More stories

  • Ransomware gangs are now rich enough to buy zero-day flaws, say researchers

    Cyber criminals are becoming more advanced as they continue to find new ways to deliver attacks, and some are now willing to buy zero-day vulnerabilities, something more traditionally associated with nation-states.

    Knowledge about vulnerabilities and exploits can command a high price on underground forums, because being able to take advantage of them can be very profitable for cyber criminals. That is especially true of a zero-day vulnerability that is not yet known to cybersecurity researchers, because attackers know potential victims will not have had the chance to apply security updates to protect against it.

    For example, in the weeks after Microsoft Exchange vulnerabilities were disclosed earlier this year, cyber criminals rushed to take advantage of them as quickly as possible, in order to carry out attacks before the security patches were widely applied.

    Zero-day vulnerabilities are usually deployed by well-resourced, nation-state backed hacking operations – but analysis by cybersecurity researchers at Digital Shadows details how there is increasingly chatter on dark web message boards about the criminal market for zero-days.

    “This market is an extremely expensive and competitive one, and it’s usually been a prerogative of state-sponsored threat groups. However, certain high-profile cybercriminal groups (read: ransomware gangs) have amassed incredible fortunes in the past years and can now compete with the traditional buyers of zero-day exploits,” said Digital Shadows.

    “States can purchase zero-day exploits in a legal way from companies that are solely dedicated to creating these tools,” Stefano De Blasi, threat researcher at Digital Shadows, told ZDNet. “However, when these tools are developed by cybercriminals outside of the law, it is likely easier to identify clientele from the cybercriminal world; there is however only a handful of cybercriminal actors who could afford the cost of a zero-day exploit.”

    Vulnerabilities like this can cost even millions of dollars, but that is a price a successful ransomware group, which makes millions from every successful ransomware attack, could afford – and they could easily recoup what they spend if the vulnerability works as intended by providing a reliable means of infiltrating networks.

    But there is another method of making money from vulnerabilities being explored, and it is one which could place them into the hands of less-sophisticated cyber criminals: something known as “exploit-as-a-service”. Instead of selling the vulnerability outright, the cyber criminal who discovered it can lease it out to others. It potentially starts making them money more quickly than going through the complex process of selling it would, and they can continue to make money from it for a long time. They also keep the option of eventually selling the zero-day if they tire of leasing it.

    “This model enables zero-day developers to generate substantial earnings by renting the zero-day out while waiting for a definitive buyer. Additionally, with this model, renting parties could test the proposed zero-day and later decide whether to purchase the exploit on an exclusive or non-exclusive basis,” said the report.

    Selling to government-backed hacking groups is still the preferred option for some zero-day developers for now, but a growing interest in exploits like this on underground forums indicates how some cyber criminal groups are approaching the level of state-backed operations.

    “The rise of the exploit-as-a-service business model confirms that the cyber criminal environment is consistently growing both in terms of sophistication and professionalization. Some high-profile criminal groups can now compete in terms of technical skills with state-sponsored actors; many prominent ransomware groups in particular have now amassed enough financial resources to purchase zero-days advertised in illicit environments,” De Blasi explained.

    The nature of zero-day vulnerabilities means defending networks against them is a difficult task, but cybersecurity practices like applying critical security updates as soon as they are released can deny cyber criminals a lengthy window in which to take advantage of vulnerabilities. Organisations should also have a plan for what to do if they discover they have been breached.

    “Well drilled and documented incident response strategies can prove crucial in responding to any attacker that may have gained access to a target’s environment,” said De Blasi.

  • Palo Alto Networks updates Prisma Cloud to secure the full app lifecycle

    Embracing the concept of DevSecOps, Palo Alto Networks on Tuesday rolled out Prisma Cloud 3.0, bringing a number of updates to the platform focused on the security of the entire application development lifecycle. That includes infrastructure as code (IaC) security and agentless security.

    Palo Alto launched Prisma Cloud in 2019 as a comprehensive cloud security suite designed to govern access, protect data and secure applications consistently. Offering a comprehensive, integrated security platform has become all the more important in the wake of the COVID-19 pandemic, when workforces are increasingly dispersed, Palo Alto’s chief product officer Lee Klarich told reporters. Prisma Cloud attempts to offer consistent network security across campuses, branches, remote offices and anywhere else. People are not just working from home but “increasingly working from anywhere,” Klarich said. “How do we safely enable that construct that is increasingly becoming the norm?”

    Comprehensive cloud security starts in the app development phase, Palo Alto contends. With Cloud Code Security, the company is adding IaC scanning and code fixes directly into developer tools across the development lifecycle. This will help catch misconfigurations in code templates that can otherwise lead to thousands of alerts at runtime.

    Meanwhile, Prisma Cloud is unique in offering both agentless and agent-based security built into the same platform, with rules and results managed from a single UI. Agentless Security provides visibility into an organization’s cloud workload and application risks — it’s meant to complement existing agent-based protection.

    Prisma Cloud 3.0 also expands Cloud Infrastructure Entitlement Management (CIEM) to Microsoft Azure. This builds on already existing functionality available for Amazon Web Services (AWS).

    Palo Alto on Tuesday also unveiled its next-generation CASB (Cloud Access Security Broker) to help organizations safely adopt new SaaS applications. It automatically secures new applications, including collaboration tools. It protects sensitive data in real time using machine learning, natural language processing and optical character recognition.

    Palo Alto also announced the first specialization for its NextWave Managed Service Program. The new specialization focuses on Cortex XDR, Palo Alto Networks’ extended detection and response service that natively integrates network, endpoint and cloud data.

    The NextWave Managed Service Program (MSP) includes close to 300 partners worldwide that help Palo Alto customers get the most out of their investments. The program provides partners with the tools, training, incentives and resources to promote the adoption of Palo Alto Networks-based managed services. With the Cortex eXtended Managed Detection and Response (XMDR) specialization, customers should get help streamlining security operations center (SOC) operations and mitigating cyber threats. To achieve the new specialization status, partners must have Cortex XDR-certified SOC analysts/threat hunters on staff and be available around the clock.

  • The US government just launched a big push to fill cybersecurity jobs, with salaries to match

    The US Department of Homeland Security, a key cybersecurity agency, has just announced a new system that will help it recruit, develop and retain cybersecurity pros in the federal government. The DHS’s new recruitment system, dubbed the Cybersecurity Talent Management System (CTMS), launches amid a tight labor market for cybersecurity professionals, who are in extremely high demand and can therefore command big salaries.

    DHS is just one federal department, but it plays a special role in responding to major cyberattacks on US critical infrastructure. It hopes the new system will help it find and keep talent for mission-critical roles, with the aim of hiring for 150 priority roles across 2022.

    “CTMS will enable DHS to fill mission-critical cybersecurity positions by screening applicants based on demonstrated competencies, competitively compensating employees, and reducing the time it takes to be hired into the department,” it said.

    The first roles to be filled using CTMS will be “high-priority” jobs at CISA and the DHS Office of the Chief Information Officer. Then in 2022, DHS Cybersecurity Service jobs will be available across several DHS agencies with a cybersecurity mission, says DHS. The CTMS salary range has an upper limit of the vice president’s salary ($255,800 in 2021), plus an extended range for use in limited circumstances, which has an upper limit of $332,100 in 2021.

    DHS is currently recruiting for a variety of cybersecurity roles, including incident response, risk analysis, vulnerability detection and assessment, intelligence and investigation, network and systems engineering, forensics, and software assurance.

    The CTMS “fundamentally re-imagines how the Department hires, develops, and retains top-tier and diverse cybersecurity talent,” says Secretary of Homeland Security Alejandro N. Mayorkas. “As our nation continues to face an evolving threat landscape, we cannot rely only on traditional hiring tools to fill mission-critical vacancies. This new system will enable our department to better compete for cybersecurity professionals and remain agile enough to meet the demands of our critical cybersecurity mission.”

    The Biden-Harris administration made cybersecurity a priority at an early stage, for example by appointing the US’s first deputy national security advisor for cyber, Anne Neuberger, who led federal investigations into the SolarWinds and Exchange attacks. DHS, in particular its Cybersecurity and Infrastructure Security Agency (CISA), was also given an elevated cybersecurity role via Biden’s cybersecurity executive order.

  • Emotet, once the world's most dangerous malware, is back

    Emotet, once described as “the world’s most dangerous malware” before being taken down by a major international police operation, is apparently back – and is being installed on Windows systems already infected with TrickBot malware.

    Emotet provided its controllers with a backdoor into compromised machines, which could be leased out to other groups, including ransomware gangs, to use for their own campaigns. Emotet also used infected systems to send automated phishing emails to increase the size of the botnet – before it was taken out in January this year.

    Dismantling the botnet was one of the most significant disruptions of cyber-criminal operations in recent years, as law enforcement agencies around the world – including Europol and the FBI – worked together to gain control of hundreds of Emotet servers that controlled millions of PCs infected with the malware. A specially crafted killswitch update created by investigators then uninstalled the Emotet malware from infected computers in April.

    But now researchers from a number of cybersecurity companies have warned that Emotet has returned. Another malware botnet, TrickBot – which became the go-to for many cyber criminals following the January takedown – is being used to install Emotet on infected Windows systems.

    “We observed on several of our Trickbot trackers that the bot tried to download a DLL to the system. According to internal processing, these DLLs have been identified as Emotet. However, since the botnet was taken down earlier this year, we were suspicious about the findings and conducted an initial manual verification,” Luca Ebach, security researcher at G Data, a German cybersecurity company, wrote in a blog post. “Currently, we have high confidence that the samples indeed seem to be a re-incarnation of the infamous Emotet,” he added.

    Cybersecurity researchers from AdvIntel, Cryptolaemus and others have also confirmed that this does look like the return of Emotet, which appears to be using a different encryption technique from the one previously seen. Currently, Emotet isn’t attempting to redistribute itself, instead relying on TrickBot to spread new infections – but that does indicate that those behind Emotet are trying to get the botnet up and running again.

    “The relationship between this new variant and the old Emotet shows code overlap and technique overlap,” James Shank, chief architect of community services and senior security evangelist at Team Cymru, a cybersecurity company that was among those that helped disrupt Emotet in January, told ZDNet in an email.

    “It will take some time to see how Emotet rebuilds, and whether it can become the ‘world’s most dangerous malware’ again. You can be sure that those that helped to take it down the first time are keeping watch. It doesn’t come as a surprise that Emotet resurfaced. In fact, more may wonder why it took so long,” he added.

    Cybersecurity researchers have provided a list of command and control servers that network administrators can block to help prevent Emotet infections. To protect systems from falling victim to Emotet, TrickBot and other malware loaders, it’s recommended that security patches are applied when they’re released, to prevent cyber criminals exploiting known vulnerabilities, and that users are made aware of the dangers of phishing emails.

  • This new attack bypasses Rowhammer defenses in most DRAM, say researchers

    Researchers have revealed a new type of Rowhammer attack on DRAM devices that can reliably bypass mitigations implemented by vendors after the first such attacks emerged in 2014.

    Data in dynamic random-access memory (DRAM) is stored in grids of memory cells. Rowhammer attacks work by rapidly and repeatedly accessing one memory row so that electrical interference disturbs the charge stored in adjacent rows, modifying or corrupting the data they hold.

    The latest Rowhammer attack seeks to bypass the Target Row Refresh (TRR) mitigations that the DRAM industry added to modern memory modules in response to the first Rowhammer attack in 2014. The researchers from ETH Zurich, Vrije Universiteit Amsterdam, and Qualcomm ran their attack – via a fuzzer called Blacksmith, available on GitHub – against various proprietary TRR implementations in 40 DRAM devices. The technique allowed them to quickly discover ways to cause bit flips in all of them.

    “This result has a significant impact on the system’s security as DRAM devices in the wild cannot easily be fixed, and previous work showed real-world Rowhammer attacks are practical, for example, in the browser using JavaScript, on smartphones, across VMs in the cloud, and even over the network,” the group said. “All currently deployed mitigations are insufficient to fully protect against Rowhammer. Our novel patterns show that attackers can more easily exploit systems than previously assumed,” they warned.

    The 40 devices were from memory vendors Samsung, Micron and SK Hynix, as well as two more vendors that didn’t agree to have their names published in the research.

    “TRR aims to detect rows that are frequently accessed (i.e., hammered) and refresh their neighbors before their charge leak results in data corruptions,” the researchers explain in a new paper. While TRR for the most part works at detecting even multiple aggressor rows being hammered frequently, the researchers note that past Rowhammer attacks “always access aggressors uniformly”. TRR in this sense does create a cost problem for attackers, because the space to search for non-uniform patterns that can bypass the mitigation is “huge”, the researchers explain.

    Their answer was to run the Blacksmith fuzzer for 12 hours on sampled DDR4 DRAM devices in order to discover and build non-uniform access patterns that expose weaknesses in TRR implementations designed to look for various uniform patterns. “Thereafter, we swept the best pattern (based on the number of total bit flips triggered) over a contiguous memory area of 256 MB and report the number of bit flips,” they explain in a blog post.

    The technique enabled them to use these non-standard patterns to trigger bit flips in all 40 DRAM devices. In some cases, the technique uncovered several thousand bit flips within seconds. This type of Rowhammer attack targeting TRR is likely to get more powerful in future. The group says it is working with Google to fully integrate the Blacksmith fuzzer into an open-source FPGA Rowhammer-testing platform.

    The researchers’ findings are being tracked as CVE-2021-42114. The researchers have discussed their findings with Intel and Google, which separately this week launched a new open-source Rowhammer Tester platform.

  • MosesStaff attacks organizations with encryption malware: No payment demand made

    The MosesStaff hacking group has entered the ‘ransomware’ fray with a difference: blackmail payments are the furthest thing from their minds.

    On November 15, Check Point Research (CPR) said the group began targeting organizations in Israel during September this year, joining campaigns launched by Pay2Key and BlackShadow. The focus of these operations was to deploy ransomware on their victims’ systems, cause damage, and steal valuable information destined for future public leaks.

    Ransomware operators, including Maze, Conti, and LockBit, to name but a few, have adopted double-extortion tactics through the launch of dedicated data leak websites on the Dark Web. During an assault, these groups will steal valuable corporate information ahead of the encryption of a victim’s systems. If they refuse to pay up, these organizations are then faced with the threat of this data being leaked to the public or sold.

    However, MosesStaff is open about its intentions: the attacks are political. No ransom demand is made — the only purpose is to steal information and to cause damage. “In the language of the attackers, their purpose is to ‘Fight against the resistance and expose the crimes of the Zionists in the occupied territories,’” CPR says.

    The researchers assume that initial access is obtained through vulnerabilities in public-facing systems, such as the bugs in Microsoft Exchange Server which were patched earlier this year. Once access has been secured, MosesStaff then drops a webshell to execute further commands; batch scripts for disabling the Windows firewall and enabling SMB; PsExec for running processes remotely; and OICe.exe, an executable written in the Go programming language for receiving and executing commands via the command line.

    Data is then exfiltrated from the victim machine, including domain names, machine names, and credentials — information which is then used to compile a custom version of the PyDCrypt malware. This payload is focused on infecting any other vulnerable machines on the network as well as ensuring the main encryption payload, DCSrv, is executed properly. DCSrv is based on the open source DiskCryptor tool. The DiskCryptor bootloader is also executed to ensure the system can’t be booted again without a password. However, the researchers say that it may be possible to reverse the current encryption process if properly kept EDR records are available, in the right circumstances.

    Attribution is not firm in this case, but CPR suspects that the group may be located in Palestine due to development time logs and coding clues in one of its tools, OICe.exe, which was submitted to VirusTotal from Palestine several months before the campaign began.

    “Like the Pay2Key and BlackShadow gangs before them, the MosesStaff group is motivated by politics and ideology to target Israeli organizations,” the researchers commented. “Unlike those predecessors, however, they made an outright mistake when they put together their own encryption scheme, which is honestly a surprise in today’s landscape where every two-bit cybercriminal seems to know at least the basics of how to put together functioning ransomware.”

  • New banking Trojan SharkBot makes waves across Europe, US

    A new Android banking Trojan has been discovered that is able to circumvent multi-factor authentication controls through the abuse of an Automatic Transfer System (ATS).

    At the end of October, cybersecurity researchers from Cleafy found the malware, which does not appear to belong to any known family. Now dubbed SharkBot, the Android malware has been traced in attacks focused on stealing funds from vulnerable handsets running on the Google Android operating system. So far, infections have been found in the UK, Italy, and the United States. It is believed that SharkBot is likely a private botnet and is still in the early stages of development.

    SharkBot is modular malware that the researchers say belongs to the next generation of mobile malware able to perform attacks based on an Automatic Transfer System (ATS). ATS allows attackers to automatically fill in fields on an infected device with minimal human input. In the same way as the Gustuff banking Trojan, the autofill service is launched to facilitate fraudulent money transfers through legitimate financial service apps — a general trend in malware development and a pivot from older theft techniques on mobile handsets, such as the use of phishing domains.

    Cleafy suggests that SharkBot utilizes this technique in an attempt to bypass behavioral analytics, biometric checks, and multi-factor authentication (MFA) — as no new device would need to be enrolled. However, in order to do so, the malware must first compromise Android Accessibility Services. Once executed on an Android handset, SharkBot will immediately request accessibility permissions — and will plague the victim with pop-ups until this is granted. No installation icon is displayed.

    Now armed with all of the handset permissions it needs, SharkBot will then quietly perform standard window overlay attacks to steal credentials and credit card information, carry out ATS-based theft, log keystrokes, and intercept or hide incoming SMS messages. The researchers say the banking Trojan is also capable of performing “gestures” on the victim’s behalf. Apps provided by international banks and cryptocurrency services are being targeted.

    One silver lining is that no samples have been found in the official Android app repository, the Google Play Store. Instead, the malware has to be loaded from an external source through side-loading — a practice that the vendor has warned can be dangerous, as it allows malicious apps to circumvent Google Play security controls. At the time of writing, SharkBot has low detection rates among antivirus solutions.

    “With the discovery of SharkBot we have shown new evidence about how mobile malware [is] quickly finding new ways to perform fraud, trying to bypass behavioral detection countermeasures put in place by multiple banks and financial services during the last years,” Cleafy says. “Like the evolution of workstation malware occurred in the past years, in the mobile field, we are seeing a rapid evolution towards more sophisticated patterns like ATS attacks.”

  • Peloton bike, Amazon Halo Band and Facebook Portal featured on Mozilla list of holiday gifts lacking privacy features

    Mozilla has released the latest edition of its *Privacy Not Included shopping guide, aiming to provide holiday buyers with a concrete list of how the most popular items handle privacy issues. Mozilla researchers spent over 950 hours examining 151 popular connected gifts, identifying 47 that had what they called “problematic privacy practices.” The worst, according to Mozilla, include Facebook Portal, Amazon Echo, NordicTrack Treadmill and other workout tools.

    Not all of the products examined were bad, and Mozilla found that about 22 did a good job of protecting user privacy by not collecting, selling, or sharing data. These devices ranged from the iRobot Roomba to the Garmin Venu and Apple HomePod Mini. The researchers sought to figure out whether items had cameras, microphones or location tracking features as well as any other tools that collected data on users. Mozilla also examined whether devices used encryption or forced users to have strong passwords.

    Jen Caltrider, *Privacy Not Included lead researcher, told ZDNet that while gadgets may be getting smarter, they are also getting creepier and far more prone to security lapses and data leaks — even among leading companies like Microsoft, Amazon and Facebook. “We also found that consumers continue to shoulder way too much of the responsibility to protect their own privacy and security. Consumers are asked to read complicated documents scattered across multiple websites to even begin to understand how their data is being used,” Caltrider said. “Smart exercise equipment stood out as especially problematic. Consumers buy equipment like a Peloton bike or a NordicTrack treadmill to work out in the privacy of their own homes. Unfortunately, there seems to be little privacy with these devices.”

    Many of the most problematic devices came from companies notorious for lackluster privacy features, including Amazon and Facebook. The Facebook Portal was spotlighted as an extraordinarily dangerous device because it routinely sends data collected by its AI-powered smart camera and microphone back to Facebook. Mozilla researchers said Amazon’s Echo Dot for Kids — which can be used for reading children bedtime stories — tracks information about children. The e-reader Onyx Boox doesn’t have any privacy policy at all.

    Apple was commended by the researchers because it does not share or sell any of the data it collects, while Garmin’s fitness watches protect users’ personal data. The Sonos One SL speaker was also praised for being built without a microphone.

    Mozilla leveled harsh criticism at home exercise equipment companies like Peloton, NordicTrack, Tonal, and SoulCycle, all of which collect extraordinary amounts of personal information and routinely sell it as a way to make money. “The NordicTrack Treadmill is especially problematic: They can sell your data, call or text your phone number even if you’re on a do-not-call list, and may collect data from data brokers to target you with ads,” Mozilla said.

    The report notes that because of privacy laws passed in California, many companies have added sections specifically governing those that live in the state. But many companies have no privacy policy at all or make it difficult to find and hard to read. “Major culprits include Kwikset, Amazfit, Ubtech, Onyx Boox, Fi Series 2, and Whistle pet trackers. Amazon’s Alexa is everywhere. That makes us nervous. Amazon Alexa is embedded in numerous products, including ones that Amazon doesn’t manufacture,” Mozilla explained. “That concerns us because Alexa and Amazon retain records of Alexa interactions. Even if you ask Amazon to not collect personal data on their kids, they say they still might collect some data. And Alexa Skills seem to be problematic in its oversight/privacy.”