More stories

  • Bad form: FBI server sending fake emails taken offline and fixed, no data impacted

    The FBI has placed the blame for a weekend fake email incident on a misconfiguration in its Law Enforcement Enterprise Portal (LEEP) that allowed emails to be sent from the ic.fbi.gov domain. “LEEP is FBI IT infrastructure used to communicate with our state and local law enforcement partners,” it said. “While the illegitimate email originated from an FBI operated server, that server was dedicated to pushing notifications for LEEP and was not part of the FBI’s corporate email service. No actor was able to access or compromise any data or PII on the FBI’s network.”

    The FBI said it initially took the “impacted hardware” quickly offline, and later said it had quickly remediated the “software vulnerability” and confirmed its network integrity. Spamhaus said it saw two waves of email being sent.

    Brian Krebs reported that the sender of the emails found they were able to send them because the FBI was generating a client-side one-time code for signing up to a new account on LEEP, and that code was sent along with an email subject and body as a POST request to the FBI’s servers. Manipulating the request parameters enabled the emails to be sent, and a script was used to automate the sending process.

    It would seem all the so-called misconfigurations and software vulnerabilities were in the way the FBI had its portal built, with the cherry on top being how it exposed and piped user input to a mail server. Pretty embarrassing and worthy of a dozen facepalms, at least.
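    The sign-up flaw described above, as an added illustration that is not code from the FBI portal or from the Krebs report: a handler that relays a client-supplied code, subject and body beside a hardened one that generates the code server-side, keeps it server-side, and composes the message from a fixed template. `FakeMailer`, `SignupService` and the templates are constructed stand-ins assumed for the example.

```python
import re
import secrets
import hmac
from dataclasses import dataclass

# Constructed stand-ins for this example: there is no real mail server here.

@dataclass
class SentMail:
    to: str
    subject: str
    body: str

class FakeMailer:
    """Records what the notification server would have sent."""
    def __init__(self):
        self.outbox = []

    def send(self, to, subject, body):
        self.outbox.append(SentMail(to, subject, body))

def vulnerable_signup(mailer, params):
    """The pattern the story describes: the client posts the one-time code,
    subject and body, and the server relays them verbatim. Whatever the
    caller puts in the request leaves as mail from the trusted domain."""
    mailer.send(params["email"], params["subject"], params["body"])
    return len(mailer.outbox)

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
SUBJECT = "Your account sign-up code"      # fixed text owned by the server
BODY_TEMPLATE = "Your one-time sign-up code is {code}. It expires in 10 minutes."
MAX_ATTEMPTS = 5

class SignupService:
    """Hardened version: the server generates the code, stores it, and
    builds the message itself; nothing from the request reaches the mail."""
    def __init__(self, mailer):
        self.mailer = mailer
        self.pending = {}   # email -> (code, attempts left)

    def request_code(self, params):
        email = params.get("email", "")
        # fullmatch rejects CR/LF and anything else that could smuggle
        # extra headers or recipients into the outgoing message
        if not EMAIL_RE.fullmatch(email):
            raise ValueError("invalid recipient address")
        # any subject, body or code in the request is deliberately ignored
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[email] = (code, MAX_ATTEMPTS)
        self.mailer.send(email, SUBJECT, BODY_TEMPLATE.format(code=code))
        return email

    def verify_code(self, email, submitted):
        entry = self.pending.get(email)
        if entry is None:
            return False
        code, attempts = entry
        if hmac.compare_digest(code, str(submitted)):
            del self.pending[email]          # single use
            return True
        attempts -= 1
        if attempts <= 0:
            del self.pending[email]          # too many guesses: start over
        else:
            self.pending[email] = (code, attempts)
        return False
```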

  • Home Affairs launches new principles for critical technology supply chain security

    The federal government has released a new set of voluntary principles aimed at providing guidance to organisations on how they protect critical technologies from cyber attacks. Labelled the Critical Technology Supply Chain Principles, Minister for Home Affairs Karen Andrews said the voluntary principles were designed to give organisations and consumers the confidence to allocate more resources towards critical emerging technologies such as artificial intelligence, quantum computing, blockchain, and algorithmic automation. “These principles come at a vital time — both for Australia and for our critical industries. We face unprecedented threats from a range of malicious cyber actors, growing geostrategic uncertainty, and are increasingly reliant on technologies that can be hacked, held to ransom, or otherwise disrupted,” Andrews said. The principles were developed in partnership with industry, non-government organisations, state and territory governments, and the community. There are 10 new principles in total, four of which are: understand what needs to be protected, why it needs to be protected, and how it can be protected; understand the different security risks posed by an organisation’s supply chain; build security considerations into all organisational processes, including into contracting processes that are proportionate to the level of risk; and raise awareness of and promote security within supply chains. In relation to these four principles specifically, Home Affairs hopes they will allow less-resourced organisations to implement appropriate measures for protecting critical technology. “When security is built in by-design it also means customers do not need to have expert knowledge and that they are not unfairly transferred risk that they are not best placed to manage,” Home Affairs said.

    The remaining principles are: know who critical suppliers are and build an understanding of their security measures; set and communicate minimum transparency requirements consistent with existing standards and international benchmarks for suppliers; encourage suppliers to understand and be transparent in the depth of their supply chains, and be able to provide this information to customers; seek and consider the available advice and guidance on influence of foreign governments on suppliers; consider if suppliers operate ethically, with integrity, and consistently with international law and human rights; and build strategic partnering relationships with critical suppliers. Home Affairs warned that consideration of these principles is important, as a lack of security measures can have flow-on impacts to the broader community and Australia’s national interest. As part of the principles being announced, Andrews said the federal government itself would be implementing the principles in its own decision-making practices. “Alongside important legislation currently before the Senate to support and assist critical industries confront cyberattacks, wide adoption of these new principles will safeguard Australia’s security, and prosperity for years to come,” Andrews added.

    The release of the principles follows the federal government recently submitting a revised Security Legislation Amendment (Critical Infrastructure) Bill 2020 into Parliament. The revised Bill is a stripped-down version of the original, only containing the elements that would introduce government assistance mechanisms and mandatory notification requirements. Meanwhile, the parts of the Bill that have been cut out will be considered in a future Bill down the road. The Bill was revised in response to recommendations made by the Parliamentary Joint Committee on Intelligence and Security, which said this two-step approach would enable the quick passage of laws to counter looming threats against Australia’s critical infrastructure, while giving businesses and government additional time to co-design a regulatory framework that provides long-term security for the country’s critical infrastructure. The federal government is also developing a new set of standalone criminal offences for people who use ransomware as part of its Ransomware Action Plan.

  • Security company faces backlash for waiting 12 months to disclose Palo Alto 0-day

    There has been considerable debate within the cybersecurity community about Randori, a security firm that waited one year before disclosing a critical buffer overflow bug it discovered in Palo Alto Networks’ GlobalProtect VPN. The zero-day — which has a severity rating of 9.8 and was first reported by ZDNet — allows for unauthenticated, remote code execution on vulnerable installations of the product. The issue affects multiple versions of PAN-OS 8.1 prior to 8.1.17, and Randori said it found numerous vulnerable instances exposed on internet-facing assets, in excess of 70,000 assets. It is used by a number of Fortune 500 companies and other global enterprises. Aaron Portnoy, principal scientist at Randori, explained to ZDNet that in October 2020, his team was tasked with researching vulnerabilities in the GlobalProtect Portal VPN. By November 2020, his team had discovered CVE-2021-3064, begun authorized exploitation against Randori customers, and successfully landed it at one of their customers — over the internet — not just in a lab. They did not notify Palo Alto Networks until a few weeks ago, according to the timeline they provided. Palo Alto Networks released its own advisory about the issue, has patched it and said there is no evidence it has been exploited in the wild. But Randori’s actions in the case have caused considerable backlash from some in the cybersecurity community, who argue the company should not have waited 12 months before disclosing it to Palo Alto Networks. Portnoy has released multiple statements on Twitter defending the company from criticism.

    Others have taken issue with Randori’s decision to use the 0-day in red team exercises, and others questioned whether they held back notification of the issue in order to further publicize their work and their business. Despite the backlash, some have come to Randori’s defense, arguing that their actions are commonplace. David Wolpoff, Randori’s CTO, told ZDNet that the company “weighed a lot of factors when determining disclosure to minimize industry harm,” including analysis of the software, patch status, versioning issues, existing remediation strategies, and more. “We cannot respond in granular detail, as we are intentionally staying away from disclosing technical details that would enable exploit. We would like to increase the transparency of our decision process because people didn’t seem to grasp the nuance, but we still very much believe in our policy and our decision,” Wolpoff said. Randori would not answer questions about why they waited 12 months to disclose the vulnerability. But Wolpoff said there “are always concerns” and argued that the company is “acutely aware of the risks of having a capability like this.” Yet he argued that knowing about the vulnerability “doesn’t increase the risk.” “If we knew about the bug or didn’t, the risk profile to the public is the same. In this case — a minor release within a major version of software — we knew remedies already existed being recommended by the vendor,” Wolpoff said. “This factored into our decision. We were aware of the nuance in regards to the PAN update, and it (along with other metrics) factored into our weighing of the risks associated.” Opinions among experts varied. Casey Ellis, founder and CTO at Bugcrowd, said vulnerability equity decisions are difficult to trust when there’s an obvious commercial conflict of interest.

    Vulcan Cyber CEO Yaniv Bar-Dayan told ZDNet that there are several approaches to responsible vulnerability disclosure, but most critical is the expediency of all involved parties, and an altruistic collaboration between researchers and responsible organizations. “Time is of the essence if the goal is systems and data security. The intent of vulnerability disclosure programs breaks down if the disclosure goals of researchers or vendor organizations ever deviate from pure security,” Bar-Dayan said. “As an example, the recently announced Google Project Zero requires the full details of a vulnerability to be published within 90 days after discovery regardless of whether or not the vendor organization has provided a patch or mitigation option.” ThreatModeler CEO Archie Agarwal explained that there is a long tradition of cybersecurity professionals finding security holes in popular software and disclosing the vulnerability to the development company and then afterwards the public. The idea, Agarwal said, is that the ‘good guys’ find the problems before the ‘bad guys.’ “There is nothing ethically wrong with this practice as long as the disclosure is responsible and all efforts are made to coordinate with the company in terms of remediation and allowing them time to create a patch before it becomes publicly known, as appears to be the case in this instance,” Agarwal explained. “Legitimate bug bounties operate the same. The unfortunate part is criminals also see the public disclosure and are getting faster and faster at exploit development and so those not updating the patch fast enough are often left open to automated attacks.” J.J. Guy, CEO of Sevco Security, argued that the job of a red team is simple: emulate the adversary. “If adversaries are using 0-days, our red teams should be using them too. We can’t prepare for the reality of how we’ll react to compromise if red teams are pulling punches. Many organizations must protect high-value assets from real-world attacks by adversaries bringing this level of capability. It is extremely valuable for these orgs to practice their ability to detect and respond to 0-day. They know they must defend against unknowns,” Guy said. “Software is not and never will be perfectly secure. There are an infinite number of 0days waiting to be discovered, so if your IT team believes they can patch all the holes, they’re wrong.”

  • RHEL 8.5 delivers key container improvements

    RHEL 8.5, the newest version of Red Hat Enterprise Linux (RHEL), is out. As Joe Brockmeier, Red Hat Blogs’ Editorial Director, said, “Whether you’re deploying RHEL on-prem, in the public cloud, at the edge — or all of the above — RHEL 8.5 has improvements that users will be eager to dig into.” He’s not wrong.

    In particular, as we continue to move to a container and Kubernetes-based world, RHEL 8.5 comes with significant container improvements. These include:

    • Containerized Podman: The RHEL 8 Podman container image is now generally available and can help unlock the usage of Podman in cloud continuous integration/delivery (CI/CD) systems, on Windows Subsystem for Linux (WSL) 2, under Docker Desktop on macOS, and (of course) on RHEL 6, 7 and 8. You can use the Podman container image to help develop and run other container images.
    • Verify container image signatures by default: In RHEL 8.5, users can pull container images with confidence. Out of the box, RHEL 8.5 will check container image signatures to verify that they are, in fact, from Red Hat and haven’t been tampered with or manipulated.
    • Native OverlayFS as a rootless container user: RHEL 8.5 offers better performance when building and running rootless containers, with native support for OverlayFS.

    Returning to RHEL basics, its web console, which is based on the open-source Cockpit project, now enables you to live patch the kernel from it. Previously, you could only keep your Linux running while updating the kernel in real time by using the shell. The updated web console also includes an enhanced performance metrics page. With this, you can more easily identify high CPU, memory, disk, and network resource usage spikes and their causes. In addition, you can also more easily export metrics to a Grafana server for a deeper look at what’s going on in your servers.

    Red Hat is also continuing to integrate its Ansible DevOps program into RHEL. RHEL’s system roles now use Ansible roles and modules to configure, automate, and manage RHEL services. Its new or enhanced system roles include:

    • RHEL system role for VPN: Reduces the time to configure VPN tunnels and reduces the risk of misconfiguration or use of non-recommended settings. Also supports host-to-host and mesh VPN configurations.
    • RHEL system role for Postfix: In tech preview for some time, the RHEL system role for Postfix is fully supported with RHEL 8.5. It enables administrators to skip the manual configuration of Postfix, automating how you install, configure, and start the server, as well as specify custom settings to better control how Postfix works in your environment.
    • RHEL system role for timesync: Uses a new Network Time Security (NTS) option as part of the existing timesync system role.
    • RHEL system role for storage: Adds support for LVM (Logical Volume Manager) VDO (Virtual Data Optimizer) volumes and volume sizes that can be expressed as a percentage of the pool’s total size.

    There are numerous other improvements as well. These include OpenJDK 17, the latest open-source reference implementation of Java SE. And, for better network and system security, RHEL now includes Network Time Security (NTS) for the Network Time Protocol (NTP).

    In addition — showing how much things have changed since Microsoft and Red Hat were at each other’s throats — RHEL now comes with a system role for Microsoft SQL Server. This enables IT administrators and DBAs to automatically and quickly install, configure, and tune SQL Server. It also now includes Microsoft’s latest .NET 6 release. The new .NET 6 is now available for Windows, Linux, and macOS. It provides a unified platform across cloud, desktop, IoT, and mobile apps. In short, RHEL 8.5 is ready to run today on any platform you care to name. Want to know more? Check out the RHEL system roles overview to learn how to install and use RHEL system roles.

  • CISA warns of equipment vulnerabilities from multiple vendors

    CISA has released a notice urging administrators to apply updates to a variety of industrial control systems after discovering vulnerabilities in multiple open-source and proprietary Object Management Group (OMG) Data-Distribution Service (DDS) implementations. In the advisory, CISA said the issues were found in equipment from Eclipse, eProsima, GurumNetworks, Object Computing, Inc. (OCI), Real-Time Innovations (RTI), and TwinOaks Computing.

    The equipment containing the vulnerabilities includes CycloneDDS, FastDDS, GurumDDS, OpenDDS, Connext DDS Professional, Connext DDS Secure, Connext DDS Micro, and CoreDX DDS. “Successful exploitation of these vulnerabilities could result in denial-of-service or buffer-overflow conditions, which may lead to remote code execution or information exposure,” CISA explained. They provided links to each company’s patches or fixes for the issue, but noted that GurumNetworks did not respond to their messages. CISA said organizations using GurumNetworks’ tools should contact the company directly. Dr. Dennis Hackney, head of industrial cybersecurity services development at ABS Group, told ZDNet that many industrial control system owners don’t realize that their systems are full of open-source software, much like OpenDDS. “The reasons for this are multifaceted but often stem from the proprietary and tailored nature of each control system. OEMs and engineers develop solutions that are as functional as possible without adding unnecessary costs. Be warned, by their very nature, ICS are open,” Hackney explained.

    “They use connectivity called OPC which stands for Object Linking and Embedding (OLE) for Process Control, otherwise known as open process control specifications. Open refers to non-authenticated communication between computers and equipment. There are increasingly new authenticated models but that does not cover the majority of what are in operation today. The concern being, when there is a vulnerability in components like OpenDDS, there are limited options to control access and ensure quality of service due to the nature of ICS designs.” OpenDDS vulnerabilities are a concern, he added, because these applications are based on a subscription model. The vulnerabilities are also concerning because they can be exploited remotely and have a low attack complexity, he said. Like CISA’s notice, Hackney suggested that affected organizations install the latest updates, isolate systems from business IT networks, utilize firewalls, and secure remote access through VPNs. Other experts, like Netenrich principal threat hunter John Bambenek, explained that this advisory stood out because it impacts a wide variety of vendors and open-source solutions that address the data distribution layer of real-time systems. Typically, a vulnerability only impacts specific products. The fact that all involved have released updates in a coordinated fashion shows that CISA is taking its role of protecting critical infrastructure and coordinating response between many organizations seriously, Bambenek said. “While CISA has said there are no known public exploits for these vulnerabilities, this announcement will certainly drive those attackers interested in attacking these systems to develop them quickly. Affected organizations should patch quickly while there is still time,” Bambenek added.

  • Ransomware experts question massive Pysa/Mespinoza victim dump

    The Pysa ransomware group dumped dozens of victims onto their leak site this week right after US law enforcement officials announced a range of actions taken against ransomware groups. 

    More than 50 companies, universities, and organizations had their names added to the ransomware group’s leak site. The group, which also goes by the name Mespinoza, was called out by the FBI in March for specifically targeting “higher education, K-12 schools, and seminaries.” The FBI said at least 12 educational institutions across the US and UK had been hit with the ransomware. The French National Agency for the Security of Information Systems issued a similar alert one year earlier. Multiple ransomware experts questioned the timing of the leak, noting that Pysa has a penchant for waiting to add victims to their leak site. Recorded Future ransomware expert Allan Liska told ZDNet he did not think all of the victims published to the site were new. “We have seen them take six months, and even longer, from when a victim is first hit to when [stolen data] is published,” Liska said. “This could be all the victims they have been stalling on publishing data, but it would represent more victims than we have seen from them the rest of the year. It is a lot of different organizations, from around the world, with no theme.” Emsisoft threat analyst Brett Callow told ZDNet that Pysa names and shames its victims weeks, or sometimes months, after the attacks take place, differentiating it from other ransomware groups.

    The reason they waited this long to leak victim information is still unclear, he said, adding that it was curious they dumped this many names all at once. (Image: a sample from the leak site, provided by Brett Callow.)

    The dump came as law enforcement in the US, Europe, and other regions took forceful measures against a number of ransomware groups. US officials from the Justice Department, Treasury, and FBI announced a slate of actions taken against some of the members of the REvil ransomware group as well as sanctions against organizations helping ransomware groups launder illicit funds. US agencies have been working with Europol, Eurojust, Interpol, and other law enforcement organizations on “Operation GoldDust” to disrupt multiple ransomware groups over the past six months. Seventeen countries have been involved in the effort, and dozens of people have been arrested across Europe in connection with ransomware groups. This all followed an operation to take down REvil’s infrastructure that led to the group closing shop for the second time. Both Callow and Liska said the timing of Pysa’s dump was curious considering the actions being taken by law enforcement. “You can’t help but wonder whether their doing so now is in response to the news in relation to REvil — either a middle finger to law enforcement or, perhaps, an expression of confidence in case any of their affiliates are starting to get cold feet,” Callow told ZDNet. Liska echoed that it felt like Pysa was “giving the finger” to law enforcement after a bad day for ransomware groups. The FBI said in its March notice that Pysa, which was first seen in 2019, is known for exfiltrating data from victims before encrypting their systems “to use as leverage in eliciting ransom payments.” They noted that in addition to attacks on educational institutions, Pysa has also gone after foreign government entities, private companies, and the healthcare sector. “In previous incidents, cyber actors exfiltrated employment records that contained personally identifiable information (PII), payroll tax information, and other data that could be used to extort victims to pay a ransom,” the FBI said in the notice.

    “The cyber actors have uploaded stolen data to MEGA.NZ, a cloud storage and file sharing service, by uploading the data through the MEGA website or by installing the MEGA client application directly on a victim’s computer. However, in the past, actors have used other methods of exfiltrating data that leaves less evidence of what was stolen.” Emsisoft released a profile of the ransomware group in July, noting that they operate with the ransomware-as-a-service business model and routinely dump stolen data “even after the victim company has paid the ransom.” They warned victims about cooperating with the group, explaining that Emsisoft’s decryption tool “can safely decrypt data encrypted by Mespinoza, provided the victim has obtained the decryption keys.” “Since Mespinoza was first discovered, there have been 531 submissions to ID Ransomware, an online tool that helps the victims of ransomware identify which ransomware has encrypted their files,” Emsisoft researchers wrote in July. “We estimate that only 25 percent of victims make a submission to ID Ransomware, which means there may have been a total of 2,124 Mespinoza incidents since the ransomware’s inception. During this time, the group has also published on its leak site the stolen data of at least 104 organizations.”

  • Costco customers complain of fraudulent charges before company confirms card skimming attack

    Costco has sent out breach notification letters to an unknown number of victims after multiple people took to social media to complain about fraudulent charges connected to the company.


    First reported by Bleeping Computer, the letter says payment card information was compromised through a card skimming device at certain Costco locations. “We recently discovered a payment card skimming device at a Costco warehouse you recently visited. Our member records indicate that you swiped your payment card to make a purchase at the affected terminal during the time the device may have been operating,” Costco said in the letter. “If unauthorized parties were able to remove information from the device before it was discovered, they may have acquired the magnetic stripe of your payment card, including your name, card number, card expiration date and CVV. We recommend that you check your most recent bank and or credit card statement related to the card above for charges unauthorized by you.” The company said it discovered the card skimmer after an inspection of its PIN pads and said law enforcement has been contacted. The letter added that even if victims have not seen any suspicious charges, they should still call their bank to “discuss possible options for avoiding potential problems in case” their card was inappropriately used. Costco is offering victims IDX identity theft protection services, which include 12 months of credit monitoring, a $1 million insurance reimbursement policy and ID theft recovery services.

    The letters come after people wrote on Twitter and Reddit that they had discovered fraudulent charges on their Costco cards and accounts. Some said they began noticing the charges after using their card at Costco gas stations. “Noticed a fraudulent charge on my credit card, so I called to get it handled. The guy on the phone asked if I pay at the pump usually for gas, and I said yes. Apparently, skimmers for information are common on pay at pump systems and car washes,” one Reddit user wrote. “That was the only place he saw in my history that was likely to have stolen my information. He recommended paying inside, but Costco doesn’t even have that option. Just a reminder to always check your credit card statements and watch for fraudulent charges!” Card skimmers are a persistent problem on both physical terminals and online e-commerce portals. The problem is so common that Cloudflare created a web security tool to prevent Magecart-style attacks in March. CRITICALSTART CTO Randy Watkins said this type of physical data theft is typically very isolated: card skimming devices are used on everything from gas pumps to ATMs, but each one only poses a threat to patrons of the breached device. “The data that the attacker can obtain from the magnetic strip on a card actually depends on the card itself. While things like the credit card number, full name, expiration, and country code is universal, other cards can contain additional information like billing address or rewards account numbers. Consumers should make a habit of checking card slots for any foreign devices (internal or external) before swiping their card,” Watkins told ZDNet. Armen Najarian, chief identity officer at Outseer, said the Costco breach underscores the urgency for better payment security anywhere a transaction happens.

    “As we head into the holiday season, hackers and other bad actors will target retailers made vulnerable by short staffing and high transaction volumes,” Najarian said. “All of this, unfortunately, will be amplified this year as pandemic-induced labor shortages reach unprecedented levels. If retailers want to keep their customers safe and happy this holiday season, they need to prioritize payment authentication software for in-store and online transactions alike.” Costco is the fifth largest retailer in the world and fourth largest in the US, with 810 stores worldwide.

  • Google warns hackers used macOS zero-day flaw, could capture keystrokes, screengrabs


    Google’s Threat Analysis Group (TAG) has revealed that hackers targeting visitors to websites in Hong Kong were using a previously undisclosed, or zero-day, flaw in macOS to spy on people. Apple patched the bug, tracked as CVE-2021-30869, in a macOS Catalina update in September, about a month after Google TAG researchers found it being used. “A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of reports that an exploit for this issue exists in the wild,” Apple said, crediting Google TAG researchers with reporting the flaw. Now Google has provided more information, noting that this was a so-called “watering hole” attack, where attackers select websites to compromise because of the profile of typical visitors. The attacks targeted Mac and iPhone users. “The websites leveraged for the attacks contained two iframes which served exploits from an attacker-controlled server — one for iOS and the other for macOS,” said Erye Hernandez of Google TAG. The watering hole served an XNU privilege escalation vulnerability at that point unpatched in macOS Catalina, which led to the installation of a backdoor.

    “We believe this threat actor to be a well-resourced group, likely state-backed, with access to their own software engineering team based on the quality of the payload code,” he added. The attackers were using the previously disclosed flaw in XNU, tracked as CVE-2020-27932, and a related exploit to create an elevation of privilege bug that gave them root access on a targeted Mac. Once root access was gained, the attackers downloaded a payload that ran silently in the background on infected Macs. The design of the malware suggests a well-resourced attacker, according to Google TAG. “The payload seems to be a product of extensive software engineering. It uses a publish-subscribe model via a Data Distribution Service (DDS) framework for communicating with the C2. It also has several components, some of which appear to be configured as modules,” notes Hernandez. The backdoor included the usual-suspect traits of malware built for spying on a target, including device fingerprinting, screen captures, the ability to upload and download files, as well as execute terminal commands. The malware could also record audio and log keystrokes. Google didn’t disclose the websites targeted but noted that they included a “media outlet and a prominent pro-democracy labor and political group” related to Hong Kong news.