More stories

    Time to get patching: Oracle's quarterly Critical Patch Update arrives with 520 fixes

    Enterprise software giant Oracle has released its April Critical Patch Update (CPU) advisory, which includes 520 fixes for security flaws. Critical Patch Updates are collections of security fixes for Oracle products, published quarterly. This update addresses security flaws in dozens of products with three bugs getting a severity rating of 10 out of a possible 10, and about 70 with a score of 9.8.

    Oracle notes that customers should update their software as soon as they can, as it continues to receive periodic reports of attempts to maliciously exploit vulnerabilities for which Oracle has already released security patches: “In some instances, it has been reported that attackers have been successful because targeted customers had failed to apply available Oracle patches. Oracle therefore strongly recommends that customers remain on actively-supported versions and apply Critical Patch Update security patches without delay.”

    Oracle Communications Cloud Native Core Network Exposure Function has two bugs with a score of 10, both tracked as CVE-2022-22947, and 31 bugs with a score of 9.8, while Oracle Communications Billing and Revenue Management is affected by one flaw with a score of 10, CVE-2022-21431.

    Eric Maurice, Oracle’s VP of security assurance, says the updates cover a “wide range of product families”, from its database server to the blockchain platform and Oracle Virtualization. Maurice also flagged a small adjustment to the timing of Oracle’s CPU release schedule from this point on. “With this Critical Patch Update release, Oracle is making a small adjustment to the Critical Patch Update release schedule. Critical Patch Updates will no longer be released on the Tuesday closest to the 17th of the month of January, April, July, and October, but they will be released on the third Tuesday of January, April, July, and October,” he says in a blogpost. “This minor adjustment will not affect the frequency of Critical Patch Update releases (still 4 times a year), but essentially, makes it easier to set calendar reminders and determine the date of future Critical Patch Update releases.”

    Of the 520 patches, Oracle Communications products received 149, 98 of which “may be remotely exploitable without authentication.” Oracle Financial Services applications received 41 patches, 19 of them possibly remotely exploitable without authentication. Oracle Fusion Middleware got 54 patches, 41 of which may be remotely exploitable without authentication. Some 13 vulnerabilities have a severity score of 9.8, affecting products such as Oracle Business Intelligence Enterprise Edition, Oracle Business Process Management Suite, Oracle Coherence, Oracle HTTP Server, and more.

    The other major recipient of patches was Oracle MySQL, which got 43 patches, 11 of which may be remotely exploitable without authentication. Oracle Retail applications got 30 patches, 15 of which may be remotely exploitable without authentication; Oracle Retail Xstore Point of Service was hit by a 9.8 severity bug tracked as CVE-2022-22965. Oracle Blockchain Platform received 15 patches, 14 of which may be remotely exploitable without authentication, including one bug with a severity score of 9.8 that affects its nginx backend. Admins of Oracle E-Business Suite Cloud Manager and Cloud Backup Module also need to fix a bug with a score of 9.8, which affects the Log4j component that was hit by the Log4Shell bug.

    Google: We're spotting more zero-day bugs than ever. But hackers still have it too easy

    Of the 58 zero-day exploits in popular software that Google’s Project Zero tracked in 2021, only two were particularly novel, while the rest relied on the same techniques over and over again. That’s both good and bad news for the software industry. 2021 was a record year in terms of the number of zero-day flaws in software like Chrome, Windows, Safari, Android, iOS, Firefox, Office and Exchange that Google Project Zero (GPZ) tracked as being exploited in the wild before a vendor patch was available.

    At 58, that was more than double the annual rate of discovery and detection of zero-day exploits in the wild since GPZ started tracking zero days in mid-2014.

    Google security researchers have previously pointed out the problems with deriving trends from data about zero days in the wild. For example, just because a bug wasn’t spotted, that doesn’t mean it wasn’t being used. Google has argued that detection is getting better. But there was also a major gap in information: there were only five samples of the exploits used against the 58 vulnerabilities. While zero days that are discovered in the wild are a “failure” for attackers, Maddie Stone, a researcher with GPZ, points out in a blogpost that “without the exploit sample or a detailed technical write-up based upon the sample, we can only focus on fixing the vulnerability rather than also mitigating the exploitation method.”

    This focus means that attackers are able to continue using their existing exploit methods rather than having to go back to the design and development phase to build a new exploitation method, she says. Attackers, she notes, are successfully using the same bug patterns and exploitation techniques and going after the same attack surfaces. This repetition means attackers aren’t yet being forced to invest in new methods and raises questions about how much the industry is raising the cost for attackers. “Only two 0-days stood out as novel: one for the technical sophistication of its exploit and the other for its use of logic bugs to escape the sandbox,” she notes.

    To make progress in 2022, GPZ hopes to see all vendors agree to disclose in their bug bulletins that a flaw is being exploited in the wild, as Google’s Chrome security team routinely does. Apple disclosed that status for iOS for the first time in 2021. GPZ also wants exploit samples or detailed technical descriptions of the exploits to be shared more widely. And GPZ would like to see more work on reducing memory corruption vulnerabilities, which are by far the most common type of flaw, according to both Microsoft and Google. Stone notes that 67% – or 39 – of the 58 in-the-wild 0-days for the year were memory corruption vulnerabilities.

    GPZ’s conclusion is that the industry made some progress in 2021 through better detection and disclosure, but Stone adds that “as an industry we’re not making 0-day hard.” As she explains: “The goal is to force attackers to start from scratch each time we detect one of their exploits: they’re forced to discover a whole new vulnerability, they have to invest the time in learning and analyzing a new attack surface, they must develop a brand new exploitation method.”

    Ransomware: This gang is getting a lot quicker at encrypting networks

    A highly successful and aggressive ransomware gang is getting even faster at encrypting networks as they look to extort ransom payments from as many victims as possible.   Researchers at Mandiant examined ransomware attacks by a cyber-criminal group they refer to as FIN12 – responsible for one in five attacks investigated by the cybersecurity company – and found that there’s been a significant decrease in the amount of time between initially breaking into networks and their encryption with ransomware, most commonly Ryuk ransomware. 

    According to data published in Mandiant’s M-Trends 2022 report, the average dwell time of FIN12 campaigns – the amount of time between criminal hackers gaining initial access to the network and triggering the ransomware attack – has dropped from five days to less than two days.

    One of the reasons the life cycle of these attacks has been so heavily reduced is that FIN12 campaigns don’t focus on finding sensitive data and stealing it before triggering a ransomware attack. Searching for and stealing data has become a common tactic for many ransomware groups, who in addition to encrypting the data, threaten to publish it if a ransom isn’t paid. It’s a successful technique that many of the most high-profile ransomware gangs deploy to coerce the victim into paying the ransom.

    But despite not adopting this technique, FIN12 is still a highly successful ransomware operation, which in addition to relying on speed also appears to specially select what it perceives to be easy targets from which to extort ransoms. For example, the cyber-criminal group is known to frequently target hospitals and healthcare – organisations that desperately need networks up and running to provide patient care. That means victims in the healthcare sector might be more willing to give in to ransom demands than victims in other industries. The group also targets organisations that make high revenues, potentially a tactic that is also deployed because the attackers believe they have the best chance of making large amounts of money from ransoms. “The lack of large-scale data exfiltration in FIN12 incidents has almost certainly contributed to the group’s high cadence of operations,” says the Mandiant report.

    There are several methods that FIN12 uses to infiltrate networks, including gaining access via earlier backdoor malware infections, such as TrickBot and BazarLoader. The malware is delivered to machines – sometimes via phishing email – and it’s common for ransomware groups to lease out or otherwise leverage this access to ultimately encrypt the network. Researchers also note that several FIN12 campaigns have leveraged legitimate usernames and passwords to log in to virtual environments, including Microsoft Office 365. It’s possible that these credentials were bought on underground forums.

    FIN12 tends to focus attacks against North American victims – but Mandiant warns that the ransomware group could potentially target a wider range of victims around the world. “The United States government and law enforcement community have significantly amped up the pressure on ransomware operators. This has increased the risks of ransomware groups targeting American organisations and by extension makes EMEA a more tempting target,” said Jamie Collier, senior threat intelligence advisor at Mandiant. “Cyber criminals will often seek to capitalise on the mixed levels of security maturity within EMEA to focus on high-value, low-security targets,” he added.

    Some of the steps that organisations can take to help avoid falling victim to ransomware attacks include applying security patches promptly, so cyber criminals can’t exploit known vulnerabilities to deliver malware, and ensuring that any password known to have been breached is changed. Organisations should also provide users with multi-factor authentication as an additional barrier against cyberattacks that attempt to abuse leaked credentials.

    Brave introduces feature to bypass 'harmful' Google AMP pages

    Chromium-based browser maker Brave has introduced a new feature called De-AMP which allows users to bypass Google’s Accelerated Mobile Pages framework (AMP) and instead visit websites directly. Brave was scathing in its assessment of Google’s AMP framework, claiming in a blog post released on Tuesday that the framework is “harmful to privacy” and “helps Google further monopolize and control the direction of the web”.

    “An ethical web must be a user-first web, where users are in control of their browsing, and are aware of who they are communicating with. AMP (along with Google’s upcoming, actual name still to come, ‘AMP 2.0’) is incompatible with a user-first Web. De-AMP adds to the long list of Brave features that put users first on the Web,” Brave said in the post. “Where possible, De-AMP will rewrite links and URLs to prevent users from visiting AMP pages altogether. And in cases where that is not possible, Brave will watch as pages are being fetched and redirect users away from AMP pages before the page is even rendered, preventing AMP/Google code from being loaded and executed.”

    Brave announced that the De-AMP feature is now available in its Nightly and Beta versions and will soon be enabled in the upcoming 1.38 Desktop and Android versions before being released on iOS. Google claims on its website that the purpose of AMP is to enhance website performance in order to create “user-first experiences”.

    This is not the first time the privacy browser maker has gone after Google, with Brave previously accusing the search engine giant of breaching one of the EU General Data Protection Regulation’s principles surrounding consent for data collection, whilst a coalition of 10 US states filed a lawsuit against Google in 2020 alleging the company used the AMP framework to throttle advertisements. “Google’s internal documents belie the public image of brainy Google engineers having fun at their sunny Mountain View campus while trying to make the world a better place. Rather, to cement its dominance across online display markets, Google has repeatedly and brazenly violated antitrust and consumer protection laws,” the coalition said in its legal complaint [PDF] at the time.

    Okta says Lapsus$ breach hit just two customers

    Following the conclusion of its investigation into a January security breach, Okta on Wednesday said the incident was “significantly smaller” in scope than previously thought. The breach, in which hackers were able to access the laptop of a third-party customer support engineer, lasted just 25 minutes and impacted just two active customer tenants.

    The incident occurred on January 21, when the Lapsus$ hacking group had remote access to a laptop of a Sitel customer support engineer. The breach came to light on March 22, when the hacking group published screenshots of Okta’s systems. Based on the final forensic report of an unnamed “globally recognized cybersecurity firm,” the group had control of a single workstation, used by a Sitel support engineer with access to Okta resources. During the 25 minutes when they had control of the workstation, the threat actor accessed two active customer tenants within the SuperUser application. They also viewed limited additional information in certain other applications like Slack and Jira that cannot be used to perform actions in Okta customer tenants. Okta said the threat actor was unable to successfully perform any configuration changes, MFA or password resets, or customer support “impersonation” events. They were also unable to authenticate directly to any Okta accounts.

    “While the overall impact of the compromise has been determined to be significantly smaller than we initially scoped, we recognize the broad toll this kind of compromise can have on our customers and their trust in Okta,” Okta Chief Security Officer David Bradbury wrote in Wednesday’s blog post.

    After the screenshots appeared on March 22, Okta disclosed that as many as 366 customers were affected. Of course, there were questions as to why customers did not know about the incident sooner. About a week later, the company explained that it didn’t inform customers earlier because it “did not know the extent of the Sitel issue… We didn’t recognize that there was a risk to Okta and our customers.”

    Now that the investigation is over, Okta has given customers access to the final forensic report, as well as Okta’s “Security Action Plan.” The company said Wednesday that it’s taking various steps to improve its audit procedures and security assurances for sub-processors. For instance, it will require that sub-processors who provide Support Services on Okta’s behalf adopt “Zero Trust” security architectures. Okta has also terminated its relationship with Sykes/Sitel. Additionally, Okta will now directly manage all devices of third parties that access its customer support tools.

    Your Android apps are tracking you. Here's how to stop them

    Duck Duck Go started out as a privacy-focused search engine. It obviously had (and still has) seriously stiff competition with Google. But the company behind the search engine wasn’t content with just offering that one service and soon began building a web browser. Said web browser was built, from the ground up, to be just as privacy-centric as the search engine. The first platform to receive the Duck Duck Go browser was Android and although I don’t use it as my go-to mobile browser, there is one feature that I’ve grown to absolutely depend on. That feature is called App Tracking Protection and it blocks third-party trackers that lurk in the apps you’ve installed. That’s right, tracking doesn’t just occur within a web browser, but also happens within any of those apps you’ve installed. 

    In today’s world of constant privacy invasions and security threats, you’ll want to block any type of tracking you can. Since installing Duck Duck Go and enabling App Tracking Protection, I get a fairly steady stream of tracker blocking when an app isn’t in use or even when an app hasn’t been opened for weeks or months. Here’s an example: within the past 5 hours, Duck Duck Go App Tracking Protection has blocked the following:

    • 4 tracking attempts from the Uber app (haven’t used the app since November 2021).
    • 38 tracking attempts from the NYTimes app (haven’t opened the app today).
    • 30 tracking attempts from my banking app (which I did use this morning).

    Duck Duck Go blocked every one of those attempts, without me having to do anything. With those tracking attempts blocked, the apps (and the companies behind them) cannot track my behavior whether I’m using the app or not. And given that companies often track you via apps they don’t even own, the need for such privacy protection is amplified.

    You too can enjoy such privacy. There is one caveat, however: App Tracking Protection is currently in beta, so you have to request an invite to the program to enable the feature. But once your invite has been accepted, you can enable App Tracking Protection and enjoy the added privacy. Let’s install Duck Duck Go on Android and get the App Tracking Protection feature enabled.

    Installing Duck Duck Go on Android

    The process for installing Duck Duck Go is simple. Just follow these steps:

    1. Open the Google Play Store on your Android device.
    2. Search for Duck Duck Go.
    3. Locate and tap the entry by DuckDuckGo.
    4. Tap Install.
    5. Allow the installation to complete.

    Once the installation is finished, you should find the Duck Duck Go app in your App Drawer. Tap the launcher to open the app.

    How to enable App Tracking Protection

    1. With the app open, tap the menu (three vertical buttons in the top right) and tap Settings from the popup menu.
    2. Scroll to the bottom of the Settings menu and tap App Tracking Protection.
    3. When prompted, tap Join the Private Waitlist to be added to the mailing list. You shouldn’t have to wait too long before you’re accepted.
    4. Close the app and wait a few minutes before reopening.
    5. Once you’ve been accepted to the beta program, go back to the Settings menu and tap App Tracking Protection. You should now see the On/Off slider associated with App Tracking Protection (Figure A).

    Figure A: App Tracking Protection has been enabled on my Pixel 6 Pro.

    At this point, you can sit back, relax, and enjoy the added protection Duck Duck Go offers. You’ll get notifications every time an app tracker is blocked and you’ll be surprised at how often that happens.

    Microsoft disables SMB1 file-sharing protocol by default in Windows 11 Home

    Microsoft’s Windows 10 operating system already disables SMB (Server Message Block) version 1, the 30-year-old file-sharing protocol, by default. Now the company is doing the same with Windows 11 Home Dev Channel test builds, officials announced on April 19. SMB1 is considered outdated and not secure. However, some users with very old equipment may be in for a surprise if their Windows 11 laptops can’t connect to an old networked hard drive, as officials said in a blog post about the SMB1 phase-out plan.

    “There is no edition of Windows 11 Insider that has any part of SMB1 enabled by default anymore. At the next major release of Windows 11, that will be the default behavior as well,” said Ned Pyle, Principal Program Manager. “Like always, this doesn’t affect in-place upgrades of machines where you were already using SMB1. SMB1 is not gone here, an admin can still intentionally reinstall it,” Pyle added. Pyle said that Microsoft will next remove the SMB1 binaries, and that both Windows and Windows Server will no longer include the SMB1 drivers and DLLs. However, Microsoft will provide an out-of-band, unsupported install package for users that still need to connect to old factory machinery, medical gear, consumer NAS and other equipment that still requires SMB1.

    Speaking of Windows 10, Microsoft also announced this week that Windows 10 version 21H2 (the November Update) is now considered ready for broad deployment and will be available to everyone via Windows Update. Anyone with a device that has been deemed compatible (for various reasons) by Microsoft, or which isn’t set up to defer feature updates, will be offered 21H2. The update can be manually installed by checking for Windows Updates as of April 15.

    Google fixes Chrome zero day being used in exploits in the wild

    Google has released patches for two security flaws in Chrome, one of which was being exploited in the wild. The zero day is tracked as CVE-2022-1364, a high severity flaw reported to the Chrome team by Clément Lecigne of Google’s Threat Analysis Group. Google hasn’t revealed any details about it in the blogpost besides that it was a type confusion in Chrome’s V8 JavaScript engine. “Google is aware that an exploit for CVE-2022-1364 exists in the wild,” the company says. The fixes are contained in the Chrome stable channel release 100.0.4896.127 for Windows, Mac and Linux. It will roll out over the coming days or weeks, according to Google.

    The US government’s Cybersecurity and Infrastructure Agency advised users to update their software and said: “This version addresses a vulnerability that an attacker could exploit to take control of an affected system. This vulnerability has been detected in exploits in the wild.”

    Google fixed 14 Chrome zero-day flaws in 2021, up from seven in 2020. Google argued that the uptick in Chrome zero-days might be alarming for some, but it may also indicate the company is getting better at catching and fixing them. One reason for hackers focusing on Chrome is the demise of Adobe Flash Player, previously a big target.

    This February, Google also patched the Chrome zero day CVE-2022-0609, and in March it patched another bug, CVE-2022-1096, that was being exploited in the wild. Google linked the use of CVE-2022-0609 to multiple hacking groups associated with the North Korean state-based hacking group Lazarus. Google TAG researchers said they believed different North Korean hacking groups were sharing the same software supply chain, so used the same exploit kit. The group had targeted US organizations in news media, tech, cryptocurrency and fintech sectors, according to Google.