More stories

  • Apple, SonicWall, Internet Explorer vulnerabilities added to CISA list

    CISA has updated its Known Exploited Vulnerabilities Catalog with eight vulnerabilities, two of which have remediation dates of February 11. The list includes an Apple IOMobileFrameBuffer Memory Corruption vulnerability, a SonicWall SMA 100 Appliances Stack-Based Buffer Overflow vulnerability, a Microsoft Internet Explorer Use-After-Free vulnerability, a Microsoft Windows Background Intelligent Transfer Service (BITS) Improper Privilege Management vulnerability and two GNU Bourne-Again Shell (Bash) Arbitrary Code Execution vulnerabilities.
    The Apple and SonicWall vulnerabilities have a remediation date of February 11 and the rest have remediation dates of July 28. Apple released patches for the vulnerability — tagged as CVE-2022-22587 — last week, noting that a malicious application may be able to execute arbitrary code with kernel privileges. Apple said it is “aware of a report that this issue may have been actively exploited” and added that it was discovered by a member of Mercedes-Benz Innovation Lab and two other researchers.

    Rapid7 said earlier this month that CVE-2021-20038 — the SonicWall vulnerability — has a suggested CVSS score of 9.8 out of 10, explaining in a blog post that by exploiting this issue, “an attack can get complete control of the device or virtual machine that’s running the SMA 100 series appliance.”

    “This can allow attackers to install malware to intercept authentication material from authorized users, or reach back into the networks protected by these devices for further attack. Edge-based network control devices are especially attractive targets for attackers, so we expect continued interest in these kinds of devices by researchers and criminal attackers alike,” Rapid7 said.

    Vulcan Cyber CEO Yaniv Bar-Dayan said digital business has a cyber debt problem, telling ZDNet that this latest batch of eight CVEs added by CISA “proves the adage that ‘vulnerabilities age like milk.’”

    “Three of the eight vulnerabilities were first disclosed in 2014, and the average age of the CVEs added to the CISA database today is more than four years. Our IT security teams are struggling to mitigate decade-old risk, much less the threat du jour,” Bar-Dayan said.

    Netenrich’s John Bambenek said he understood the need to quickly patch the iOS vulnerability but questioned some of the other additions. “If the federal government needs another six months to patch an 8-year-old Bash shell vulnerability, then we might as well surrender our IT to North Korea now and save the taxpayers some money,” Bambenek said. “What I fail to understand is why ancient vulnerabilities are put on this list with such long periods of time to remediate.”

  • Updates released for multiple vulnerabilities found in 42 Gears' SureMDM products

    Multiple vulnerabilities have been discovered in the SureMDM device management solution sold by 42 Gears, prompting the company to release a series of updates to address the issues. Immersive Labs published a detailed breakdown of the vulnerabilities — one of which is critical — that affect SureMDM’s Linux agent and the web console. Kevin Breen, director of cyber threat research at Immersive Labs, told ZDNet that the company says it has more than five million successful deployments worldwide and 18,000 customers. 


    It is unclear how many use the products affected by the issues they discovered, but Breen said anyone using the Linux version listed in the post was vulnerable to those vulnerabilities. Anyone who used the web console was also vulnerable until December.

    “The more concerning set of vulnerabilities were the ones affecting the web console. These vulnerabilities could have allowed an attacker to gain code execution over individual devices, desktops or servers using the SureMDM web dashboard. By chaining the vulnerabilities affecting the web console together, an attacker could disable security tools and install malware or other malicious code onto every Linux, MacOS or Android device with SureMDM installed. An attacker does not need to know customer details to achieve this or even have an account on SureMDM,” Breen explained. “Once the attacker has sent the exploit to every customer account, they would simply need to wait for the first user to log into the SureMDM web console for the payload to be executed. Upon login, the web application would automatically start the infected jobs that would affect every managed device in the organization.”

    Breen added that the second set of vulnerabilities affecting hosts running the Linux Agent for SureMDM would have allowed attackers to gain remote code execution on hosts as the root user. The issue “could also be exploited with local access to the affected hosts in order to escalate privileges from standard to root user,” Breen noted.

    42 Gears released updates in November and January after working with Immersive Labs on the issue since July 2021. Immersive Labs noted that the company released multiple updates throughout the summer before finally addressing the vulnerabilities they found.

    Casey Bisson, head of product growth at BluBracket, said the vulnerabilities are a big deal because individually, they are all problematic, but collectively, they constitute a serious risk for users. 


    “Additionally, the workflow that led to a team building and shipping an app with so many vulnerabilities is particularly worrisome, even if we do not yet know how widespread the impact of these vulnerabilities is. Vulnerabilities like these are the unfortunate byproduct of the speed with which software is developed and shipped,” Bisson said. “It’s easy to criticize each of them as obvious or easy to avoid with good engineering, but the reality is that many of these types of vulnerabilities are fairly common. Organizations have no idea what risks they have in their code because they don’t scan for them. There is a systemic breakdown of processes and the application of key technologies that are allowing these vulnerabilities to get to market.”

    Vulcan Cyber engineer Mike Parkin noted that the series of issues discovered highlights the fact that vulnerabilities are often found in clusters rather than as a standalone problem. That researchers found new problems as the developer fixed the ones that had been reported is something threat actors also do, Parkin said. “The timeline is notable for the back and forth between the research team and the vendor, how long it took to get fixes in place, and how new vulnerabilities came to light during the process,” Parkin told ZDNet.

    Bugcrowd founder Casey Ellis took a more positive view of the situation, noting the timeline provided by Immersive Labs. The timeline and associated narrative demonstrate openness from 42 Gears in responding to external security feedback as well as highly organized and professional conduct from Immersive Labs to ensure their research — and the subsequent protection of the users of 42 Gears — was as complete and conducted in as safe a manner as possible, Ellis explained.

    “42 Gears is used widely enough to attract the attention of Immersive Labs, which is the data point which is most relevant here. These vulnerabilities look to be fairly impactful, but the thing that is striking to me about these issues is the amount of cooperation and collaboration in the timeline,” Ellis said. “Ideally, software would be perfect — but we know this isn’t always the case. After all, humans are responsible for writing it.”

  • The top reasons countries ask Google to remove content

    Google is the world’s number one search engine, with a 92.4% market share, according to Statista. It is not surprising then that the number of takedown requests made to Google by countries around the world continues to grow as our reliance on the internet keeps us online.

    Since 2009, Google has announced the number of content removal requests it receives from governments around the world in its annual Transparency Report — and there are some interesting trends in the report. Netherlands-based VPN company Surfshark has analysed these files to see which countries have asked Google to remove the most content and the most common reasons for those requests. It filtered the data from the Transparency Report by location, the volume of requests between 2011 and 2020, the volume of requests in 2020 alone, and the top reason for requests in each country and globally. Its goal was to reveal which government bodies around the world submit the most requests to Google to remove content and why.

    As a company, Google covers far more than just search engine requests and responses. Content removal can be requested across Google Docs, Google Play, Gmail, Maps, Photos, Ads and YouTube. But one of its products, YouTube, dominates takedown requests. Interestingly, YouTube receives more takedown requests than Google Search does. It tops the list of takedown requests in 2020 with 19,775 requests, with web search results not far behind at 19,198.

    There were even 37 requests for content removal on Google Maps. From 2011 to 2020, there were 101,015 takedown requests for YouTube, so requests in 2020 showed a significant jump in numbers.
    Surfshark’s findings show that Russia has sent Google more takedown requests over the past decade than all other countries combined, with 123,606 requests in total over the past ten years. Over one in three takedown requests cite national security as the main reason for the takedown request.
    The US has made a total of 9,627 content removal requests since 2011, citing defamation — the act of damaging the reputation of someone due to verbal or written communication — as the main reason for the request. Although China has only issued 1,252 takedown requests over the past ten years, over three out of four requests (76.04%) cite violence as the main reason for the takedown request.

    Defamation is the most prevalent cause for requests made, with 10 of the 25 countries citing this reason the most. However, more uncommon reasons for takedown requests include Religious Office (Pakistan), Violence (China), Fraud (Canada) and Government Criticism (Thailand and Vietnam).

    Removal requests from the US spiked in the Trump administration’s first year due to a 285.47% rise in fraud-related complaints. Almost one in ten of America’s 3,039,200 fraud victims in 2017 were tricked via internet or phone services. Now US Government removal requests have fallen by 67.23% since 201.

    Google is not the only company to receive takedown requests. Other companies such as Twitter also produce similar transparency reports. And Google, whilst dominating search and video viewings, does not control everything according to the Transparency Report. The report explained one of the reasons that it did not remove content was “the content has already been removed by the content owner”. Sometimes, Google even receives requests to ‘remove content from the internet’. Not even Google is that powerful, after all.

  • Ransomware: Over half of attacks are targeting these three industries

    Over half of ransomware attacks are targeting one of three industries: banking, utilities and retail, according to analysis by cybersecurity researchers – but they’ve also warned that all industries are at risk from attacks. The data has been gathered by Trellix – formerly McAfee Enterprise and FireEye – from detected attacks between July and September 2021, a period when some of the most high profile ransomware attacks of the last year happened.

    According to detections by Trellix, banking and finance was the most common target for ransomware during the reporting period, accounting for 22% of detected attacks. That’s followed by 20% of attacks targeting the utilities sector and 16% of attacks targeting retailers. Attacks against the three sectors alone account for 58% of all of those detected.

    Utilities is a particularly enticing industry for ransomware gangs to target, because the nature of the industry means it provides vital services to people and businesses and if those services can’t be accessed, it has an impact – as demonstrated by the ransomware attack against Colonial Pipeline, which led to gas shortages in the northeastern United States. The incident saw Colonial paying a ransom of millions to cyber criminals in order to receive the decryption key.

    Ransomware attacks against retailers can also have a significant impact, forcing shops to be restricted to taking cash payments, or even forcing them to close altogether while the issue is resolved, preventing people from buying everyday items they need. Other sectors which were significant targets for ransomware include education, government and industrial services, serving as a warning that no matter which sector they operate in, all organisations could be a potential target for ransomware.

    “Despite the financial, utilities and retail sectors accounting for nearly 60% of all ransomware detections – no business or industry is safe from attack, and these findings should act as a reminder of this,” said Fabien Rech, VP EMEA for Trellix. “As cybercriminals adapt their methods to target the most sensitive data and services, organisations must shore up their defences to mitigate further threats.”

    While several high-profile ransomware groups of 2021 seem to have disappeared or gone dark, particularly following arrests, new gangs and malware strains are emerging all the time and ransomware remains a key cybersecurity threat to organisations around the world.

    In order to help protect networks against ransomware and other cyber attacks, it’s recommended that organisations regularly apply the required security updates to operating systems, applications and software, something which can prevent hackers from exploiting known vulnerabilities to launch attacks. It’s also recommended that organisations apply multi-factor authentication across all accounts and that security teams attempt to scan for credential stealing attacks and other potential suspicious activity in order to prevent attacks before they happen.

  • Unsecured AWS server exposed 3TB in airport employee records

    An unsecured server has exposed sensitive data belonging to airport employees across Colombia and Peru. 


    On Monday, the SafetyDetectives cybersecurity team said the server belonged to Securitas. The Stockholm, Sweden-based company provides on-site guarding, electronic security solutions, enterprise risk management, and fire & safety services. In a report shared with ZDNet, SafetyDetectives said one of Securitas’s AWS S3 buckets was not appropriately secured, exposing over one million files on the internet.

    The server contained approximately 3TB of data dating back to 2018, including airport employee records. While the team was not able to examine every record in the database, four airports were named in exposed files: El Dorado International Airport (COL), Alfonso Bonilla Aragón International Airport (COL), José María Córdova International Airport (COL), and Aeropuerto Internacional Jorge Chávez (PE).

    The misconfigured AWS bucket, which did not require any authentication to access, contained two main datasets related to Securitas and airport employees. Among the records were ID card photos and personally identifiable information (PII), including names, photos, occupations, and national ID numbers. In addition, SafetyDetectives says that photographs of airline employees, planes, fueling lines, and luggage handling were also found in the bucket. Unstripped EXIF data in these photographs was exfiltrated, providing the time and date the photographs were taken as well as some GPS locations.
    “Considering Securitas’ strong presence throughout Colombia and the rest of Latin America, companies in other industries could have been exposed,” the researchers say. “It’s also probable that various other places that use Securitas’ security services are affected.”

    Application IDs listed within mobile apps were also stored in the bucket. The IDs were used for airport activities, including incident reports, pointing the researchers to the likely owner in the first place.

    The cybersecurity researchers reached out to Securitas on October 28, 2021, and followed up on November 2 after receiving no response. Securitas engaged in conversation with the team and secured the server on the same day. Swedish CERT was also informed. ZDNet has reached out to Securitas and will update when we hear back.

  • Microsoft: Here's how we stopped the biggest ever DDoS attack

    Microsoft has revealed that it stopped what it described as the largest distributed denial of service (DDoS) attack ever reported in history in November, which at 3.47 terabits per second (Tbps) outsized a mega 2.4 Tbps DDoS it thwarted last year that was then thought to be the largest DDoS in history. DDoS attacks harness the connectivity of many compromised devices and direct packets of data at a specific target, such as a website or internet service, with the aim of knocking it offline.


    Massive DDoS attacks measured in Tbps are becoming more common. According to Alethea Toh, a product manager on the Microsoft Azure networking team, Microsoft stopped two other DDoS attacks that exceeded 2.5 Tbps in December.

    The record-breaking 3.47 Tbps DDoS attack originated from approximately 10,000 sources from connected devices in the United States, China, South Korea, Russia, Thailand, India, Vietnam, Iran, Indonesia, and Taiwan. “We believe this to be the largest attack ever reported in history,” said Toh.

    The largest attacks last year used the User Datagram Protocol (UDP), while attacks focusing on gaming servers were carried out using variants of the Mirai DDoS botnet malware, which relies on compromised PCs and Internet of Things (IoT) devices. Like last year’s huge DDoS attack, the attack vector in the 3.47 Tbps DDoS attack was a UDP “reflection attack”, where UDP request and response packets are reflected within a local network using a source Internet Protocol (IP) address that’s been spoofed by the attacker.

    An attacker abuses UDP by creating a valid UDP request that falsely lists a target’s IP address as the UDP source IP address. The attacker sends the spoofed UDP request to a middleman server, which sends a larger number of UDP response packets to the target’s IP address rather than to the attacker’s actual IP address. The technique amplifies the size of a DDoS attack, but UDP is just one of several internet protocols that can be abused for amplification, including Domain Name System (DNS), Network Time Protocol (NTP), and memcached.

    The 3.47 Tbps UDP reflection attack lasted only 15 minutes, Toh explains in a blog post. The two other attacks that surpassed 2.5 Tbps were also short bursts targeting servers in Asia. UDP was used in all three cases. The protocol has proved popular for these attacks because online-gaming servers can’t withstand high-volume attacks, even in short bursts. Also, UDP is commonly used in gaming and streaming applications.

    “The majority of attacks on the gaming industry have been mutations of the Mirai botnet and low-volume UDP protocol attacks. An overwhelming majority were UDP spoof floods, while a small portion were UDP reflection and amplification attacks, mostly SSDP, Memcached, and NTP,” notes Toh. “Workloads that are highly sensitive to latency, such as multiplayer game servers, cannot tolerate such short burst UDP attacks. Outages of just a couple seconds can impact competitive matches, and outages lasting more than 10 seconds typically will end a match,” Toh explains.

    The gaming industry has been hit with multiple DDoS attacks this year affecting Titanfall, Escape from Tarkov, Dead by Daylight, and Final Fantasy, Microsoft notes. Voice over IP (VoIP) service providers were another heavily targeted group for DDoS attacks.

    The two other December attacks exceeding 2.5 Tbps were UDP attacks. One was a UDP attack on ports 80 and 443 in Asia that lasted 15 minutes with four main peaks, at 3.25 Tbps, 2.54 Tbps, and 0.59 Tbps, and a final peak at 1.25 Tbps. The other attack lasted just five minutes and was a 2.55 Tbps UDP flood on port 443 with one single peak, Toh notes.

    Some 55% of DDoS attacks relied on UDP spoofing in 2021 and it became the main vector in the second half of 2021. The US was the target of 54% of DDoS attacks, followed by 23% of attacks targeting India. DDoS activity in Europe, however, dropped from 19% in the first half of 2021 to just 6% in the second half, putting it behind East Asia, which was the target of 8% of DDoS attacks. Last year’s 2.4 Tbps attack was aimed at European Azure cloud users. Again, gaming adoption in East Asia made it a popular target.

  • Get lifetime subscriptions to two apps that will keep your data safe online for $30


    Your data is not only in danger when you go online. It’s also at risk from hackers who can crack your passwords by using social engineering. So it’s absolutely necessary that you provide yourself with the strongest protection possible against both, and that’s exactly what The Lifetime Password Manager & Privacy Subscription Bundle offers.

    This deal comes with a lifetime subscription to KeepSolid’s VPN Unlimited, which is arguably the best service you could use to stay safe online. In addition to a zero-log policy, military-grade encryption and a kill switch, you have no limits on speed or bandwidth. With access to more than 400 blazing-fast servers in over 80 locations, you don’t have to worry about being prevented from watching your favorite content because of your location.

    But KeepSolid offers even more convenience with 24/7 customer service, as well as features such as Favorite Servers, Ping Tests, Trusted Networks and a whole lot more. Even better, all of this is available for as many as five of your devices. As VPN Special observes, “KeepSolid VPN Unlimited offers amazing services and its advanced features make it a solid VPN service provider.”

    Of course, as mentioned above, you still have to deal with protecting your passwords. Sticky Password Premium allows you to securely keep all of your passwords together, either on local storage or in the cloud, where you can access them with one master password. But the app can also automatically generate unique, encrypted passwords so that you won’t share the same one across multiple accounts.

    Sticky Password also lets you store other pieces of personal information, which you can use to fill out forms instantly. Although supremely secure, Sticky Password is easy to use, and it even lets you share passwords with others if necessary.

    Don’t pass up this opportunity to have maximum protection for your data. Get The Lifetime Password Manager & Privacy Subscription Bundle while it’s on sale for only $29.99. Prices are subject to change.


  • Prepare for CompTIA exams and refresh your resume with this $30 training bundle


    If you’re disappointed with the way your tech career is progressing, it may be because your resume doesn’t have all of the certifications that employers are looking for. One way to turn recruiters’ heads is by earning a CompTIA certification, but you’ll need to pass the vendor’s exams to do so. The 2022 Complete CompTIA Exam Certification Labs & PBQs Training Bundle contains prep material that can help you earn them for $29.99.

    These DojoLab courses include Performance-based Questions (PBQs) and labs that follow CompTIA’s exam curriculum. There are no lectures, but they give you a chance to practice your existing skills and become familiar with the type of questions you’ll face during the exams. You also get to be part of a community of fellow IT students and subject matter experts.

    “CompTIA A+ (220-1001)” prepares you for an entry-level certification that validates your ability to use the latest technology to support IT infrastructure at the enterprise level. “CompTIA A+ (220-1002)” covers Core 2, which includes the configuration and installation of operating systems, operational procedures, software troubleshooting, expanded security and more.

    You can refresh your knowledge of network architecture and validate your skills in deploying networks with “CompTIA Network+ (N10-007 & N10-008)”. The certification you can earn with “CompTIA Linux+ (XK0-004)” not only demonstrates your knowledge of all major Linux distributions but also advances your progress toward the advanced certifications.

    Cybersecurity skills are in great demand, so you definitely want yours certified in order to stand out among the competition when applying for the best jobs. “CompTIA Security+ (SY0-601)” will help you earn the certification of baseline skills that are required for core security functions.

    Don’t pass up this chance to learn what you need to know in order to pass your CompTIA exams on your first try. Get lifetime access to the 2022 Complete CompTIA Exam Certification Labs & PBQs Training Bundle while it’s on sale for only $29.99. Prices are subject to change.
