More stories


    HP patches severe OMEN driver privilege escalation vulnerability

    A high-impact vulnerability in OMEN Command Center driver software has been patched by HP.

    On Tuesday, researchers from SentinelLabs published a technical deep-dive on the bug, tracked as CVE-2021-3437 and issued with a CVSS score of 7.8. SentinelLabs says the high-severity flaw impacts “millions of devices worldwide,” including a wide variety of OMEN gaming laptops and desktops, as well as HP Pavilion and HP ENVY models.

    Found by SentinelLabs researcher Kasif Dekel, CVE-2021-3437 is a privilege escalation vulnerability in the HP OMEN Command Center. The gaming hub can be used to adjust settings to a gamer’s preference, including fan speeds and overclocking, as well as to monitor a PC’s and network’s overall performance. A driver developed by HP and used by the software, HpPortIox64.sys, is the source of the security issue. According to the researchers, its code partially comes from WinRing0.sys, an OpenLibSys driver used for actions including reading and writing kernel memory. “The link between the two drivers can readily be seen as on some signed HP versions the metadata information shows the original filename and product name,” SentinelLabs noted.

    Privilege escalation bugs have been found in the WinRing0.sys driver in the past, including flaws that let users abuse its IOCTL interface to perform privileged actions.

    Several lines of code in the driver’s IOCTL system call function “allow user mode applications with low privileges to read/write 1/2/4 bytes to or from an IO port,” the team says. Port I/O is a kernel-only primitive, so handing it to low-privilege callers lets them perform system-level actions from user mode. “This high severity flaw, if exploited, could allow any user on the computer, even without privileges, to escalate privileges and run code in kernel mode,” the researchers say. “Among the obvious abuses of such vulnerabilities are that they could be used to bypass security products. An attacker with access to an organization’s network may also gain access to execute code on unpatched systems and use these vulnerabilities to gain local elevation of privileges. Attackers can then leverage other techniques to pivot to the broader network, like lateral movement.”

    HP OMEN Gaming Hub prior to version 11.6.3.0 and the HP OMEN Gaming Hub SDK Package prior to 1.0.44 are impacted. At the time of writing, there is no evidence that the bug has been exploited in the wild.

    SentinelLabs reported its findings on February 17, 2021. By May 14, HP sent a proposed fix to the researchers, but it was found to be insufficient. HP’s security team then changed tack and disabled the vulnerable feature to resolve the flaw, with the fix delivered on June 7. A patched version of the software was made available in the Microsoft Store on July 27.

    “We would like to thank HP for their approach to our disclosure and for remediating the vulnerabilities quickly,” the researchers commented. “We urge users of these products to ensure they take appropriate mitigating measures without delay.”

    HP has published a security advisory on CVE-2021-3437, describing the flaw as a privilege escalation and denial-of-service issue. “We constantly monitor the security landscape and value work that helps us identify new potential threats,” HP told ZDNet. “We have posted a security bulletin. The security of our customers is always a top priority and we urge all customers to keep their systems up to date.”
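    The pattern SentinelLabs describes, as an added example written for this page (it is not HP’s HpPortIox64.sys or the WinRing0 source): a user-space model of an IOCTL dispatch that hands raw port I/O to any caller, beside a hardened dispatch that refuses user-mode requestors before doing any work. The IOCTL codes, the request struct, the NTSTATUS-style values and the emulated port space are assumptions standing in for the real IRP and the in/out instructions a kernel driver would execute.

```c
/* Added example for this page: a user-space model of the flawed IOCTL pattern
 * (low-privilege callers get raw port I/O) next to a hardened dispatch that
 * refuses user-mode requestors. NOT HP's HpPortIox64.sys or WinRing0 code;
 * the control codes, request struct and port space are assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for Irp->RequestorMode (assumed, simplified). */
typedef enum { KERNEL_MODE = 0, USER_MODE = 1 } requestor_mode_t;

/* Hypothetical control codes; the real driver's codes are not on the page. */
#define IOCTL_PORT_READ  0x9C402400u
#define IOCTL_PORT_WRITE 0x9C402404u

/* Simplified NTSTATUS-style results. */
enum { STATUS_SUCCESS = 0, STATUS_ACCESS_DENIED = -1,
       STATUS_INVALID_PARAMETER = -2, STATUS_NOT_SUPPORTED = -3 };

typedef struct {
    requestor_mode_t requestor; /* who issued the request */
    uint32_t ioctl;             /* control code */
    uint16_t port;              /* x86 I/O port, 0..0xFFFF */
    uint8_t  size;              /* 1, 2 or 4 bytes, as the advisory text says */
    uint32_t value;             /* in: value to write; out: value read */
} port_request_t;

/* Emulated I/O port space so the model runs without ring 0. */
static uint8_t g_ports[0x10000];

/* Shared worker: validates width and range, then does the (emulated) port I/O.
 * Bytes move little-endian, matching x86 port width semantics. */
static int do_port_io(port_request_t *req)
{
    if (req->size != 1 && req->size != 2 && req->size != 4)
        return STATUS_INVALID_PARAMETER;
    if ((uint32_t)req->port + req->size > sizeof g_ports)
        return STATUS_INVALID_PARAMETER;
    if (req->ioctl == IOCTL_PORT_WRITE) {
        for (uint8_t i = 0; i < req->size; i++)
            g_ports[req->port + i] = (uint8_t)(req->value >> (8 * i));
        return STATUS_SUCCESS;
    }
    if (req->ioctl == IOCTL_PORT_READ) {
        req->value = 0;
        for (uint8_t i = 0; i < req->size; i++)
            req->value |= (uint32_t)g_ports[req->port + i] << (8 * i);
        return STATUS_SUCCESS;
    }
    return STATUS_NOT_SUPPORTED;
}

/* Flawed pattern: anyone who can open the device object gets port I/O. */
int vulnerable_dispatch(port_request_t *req)
{
    return do_port_io(req);
}

/* Hardened pattern: port I/O is a kernel-only need, so user-mode requestors
 * are refused up front. (A real driver would also restrict the device
 * object's ACL; HP's actual remediation, per the page, disabled the feature.) */
int hardened_dispatch(port_request_t *req)
{
    if (req->requestor == USER_MODE)
        return STATUS_ACCESS_DENIED;
    return do_port_io(req);
}

/* Simulate an unprivileged process asking for a 1-byte port write and report
 * whether the byte actually landed in port space. */
bool user_write_lands(int (*dispatch)(port_request_t *), uint16_t port, uint8_t byte)
{
    memset(g_ports, 0, sizeof g_ports);
    port_request_t req = { USER_MODE, IOCTL_PORT_WRITE, port, 1, byte };
    return dispatch(&req) == STATUS_SUCCESS && g_ports[port] == byte;
}

/* Kernel-mode write followed by read-back through the hardened path. */
bool kernel_roundtrip_ok(uint16_t port, uint8_t size, uint32_t value)
{
    memset(g_ports, 0, sizeof g_ports);
    port_request_t w = { KERNEL_MODE, IOCTL_PORT_WRITE, port, size, value };
    port_request_t r = { KERNEL_MODE, IOCTL_PORT_READ,  port, size, 0 };
    return hardened_dispatch(&w) == STATUS_SUCCESS &&
           hardened_dispatch(&r) == STATUS_SUCCESS && r.value == value;
}

int main(void)
{
    printf("vulnerable: user-mode write lands? %s\n",
           user_write_lands(vulnerable_dispatch, 0x0CF8, 0x5A) ? "yes" : "no");
    printf("hardened:   user-mode write lands? %s\n",
           user_write_lands(hardened_dispatch, 0x0CF8, 0x5A) ? "yes" : "no");
    printf("hardened:   kernel 4-byte round trip ok? %s\n",
           kernel_roundtrip_ok(0x0CFC, 4, 0x80001234u) ? "yes" : "no");
    return 0;
}
```

    The point of the model is where the check sits: the width and range validation in do_port_io is necessary but not sufficient, because a correctly formed request from an unprivileged process is still the whole problem. The requestor check (or an ACL that keeps unprivileged processes from opening the device at all) is what turns the primitive back into a kernel-only facility.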


    Close to half of on-prem databases contain vulnerabilities, with many critical flaws

    A five-year study has concluded with a sobering fact for businesses using on-premise servers: close to half contain vulnerabilities that may be ripe for exploitation. 

    Imperva released the results of the study on Tuesday. It analyzed roughly 27,000 databases and their security posture; in total, 46% of the on-premises databases scanned worldwide contained known vulnerabilities. On average, each database contained 26 security flaws, 56% of which were ranked as “high” or “critical” severity, including code execution vulnerabilities that can be used to hijack an entire database and the information it holds. All it may take, in some cases, is a Shodan scan to find a target and the delivery of a malicious payload.

    “This indicates that many organizations are not prioritizing the security of their data and neglecting routine patching exercises,” Imperva says. “Based on Imperva scans, some CVEs have gone unaddressed for three or more years.”

    France was the worst offender for unprotected databases, with 84% of those scanned containing at least one vulnerability and an average of 72 bugs per database. Australia followed with 65% (20 vulnerabilities on average), then Singapore (64%, 62 per database), the United Kingdom (61%, 37 on average) and China (52%, 74 per database). In the United States, 37% of databases contained at least one known vulnerability, with an average of 25 bugs each.

    The Microsoft Exchange Server hack has highlighted the ramifications of poor security for on-prem servers and their owners. In March, Microsoft released emergency patches to resolve four zero-days, known collectively as ProxyLogon, but once exploit code was developed and released, thousands of businesses were compromised. In other recent database security news, a critical vulnerability in Cosmos DB became public in August. The bug, described as “trivial” to exploit by cloud security firm Wiz, gave “any Azure user full admin access (read, write, delete) to another customer’s Cosmos DB instances without authorization.”


    Singapore, India to link national payment systems for cross-border transfers

    Singapore and India are working to link their respective national real-time payment systems, enabling funds to be transferred via mobile numbers and virtual payment addresses. The move aims to support growing remittance traffic and drive cross-border interoperability. Work to connect Singapore’s PayNow and India’s Unified Payments Interface (UPI) infrastructures was targeted for completion by July 2022, according to a statement released Tuesday by the Monetary Authority of Singapore (MAS). It added that the initiative was established in partnership with the Reserve Bank of India.

    The linkage would enable residents in both countries to make real-time, low-cost fund transfers directly between their local bank accounts. Funds from India could be transferred to Singapore via mobile numbers, while funds from Singapore could be transferred to India using UPI virtual payment addresses. These addresses are used by non-bank financial institutions to connect directly to PayNow and Fast and Secure Transfers (FAST), and enable users to send and receive payments through e-wallets or mobile banking apps. The user experience will be similar to how each payment system operates in its domestic market, MAS said.

    The Singapore central bank added that interoperability between PayNow and UPI would better facilitate growing remittance traffic and allow more organisations to join the payment ecosystem. It would also help drive automation of capital control rules and establish standardised formats to support future services between participants, it said. Describing the partnership as a milestone in the development of next-generation cross-border payment infrastructures between the two countries, MAS said such connectivity was in line with the G20’s financial inclusion priorities of driving “faster, cheaper, and more transparent” cross-border payments.

    MAS’ chief fintech officer Sopnendu Mohanty said: “By reducing the cost and inefficiencies of remittances between Singapore and India, the PayNow-UPI linkage will directly benefit individuals and businesses in Singapore and India that greatly rely on this mode of payment.” “Given that PayNow and UPI are integral components of their respective national digital infrastructures, the link between the two systems also paves the way for establishing more comprehensive digital connectivity and interoperability between the two countries,” Mohanty said.

    Singapore in April 2021 inked a similar pact with Thailand to enable users in both nations to transfer funds using the recipient’s mobile number. The collaboration tapped the two countries’ peer-to-peer payment systems, PayNow and Thailand’s PromptPay, and was part of a regional initiative to ease cross-border payments. Singapore earlier this month also announced it was working with the central banks of Australia, Malaysia, and South Africa to develop and test a common platform on which to process cross-border digital payments. The initiative to pilot the use of central bank digital currencies (CBDCs) for international transactions aims to bypass the need for intermediaries and, hence, slash the time and cost of such transactions.


    ExpressVPN sells to Kape Technologies for $936 million

    Kape Technologies has announced it will pick up ExpressVPN for $936 million, consisting of $237 million in Kape shares to ExpressVPN co-founders Peter Burchhardt and Dan Pomerantz, which will hand them a 14% stake in the combined entity, with the remainder to be paid in cash over the next two years. ExpressVPN said it would remain a separate service, and its team would continue to grow. Of its approximately 290 employees, 48% work in research and development.

    Kape called out ExpressVPN’s OEM arrangements with HP, HMD Global, Acer, Dynabook, and Philips. The VPN service has over 3 million customers, with over 40% in North America. During the 2020 fiscal year, ExpressVPN posted revenue of $279 million, up 37%, and adjusted EBITDA of $75 million, up 35%, Kape said in its regulatory filing. “Significant cross sell and revenue opportunities across the platform; top line and operational synergies greatly improve [customer lifetime value to acquisition cost] ratios and are anticipated to generate cost savings of $19 million in 2022 and $30 million on an annualised cost basis from 2023,” Kape said.

    Cross-selling aside, ExpressVPN claimed it would be able to provide better protection from a “wider range of threats”. “We’ve been impressed by Kape’s clear commitment to protecting the privacy of users,” ExpressVPN said in a blog post. “Their track record with upholding the exacting privacy practices and policies of other privacy protection services under the Kape umbrella is a strong testament to how seriously they take their responsibility to respect user privacy and rights.”

    In total, the combined company will have around 6 million paying subscribers. This is not Kape’s first VPN purchase: it previously bought VPN companies ZenMate and CyberGhost, and used to specialise in scareware under the Crossrider name.


    Google patches two Chrome zero-days

    Google announced fixes for 11 different bugs in Chrome on Monday, including two zero-days currently being exploited in the wild. Google listed all 11 of the fixes as well as the researchers who discovered them and the bounties handed out, but the two that caused the most stir were CVE-2021-30632 and CVE-2021-30633. “Google is aware that exploits for CVE-2021-30632 and CVE-2021-30633 exist in the wild,” Google explained. The two vulnerabilities were the only ones listed as submitted anonymously, on September 8.

    Google added that CVE-2021-30632 is an “out of bounds write in V8” and CVE-2021-30633 a “use after free in Indexed DB API.” All of the updates will roll out over the coming days and weeks as part of the Stable channel update to 93.0.4577.82 for Windows, Mac and Linux, Google said.


    Kevin Dunne, president at Pathlock, said this was the 10th zero-day exploit that Google had patched this year. “This milestone highlights the emphasis that bad actors are putting on browser exploits, with Chrome becoming a clear favorite, allowing a streamlined way to gain access to millions of devices regardless of OS,” Dunne said. 

    “Google’s commitment to patching these exploits quickly is commendable, as they operate Google Chrome as freeware and therefore are the sole entity who can provide these updates. We expect to see continued zero-day exploits in the wild, but we are confident Google will continue to place effort on security and providing timely patches to these exploits.”

    Browser bugs discovered from exploitation in the wild are among the most significant security threats, added John Bambenek, principal threat hunter at Netenrich. “Now that they are patched, exploitation will ramp up. That said, almost 20 years on and we haven’t made web browsing safe shows that the rapid embrace of technology continues to leave users exposed to criminals and nation-state actors,” Bambenek said. “Everyone wants to learn how to hack, too few people are working on defense.”


    Apple releases update fixing NSO spyware vulnerability affecting Macs, iPhones, iPads and Watches

    Apple has released an urgent security update for Mac, iPhone, iPad and Watch users after researchers with Citizen Lab discovered a zero-day, zero-click exploit from mercenary spyware company NSO Group that gives attackers full access to a device’s camera, microphone, messages, texts, emails, calls and more. Citizen Lab said in a report that the vulnerability, tagged as CVE-2021-30860, affects all iPhones with iOS versions prior to 14.8, all Mac computers with operating system versions prior to macOS Big Sur 11.6 or Security Update 2021-005 Catalina, and all Apple Watches prior to watchOS 7.6.2.


    Apple added that it affects all iPad Pro models, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch 7th generation. CVE-2021-30860 allows arbitrary code to be executed when a maliciously crafted file is processed; Citizen Lab noted that the vulnerability gives attackers access without the victim clicking anything. Citizen Lab previously showed that repressive governments in Bahrain, Saudi Arabia and elsewhere had used NSO Group tools to track government critics, activists and political opponents.

    Ivan Krstić, head of Apple Security Engineering and Architecture, told ZDNet that after identifying the vulnerability used by this exploit for iMessage, Apple “rapidly developed and deployed a fix in iOS 14.8 to protect our users.” “We’d like to commend Citizen Lab for successfully completing the very difficult work of obtaining a sample of this exploit so we could develop this fix quickly. Attacks like the ones described are highly sophisticated, cost millions of dollars to develop, often have a short shelf life, and are used to target specific individuals,” Krstić said. “While that means they are not a threat to the overwhelming majority of our users, we continue to work tirelessly to defend all our customers, and we are constantly adding new protections for their devices and data.”

    John Scott-Railton, a senior researcher at Citizen Lab, spoke out on Twitter to explain what he and Citizen Lab senior research fellow Bill Marczak found and reported to Apple. They found that the vulnerability has been in use since at least February; Apple credited them with discovering it.

    “Back in March my colleague Bill Marczak was examining the phone of a Saudi activist infected with Pegasus spyware. Bill did a backup at the time. A recent re-analysis yielded something interesting: weird looking ‘.gif’ files. Thing is, the ‘.gif’ files…were actually Adobe PSD & PDF files…and exploited Apple’s image rendering library. Result? Silent exploit via iMessage. Victim sees *nothing,* meanwhile Pegasus is silently installed and their device becomes a spy in their pocket,” Scott-Railton explained.

    “NSO Group says that their spyware is only for targeting criminals and terrorists. But here we are…again: their exploits got discovered by us because they were used against an activist. Discovery is an inevitable byproduct of selling spyware to reckless despots. Popular chat apps are the soft underbelly of device security. They are on every device and some have a needlessly large attack surface. Their security needs to be a *top* priority.”

    In a longer report about the vulnerability, Citizen Lab researchers said that it is the “latest in a string of zero-click exploits linked to NSO Group.” NSO Group has faced significant backlash globally after researchers discovered that governments, criminals and others were using its Pegasus spyware to tacitly track thousands of journalists, researchers, dissidents and even world leaders.

    “In 2019, WhatsApp fixed CVE-2019-3568, a zero-click vulnerability in WhatsApp calling that NSO Group used against more than 1,400 phones in a two-week period during which it was observed, and in 2020, NSO Group employed the KISMET zero-click iMessage exploit,” the researchers said. They said their latest discovery “further illustrates that companies like NSO Group are facilitating ‘despotism-as-a-service’ for unaccountable government security agencies.” “Regulation of this growing, highly profitable, and harmful marketplace is desperately needed,” they added.

    Reuters reported that since the concerns about NSO Group were raised publicly earlier this year, the FBI and other government agencies across the world have opened investigations into its operations. NSO Group is based in Israel, prompting the government there to kickstart its own investigation into the company. The company designed tools specifically to get around Apple’s BlastDoor defense, which was implemented in iMessage to protect users.

    Ryan Polk, senior policy advisor with the Internet Society, told ZDNet that the Pegasus-NSO case is a proof point for the dire consequences posed by encryption backdoors. “The tools built to break encrypted communications inherently run the risk of falling into the wrong hands — placing all who rely on encryption in greater danger. Imagine a world where tools like Pegasus come built in every app or device — however, unlike now, companies have no option to remove them and all users are targeted,” Polk said. “End-to-end encryption keeps everyone safe, especially those from vulnerable communities — like journalists, activists, and LGBTQ+ community members in more conservative countries.”

    In 2016, cybersecurity company Lookout worked with Citizen Lab to discover Pegasus. Hank Schless, senior manager of security solutions at Lookout, said the tool has continued to evolve and take on new capabilities. It can now be deployed as a zero-click exploit, which means that the target user doesn’t even have to tap a malicious link for the surveillanceware to be installed, Schless explained, adding that while the malware has adjusted its delivery methods, the basic exploit chain remains the same.

    “Pegasus is delivered via a malicious link that’s been socially engineered to the target, the vulnerability is exploited and the device is compromised, then the malware communicates back to a command-and-control (C2) server that gives the attacker free rein over the device. Many apps will automatically create a preview or cache of links in order to improve the user experience,” Schless said. “Pegasus takes advantage of this functionality to silently infect the device.”

    He added that NSO has continued to claim that the spyware is only sold to a handful of intelligence communities within countries that have been vetted for human rights violations. But the recent exposure of 50,000 phone numbers linked to targets of NSO Group customers was all people needed to see through NSO’s claims, he added.

    “This exemplifies how important it is for both individuals and enterprise organizations to have visibility into the risks their mobile devices present. Pegasus is an extreme, but easily understandable example. There are countless pieces of malware out there that can easily exploit known device and software vulnerabilities to gain access to your most sensitive data,” Schless told ZDNet.
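    The disguise Scott-Railton describes, files named .gif whose contents are really PSD or PDF, is something an investigator can check for mechanically. The following is an added example written for this page, not Citizen Lab’s, Lookout’s or Apple’s tooling: it compares what a filename claims against the file’s leading bytes, using the standard GIF, PDF and PSD signatures, and flags the disagreement. The sample filenames and byte strings are constructed here to stand in for an attachment cache; they are not recovered from any device.

```c
/* Added example for this page, not Citizen Lab's or Apple's code: flag files
 * whose extension says GIF but whose leading bytes say PDF or PSD, the
 * disguise the tweet above describes. Signatures are the standard ones; the
 * sample filenames and buffers below are constructed, not recovered data. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { KIND_UNKNOWN = 0, KIND_GIF, KIND_PDF, KIND_PSD } file_kind_t;

static const struct { const char *magic; size_t len; file_kind_t kind; } SIGS[] = {
    { "GIF87a", 6, KIND_GIF },
    { "GIF89a", 6, KIND_GIF },
    { "%PDF-",  5, KIND_PDF },
    { "8BPS",   4, KIND_PSD },
};

/* What the content says it is, judged only from the leading bytes. */
file_kind_t sniff_kind(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < sizeof SIGS / sizeof SIGS[0]; i++)
        if (len >= SIGS[i].len && memcmp(buf, SIGS[i].magic, SIGS[i].len) == 0)
            return SIGS[i].kind;
    return KIND_UNKNOWN;
}

/* Case-insensitive extension compare (avoids the POSIX-only strcasecmp). */
static bool ext_is(const char *ext, const char *want)
{
    for (; *ext && *want; ext++, want++) {
        unsigned char a = (unsigned char)*ext, b = (unsigned char)*want;
        if (a >= 'A' && a <= 'Z') a = (unsigned char)(a + ('a' - 'A'));
        if (a != b) return false;
    }
    return *ext == '\0' && *want == '\0';
}

/* What the filename claims, for the types this check cares about. */
file_kind_t claimed_kind(const char *name)
{
    const char *dot = strrchr(name, '.');
    if (!dot) return KIND_UNKNOWN;
    if (ext_is(dot, ".gif")) return KIND_GIF;
    if (ext_is(dot, ".pdf")) return KIND_PDF;
    if (ext_is(dot, ".psd")) return KIND_PSD;
    return KIND_UNKNOWN;
}

/* True when name and content disagree and both are recognised. Unknown
 * content (truncated, other formats) is deliberately not flagged, so the
 * check stays a low-noise triage filter rather than a general anomaly detector. */
bool is_disguised_image(const char *name, const uint8_t *buf, size_t len)
{
    file_kind_t claimed = claimed_kind(name), actual = sniff_kind(buf, len);
    return claimed != KIND_UNKNOWN && actual != KIND_UNKNOWN && claimed != actual;
}

/* Constructed samples standing in for an attachment cache (not real data). */
typedef struct { const char *name; const uint8_t *data; size_t len; } sample_t;
static const uint8_t S_REAL_GIF[]   = "GIF89a\x01\x00\x01\x00";
static const uint8_t S_PDF_AS_GIF[] = "%PDF-1.7\n1 0 obj";
static const uint8_t S_PSD_AS_GIF[] = "8BPS\x00\x01";
static const uint8_t S_TRUNCATED[]  = "GI";
static const sample_t SAMPLES[] = {
    { "cat.gif",      S_REAL_GIF,   sizeof S_REAL_GIF - 1 },
    { "IMG_4921.GIF", S_PDF_AS_GIF, sizeof S_PDF_AS_GIF - 1 },
    { "meme.gif",     S_PSD_AS_GIF, sizeof S_PSD_AS_GIF - 1 },
    { "blank.gif",    S_TRUNCATED,  sizeof S_TRUNCATED - 1 },
};

/* Walk the samples, print each hit, and return how many were disguised. */
int count_disguised(void)
{
    int hits = 0;
    for (size_t i = 0; i < sizeof SAMPLES / sizeof SAMPLES[0]; i++) {
        if (is_disguised_image(SAMPLES[i].name, SAMPLES[i].data, SAMPLES[i].len)) {
            printf("suspicious: %s (content kind %d)\n", SAMPLES[i].name,
                   (int)sniff_kind(SAMPLES[i].data, SAMPLES[i].len));
            hits++;
        }
    }
    return hits;
}

int main(void)
{
    printf("%d disguised file(s)\n", count_disguised());
    return 0;
}
```

    Run against the constructed samples it reports two hits, the PDF and the PSD masquerading as GIFs, and leaves the genuine GIF and the truncated file alone. In practice the same check belongs wherever an app hands untrusted attachments to a parser: sniffing the content type before choosing a decoder is cheap, and a mismatch is a strong signal even when the payload itself is not yet understood.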


    Brazil debates creation of national strategy to tackle cybercrime

    Amid growing concerns about increasing threats in the cybersecurity space, the Brazilian government and the banking sector are discussing the creation of a strategy to address crime in digital environments. The president of the Brazilian Federation of Banks (FEBRABAN), Isaac Sidney, and the Minister of Justice and Public Security, Anderson Torres, have started negotiations for the creation of a National Cybercrime Strategy. The topic was discussed at a meeting at the association’s headquarters in São Paulo on Friday (6).

    According to FEBRABAN, the discussions around the new plan will be informed by the experience of the National Strategy Against Corruption and Money Laundering, which is led by the Ministry of Justice and has been in place since 2003. Under the new strategy, the idea is to “expand the identification and repression” of the actors responsible for cybercrimes, the association said. Another goal is to expand the technical knowledge of the Brazilian security forces and “promote permanent cooperation between public and private agents.”

    The vision outlined by the banking association also includes the joint development of platforms for sharing data on digital fraud, support for training the security forces in cybersecurity and digital fraud, and use of the association’s cybersecurity laboratory. The plan would also include public awareness campaigns on cyber risks and fraud.

    According to German consultancy Roland Berger, Brazil currently ranks fifth among the world’s main cybercrime targets. A survey carried out by the company shows that in the first half of 2021 the country already exceeded the total number of ransomware attacks seen in all of 2020, with 9.1 million occurrences. In the private sector, preparedness to deal with cybercrime has been impaired by lack of investment: security teams are in place in less than a third of Brazilian organizations, even though most businesses frequently suffer attacks, recent research has found. Another study, published in February, suggests that most Brazilian companies have not increased their investment in information and cyber security since the Covid-19 pandemic emerged, despite an increase in threats.

    Attacks targeted at Brazilian public sector organisations have also become increasingly common. Last November, a major cyberattack against the Brazilian Superior Electoral Court brought the Court’s systems to a standstill for over two weeks. More recently, the Brazilian National Treasury was the target of a ransomware attack.

    Brazil published its first National Information Security Policy in 2018. The National Security Strategies for Cyber Security and Critical Infrastructure Security were published in 2020. In July, the Brazilian government created a cyberattack response network aimed at promoting faster response to cyber threats and vulnerabilities through coordination between federal government bodies. The Federal Cyber Incident Management Network will encompass the Institutional Security Office of the presidency as well as all bodies and entities under the federal administration. Public companies, mixed capital companies and their subsidiaries may join the network voluntarily.


    Moody's to invest $250 million in BitSight, create 'cybersecurity risk platform'

    Moody’s Corporation announced on Monday that it would be investing in cybersecurity company BitSight and working with the firm to create a “comprehensive, integrated, industry-leading cybersecurity risk platform.” First reported by CNN, the partnership will see Moody’s invest $250 million in BitSight, and the cybersecurity company will acquire Moody’s cyber risk ratings venture VisibleRisk, which it created with global venture group Team8.

    In a statement, Moody’s CEO Rob Fauber said organizations need a way to accurately measure and quantify cyber risk and exposure as they continue to invest in cyber defense and resilience. “Creating transparency and enabling trust is at the core of Moody’s mission — to help organizations assess complex, interconnected risks and make more informed decisions,” Fauber said. “BitSight is the leader in the cybersecurity ratings space, and together we will help market participants across disciplines better understand, measure, and manage their cyber risks and translate that to the risk of financial loss.”

    Moody’s said its Investors Service review of cyber vulnerability and impact found 13 sectors with high or medium-high risk, with “total rated debt exceeding $20 trillion.” Moody’s noted that BitSight has more than 2,300 customers around the world, including dozens of Fortune 500 companies, government agencies, insurers and asset managers.

    BitSight said its acquisition of VisibleRisk adds a cyber risk assessment capability and advances its ability to analyze and calculate an organization’s financial exposure to cyber risk. BitSight’s valuation grew to $2.4 billion after the investment. BitSight CEO Steve Harvey added that the partnership with Moody’s and the acquisition of VisibleRisk expand the company’s “reach to help customers manage cyber risk in an increasingly digital world.” “Cybersecurity is one of the biggest threats to global commerce in the 21st century,” Harvey said.

    The $250 million deal will make Moody’s the largest minority shareholder in BitSight, according to CNN. Fauber told CNN Business that the effort was started because of the opacity around cyber risk and the spate of serious cyberattacks that have affected a broader range of industries.