More stories

  • CISA releases advisory on five Apache HTTP server vulnerabilities affecting Cisco products

    CISA has released a second advisory about several Apache HTTP server vulnerabilities. Cisco sent out a notice about the vulnerabilities in November, explaining that the Apache Software Foundation disclosed five vulnerabilities affecting the Apache HTTP Server (httpd) 2.4.48 and earlier releases on September 16. The IDs are CVE-2021-33193, CVE-2021-34798, CVE-2021-36160, CVE-2021-39275 and CVE-2021-40438.

    Cisco noted that one of the vulnerabilities, in the mod_proxy module of Apache HTTP Server (httpd), could allow an unauthenticated, remote attacker to make the httpd server forward requests to an arbitrary server. Another could be exploited by sending a crafted HTTP request to a vulnerable device; a successful exploit could allow the attacker to get, modify, or delete resources on other services that may otherwise be inaccessible.

    Cisco said in November that its Product Security Incident Response Team “became aware of exploitation attempts of the vulnerability identified by CVE-2021-40438.”

    Cisco said the products affected by the vulnerabilities include Cisco Cloud Services Platform 2100, Cisco Wide Area Application Services (WAAS), Cisco Wireless Gateway for LoRaWAN, Cisco TelePresence Video Communication Server (VCS), Cisco Expressway Series, Cisco UCS Manager, Cisco Network Assurance Engine, Cisco UCS Director Bare Metal Agent, Cisco UCS Central Software, Cisco Security Manager, Cisco Prime Optical for Service Providers, Cisco Prime Infrastructure, Cisco Prime Collaboration Provisioning, Cisco FXOS Software for Firepower 4100/9300 Series Appliances, Cisco Policy Suite and the Cisco Firepower Management Center.

    The company added that it is investigating the following products: Cisco DNA Center, Cisco Unified Communications Domain Manager, Cisco Unified Communications Manager IM & Presence Service (formerly CUPS) and Cisco Smart Net Total Care – On-Premises.

    Some of the fixes are available now, but others will be released in February, March, May and June of 2022. Administrators can find product-specific workarounds in the Cisco notice. Casey Ellis, CTO at Bugcrowd, said the vulnerabilities are critical in their impact and appear to be fairly easy to exploit.

    Netenrich principal threat hunter John Bambenek told ZDNet that what stood out to him about the advisory is that the vulnerabilities were first known in August and an update to Apache was released in September. “Only now has Cisco issued their own advisory and begun the process to remediate the issue in their devices. Open source software makes up key components in many commercial offerings, however, patch and vulnerability management still pose problems, even for large enterprises,” Bambenek said. “Devices with large control over environments the way Cisco devices do really ought to have come with more responsible scrutiny over updates to key components to their products.”

  • Fujitsu to discontinue ProjectWEB tool after Japanese govt data breaches

    In a statement released on Thursday, Japanese tech giant Fujitsu attributed a Japanese government data breach earlier this year to its ProjectWEB tool. In May, multiple government agencies — including the Ministry of Land, Infrastructure, Transport, and Tourism; the Cabinet Secretariat; and Narita Airport — were hacked through the software-as-a-service platform. 


    A Fujitsu spokesperson at the time confirmed to ZDNet’s Campbell Kwan that there was “unauthorized access to ProjectWEB, a collaboration and project management software, used for Japanese-based projects.” They suspended use of the tool and informed all impacted customers. After an investigation, Fujitsu said on Thursday that it appointed a CISO in October and put in place “measures to prevent reoccurrence… under a new information security management and operation framework.”

    Fujitsu added that the cause of the incident is still being verified by a committee of internal experts as well as Japan’s National Center of Incident Readiness and Strategy for Cybersecurity (NISC), which will sign off on releasing any more information about the incident. Fujitsu plans to “introduce a new project information sharing tool that addresses the issues raised by this incident with robust information security measures, including those in line with zero-trust practices, and will be migrating project management tasks to the new tool.”

    Japanese news outlets said more than 75,000 emails from the Ministry of Land, Infrastructure, Transport, and Tourism were leaked in the attack in May. Information on business partners, employees, and the inner workings of government cybersecurity services, as well as Narita Airport, was also stolen during the attack.

    Today’s news was first reported by Bleeping Computer.

  • Malware distribution in public repositories highlighted by malicious npm packages stealing Discord tokens

    DevOps security firm JFrog discovered 17 new malicious packages in the npm (Node.js package manager) repository that intentionally seek to attack and steal a user’s Discord tokens. Shachar Menashe, senior director of JFrog security research, and Andrey Polkovnychenko said the packages intentionally seek to hijack a user’s Discord token, effectively giving the attacker full control over the user’s account.

    “This type of attack has severe implications if executed well and in this case public hack tools made such an attack easy enough for even a novice hacker to perform,” Menashe said. “We recommend organizations take precautions and manage their use of npm for software curation, to reduce the risk of introducing malicious code into their applications.”

    The two explained that the packages’ payloads are varied, ranging from infostealers to full remote access backdoors. They added that the packages use different infection tactics, including typosquatting, dependency confusion and trojan functionality. The packages have been removed from the npm repository, and the JFrog security research team said they were taken down “before they could rack up a large number of downloads.”

    JFrog noted that there has been an increase in malware aimed at stealing Discord tokens because the platform now has more than 350 million registered users and can be used for anonymous command and control (C2) servers and for social engineering purposes. “Due to the popularity of this attack payload, there are quite a lot of Discord token grabbers posted with build instructions on GitHub. An attacker can take one of these templates and develop custom malware without extensive programming skills – meaning any novice hacker can do this with ease in a matter of minutes,” the researchers explained.

    “As mentioned, this can be used in tandem with a variety of online obfuscation tools to avoid basic detection techniques. It’s important to note these payloads are less likely to be caught by antivirus solutions, versus a full-on RAT backdoor, since a Discord stealer does not modify any files, does not register itself anywhere (to be executed on next boot, for example) and does not perform suspicious operations such as spawning child processes.”

    Their report on the situation notes that JFrog has found a “barrage of malicious software hosted and delivered through open-source software repositories,” adding that public repositories like PyPI and npm have become a handy instrument for malware distribution. “The repository’s server is a trusted resource, and communication with it does not raise the suspicion of any antivirus or firewall. In addition, the ease of installation via automation tools such as the npm client, provides a ripe attack vector,” the researchers said. The Record explained that npm does not manually review package uploads, giving cybercriminals free rein to upload whatever they want.

    John Bambenek, principal threat hunter at Netenrich, said cybersecurity experts have for some time seen attempts to insert malicious code or set up malicious libraries in PyPI and npm. “Automation is the next logical step for the attackers to increase the number of victims they have control of,” Bambenek said. “The malicious code usually is not in place for very long, but if you do it at scale, odds are you are collecting victims at a rapid pace.”

  • Saudi human rights activist files lawsuit against former US intelligence operatives for hacking scandal

    Saudi human rights activist Loujain al-Hathloul has filed a lawsuit against spyware maker DarkMatter Group and three former US intelligence operatives for their role in helping the United Arab Emirates hack into her iPhone and track her movements. al-Hathloul is one of several people the DarkMatter Group hacked, and three executives at the firm — 49-year-old Marc Baier, 34-year-old Ryan Adams and 40-year-old Daniel Gericke — were fined by the Justice Department in September for their role in helping oppressive governments like the UAE violate several US laws. 

    The three were part of Project Raven, an effort by the UAE to spy on human rights activists, politicians, journalists, and dissidents opposed to the government during the Arab Spring protests. In 2019, both Reuters and The Intercept conducted in-depth investigations into the work of Project Raven and DarkMatter after members of the team raised concerns about the hacking UAE officials were requesting. The case sparked widespread concern about how former officials at the National Security Agency (NSA) and other US spy agencies were spreading the tactics they learned while hacking for the US government.

    al-Hathloul’s lawsuit was filed by the Electronic Frontier Foundation (EFF) and law firms Foley Hoag LLP and Boise Matthews LLP. EFF said DarkMatter was working for the UAE but hacked al-Hathloul’s iPhone on behalf of the Kingdom of Saudi Arabia, noting that DarkMatter used an iMessage vulnerability to monitor people’s devices. EFF attorney Mukund Rathi said this is a “clear-cut case” of device hacking, where DarkMatter operatives broke into al-Hathloul’s iPhone without her knowledge to insert malware, with horrific consequences.

    “This kind of crime is what the Computer Fraud and Abuse Act was meant to punish,” Rathi said, adding that the lawsuit includes claims that DarkMatter is liable for crimes against humanity for helping the UAE hack many human rights defenders. Baier, Adams, and Gericke bought the malicious code from a US company during their time building out the UAE cybersurveillance program, according to EFF.

    “No government or individual should tolerate the misuse of spy malware to deter human rights or endanger the voice of the human conscious. This is why I have chosen to stand up for our collective right to remain safe online and limit government-backed cyber abuses of power,” al-Hathloul said. “I continue to realize my privilege to possibly act upon my beliefs. I hope this case inspires others to confront all sorts of cybercrimes while creating a safer space for all of us to grow, share, and learn from one another without the threat of power abuses.”

    al-Hathloul gained prominence in 2014 when she pledged to drive across the border from the UAE into Saudi Arabia, where it was illegal for women to drive until 2018. She was stopped at the Saudi border and detained for 73 days. al-Hathloul also campaigned for women’s rights in Saudi Arabia, where women face significant discrimination and violence in addition to legal rules mandating male permission for work and travel. In the lawsuit, EFF lawyers said al-Hathloul’s iPhone was hacked by DarkMatter in 2017, violating the Computer Fraud and Abuse Act because the malicious code was directed to Apple services in the US. DarkMatter gained access to all of al-Hathloul’s emails, texts and real-time location, according to EFF. al-Hathloul was eventually arrested while driving in Abu Dhabi and extradited to Saudi Arabia, where she was jailed, electrocuted, flogged, and threatened with rape and death.

    “Companies that peddle their surveillance software and services to oppressive governments must be held accountable for the resulting human rights abuses,” EFF civil liberties director David Greene said. “The harm to Loujain al-Hathloul can never be undone. But this lawsuit is a step toward accountability.”

    The Justice Department faced backlash in September for not imposing harsh enough penalties on Baier, Adams, and Gericke after their work was revealed by several news outlets. The three “entered into a deferred prosecution agreement” that allows them to avoid prison sentences in exchange for paying $1,685,000 “to resolve a Department of Justice investigation regarding violations of US export control, computer fraud, and access device fraud laws.” Baier will be forced to pay $750,000, Adams will pay $600,000, and Gericke will pay $335,000 over a three-year term. All three will also be forced to cooperate with the FBI and DOJ on other investigations and to relinquish any foreign or US security clearances. They are also permanently banned from having future US security clearances and will be restricted from any jobs involving computer network exploitation, working for certain UAE organizations, exporting defense articles, or providing defense services.

    EFF Cybersecurity Director Eva Galperin noted that Project Raven went beyond even the tactics deployed by the NSO Group, which has been caught repeatedly selling its spyware to authoritarian governments. “DarkMatter didn’t merely provide the tools; they oversaw the surveillance program themselves,” Galperin said.

  • Meta expands ban on Myanmar military after $150 billion lawsuit

    Meta announced this week that it is expanding its ban on members of the Myanmar military, known as the Tatmadaw. This comes after Rohingya refugees filed two class action lawsuits against Meta in the US and UK for about $150 billion. Meta said it will now “remove Pages, Groups and accounts representing military-controlled businesses.” The company made a similar statement earlier this year when the military staged a coup and removed democratically-elected leader Aung San Suu Kyi.

    “This builds on our existing ban on these entities advertising on Facebook, which was announced in February, and the various enforcement actions we’ve taken since then which are outlined below,” said Rafael Frankel, director of policy for Meta in APAC-Emerging Countries, referencing this Meta newsroom post. “We’re taking this latest action based on extensive documentation by the international community of these businesses’ direct role in funding the Tatmadaw’s ongoing violence and human rights abuses in Myanmar.”

    Meta did not say how this move differs from the one in February, and many online criticized it as a cynical ploy to deflect criticism coming from the billion-dollar lawsuit. Frankel noted that the move was made in light of the sanctions handed down by the US, EU, and other governments. But Frankel added that the Tatmadaw “has far-reaching commercial interests which are not always possible to definitively determine.” Meta is basing its business bans on the UN Fact-Finding Mission on Myanmar’s 2019 report on the economic interests of the Tatmadaw, according to Frankel.

    Facebook has long faced backlash and condemnation for not doing more to stop generals in the Myanmar military from using the platform to incite and organize violence against the Rohingya ethnic group. Around 2013, the generals began using their Facebook pages to stoke hatred against the racial minority within the country and justify the rape, torture, abuse, and murder of thousands of people. The US lawsuit from Rohingya refugees this week illustrates how Facebook’s algorithm often recommended extremist groups and violent content to regular citizens of Myanmar, effectively radicalizing the country and spreading support for the ongoing genocide. “At the core of this complaint is the realisation that Facebook was willing to trade the lives of the Rohingya people for better market penetration in a small country in Southeast Asia,” the lawsuit said.

    The military violently drove millions of Rohingya out of the country into a number of neighboring countries including Bangladesh, where most are still living in squalid refugee camps. Facebook eventually banned the generals from using the platform and admitted that senior military leaders in Myanmar did other things to spread misinformation about the Rohingya in 2018, but refugees have said the move came far too late. The Myanmar military has since expanded its campaign of violence beyond the Rohingya, staging a coup earlier this year and inflicting unrestrained violence on anyone living in the country. Since February, the military has arrested and killed thousands, sparking a revolt that has now spread throughout the country. Facebook previously expanded its ban on posts by the military in April, pledging to remove any praise for the military’s violence against the country’s population.

  • IoT under attack: Security is still not good enough on these edge devices

    With IoT botnets continuing to cause problems and attacks on critical infrastructure an ongoing menace, Microsoft has conducted research to find out whether edge network devices are a threat to enterprise systems. The Microsoft-commissioned survey, conducted by the Ponemon Institute, looked at Internet of Things (IoT) and Operational Technology (OT) devices and what security threats they pose to IT systems that were once separated from edge network devices. OT devices include the devices and software used to monitor and control industrial equipment, bringing a physical element to cybersecurity.

    The survey of 615 IT, IT security, and OT security practitioners across the United States found that 51% of OT networks are connected to corporate IT networks. Microsoft details key findings in a blog post and has released a report. Some 88% of respondents said their business IoT devices are connected to the internet for things like cloud printing services, while 56% reported devices on their OT network were connected for remote access.

    Microsoft points to the Mozi P2P IoT botnet, which, for example, targets vulnerabilities in video recorders and other IoT products, including popular network gateways, to spread. Microsoft reckons Mozi demonstrates how business networks can be breached by compromised edge devices that were once assumed to be air-gapped from internal platforms. The Ponemon Institute survey found that only 29% of respondents had a complete inventory of IoT and OT devices. Most respondents (64%) had low or average confidence that their IoT devices are patched, and the same proportion admitted they did not know if the devices had been compromised.

    Multiple attacks on VPN appliances over the past year have also demonstrated that these can be a soft spot in enterprise and industrial networks. The US Cybersecurity and Infrastructure Security Agency (CISA) this week warned organizations of a new set of critical flaws in SonicWall’s popular mobile remote access SMA 100 Series appliances.

    The survey suggests there is awareness among IT managers, since 39% of respondents said they’d experienced an attack on IoT or OT devices in the past two years. Additionally, 35% said they’d experienced an incident where an IoT device was used to conduct a broader attack, such as ransomware, or to gain persistence on a network. And most respondents (63%) believe attacks on IoT/OT devices will significantly increase in coming years.

  • Get patching: SonicWall warns of vulnerabilities in SMA 100 series remote access devices

    SonicWall is warning customers to apply firmware updates to its SMA 100 Series appliances for remote access from mobile devices, in order to patch vulnerabilities of critical and medium severity. SonicWall says in an advisory that it “strongly urges” customers to apply new fixes to address eight flaws that the US Cybersecurity and Infrastructure Security Agency (CISA) warns would allow a remote attacker to take control of an affected system. CISA recommends customers apply the necessary firmware updates “as soon as possible”, in part because these appliances have historically been popular targets for attackers.

    The eight bugs range from critical to medium severity and affect a sensitive piece of the network, since the appliances provide employees with remote access to internal resources. The eight bugs were discovered by researchers at Rapid7 and NCC Group. The most dangerous of them has a severity rating of 9.8 out of a possible 10.

    SonicWall’s Secure Mobile Access (SMA) 100 Series appliances for small and medium businesses enable secure remote access from mobile devices anywhere via its NetExtender and Mobile Connect VPNs. Affected SMA 100 series appliances include the SMA 200, 210, 400, 410 and 500v products. SonicWall notes its SMA 100 series appliances with WAF enabled are also impacted by the majority of the vulnerabilities.

    “There are no temporary mitigations. SonicWall urges impacted customers to implement applicable patches as soon as possible,” SonicWall notes. It adds that there was no evidence of these vulnerabilities being exploited in the wild. However, now that the bugs have been publicly disclosed, attackers may soon develop exploits for them, especially since bugs in SMA 100 appliances have been exploited quickly in the past. Rapid7 says it “will release the technical details and proof-of-concept code in January 2022 as part of our coordinated vulnerability disclosure process.”

    CISA emphasizes that it warned in July that attackers were actively targeting a previously patched vulnerability in SonicWall SMA 100 series appliances. FireEye’s incident response group Mandiant reported in May that threat actors linked to the notorious DarkSide ransomware-as-a-service were exploiting the flaw (CVE-2021-20016) in SMA 100 series appliances. Highlighting the speed with which attackers exploit new flaws in key equipment, SonicWall had released firmware to address the issue only in late April. DarkSide was responsible for the Colonial Pipeline ransomware attack that downed its US East Coast fuel distribution network for nearly a week in May.

  • Google Pixel bug preventing users from making 911 calls caused by Microsoft Teams

    A Google Pixel user last week found a bug that prevented them from being able to call 911 on their device. Initially reported on the GooglePixel subreddit forum by /u/KitchenPictures5849, the user said in a thread that the bug arose whenever a call was made to 911, which would lead to their Pixel device freezing. After investigating the matter, Google said the glitch appears to be due to the Microsoft Teams app being installed on Pixel devices. A Google spokesperson said the bug only occurred on Pixel devices running Android 10 or above, whenever Microsoft Teams was installed but no account was logged into the app.

    “We believe the issue is only present on a small number of devices with the Microsoft Teams app installed when the user is not logged in, and we are currently only aware of one user report related to the occurrence of this bug. We determined that the issue was being caused by unintended interaction between the Microsoft Teams app and the underlying Android operating system,” the Google spokesperson wrote in the thread.

    The Google spokesperson said both Google and Microsoft have prioritised resolving the issue and that a Microsoft Teams app update would be rolled out soon. In the meantime, Google has advised users with Microsoft Teams installed on any Pixel device running Android 10 or above, and where an account is not logged into the app, to uninstall and reinstall the app. This fix will only address the bug in the interim, however, and a Microsoft Teams app update will still be required to fully resolve the issue. “We advise users to keep an eye out for an update to the Microsoft Teams app, and ensure it is applied as soon as available,” the Google spokesperson said.