More stories


    Rust-proofing the internet with ISRG's Prossimo

    You know the non-profit Internet Security Research Group (ISRG) for its Let’s Encrypt certificate authority, the most popular way of securing websites with TLS certificates. The group wants to do more. Its newest project, Prossimo, seeks to make many basic internet programs and protocols memory-safe by rewriting them in Rust.

    Rust, like some other memory-safe programming languages such as Go and Java, prevents programmers from introducing some kinds of memory bugs. All too often memory safety bugs go hand-in-hand with security issues. Unfortunately, much of the internet’s fundamental software is written in C, which is anything but memory safe. Of course, you can write memory-safe programs in C or C++, but it’s difficult. Conversely, you can create memory bugs in Rust if you try hard enough, but generally speaking Rust and Go are much safer than C and C++.

    There are many kinds of memory safety bugs. One common type is out-of-bounds reads and writes. In these, if you wrote code to track a to-do list with 10 items in C without memory protection measures, users could try to read and write an 11th item. Instead of an error message, you’d read or write memory that belonged to another program. In a memory-safe language, you’d get a compile error or a crash at run time. A crash is bad news too, but it’s better than giving a hacker a free pass into some other program’s memory.

    Using that same example, what happens if you delete the to-do list and then ask for the list’s first item? A badly written program in a non-memory-safe language will try to fetch from the old memory location in what’s called a use-after-free error. This trick is used all the time to steal data and wreak havoc on a poorly secured program. Again, with Rust or Go, you must go far out of your way to introduce such a blunder.

    As ISRG’s executive director, Josh Aas, explained in a speech at the Linux Foundation Membership Summit: “We’ve only started talking about security seriously recently. The problem is mainly C and C++ code. That’s where these vulnerabilities are coming from. New memory safety vulnerabilities come up in widely used software every day. I think it’s fair to say that this is out of control. 90% of vulnerabilities in Android; 70% from Microsoft and 80% of zero-day vulnerabilities come from old language memory-based. There are real costs to this stuff; every day people get hurt.”
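    The to-do list scenario above, worked through in Rust as an added example (this code is not from the article, ISRG or Prossimo; the `TodoList` type and its 10 constructed entries are assumptions made for the demonstration). It shows the two outcomes the article contrasts with C: a checked read that simply reports "no such item", and an indexing read that is stopped by a bounds-check panic instead of touching a neighbouring allocation. The use-after-free case is shown only as a comment, because Rust rejects it at compile time.

```rust
use std::panic;

/// A to-do list with a fixed number of entries, used to show what a
/// memory-safe language does with the out-of-bounds reads the article describes.
pub struct TodoList {
    items: Vec<String>,
}

impl TodoList {
    /// Builds a list of `n` constructed entries ("task 1" .. "task n").
    pub fn with_items(n: usize) -> Self {
        TodoList {
            items: (1..=n).map(|i| format!("task {i}")).collect(),
        }
    }

    /// Checked read: `None` for an index past the end. The caller must handle
    /// the missing item; no memory outside the buffer is ever touched.
    pub fn get(&self, index: usize) -> Option<&str> {
        self.items.get(index).map(String::as_str)
    }

    /// Indexing read: Rust still bounds-checks `[]` and panics on failure,
    /// which is the "crash at run time" rather than a silent read of a
    /// neighbouring allocation.
    pub fn get_or_panic(&self, index: usize) -> &str {
        &self.items[index]
    }
}

/// Reads item `index` from a 10-item list with the indexing operator and
/// reports whether that read was aborted by a bounds-check panic.
pub fn read_panics(index: usize) -> bool {
    let list = TodoList::with_items(10);
    // catch_unwind turns the panic into a Result so the demonstration can
    // continue; a real program would normally let it abort the operation.
    panic::catch_unwind(|| list.get_or_panic(index).len()).is_err()
}

fn main() {
    // Quiet the default panic message so the demonstration output stays readable.
    panic::set_hook(Box::new(|_| {}));
    let list = TodoList::with_items(10);
    println!("item 0 -> {:?}", list.get(0)); // Some("task 1")
    println!("item 10 -> {:?}", list.get(10)); // None: the 11th item does not exist
    println!("indexing item 10 panics: {}", read_panics(10)); // true
    println!("indexing item 9 panics: {}", read_panics(9)); // false

    // The use-after-free case from the article does not even compile in Rust:
    // drop(list);
    // println!("{:?}", list.get(0)); // error[E0382]: borrow of moved value: `list`
}
```

    The practical difference for a defender is in `get` versus `get_or_panic`: the first forces the caller to decide what a missing item means, the second turns the bug into a denial of service. Neither lets the read reach memory outside the list, which is the property the article is describing.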

    Why are they doing this now? Because, Aas explained, “We didn’t have great system languages to replace C. Now, we have that option.”

    So it is that under the Prossimo umbrella, ISRG is sponsoring developers to create memory-safe versions of internet programs. So far this includes a memory-safe TLS library, Hyper, and module, mod_tls, for the Apache webserver; a memory-safe curl data transfer utility; and memory-safe Rustls, a safer OpenSSL alternative. Next up, Prossimo wants to give Network Time Protocol (NTP) the memory-safe treatment. For now, though, this NTP project lacks funding.

    Of course, replacing critical C-based programs throughout the internet is a gigantic and complex task. But it’s a job that must be done as we grow ever more dependent on the internet for our personal lives, business work, and indeed the entire global economy.


    Microsoft November 2021 Patch Tuesday: 55 bugs squashed, two under active exploit

    Microsoft has released 55 security fixes for software including patches that resolve zero-day vulnerabilities actively exploited in the wild. The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, includes fixes for six critical vulnerabilities, 15 remote code execution (RCE) bugs, information leaks, and elevation of privilege security flaws, as well as issues that could lead to spoofing and tampering. 

    Products impacted by November’s security update include Microsoft Azure, the Chromium-based Edge browser, Microsoft Office — as well as associated products such as Excel, Word, and SharePoint — Visual Studio, Exchange Server, Windows Kernel, and Windows Defender.

    Some of the most interesting vulnerabilities resolved in this update, all deemed important, are:

    • CVE-2021-42321 (CVSS:3.1 8.8 / 7.7): Under active exploit, this vulnerability impacts Microsoft Exchange Server and, due to improper validation of cmdlet arguments, can lead to RCE. However, attackers must be authenticated.
    • CVE-2021-42292 (CVSS:3.1 7.8 / 7.0): Also detected as exploited in the wild, this vulnerability was found in Microsoft Excel and can be used to circumvent security controls. Microsoft says that the Preview Pane is not an attack vector. No patch is currently available for Microsoft Office 2019 for Mac or Microsoft Office LTSC for Mac 2021.
    • CVE-2021-43209 (CVSS:3.1 7.8 / 6.8): A 3D Viewer vulnerability made public, this bug can be exploited locally to trigger RCE.
    • CVE-2021-43208 (CVSS:3.1 7.8 / 6.8): Another known issue, this 3D Viewer security flaw can also be weaponized by a local attacker for code execution purposes.
    • CVE-2021-38631 (CVSS:3.0 4.4 / 3.9): Also made public, this security flaw, found in the Windows Remote Desktop Protocol (RDP), can be used for information disclosure.
    • CVE-2021-41371 (CVSS:3.1 4.4 / 3.9): Finally, this RDP vulnerability, known before patching was available, can also be exploited locally to force an information leak.

    According to the Zero Day Initiative (ZDI), historically, this is a relatively low number of vulnerabilities resolved during the month of November. “Last year, there were more than double this number of CVEs fixed,” the organization says. “Even going back to 2018 when there were only 691 CVEs fixed all year, there were more November CVEs fixed than in this month. Given that December is typically a slower month patch-wise, it causes one to wonder if there is a backlog of patches awaiting deployment due to various factors.”

    Last month, Microsoft resolved 71 bugs in the October batch of security fixes. Of particular note were patches for a total of four zero-day flaws, one of which was being actively exploited in the wild, whereas three were made public. A month prior, the tech giant tackled over 60 vulnerabilities during the September Patch Tuesday. Among the patches was a fix for an RCE in MSHTML.

    In recent Microsoft news, Visual Studio 2022 and .NET 6 were made generally available on November 8. Visual Studio 2022 includes a refresh of some features as well as debug improvements for developers. .NET 6 includes performance enhancements and is the first version able to support both Windows Arm64 and Apple Arm64 Silicon.

    Alongside Microsoft’s Patch Tuesday round, other vendors, too, have published security updates.


    Singapore embraces Zero Trust: A prediction comes true

    One of my favorite parts of our annual predictions process is reviewing the accuracy of Forrester’s predictions from the previous year. This is not simply navel gazing. Looking backward actually makes us far better predictors, keeps us firmly grounded in the reality of our customers, and ensures that our predictions remain firmly embedded in reality. Some teams within Forrester even have a rating system, ranging from “completely missed the mark” to “nailed it.” I won’t lie that it is an absolute thrill when a prediction I’ve contributed to comes true, especially when it has the potential to positively impact our clients, the industry, or even society as a whole.

    Twelve months ago, we predicted that at least one Asia Pacific (APAC) government would embrace a Zero Trust (ZT) framework in the coming year. In keeping with our rating system, I’m happy to say we nailed it!

    Since 2009, when ZT was coined by Forrester, large technology companies have adopted it as their security model, and now the US federal government is following suit. In Europe, ZT went from concept to reality for many firms during 2020 and then accelerated in 2021 as COVID-19 hastened the death of traditional security models across the region. Unfortunately, APAC has been a very different story. ZT adoption has been slow; according to the Forrester Analytics Business Technographics® Security Survey, 2021, only 13% of security leaders in APAC cite Zero Trust as a top strategic information/IT security priority. While ZT is slowly gaining momentum in the Asia Pacific region, it faces many adoption challenges: concerns over the nomenclature, a paucity of ZT pioneers, and under-resourced security teams. With all these challenges in play, predicting that an APAC government would embrace a ZT framework in 2021 was a bold call, indeed. Why’d we make it?

    We fully expected ZT momentum to accelerate for a number of reasons: 1) the shift to remote work requires a new approach to security; 2) the evolving regulatory landscape across APAC has increased focus on data protection; 3) Forrester Analytics survey data shows that APAC consumers and citizens are prioritizing security and privacy in their purchasing decisions; and 4) the release of the US National Institute of Standards and Technology’s publication on ZT architecture further validated the approach.

    I’ve led multiple APAC CISO roundtables on the topic of Zero Trust over the past 12 months. While participants were supportive of the prediction in principle, they were also skeptical — there were no indications in the media or elsewhere to support such a big call. And then in October, exactly one year after we made the prediction, Singapore Senior Minister and Coordinating Minister for National Security Teo Chee Hean announced Singapore’s new cybersecurity strategy. The strategy was supported by Prime Minister Lee Hsien Loong, who acknowledged in the strategy foreword: “Five years ago, we launched the first Singapore Cybersecurity Strategy. The world is now a different place,” noting the need for a new way of thinking about security.

    The new Singaporean cybersecurity strategy clearly defines ZT as “[a] security framework requiring all end users, whether in or outside the organization’s network, to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data.” The strategy endorses a mindset shift from perimeter defense toward a ZT cybersecurity model, encourages critical infrastructure owners to adopt a ZT cybersecurity posture for critical systems, and states that the government is implementing the Government Trust-based Architecture that translates ZT principles to the government context.

    Looking to the future, we will continue to make important predictions about the state of Zero Trust adoption, particularly in governments. In fact, in our 2022 public sector predictions, we make the call that five governments will adopt Zero Trust to revive public trust in digital services, following the lead of the US and Singapore.

    For more regional insight beyond ZT, check out Forrester’s 2022 Asia Pacific predictions, where trust and values take center stage. We look forward to assessing how we fared this time next year.

    This post was written by Principal Analyst Jinan Budge, and it originally appeared here.


    These cybersecurity vulnerabilities could leave millions of connected medical devices open to attack

    Critical vulnerabilities in millions of connected devices used in hospital networks could allow attackers to disrupt medical equipment and patient monitors, as well as Internet of Things devices that control systems and equipment throughout facilities, such as lighting and ventilation systems.


    The vulnerable TCP/IP stacks – communications protocols commonly used in connected devices – are also deployed in other industries, including the industrial sector and the automotive industry. The 13 newly disclosed vulnerabilities in Nucleus Net TCP/IP stacks have been detailed by cybersecurity researchers at Forescout and Medigate. Dubbed Nucleus:13, the findings represent the final part of Project Memoria, an initiative examining vulnerabilities in TCP/IP stacks used in connected devices and how to mitigate them.

    The vulnerabilities could be present in millions of devices based around Nucleus TCP/IP stacks and could allow attackers to engage in remote code execution, denial of service attacks and even leak data – although researchers can’t say for certain if they’ve actively been exploited by cyber criminals. Now owned by Siemens, the Nucleus TCP/IP stack was originally released in 1993 and is still widely used in critical safety devices, particularly in hospitals and the healthcare industry where they’re used in anaesthesia machines, patient monitors and other devices, as well as for building automation systems controlling lighting and ventilation.

    Of the three critical vulnerabilities identified by researchers, CVE-2021-31886 poses the greatest threat, with a Common Vulnerability Scoring System (CVSS) score of 10 out of 10. It’s a vulnerability in File Transfer Protocol (FTP) servers that don’t properly validate the length of user commands, leading to stack-based buffer overflows that can be abused for denial-of-service and remote code execution.

    The remaining two critical vulnerabilities both have a CVSS score of 9.9. CVE-2021-31887 is a vulnerability in FTP servers that don’t properly validate the length of PWD or XPWD FTP commands, while CVE-2021-31888 occurs when the FTP server doesn’t properly validate the length of MKD or XMKD FTP commands. Both can result in stack-based buffer overflows, allowing attackers to launch denial-of-service attacks or remotely execute code.

    Because the stacks are so common, they are easy to identify and target. It’s also possible to find some of the connected devices on the IoT search engine Shodan – and if they are publicly facing the internet, it’s possible to launch remote attacks. This is why researchers decided to examine them specifically. “We found some promotional material for the stack that mentions using this for medical applications,” Daniel dos Santos, research manager at Forescout Research Labs, told ZDNet. “Then when you look at some of the data promoting medical devices, they mention the use of the stack directly.”

    Attackers would need to jump through a number of steps, detailed extensively in the paper, to fully exploit the vulnerabilities. But, as long as they exist, that potential is there – along with the potential for disruption. In hospitals, not only could this affect machines used for patient care; systems in the building such as alarms, lighting and ventilation could be affected too.

    Organisations are recommended to apply the available security patches released by Siemens in order to mitigate the threat. “All vulnerabilities that are being disclosed on Nov 9th have been fixed in the corresponding latest fix releases of active Nucleus version lines,” a Siemens spokesperson told ZDNet. Researchers also suggest that networks should be segmented in order to limit the exposure of any devices or software that could contain vulnerabilities but can’t be patched. “Make sure that you know your network, so even if devices are not patched and you know that probabilities exist, you can still live with a network configuration that lets you sleep at night,” said dos Santos.

    “The main thing is network segmentation and being able to know and to make sure that devices that are potentially vulnerable and maybe can’t be patched are contained, and can only talk to other devices they’re allowed to.”

    Nucleus:13 represents the final part of Forescout’s Project Memoria, which has worked to uncover and, when possible, help to patch security vulnerabilities in devices, which in some cases are decades old – designed at a time far before the rise of the Internet of Things was even predicted. “Many of these pieces of software are 20, 30 or even more years old. Unfortunately, that means that they were designed in a different age for different requirements and they’re just not up to date with security nowadays,” said dos Santos. “Many of these vulnerabilities are kind of predictable in the sense that they’re repeated over and over again over different pieces of software,” he added.

    The aim of the year-long project has been to showcase the vulnerabilities in older devices and to push for connected devices to be built with IoT security in mind – and to prevent the same old vulnerabilities causing problems moving forward, particularly as the use of IoT devices continues to grow. “The expanded adoption of these types of technology by every type of organization, and their deep integration into critical business operations, will only increase their value for attackers over the long term,” warns the report.


    Microsoft: Chinese hackers are targeting Zoho ManageEngine software

    Microsoft has sent an alert about a sophisticated Chinese hacker group targeting an obscure bug in Zoho software to install a webshell.


    Microsoft Threat Intelligence Center (MSTIC) has detected exploits targeting systems running Zoho ManageEngine ADSelfService Plus, a self-service password management and single sign-on solution, with the remote code execution bug tracked as CVE-2021-40539. Zoho is best known as a popular software-as-a-service vendor, while ManageEngine is the company’s enterprise IT management software division.

    It’s a targeted malware campaign, so most Windows users shouldn’t need to worry about it, but Microsoft has flagged the campaign, which it first observed in September, because it’s aimed at the US defence industrial base, higher education, consulting services, and IT sectors.

    MSTIC attributes the activity to a group it is tracking as DEV-0322, which also targeted a zero-day flaw in SolarWinds Serv-U FTP software. The US government attributed an earlier software supply chain attack on SolarWinds to Kremlin-backed intelligence hackers. Palo Alto Networks Unit 42 observed the same Chinese group scanning ManageEngine ADSelfService Plus servers from mid-September to early October. The bug concerns a REST API authentication bypass that can lead to remote code execution in vulnerable devices.

    Microsoft fleshes out some details on the latest activity of the group’s use of the Zoho bug, which relied on the Godzilla webshell payload. Webshells are generally considered a problem because they can survive a patch on the underlying OS or software. It notes that the group was involved in “credential dumping, installing custom binaries, and dropping malware to maintain persistence and move laterally within the network.”

    The attack group also deployed a Trojan Microsoft calls Trojan:Win64/Zebracon, which uses hardcoded credentials to make connections to suspected DEV-0322-compromised Zimbra email servers. “Godzilla is a functionality-rich webshell that parses inbound HTTP POST requests, decrypts the data with a secret key, executes decrypted content to carry out additional functionality and returns the result via an HTTP response. This allows attackers to keep code likely to be flagged as malicious off the target system until they are ready to dynamically execute it,” notes Palo Alto Networks.


    Meet Lyceum: Iranian hackers targeting telecoms, ISPs

    Researchers have provided a deep dive into the activities of Lyceum; an Iranian threat group focused on infiltrating the networks of telecoms companies and internet service providers (ISPs). 


    Lyceum, also known as Hexane, Siamesekitten, or Spirlin, has been active since 2017. The advanced persistent threat (APT) group has been linked to campaigns striking Middle Eastern oil and gas companies in the past and now appears to have expanded its focus to include the technology sector.

    According to a report published on Tuesday by Accenture Cyber Threat Intelligence (ACTI) and Prevailion Adversarial Counterintelligence (PACT), between July and October this year, Lyceum was spotted in attacks against ISPs and telecoms organizations across Israel, Morocco, Tunisia, and Saudi Arabia. In addition, the APT is responsible for a campaign against an African ministry of foreign affairs. The cybersecurity teams say that several of the “identified compromises” remain active at the time of publication.

    Lyceum’s initial attack vectors include credential stuffing attacks and brute-force attacks. According to Secureworks, individual accounts at companies of interest are usually targeted — and then once these accounts are breached, they are used as a springboard to launch spear-phishing attacks against high-profile executives in an organization. The APT appears to be focused on cyberespionage. The report suggests that not only do these attackers seek out data on subscribers and connected third-party companies, but once compromised, “threat actors or their sponsors can also use these industries to surveil individuals of interest.”

    Lyceum will attempt to deploy two different kinds of malware: Shark and Milan (known together as James). Both are backdoors; Shark, a 32-bit executable written in C# and .NET, generates a configuration file for DNS tunneling or HTTP C2 communications, whereas Milan — a 32-bit Remote Access Trojan (RAT) — retrieves data. Both are able to communicate with the group’s command-and-control (C2) servers. The APT maintains a C2 server network that connects to the group’s backdoors, consisting of over 20 domains, including six that were previously not associated with the threat actors.

    The backdoor malware families have previously been disclosed by ClearSky and Kaspersky (PDF). The ACTI/PACT researchers recently found a new backdoor similar to newer versions of Milan, which sent beacons linked to potential attacks against a Tunisian telecoms company and a government agency in Africa. “It is unknown if the Milan backdoor beacons are coming from a customer of the Moroccan telecommunication operator or from internal systems within the operator,” the researchers say. “However, since Lyceum has historically targeted telecommunication providers and the Kaspersky team identified recent targeting of telecommunication operators in Tunisia, it would follow that Lyceum is targeting other north Africa telecommunication companies.”


    Robinhood breach leaks information of 7 million people

    Robinhood announced that its popular app has suffered a breach, exposing millions of email addresses, names and more.

    In a statement released on Monday, Robinhood said it discovered the incident on the evening of November 3, explaining that an “unauthorized third party” managed to obtain personal information of its customers. The company was quick to say that no Social Security numbers, bank account numbers, or debit card numbers were exposed. But it admitted that about 7 million people had some amount of information leaked in the attack. The customers affected have been emailed.

    “The unauthorized party socially engineered a customer support employee by phone and obtained access to certain customer support systems. At this time, we understand that the unauthorized party obtained a list of email addresses for approximately five million people, and full names for a different group of approximately two million people,” the company said. “We also believe that for a more limited number of people — approximately 310 in total — additional personal information, including name, date of birth, and zip code, was exposed, with a subset of approximately 10 customers having more extensive account details revealed. We are in the process of making appropriate disclosures to affected people.”

    Robinhood said the cybercriminal threatened them and demanded “an extortion payment.” The company did not say if it paid the sum but noted that it contacted law enforcement and hired cybersecurity firm Mandiant.

    “As a Safety First company, we owe it to our customers to be transparent and act with integrity,” said Robinhood chief security officer Caleb Sima. “Following a diligent review, putting the entire Robinhood community on notice of this incident now is the right thing to do.”

    Mandiant Chief Technology Officer Charles Carmakal told Bloomberg that they believe the people behind the attack will “continue to target and extort other organizations over the next several months.”

    Robinhood was fined $70 million in July by the US Financial Industry Regulatory Authority for causing “significant harm” to “millions of customers” through a number of systematic failures, including major outages in March 2020, as well as “false or misleading information” sent to customers from the company. For Robinhood customers interested in learning more about how their accounts are kept safe, the company suggested heading to the app and looking through the “Account Security” section.

    Bob Rudis, chief data scientist at Rapid7, told ZDNet that RobinHood was a victim of an attack back in 2020, and he noted that once a company has been a target, it tends to remain on hit lists. This is particularly true for wildly successful financial services startups like Robinhood, he added. “While many organizations have affixed their gazes on ransomware, traditional cybercriminal enterprises continue to pilfer coveted identity information from individuals who likely have — or aspire to have — significant financial assets. This core information — name, email address, and other metadata — are used in highly targeted (and, far too often successful) phishing campaigns and identity theft campaigns, making all exposed potential extended victims of the core attack,” Rudis said.

    “Anyone who is a RobinHood customer should be extra vigilant and ensure they have unique passwords across their cloud application portfolio and MFA enabled on all of them (anyone who uses any non-trivial internet service that doesn’t support MFA should cease using said service(s) and strive to be as safe as possible as they can online). These attacks persist against all financial services firms, and it only takes one misstep to fall prey to clever, targeted campaigns.”


    DDoS attack cost Bandwidth.com nearly $12 million

    VoIP giant Bandwidth.com reported its third quarter earnings on Monday, bringing in a revenue of $131 million. But the company noted in another release that a recent DDoS attack will end up costing them “between $9 million and $12 million” for the full fiscal year. While the company still beat expectations for Q3, the financial cost of the attack — which was first reported by The Record — illustrates how much damage DDoS incidents can cause. 

    The company filed a document with the SEC on October 26 explaining that the attack caused a “decrease of approximately $700,000 in third quarter 2021 revenue from lost transaction volume and customer credits.” “Based on preliminary usage data and currently known information, the company estimates that the impact of the DDoS attack may reduce CPaaS revenue for the full year of 2021 by an amount between $9 million and $12 million, inclusive of the aforementioned $0.7 million revenue impact in the third quarter,” the company said in a filing.

    On an earnings call on Monday, Bandwidth said many of the customers who left the company after the attack have already indicated they may return, and executives noted that they did not pay a ransom to address the attack. In September, Bandwidth CEO David Morken confirmed that it was suffering from outages after reports emerged that the service was dealing with a DDoS attack. Other VoIP vendors like Accent, RingCentral, Twilio, DialPad, and Phone.com were experiencing outages and telling customers that the problems were with an “upstream provider.”

    A source, who asked to have their name withheld, told ZDNet that their customers were having major problems with their ported phone numbers and that they could not make any changes like forwarding phones. The company is a downstream reseller of products hosted by Bandwidth and said they knew of a major telecommunications company that “was in emergency mode” due to the situation with Bandwidth.

    While the attack caused outages for days and the company reported its expected losses, Morken said it had little impact on the company’s successful quarter. “I am proud of our team’s performance to combat a series of sophisticated DDoS attacks aimed at Bandwidth and our industry. Despite the impact from the DDoS attack at the end of September, our revenue results for the third quarter exceeded our guidance,” Morken said. “Consistent with our ethos to do the right thing for our customers, we helped some of our customers divert traffic from our platform during the attack to mitigate impacts to their businesses. While that traffic is beginning to come back, we believe we will see a top-line impact of that lost volume primarily in the fourth quarter. We believe we are now stronger than ever, and are focused on serving our customers.”

    Multiple VoIP companies reported DDoS attacks over the last few months, and Cloudflare researchers said they saw several “record-setting HTTP DDoS attacks,” noting the emergence of ransom DDoS attacks on VoIP service providers. Canada-based VoIP provider VoIP.ms said it battled a week-long, massive ransom DDoS attack earlier this year. The REvil ransomware group demanded a $4.5 million ransom to end the attack.