More stories


    Citizen Lab researcher disputes claims from NSO Group after UK court finds UAE ruler used Pegasus to hack ex-wife, lawyers

    A member of the team at the University of Toronto’s Citizen Lab is questioning the actions of controversial Israeli spyware firm NSO Group in the case of Princess Haya bint al-Hussein, who had her devices and the devices of her lawyers hacked amid a UK custody battle with Sheikh Mohammed bin Rashid al-Maktoum, ruler of the United Arab Emirates. 


    Sheikh Mohammed and Princess Haya are locked in a custody battle over their two children, and the ruler ordered agents from the UAE to hack into his ex-wife’s devices using Pegasus, the NSO Group’s widely criticized spyware. The ruler even ordered her British lawyers’ phones hacked as well, drawing outrage from UK court officials, who called the hacks “serial breaches of domestic criminal law,” “in violation of fundamental common law and ECHR rights,” and an “abuse of power” by a head of state. The tool has caused global outrage for months after Citizen Lab revealed that it was being used widely by repressive governments and cybercriminal groups to monitor dissidents, human rights activists and even some world leaders, including French President Emmanuel Macron.

    William Marczak, a senior research fellow with Citizen Lab, testified in Princess Haya’s case and told ZDNet that he felt compelled to participate in the trial because of how brazen Sheikh Mohammed’s actions were. Marczak was also intimately involved in the case, having notified Princess Haya about Pegasus being used against her hours before NSO Group contacted her lawyers. Marczak explained to ZDNet that he personally confirmed the use of Pegasus by forensically analyzing the phones, but said he first became aware of the possible use of Pegasus when he identified the IP address of the law firm Payne Hicks Beach among a set of potential victim IP addresses he developed in his research.

    During the trial, it was revealed that Princess Haya’s lawyers discovered their devices had been hacked because the wife of former UK Prime Minister Tony Blair, Cherie Blair, works for NSO Group and knows Fiona Shackleton, one of the lawyers involved in the case. On August 5, 2020, Blair was called by an NSO Group employee and told that “it had come to their attention” Pegasus was being used on the phones of Princess Haya and Shackleton. The NSO employee said they cut off access to the phones through Pegasus and needed help contacting Shackleton about the issue.

    But Marczak disputed this retelling of events, saying he was the one who first told Princess Haya’s lawyers about the hack hours before NSO Group tried to contact them. “One interesting detail that emerged in the proceedings was that NSO Group had notified Princess Haya’s lawyers several hours after I did, despite the fact that the court found one of the targets was hacked as early as November 2019,” Marczak said. “Here’s an interesting question: would NSO Group have notified Princess Haya’s lawyers had I not done my own notification?”

    What stood out most to Marczak was NSO Group’s atypically robust response; he noted that it was not common for the spyware firm to cut off access to its tool. “Not only did NSO Group notify the targets of the surveillance shortly after I did, but they also claim to have disconnected one of their customers over the matter,” he explained. “Furthermore, NSO Group said that they instituted a policy where their foreign customers are not generally allowed to spy in the UK. We see abuses of NSO Group’s Pegasus spyware all the time, but we almost never see NSO take remediative action like this.”

    Marczak’s testimony in the case centered on how powerful the Pegasus spyware is, and he explained how the tool gives users full access to a person’s device without them knowing. He also confirmed that the phones were hacked by a single operator from the UAE. “This is one of the most naked abuses of government spyware I’ve ever seen. NSO Group and its customers sometimes try to justify surveillance against dissidents and journalists by pointing to national security or terrorism concerns, but it’s a lot harder to paint your ex-wife and her family court lawyers as terrorists,” Marczak said. “When the prospect of the UAE spying on Princess Haya’s lawyers came to light, I felt compelled to notify them and help them make sense of what had happened.”

    Marczak added that he could not think of another case where forensics confirmed that Pegasus was used this way.

    He noted that there have been a few allegations of rulers using Pegasus for non-political reasons. He mentioned the case of a former Panamanian president, Ricardo Martinelli, who was alleged to have used Pegasus to spy on his mistresses, according to an extradition request from the US.

    Marczak added that there are now wider concerns that the spyware will be used in personal disputes by repressive world leaders. “It is an ongoing risk, especially when so many of NSO Group’s customers are places where the personal affairs of the leader can often get entangled with national security concerns. There is nothing that the average person can do to defend against this, but the targets are often not average people.”

    He recommended that at-risk users consider disabling iMessage, FaceTime, WhatsApp and other messaging apps if they’re not using them, because these are popular vectors for phone hacking. He also mentioned that it would help to segregate activity onto different devices, which can mitigate the damage if a single device is hacked. He suggested having one phone for work, one phone for a sensitive project you’re working on and one phone for personal life.

    NSO Group said it has cancelled its contract with the United Arab Emirates after it discovered how Pegasus was being used. “As the NSO letter of December 2020 makes plain, after its investigation NSO has adopted the extreme remedy of terminating its customer’s use of the Pegasus software. In commercial terms, this step is to be understood as having great significance,” Judge Andrew McFarlane, President of the Family Division in England and Wales, wrote in his ruling.

    But Marczak said the NSO Group’s flagrant actions prove more cases will emerge of Pegasus being misused in this way. “Without better regulation of the industry and its customers, this is inevitable,” Marczak said.


    Ransomware: Cyber criminals are still exploiting these old vulnerabilities, so patch now

    Some of the cybersecurity vulnerabilities most commonly exploited by cybercriminals to help distribute ransomware are years old — but attackers are still able to take advantage of them because security updates aren’t being applied.

    Cybersecurity researchers at Qualys examined the Common Vulnerabilities and Exposures (CVEs) most used in ransomware attacks in recent years. They found that some of these vulnerabilities have been known for almost a decade and had vendor patches available. But because many organizations still haven’t applied the available security updates, they remain vulnerable to ransomware attacks.

    The oldest of the top five vulnerabilities detailed in the analysis is CVE-2012-1723, a vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7, which was detailed in 2012. According to researchers, it’s been commonly used to distribute Urausy ransomware. This ransomware is somewhat basic, but some organizations have remained vulnerable because they haven’t applied the relevant security patches.

    Two other common vulnerabilities detailed by researchers are from 2013. CVE-2013-0431 is a vulnerability in JRE exploited by Reveton ransomware, while CVE-2013-1493 is a flaw in Oracle Java that is targeted by Exxroute ransomware. In both cases, patches to remedy the vulnerabilities have been available for over eight years.

    CVE-2018-12808, meanwhile, is a three-year-old vulnerability in Adobe Acrobat, which is used to deliver ransomware via phishing emails and malicious PDF files. Both Ryuk ransomware and what many believe to be its successor, Conti ransomware, have been known to use this attack method.

    The most recent vulnerability on the list is CVE-2019-1458, a privilege escalation vulnerability in Windows that emerged in December 2019 and has been commonly used by the NetWalker ransomware group. As with the other vulnerabilities detailed by researchers, cybercriminals have been able to continue launching successful attacks because the available security update hasn’t been applied.

    For IT and information security teams, applying all the patches needed to keep a network secure is often an uphill battle. “The rate at which vulnerabilities are rising is exponentially higher than the rate at which operations teams are patching. This is the number one driving factor for why vulnerabilities remain unpatched,” Shailesh Athalye, SVP of product management at Qualys, told ZDNet. “It is easy for operations teams to get overwhelmed when they do not have a prioritized list of patches or software listings provided from security teams.”

    Cyberattackers know that many organizations struggle with patching, so they are actively scanning for vulnerabilities that enable them to lay down the foundations for ransomware and other cyberattacks. Patch management can be a complex and time-consuming process. Still, information security teams need to take the time to apply critical security updates, particularly if they’re known to be commonly exploited by cybercriminals and ransomware gangs.

    “There is no silver bullet to prevent ransomware and remediate vulnerabilities, but overall, driving processes for reducing an attack surface should be the goal,” said Athalye. “The important part of vulnerability management is the combination of vulnerability assessment, prioritization and remediation.”


    BrewDog exposed data of 200,000 shareholders for over a year

    Researchers say that BrewDog exposed the personally identifiable information (PII) of roughly 200,000 shareholders for the best part of 18 months. 


    According to PenTestPartners, BrewDog “declined to inform their shareholders and asked not to be named” in the research revealing the security flaw. On October 8, the cybersecurity firm said that the Scottish brewery implemented a hard-coded Bearer authentication token associated with API endpoints designed for BrewDog’s mobile applications. Tokens were returned, but because they were hard-coded rather than issued once a user had submitted their credentials, the verification step that should gate access to an endpoint was missed.

    PenTestPartners members, who happened to be BrewDog shareholders, appended each other’s customer IDs at the end of API endpoint URLs. During tests, they found they were able to access the PII of Equity for Punks shareholders without a suitable authentication challenge. Names, dates of birth, email addresses, genders, telephone numbers, previously used delivery addresses, shareholder numbers, shares held, referrals, and more were accessible. However, the customer IDs were not considered “sequential.”

    “An attacker could brute force the customer IDs and download the entire database of customers,” the researchers said. “Not only could this identify shareholders with the largest holdings along with their home address, but it could also be used to generate a lifetime’s supply of discount QR codes!”
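    The two API designs described above, side by side, as an added illustration written for this page (it is not PenTestPartners’ or BrewDog’s code, and the customer records, usernames, passwords and tokens in it are constructed sample values). The vulnerable handler accepts a token that is baked into the app build and never ties the customer ID in the URL to the caller, so any app user can read any record; the hardened handler issues a random per-session token only after a credential check and refuses any customer ID the session was not issued for.

```python
"""Added example, not code from the original article: a minimal model of a
hard-coded bearer token plus an unchecked customer ID in the URL (the flaw the
article describes), beside a per-session token bound to one customer.

Every customer, password and token below is constructed sample data.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict

# Constructed sample "database" of shareholder PII (fictional values).
CUSTOMERS = {
    1001: {"name": "Alice Example", "dob": "1980-01-01", "shares": 42},
    1002: {"name": "Bob Example", "dob": "1975-06-30", "shares": 7},
}

# Constructed stand-in for a token compiled into an app build: every copy of
# the app carries the same value, so it identifies the app, not the user.
APP_BUILD_TOKEN = "hardcoded-app-token"


class Unauthorized(Exception):
    """Caller presented no valid credential."""


class Forbidden(Exception):
    """Caller is authenticated but not allowed to read this record."""


# --- Vulnerable design -------------------------------------------------------

def vulnerable_get_customer(bearer_token: str, customer_id: int) -> dict:
    """The only check is that the bearer token equals the one shipped inside
    the app, which every user of the app has. The customer_id taken from the
    URL is never tied to the caller, so any ID can be requested."""
    if not hmac.compare_digest(bearer_token, APP_BUILD_TOKEN):
        raise Unauthorized("bad token")
    return CUSTOMERS[customer_id]


# --- Hardened design ---------------------------------------------------------

def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the credential store never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    customer_id: int
    salt: bytes
    pw_hash: bytes


# Constructed credential store (sample passwords, fresh salts per run).
_SALT_A, _SALT_B = secrets.token_bytes(16), secrets.token_bytes(16)
ACCOUNTS = {
    "alice": Account(1001, _SALT_A, _hash_password("alice-pw", _SALT_A)),
    "bob": Account(1002, _SALT_B, _hash_password("bob-pw", _SALT_B)),
}

# Server-side session table: opaque random token -> customer ID it belongs to.
SESSIONS: Dict[str, int] = {}


def login(username: str, password: str) -> str:
    """Issue a fresh random bearer token only after the credentials verify,
    and record server-side which customer that token belongs to."""
    acct = ACCOUNTS.get(username)
    if acct is None:
        raise Unauthorized("unknown user")
    if not hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
        raise Unauthorized("bad password")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = acct.customer_id
    return token


def hardened_get_customer(bearer_token: str, customer_id: int) -> dict:
    """Authenticate the session, then authorize: the ID in the URL must be
    the ID the session was issued for. Any other ID is refused, so walking
    through customer IDs yields nothing."""
    owner = SESSIONS.get(bearer_token)
    if owner is None:
        raise Unauthorized("no such session")
    if owner != customer_id:
        raise Forbidden("token is not for this customer")
    return CUSTOMERS[customer_id]
```

    The point of the contrast is that a bearer token only answers “is this a real client?”; the authorization question “may this client read this record?” needs a server-side link between the token and a principal, which a value compiled into the app can never provide.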

    PenTestPartners noted that some of the PII exposed would fall under the GDPR protection banner, and hard-coding authentication tokens is a failure to meet these standards. Based on an analysis of older versions of the BrewDog app, the researchers say that the security issue was introduced in version 2.5.5, released in March 2020, and was not resolved for roughly 18 months. After PenTestPartners reached out with its findings, researcher Alan Monie tested a total of six different builds. It took four fix attempts before the issue was resolved in version 2.5.13, released on September 27. However, the changelog for this version does not appear to mention the vulnerability fix.

    “The vulnerability is fixed,” the researcher says. “As far as I know, BrewDog has not alerted their customers and shareholders that their personal details were left unprotected on the internet. I worked with BrewDog for a month and tested six different versions of their app for free. I’m left a bit disappointed by BrewDog both as a customer, a shareholder, and the way they responded to the security disclosure.”

    Speaking to ZDNet, a BrewDog spokesperson provided the following statement: “We were recently informed of a vulnerability in one of our apps by a third party technical security services firm, following which we immediately took the app down and resolved the issue. We have not identified any other instances of access via this route or personal data having been impacted in any way. There was, therefore, no requirement to notify users. We are grateful to the third-party technical security services firm for alerting us to this vulnerability. We are totally committed to ensuring the security of our users’ privacy. Our security protocols and vulnerability assessments are always under review and always being refined in order that we can ensure that the risk of a cyber security incident is minimized.”

    BrewDog also told us: “BrewDog was notified of a vulnerability and the potential for data to be compromised. Investigations found no evidence that it was. Therefore there is no requirement to inform the ICO. An independent party documented the case as is required by the ICO.”


    Russia poses the biggest nation-state cyber threat, says Microsoft

    Beijing-backed hackers caused a crisis after hacking Exchange email servers this year with flaws Microsoft didn’t know about, but Microsoft says Russian hackers are far more prolific than those from China, or any other nation. “During the past year, 58% of all cyberattacks observed by Microsoft from nation-states have come from Russia,” Tom Burt, Microsoft corporate vice president, said in a blog post detailing government-backed hacking over the past year.

    The US and UK blamed the Russian Foreign Intelligence Service (SVR) for the huge software supply chain attack on US enterprise software vendor SolarWinds, which affected 18,000 customers including top tech firms and US government agencies. Microsoft, which was also compromised by the hack, calls this group of hackers Nobelium; others call it APT28.

    Microsoft’s Burt warned that the past year showed Kremlin-backed hackers are becoming “increasingly effective”, with their attacks becoming more successful and driven by spying and intelligence campaigns. Many Russian-attributed attacks targeted enterprise virtual private network (VPN) software. “Russian nation-state actors are increasingly targeting government agencies for intelligence gathering, which jumped from 3% of their targets a year ago to 53% — largely agencies involved in foreign policy, national security or defense,” he explained.

    Russia’s hacking is primarily motivated by the nation’s politics, with the top targets being the United States, Ukraine and the UK, according to Microsoft. But other usual suspects also feature in Microsoft’s 2021 Digital Defense Report, including Iran and North Korea. A new entrant is Turkey, which has developed a taste for trojans. Notably absent from Microsoft’s report is work carried out by Israeli cyber teams. Israel is home to NSO Group, infamous for exploits targeting iPhones.

    Russian state-based hacking was mostly focused on Ukraine. Meanwhile, Israel was targeted increasingly by Iranian hackers. “Russia-based NOBELIUM raised the number of Ukrainian customers impacted from six last fiscal year to more than 1,200 this year by heavily targeting Ukrainian government interests involved in rallying support against a build-up of Russian troops along Ukraine’s border,” Microsoft notes in its Digital Defense Report. “This year marked a near quadrupling in targeting of Israeli entities, a result exclusively of Iranian actors, who focused on Israel as tensions sharply escalated between the adversaries.”

    Public sector agencies under fire from hackers are mostly “ministries of foreign affairs and other global government entities involved in international affairs”, according to Microsoft, while phishing attacks seeking to capture credentials affect consumer and enterprise accounts.

    Russian hackers have evolved supply chain attacks over the past decade. The biggest supply chain attack before SolarWinds was NotPetya in 2017, which spread through a little-known Ukrainian accounting software package and cost industrial giants billions in losses. Software supply chain attacks work because they’re carried out via updates from trusted software vendors, including security companies. SolarWinds may not be a household name, but it’s big in enterprise IT. Now, nearly every major US cybersecurity company is rallying behind US president Joe Biden’s cybersecurity order, which attempts to push the idea that even trusted networks can’t be trusted.

    However, critical infrastructure is the real change in the targets selected by Russian hackers. Biden reportedly told Russian president Vladimir Putin that critical infrastructure should be “off limits”, although this is a tricky position for the US when it’s widely known that the world’s most capable hackers work at the National Security Agency, which developed Stuxnet to target Iran’s uranium enrichment equipment. Microsoft’s top execs have previously criticised the NSA for hoarding zero-day exploits.

    “From July 2020 to June 2021, critical infrastructures were not the focal point according to the NSN information that was tracked. China-based threat actors displayed the most interest and Russia-based threat actors accounted for the least in targeting entities in the critical infrastructure sector,” Microsoft notes in its report. “Russian NOBELIUM’s cyber operations are a perfect example of displaying Russia’s interest in conducting operation for access and intelligence collection versus targeting a critical infrastructure for potential disruption operations.”


    Google announces new efforts to protect journalists and high-risk users from cyberattacks

    Google announced on Friday that it would be delivering a slate of new cybersecurity protection features for high-risk users one day after telling about 14,000 Gmail users that they had been targets of Russian-government group APT28.


    In a blog post, Google said an increasing number of cyberattacks targeted high-profile individuals and groups, forcing it to take extra measures and create a team “dedicated to detecting and stopping the world’s most sophisticated cybercriminals.”

    “We’re excited to be working with these leading organizations to protect high-risk user groups and learn more about the needs of at-risk users and organizations. These collaborations help us make the world’s most advanced security even stronger, more inclusive and easier to use — helping everyone stay safer with Google,” the company explained.

    In addition to touting the Advanced Protection Program (APP) that users can turn on to beef up their protection from certain attacks, Google said it was partnering with organizations across the globe to provide free security keys to over 10,000 high-risk users throughout 2021. “APP brings Google’s strongest security protections together into a holistic program that is constantly upgraded in response to emerging threats. APP is available to all users but is specifically designed for individuals and organizations at higher risk of targeted online attacks, such as elected officials, political campaigns, human rights activists and journalists,” Google explained. “Users who enroll in APP are protected against a wide variety of online threats, including sophisticated phishing attacks (through the use of security keys), malware and other malicious downloads on Chrome and Android, and unauthorized access to their personal account data (such as Gmail, Drive or Photos). As new threats are discovered, APP evolves to provide the latest protections.”

    Google also announced new partnerships with the International Foundation for Electoral Systems (IFES), UN Women and nonprofit Defending Digital Campaigns (DDC).

    Google is working with IFES on global educational security programming for human rights workers and groups online, providing free security keys for attendees of the group’s global cyber hygiene trainings. The group has provided specific support to journalists in the Middle East and women activists in Asia through its virtual “She Leads” series. By next year, Google said it plans to expand its work with the group “through a continued contribution of Titan Security keys and educational materials for their high-risk user trainings.”

    “Equipping our participants with Google Titan Keys alongside the Advanced Protection Program Team has allowed us to improve our participants’ cyber hygiene with a more secure method for protecting and authenticating their accounts,” said Dr. Stephen Boyce, senior global advisor for election technology and cybersecurity at IFES.

    Google said it will continue offering consultations on online safety and security workshops to UN Women and the many chapters worldwide that support women who are at higher risk of online attacks, including journalists, activists, politicians and executives. According to the blog, workshop attendees are trained on tools to better protect their organizations and the high-risk women they support.

    Titan Security Keys were also provided by Google to more than 180 eligible federal campaigns during the 2020 US election season through DDC. Google is now working with DDC to provide further protection for state-level campaigns and political parties, committees, and related organizations, including workshops and training on protecting against cyberattacks. By the 2022 US midterm elections, Google said the DDC will have already worked on cybersecurity trainings for members of both political parties in every state in the country.

    Michael Kaiser, CEO of DDC, said candidates, their family members and close associates, campaign staffers and volunteers, state party staff, vendors to campaigns and virtually anyone who works in the political space are at greater risk of being attacked than most computer users. “DDC’s collaboration with Google around the provision of Titan Keys and training is designed to address the most significant and likely vector of compromise: people’s accounts,” Kaiser said. “The number one recommendation DDC has for any campaign is to use security keys. We know that when a campaign uses security keys and turns on Google’s Advanced Protection Program, they have greatly enhanced their cybersecurity and at the same time protecting our Democracy.”

    The DDC has already trained hundreds of local campaign workers, state party staff members, and people who work at related political organizations across 21 states. Google also noted that it partnered with the DDC to deploy a publicly available cybersecurity Knowledge Base to help campaigns and political organizations with cybersecurity information. “The Knowledge Base includes step-by-step instructions for turning on better security protections including APP. Through the Knowledge Base and direct work with eligible campaigns, DDC provides hands-on assistance for getting cybersecurity tools implemented,” Google explained.

    The announcements come hours after Shane Huntley, director of Google’s Threat Analysis Group, wrote a thread on Twitter warning that it blocked attempts by Russian-government backed groups to attack thousands of high-profile people. “The warning really mostly tells people you are a potential target for the next attack so, now may be a good time to take some security actions. If you are an activist/journalist/government official or work in NatSec, this warning honestly shouldn’t be a surprise. At some point, some govt backed entity probably will try to send you something,” Huntley said. “What we see over and over again is that much of the initial targeting of government-backed threats is blockable with good security basics like security keys, patching and awareness, so that’s why we warn.”


    Building cyber radar systems could alert Indo-Pacific nations and their allies

    Image: Keith Alexander before the US Senate Intelligence Committee in 2017 (Getty Images)
    Russian ransomware operators need to be called out and suffer real consequences, according to retired general Keith Alexander, former head of the US National Security Agency (NSA) and US Cyber Command. “Right now, the ransomware guys, in Russia predominantly, get off pretty much free. There is very limited downside for them,” Alexander told a seminar at the Australian Strategic Policy Institute’s International Cyber Policy Centre last week. “We have to attribute who’s doing it and make them pay a price.” We call out cybercrime groups like REvil and DarkSide, but we need to do more, he said. “Imagine if we indicted and put their picture up, and said, ‘That’s the guy, and if we can, we will arrest you. You can’t move out of Russia. You’re gonna have to stay there for the rest of your life’.”

    Alexander has always sat at the hawkish end of the cyber spectrum. In 2013 he echoed then-McAfee vice-president Dmitri Alperovitch’s description of cybercrime and cyber espionage as the greatest transfer of wealth in history — perhaps forgetting for a moment the vast empires of the European colonial powers.

    Now he notes the importance of international cooperation against the cyber forces of nation-states and their puppets. “All the attacks that are going on there [in Australia], here [in the US], in Europe, the theft of intellectual property, this is something that we need to collectively get out in front of,” he said. Alexander described the July 1 speech by China’s president Xi Jinping as “a gauntlet being laid down that said there would be bloodshed and bashing of heads”. If the West pushes China over Taiwan or the South China Sea, “there’s no limit to where they will go”. “I think we have to set that red line, and we have to work together to do it.” That cooperation has to extend into the private sector, he said. Incident response is not a defensive measure “I think the biggest problem that I faced in government, and that we face today, is governments — not just ours but yours as well — can’t see attacks on the private sector. Yet the government is responsible for defending the private sector,” Alexander said. “How are you going to defend that which you can’t see? Incident response is not a defensive measure. That’s after everything bad has happened.” The SolarWinds supply chain attack is a prime example. The government didn’t find out about it until after the fact. “Now people push on the government, ‘Hey, why didn’t you know?’ And the answer is because the government doesn’t have the authority, nor the capability, to see all the attacks on critical infrastructure,” Alexander said. “We need … I’ll call it an event generator, that shows events that are hitting companies at network speed, that can be anonymized, pushed up to the cloud, and create a radar picture, so you can now see all the companies where these types of events are hitting.” Needless to say, the conversation was peppered with words such as “behavioural analytics”, “expert system”, “machine learning” and “artificial intelligence”. 
Overcoming fears of sharing data with governments This need for cooperation, partnerships, and information sharing has been cited at every conference since the cybers were all in Roman numerals. But if everyone agrees that it’s a good thing, why doesn’t it just happen? “The real key issue is what are we talking about sharing?” Alexander said. If you’re talking about sharing the details of cyber events as we know them today, that is, things that you’re blocking, then that sharing is “almost useless”, because you’re already blocking it. Alexander says we have to share “all the things you don’t know”. To your correspondent, that sounds like private sector organisations having to share a lot more raw data with government agencies. Data about things they don’t yet know are a threat. Data which they might prefer, for whatever reasons, to keep out of government hands. The head of the Australian Cyber Security Centre (ACSC), Abigail Bradshaw, has noted a reluctance for organisations to share data with the agency. Sometimes they even lawyer up to prevent ACSC involvement in a breach investigation. “Perhaps there’s a commercial stigma or reputational stigma about reporting and alerting the public, and therefore shareholders, about a weakness,” Bradshaw said. “We’ve made it super, super clear that the ACSC is not a regulator,” she said. “The consequence of that is I become very boring in media interviews, because I refuse to talk about the juiciest case that’s come along. And apologies to all journalists, but it’s something that I will continue to defend.” It’s no accident that IronNet, the company Alexander founded when he left the NSA in 2014, has developed a “collective defense platform” which “leverages advanced AI-driven network detection and response capabilities to detect and prioritize anomalous activity inside individual enterprise network environments”. 
The obvious pitch is that governments could engage such a private sector system to correlate both government and non-government data, perhaps allaying some of the fears that would surround a purely government-owned platform. Bradshaw said that one of “the best parts” of the Security Legislation Amendment (Critical Infrastructure) Bill 2020 and its architecture is that there’s a “clear separation” between the regulators and the ACSC in its cyber assistance and response function. The Department of Home Affairs has repeatedly requested for that the Bill be rushed through Parliament. However, the Parliamentary Joint Committee on Intelligence and Security has recommended it be split in two so it’s more controversial aspects can be discussed in more depth. AUKUS and The Quad: not a modern jazz combo Alexander also praised the recently announced AUKUS defence technology agreement between Australia, the US, and the UK. At the heart of AUKUS is an intention for Australia to obtain a fleet of eight nuclear-powered submarines, but other technologies will be shared as well. “Cyber is going to be hugely important for our future,” Alexander said. “It’s the one area where adversaries can attack Australia, and the United States, without trying to cross the oceans. They can do it in cyber, and we have tremendous vulnerability. So getting out in front of that, I think is hugely important.” Alexander envisages a cyber radar picture that covers not just the AUKUS nations but other allies such as the Quadrilateral Security Dialogue (the Quad) of Australia, India, Japan, and the US. “Imagine if we could build, and we built, a radar picture for cyber that covered not only what impacts Australia, but what impacts other countries. And we could share in real time threats that are hitting our countries, and protect from that,” he said. 
“I think when you start thinking about the Quad and other things, that’s the type of thing I would say, as we move forward, that’s where our partnership has to go.”


    JFTC starts another antitrust probe against Apple and Google on smart devices: Report

    The Japanese Fair Trade Commission (JFTC) is reportedly commencing a new antitrust investigation into Apple and Google-parent Alphabet’s conduct across various technology areas. According to Nikkei, the Japanese competition watchdog will conduct interviews and surveys with OS operators, app developers, and smartphone users to assess whether Apple and Google have created anti-competitive market conditions in the smartphone, smartwatch, and other wearables sectors. The JFTC will reportedly work with the government-run Digital Market Competition Council during the probe.

    The new investigation comes just over a month after the JFTC closed an investigation into Apple’s in-app purchasing system. In that investigation, the Japanese competition watchdog found Apple acted anti-competitively in requiring developers to pay Apple’s commission on in-app purchases, and that it should allow them to point users to external payment options, like their own websites.

    To close that investigation, Apple made a deal with the JFTC to allow developers of “reader” apps to link to external websites for setting up and managing accounts. The update will take effect sometime next year, Apple said in September. Reader apps are those that provide previously purchased content or content subscriptions for digital magazines, newspapers, books, audio, music, and video, such as Spotify and Netflix.

    Around the world, regulators have set their eyes on the market dominance of Apple and Google. In Australia, the government is undertaking various probes on the two companies focusing on a wide range of areas, spanning from ad tech to browsers to mobile operating systems. In the US, various states have filed a lawsuit against Google for its alleged anti-competitive control over the app store market. A US probe that wrapped up last October found Amazon, Facebook, Apple, and Google all had an “alarming pattern” of using innovation-stifling practices.
In light of those findings, the government in August introduced a Bill into Congress that is aimed at curbing “big tech bullying”.

    The European Union, meanwhile, has doled out billions of dollars worth of fines to both Google and Apple for alleged anti-competitive behaviour.


    Additional fixes released addressing Apache HTTP Server issue

    Apache released additional fixes for CVE-2021-41773 on Thursday as government agencies like CISA warned that one vulnerability related to the Apache HTTP Server issue had been exploited in the wild. As ZDNet reported on Wednesday, developers behind the Apache HTTP Server Project urged users to apply a fix immediately to resolve a zero-day vulnerability. The Apache Software Foundation released Apache HTTP Server version 2.4.50 to address two vulnerabilities that would allow an attacker to take control of an affected system. In a notice on Wednesday, CISA said one of the vulnerabilities, CVE-2021-41773, has already been exploited in the wild.

    “It was found that the fix for CVE-2021-41773 in Apache HTTP Server 2.4.50 was insufficient. An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration ‘require all denied’, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution,” Apache said in a notice. “This issue only affects Apache 2.4.49 and Apache 2.4.50 and not earlier versions.”

    CISA said that “active scanning of Apache HTTP Server CVE-2021-41773 & CVE-2021-42013 is ongoing and expected to accelerate, likely leading to exploitation.” “These vulnerabilities have been exploited in the wild. Please patch immediately if you haven’t already — this cannot wait until after the weekend,” the government agency added.
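    Apache’s notice ties exploitability to two configuration conditions: whether files outside the aliased directories are covered by the default “require all denied”, and whether CGI is enabled for the aliased paths. The httpd.conf fragment below is an added illustration of those two settings, not taken from Apache’s notice or any source quoted in this story; the paths /srv/app/static and /usr/lib/cgi-bin are assumed for the example.

```apache
# Added configuration example (not from the Apache notice or any cited vendor).
# Assumed example paths: /srv/app/static (aliased static content),
#                        /usr/lib/cgi-bin (CGI scripts).

# --- Weak filesystem default (shown for contrast, do not use) ---
# Opening the whole filesystem means a request that escapes an aliased
# directory is served from wherever it lands on disk. This is the
# "not protected by the usual default configuration" case in the notice.
#
# <Directory />
#     AllowOverride None
#     Require all granted
# </Directory>

# --- Hardened filesystem default ---
# Deny everything first; each later <Directory> block opens exactly one
# subtree. A traversal that resolves outside an opened subtree is refused
# by this block even before the traversal fix in httpd itself is considered.
<Directory />
    AllowOverride None
    Require all denied
</Directory>

# Alias maps a URL prefix onto a filesystem directory (an "Alias-like
# directive" in the notice). Grant access only to that directory, not to
# its parent, so nothing above /srv/app/static is ever served.
Alias "/static/" "/srv/app/static/"
<Directory "/srv/app/static">
    Options None
    AllowOverride None
    Require all granted
</Directory>

# CGI: the notice says remote code execution needs CGI enabled for the
# aliased paths. If you do not need CGI, leave mod_cgi/mod_cgid unloaded and
# add no ScriptAlias at all. If you do, scope it to one dedicated directory.
# LoadModule cgid_module modules/mod_cgid.so   # only if CGI is required
ScriptAlias "/cgi-bin/" "/usr/lib/cgi-bin/"
<Directory "/usr/lib/cgi-bin">
    AllowOverride None
    Options None
    Require all granted
</Directory>
```

    The hardened default is defence in depth, not a substitute for the additional fixes Apache released: it limits what a traversal can reach, and keeping CGI off for aliased content removes the path from file read to code execution that the notice describes. After editing, run `apachectl configtest` and restart httpd so the new `<Directory>` blocks take effect.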

    According to Bleeping Computer, about 25% of websites worldwide are backed by the open-source, cross-platform Apache HTTP Server. Sonatype researchers said that approximately 112,000 Apache servers are running the vulnerable version, with roughly 40% located in the United States. Rapid7 Labs said it identified about 65,000 potentially vulnerable versions of Apache httpd exposed to the public internet on Wednesday. Researchers say the issue is actively being scanned for in the wild.
    “The vulnerability itself is not exploitable in normal or default conditions. The biggest impact this issue will have will be on applications that have packaged Apache 2.4.49 and a configuration that enables the vulnerability. One such application is Control Webpanel (also known as CentOS Webpanel), which is used by hosting providers to administer websites, similar to cPanel,” said Derek Abdine, CTO at Censys. “There are currently just over 21,000 of these that are Internet-facing and appear vulnerable.”

    Censys senior security researcher Mark Ellzey added that he expects there to be some fallout for this but that it may not be widespread. Compared to recent vulnerabilities related to Confluence or VMware, he said the urgency and effectiveness of exploits for this issue don’t rise to a similar level. “Anything outside of the bad config is probably going to be a targeted attack on specific applications. I’d wager that we might see some code leaks,” Ellzey said.

    The vulnerabilities were first discovered by Ash Daulton of the cPanel security team and the latest issues were found by Shungo Kumasaka, Dreamlab Technologies’ Juan Escobar and NULL Life CTF’s Fernando Muñoz. Exploits were quickly created and released once the vulnerability was publicized.