainian public’s access to information,” Microsoft says.

    Burt says that following Microsoft’s discovery of WhisperGate, it established a secure line of communication with Ukraine officials and has been providing support ever since. In the lead-up to the invasion, Microsoft also observed that Russian cyberattacks were growing increasingly loud and disruptive and usually intensified following diplomatic failures related to the conflict with Ukraine and NATO members. Burt urged all organizations to take heed of alerts published by the US Cybersecurity and Infrastructure Security Agency (CISA) and other US government agencies, due to fears that NATO military support to Ukraine could see Russia’s efforts expand beyond Ukrainian targets. “Given Russian threat actors have been mirroring and augmenting military actions, we believe cyberattacks will continue to escalate as the conflict rages. Russian nation-state threat actors may be tasked to expand their destructive actions outside of Ukraine to retaliate against those countries that decide to provide more military assistance to Ukraine and take more punitive measures against the Russian government in response to the continued aggression,” warned Burt.

    This article has been updated to correct the name of the author of Microsoft’s blog, which was by Tom Burt – Corporate Vice President, Customer Security & Trust.