More stories

  • SynAck ransomware group releases decryption keys as they rebrand to El_Cometa

    The SynAck ransomware gang has released decryption keys for victims infected between July 2017 and 2021, according to data obtained by The Record. SynAck is in the process of rebranding itself as the El_Cometa ransomware gang, and a member of the old group gave the keys to The Record. Emsisoft’s Michael Gillespie confirmed the veracity of the decryption keys and said Emsisoft is working on its own decryption utility, which it believes will be “safer and easier to use”, because there are concerns that SynAck victims may damage their files further using the provided keys. Ransomware expert Allan Liska told ZDNet that the SynAck ransomware group started right before ransomware-as-a-service began to take off in 2018. “So they never outsourced their ransomware activities. While they continued attacks, there weren’t nearly as many as groups like Conti or REvil were able to conduct, so they got lost in the shuffle,” Liska said. “They also didn’t hit any really big targets.”

    A Kaspersky Lab report in 2018 said SynAck differentiated itself in 2017 by not using a payment portal and instead demanding that victims arrange payment in Bitcoin through email or a BitMessage ID. The group generally demanded ransoms of around $3,000 and gained notoriety for using the Process Doppelgänging technique, which targets the Microsoft Windows operating system and is designed to circumvent traditional security software and antivirus solutions by exploiting how they interact with memory processes.

    There is little data on victims of the ransomware group, but Kaspersky Lab researchers said they observed attacks by the gang in the US, Kuwait, Germany and Iran. “The ability of the Process Doppelgänging technique to sneak malware past the latest security measures represents a significant threat; one that has, not surprisingly, quickly been seized upon by attackers,” said Anton Ivanov, lead malware analyst at Kaspersky Lab. “Our research shows how the relatively low profile, targeted ransomware SynAck used the technique to upgrade its stealth and infection capability. Fortunately, the detection logic for this ransomware was implemented before it appeared in the wild.”

    A SynAck representative told The Record that the group plans to launch a new ransomware-as-a-service platform and recruit affiliates to help with their work on El_Cometa. Multiple ransomware groups, like Avaddon and Prometheus, have released decryption tools in recent months, either in an effort to rebrand or due to increased law enforcement activity.

  • The multifaceted eBPF Linux program gets its own foundation

    Back in 1992, the Berkeley Packet Filter (BPF) was introduced in Unix circles as a new, much faster network packet filter. That was nice, but far from revolutionary. Years later, in 2014, it was modified and brought into the Linux kernel as extended BPF (eBPF). There it has added radical new features to Linux; it is being used by numerous useful Linux-based projects, and it is now moving beyond Linux to Windows as well.


    What’s so special about it? Simple: eBPF enables you to run programs in the Linux kernel without changing the kernel source code or adding additional modules. In effect, it acts like a lightweight, sandboxed virtual machine (VM) inside the Linux kernel space. There, programs that can run in eBPF run much faster, while taking advantage of kernel features unavailable to other higher-level Linux programs. As Thomas Graf, Isovalent’s CTO & Co-Founder and Chair of the eBPF Governing Board, explained:

    “Historically, the operating system has always been an ideal place to implement observability, security, and networking functionality due to the kernel’s privileged ability to oversee and control the entire system. At the same time, an operating system kernel is hard to evolve due to its central role and high requirement towards stability and security. The rate of innovation at the operating system level has thus traditionally been lower compared to functionality implemented outside of the operating system.

    eBPF fundamentally changes this formula. By allowing sandboxed programs to run within the operating system, eBPF enables developers to create eBPF programs that add capabilities to the operating system at runtime. The operating system then guarantees safety and execution efficiency as if natively compiled with the aid of a Just-In-Time (JIT) compiler and verification engine. This has led to a wave of eBPF-based projects covering a wide array of use cases, including next-generation networking, observability, and security functionality.”

    This has changed the way operating systems and infrastructure services work together. It has bridged the gap between kernel and user-space programs. eBPF has also enabled developers to combine and apply logic across multiple subsystems that were traditionally completely independent. These new programs include Linux kernel debuggers, such as bpftrace; cloud-native security software such as Falco; and Kubernetes security applications using Hubble.

    That’s a lot of new, important programs, and more are coming. So it only made sense to form a new foundation for the project: the Linux Foundation-sponsored eBPF Foundation. You can judge how important people consider it by its founding members, which include Facebook, Google, Isovalent, Microsoft, and Netflix. Why? Because it’s already useful for them. For instance, Facebook is using eBPF as the primary software-defined load balancer in its data centers, and Google is using Cilium to bring eBPF-based networking and security to its managed Kubernetes offerings, GKE and Anthos. This explosion of eBPF-based projects is making it one of the most influential technologies in the infrastructure software world. So, Graf said, “the demand is high to optimize collaboration between projects and ensure that the core of eBPF is well maintained and equipped with a clear roadmap and vision for the bright future ahead of eBPF. This is where the eBPF Foundation comes in, and establishes an eBPF steering committee to take care of the technical direction and vision of eBPF. Additionally, with the port of eBPF to the Windows kernel and additional ports to other platforms on the way, the question of eBPF program portability and eBPF runtime requirements becomes more important and requires coordination.”

    Want to know more? Go to the free and virtual eBPF Summit on August 18-19, 2021. You’ll be glad you did. eBPF is bringing fundamental changes to networking, security, and applications across the entire infrastructure stack, from PCs to the cloud.

  • Researchers find vulnerabilities in Wodify gym management web application used with CrossFit

    A cybersecurity researcher has discovered several new vulnerabilities in Wodify’s gym management web application that give an attacker the ability to extract workout data, personal information and even financial information. Wodify’s gym management web application is used widely among CrossFit boxes in the US and other countries to help them grow. The software is in use at more than 5,000 gyms for things like class scheduling and billing. But Dardan Prebreza, senior security consultant for Bishop Fox, explained in a report that a slate of vulnerabilities “allowed reading and modifying the workouts of all users of the Wodify platform.” Through the attack, access “was not limited to a single gym/box/tenant, so it was possible to enumerate all entries globally and modify them,” Prebreza added, noting that an attacker could hijack a user’s session and steal a hashed password or the user’s JWT through the Sensitive Information Disclosure vulnerability. “Thus, a combination of these three vulnerabilities could have a severe business and reputational risk for Wodify, as it would allow an authenticated user to modify all their production data, but also extract sensitive PII,” Prebreza said. “Additionally, compromising administrative gym user accounts could allow an attacker to modify the payment settings, and thus, have a direct financial impact, as the attacker could eventually get paid by the gym members instead of the legitimate gym owner(s). An authenticated attacker could read and modify all other users’ workouts data, extract PII, and eventually gain access to administrative accounts with the aim of financial gains.” Prebreza rated the vulnerability risk level high because it could cause severe reputational damage and financial ramifications for Wodify gyms and boxes whose payment settings could be tampered with.

    Wodify did not respond to ZDNet’s request for comment about the vulnerabilities. Prebreza’s report includes a timeline showing that the vulnerabilities were discovered on January 7 and Wodify was contacted on February 12. Wodify acknowledged the vulnerabilities on February 23 but did not respond to further requests for information. Wodify CEO Ameet Shah was contacted, and he connected the Bishop Fox team with Wodify’s head of technology, who held meetings with the company throughout April to address the issues. On April 19, Wodify confirmed that the vulnerabilities would be fixed within 90 days but from there repeatedly pushed back the patch date. First the company pledged to release a patch in May, then pushed it to June 11 and again to June 26. Wodify did not respond to Bishop Fox for another month, then admitted it was pushing the patch back to August 5. With more than half a year passed since the vulnerabilities were uncovered, Bishop Fox said it told Wodify it would publicly disclose the vulnerabilities on August 6, eventually releasing the report on August 13. Wodify has not confirmed whether there is actually a patch yet, and Bishop Fox urged customers to get in touch with the company. “The Wodify application was affected by insufficient authorization controls, allowing an authenticated attacker to disclose and modify any other user’s workout data on the Wodify platform,” Prebreza explained. “The data modification example in the report was performed with consent on a collaborator’s account, and the proof-of-concept payload was removed following the screenshot. However, the ability to modify data means that an attacker could modify all workout results and insert malicious code to attack other Wodify users, including instance or gym administrators.”

    The vulnerabilities ranged from insufficient authorization controls to sensitive information disclosure and stored cross-site scripting, which can be leveraged in other attacks, according to the study. While attackers would be able to change all of a Wodify user’s workout data, profile pictures and names, the attack also allows malicious code to be inserted that could go after other Wodify users, including gym administrators. Prebreza said the Wodify application was vulnerable to four instances of stored cross-site scripting, one of which “allowed an attacker to insert malicious JavaScript payloads into workout results.” “Any user that viewed the page with the stored payload would execute the JavaScript and perform actions on behalf of the attacker. If an attacker gained administrative access over a specific gym in this manner, they would be able to make changes to payment settings, as well as access and update other users’ personal information,” Prebreza noted. “Alternatively, an attacker could craft a payload to load an external JavaScript file to perform actions on behalf of the user. For example, the payload could change a victim’s email and take over the account by issuing a password reset (note: changing the email address did not require providing the current password). An attacker could similarly leverage the Sensitive Information Disclosure vulnerability to retrieve a victim’s hashed password or JWT (i.e., session token).”

    Erich Kron, security awareness advocate at KnowBe4, said this was an unfortunate case of an organization not taking a vulnerability disclosure seriously. “While the initial thought of just wiping someone’s workout history may seem insignificant to many, the fact that an attacker can access the account and associated information, possibly including payment methods and personal information, is a real problem,” Kron said. “Even just the workout information can be sensitive if the wrong person uses it to find patterns, for example the days and times a CEO for an organization typically works out, and uses it for malicious purposes. Organizations that create software should always have a process in place for dealing with reported vulnerabilities such as this, and must take them seriously.”

  • 40% of orgs don't have a chief data officer: survey

    S&P Global Market Intelligence and Immuta released a new study this week highlighting how many larger organizations are struggling to manage and use their data. The report, conducted by 451 Research, found that 55% of respondents said the data they get for analysis is often out of date or stale by the time it reaches them. 451 Research surveyed 525 data leaders in the US, Canada, UK, Germany and France. All of the survey participants work for organizations with more than 1,000 employees. The survey’s findings reflect the larger debate among enterprises about how to balance effective data use with data privacy and security. Of the respondents, 84% said they thought data privacy and security requirements would limit access to data at their organizations over the next 24 months. Nearly 40% of respondents who work as data suppliers said they lack the staff or skills to handle their positions, with almost 30% citing a lack of automation as a problem. At least 90% of those who answered the survey said data quality and trust were becoming more important than the volume or quantity of data, while the role of chief data officer is becoming increasingly prominent within organizations. A majority of respondents said the chief data officer had direct access to the CEO. According to the survey, 60% of respondents said their organizations have a chief data officer while 40% do not. The numbers also corresponded to organization size, with larger enterprises more likely to have a chief data officer. “The findings are clear. As data workflows and processes have become more complex over time — and as organizational demand for data grows — there are clear points of friction in the data supply chain,” said Paige Bartley, senior analyst at 451 Research.

    “Chief among them is data suppliers that have limited resources, skills shortages, and little automation being tasked with trying to deliver a steady stream of relevant data to a growing number of data consumers.”

    Reliance on the cloud is also on the rise, according to the survey, which found that 76% of respondents worked for organizations that will use cloud data technology more frequently for storage, compute and sharing over the next 24 months. Of those still struggling to move to the cloud, 43% said it was because of security, while 40% cited compliance issues and 35% said data privacy was a concern. Overall, 65% of respondents said data has become more important for their own job over the last 24 months than it ever had been. More than 71% said the number of data consumers in their organization has steadily increased over time, with another 73% adding that more human and machine data consumers will need access to data over the next two years. The changes to data consumption and deployment are also being affected by legislation, according to the survey, which found that 84% said their enterprise was subject to regulations like GDPR and HIPAA. Data privacy and security are also prompting changes. More than 83% said data security rules will limit their access to data at their organization over the next two years. Respondents also complained that data was not available in real time, expressing exasperation with ill-equipped data teams unable to deliver self-service data tools. Almost 40% said their data is only available at a point in time. More than 62% of respondents said they used free cloud-based tools to help them handle data-focused tasks.

    “Respondents from regulated organizations were also much more likely to report their organization had a cloud-first (31%) or cloud-forward (45%) adoption strategy, while respondents from non-regulated organizations were disproportionately more likely to report a cloud-conservative (46%) or cloud-skeptic (9%) strategy,” the report said. “The assumption that regulated industries or firms tend to shy away from cloud technology is outdated at best.”

    Organizations are also struggling to manage data access and use, according to 65% of respondents. Immuta CEO Matt Carroll said the disconnect between data suppliers and consumers highlights the pressing challenge for businesses and the public sector to improve speed and access to data. “The findings make it clear that insights and business value cannot be quickly and easily generated from data unless it can be shared, modeled, and analyzed in a frictionless manner,” Carroll said. “This report validates what our customers have experienced. The good news is, by understanding these pain points, organizations can address them and move forward to maximize the value of enterprise data and minimize risks. Investing in automation and scalability removes hurdles to cloud adoption and opens the door for more efficient data access and use to improve business outcomes.”

  • Poly Network hacker has now returned almost all the $600m in crypto taken

    The cryptocurrency company behind a decentralized finance (DeFi) platform that lost over $600 million to a hacker has received most of the assets back. In a strange turn of events, the hackers who stole the digital assets on Tuesday returned the bulk of it to DeFi platform Poly Network, which provides interoperability services across blockchains including Bitcoin, Ethereum and Binance Smart Chain. On Thursday, Poly Network said in a tweet that “all the remaining user assets on Ethereum (except for the frozen USDT) had been transferred” to the Poly Network and to an account controlled by someone apparently called “Mr. White Hat” — a reference to cybersecurity professionals who help defend systems (versus “Black Hats” who hack systems for fun and profit). DeFi platforms like Poly let people exchange tokens across blockchains. Poly Network uses smart contracts to work across Bitcoin, Ethereum, Neo, Ontology, Elrond, Zilliqa, Binance Smart Chain, Switcheo and Huobi ECO Chain. As explained by Reuters, Poly Network works via smart contracts that instruct different blockchains to release the assets to the counterparties. One of Poly Network’s smart contracts was used for liquidity to facilitate swapping tokens between blockchains. Poly Network said the hacker “exploited a vulnerability between contract calls”. The hackers have now returned the majority of what they took in what the company described as one of the ‘biggest’ hacks in DeFi history.

    The funds have been gradually returning since. Poly Network said yesterday that the unknown attacker has so far returned $256 million in BSC, $1 million from Polygon and $3.3 million in Ethereum. The attacker has not returned the $33 million that Tether froze. According to the BBC, Poly Network offered the attacker $500,000 to return the $600 million in crypto-assets. The DeFi hack happened as the US weighs in on the issue of regulating cryptocurrency players that operate in a $2 trillion market that largely stands outside of existing anti-money laundering laws and the tax system. As The New York Times columnist Ezra Klein argues, crypto brings scarcity to digital goods — like online art — and that creates value. Government and regulators, however, haven’t figured out whether there’s a public appetite for regulating this area of finance and technology, nor where to apply pressure on different actors, from those developing the technology to those who control the exchange of assets.

  • Ransomware: Now attackers are exploiting Windows PrintNightmare vulnerabilities

    Cyber criminals are exploiting Windows PrintNightmare vulnerabilities in their attempts to infect victims with ransomware – and the number of ransomware groups attempting to take advantage of unpatched networks is likely to grow. The remote code execution vulnerabilities (CVE-2021-34527 and CVE-2021-1675) in Windows Print Spooler – a service enabled by default in all Windows clients and used to copy data between devices to manage printing jobs – allow attackers to run arbitrary code, enabling them to install programs; modify, change and delete data; create new accounts with full user rights; and move laterally around networks.


    Now ransomware gangs are taking advantage of PrintNightmare to compromise networks, encrypt files and servers, and demand payment from victims for a decryption key. One of them is Vice Society, a relatively new player in the ransomware space that first appeared in June and conducts hands-on, human-operated campaigns against targets. Vice Society is known to be quick to exploit new security vulnerabilities in its ransomware attacks and, according to cybersecurity researchers at Cisco Talos, it has added PrintNightmare to its arsenal of tools for compromising networks. Like many cyber-criminal ransomware groups, Vice Society uses double extortion attacks, stealing data from victims and threatening to publish it if the ransom isn’t paid. According to Cisco Talos, the group has mostly focused on small and midsize victims, notably schools and other educational institutions. The ubiquitous nature of Windows systems in these environments means Vice Society can utilize PrintNightmare vulnerabilities, if patches haven’t been applied, to execute code, maintain persistence on networks and deliver ransomware.

    “The use of the vulnerability known as PrintNightmare shows that adversaries are paying close attention and will quickly incorporate new tools that they find useful for various purposes during their attacks,” Cisco Talos researchers wrote in a blog post. “Multiple distinct threat actors are now taking advantage of PrintNightmare, and this adoption will likely continue to increase as long as it is effective.”

    Another ransomware group actively exploiting the PrintNightmare vulnerabilities is Magniber. This ransomware operation has been active, and introducing new features and attack methods, since 2017. Magniber initially used malvertising to spread attacks before moving on to taking advantage of unpatched security vulnerabilities in software including Internet Explorer and Flash. The majority of Magniber campaigns target South Korea. Now, according to cybersecurity researchers at CrowdStrike, Magniber ransomware is using PrintNightmare in campaigns, again demonstrating how ransomware gangs and other cyber-criminal groups try to take advantage of newly disclosed vulnerabilities to aid attacks before network operators have applied the patch.

    It’s likely that other ransomware groups and malicious hacking campaigns will look to exploit PrintNightmare, so the best form of defence against the vulnerability is to ensure systems are patched as soon as possible. “CrowdStrike estimates that the PrintNightmare vulnerability coupled with the deployment of ransomware will likely continue to be exploited by other threat actors,” said Liviu Arsene, director of threat research and reporting at CrowdStrike. “We encourage organizations to always apply the latest patches and security updates to mitigate known vulnerabilities and adhere to security best practices to strengthen their security posture against threats and sophisticated adversaries,” he added.

  • Researchers discover new AdLoad malware campaigns targeting Macs and Apple products

    SentinelLabs has released a new report on the discovery of a new adware campaign targeting Apple devices.

    After identifying AdLoad in 2019 as an adware and bundleware loader afflicting macOS, the cybersecurity company said it has seen 150 new samples of the adware that it claims “remain undetected by Apple’s on-device malware scanner.” Some of the samples were even notarized by Apple, according to the report. Apple uses the XProtect security system to detect malware on all Macs and originally created a protection scheme against AdLoad, which has floated around the internet since at least 2017, according to the report. XProtect now has about 11 different signatures for AdLoad, some of which cover the 2019 version of the adware SentinelLabs found that year. But the latest campaign discovered is not covered by anything in XProtect, according to the company. “In 2019, that pattern included some combination of the words ‘Search,’ ‘Result’ and ‘Daemon,’ as in the example shown above: ‘ElementarySignalSearchDaemon.’ Many other examples can be found here. The 2021 variant uses a different pattern that primarily relies on a file extension that is either .system or .service,” the researchers explained. “Which file extension is used depends on the location of the dropped persistence file and executable as described below, but typically both .system and .service files will be found on the same infected device if the user gave privileges to the installer.”

    About 50 different label patterns have been discovered by the researchers, who found that the droppers used share the same pattern as Bundlore/Shlayer droppers.

    “They use a fake Player.app mounted in a DMG. Many are signed with a valid signature; in some cases, they have even been known to be notarized,” the report said. “Typically, we observe that developer certificates used to sign the droppers are revoked by Apple within a matter of days (sometimes hours) of samples being observed on VirusTotal, offering some belated and temporary protection against further infections by those particular signed samples by means of Gatekeeper and OCSP signature checks. Also typically, we see new samples signed with fresh certificates appearing within a matter of hours and days. Truly, it is a game of whack-a-mole.” SentinelLabs cites research from analysts at Confiant confirming that samples in the wild have been notarized by Apple. The samples began to crop up in November 2020 and became more prominent in 2021. There was an even sharper uptick in July and August as more attackers try to take advantage of XProtect’s gaps before they’re closed. XProtect’s last update was on June 18th, according to SentinelLabs. Apple did not respond to requests for comment. Despite the lack of protection from XProtect, other vendors do have systems that detect the malware. “As Apple itself has noted and we described elsewhere, malware on macOS is a problem that the device manufacturer is struggling to cope with,” the report said. “The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and yet still remain undetected by Apple’s built-in malware scanner demonstrates the necessity of adding further endpoint security controls to Mac devices.”

  • Philips study finds hospitals struggling to manage thousands of IoT devices

    Health technology company Philips and cybersecurity company CyberMDX released a new report this week covering cybersecurity spending and trends at mid-sized and large hospitals. Working with market research firm Ipsos, researchers surveyed 130 healthcare IT decision-makers to find out how they were managing the thousands of medical devices that populate most hospitals today. The “Perspectives in Healthcare Security Report” split most of the study between large hospital systems with more than 1,000 beds and mid-sized ones with fewer than 1,000 beds. More than 31% of respondents worked at hospitals with fewer than 10,000 medical devices, while another 29% worked in hospital systems with fewer than 25,000. Almost 20% worked for hospital systems deploying under 50,000 devices. While most respondents had a good idea of how many devices were deployed in their hospital system, 15% of mid-sized hospitals and 13% of large hospitals had no way of knowing the number of devices on their network. Almost half of all respondents find the staffing they have for medical device and IoT security “inadequate,” with most reporting a mean cybersecurity staff of around 12 or 13 people. Nearly 40% of all large hospital systems hire IoT security solutions to protect their devices, while 16% rely on the security provided by the medical device manufacturer. Some also turn to IT equipment vendors or third-party systems integrators.

    The numbers were almost identical for mid-sized hospitals, but a larger share rely on medical device manufacturers for security. Respondents listed NotPetya, MDHex, MDHexRay, Ryuk, WannaCry, Apache Struts and BlueKeep as the most common vulnerabilities. More than 51% of respondents said their hospitals “were not protected against the BlueKeep vulnerability, and that number increased 64% for WannaCry and 75% for NotPetya.” The mean annual IT spend is around $3 million to $3.5 million for both large and mid-sized hospital systems. A mean of about $300,000 is spent each year on medical device and IoT cybersecurity. Nearly 80% of both mid-sized and large hospital systems measured cybersecurity ROI through logs of major attacks, while also using “total critical vulnerabilities found” and “amount of time saved” as measures of success. Hospital cybersecurity has never been more crucial. An HHS report found that there have been at least 82 ransomware incidents worldwide this year, with 60% of them specifically targeting US hospital systems. Azi Cohen, CEO of CyberMDX, noted that hospitals now have to deal with patient safety, revenue loss and reputational damage when dealing with cyberattacks, which continue to increase in frequency. Almost half of hospital executives surveyed said they dealt with a forced or proactive shutdown of their devices in the last six months due to an outside attack. Mid-sized hospital systems struggled mightily with downtime from medical devices. Large hospitals faced an average shutdown time of 6.2 hours and a loss of $21,500 per hour. But the numbers were far worse for mid-sized hospitals, whose IT directors reported an average of 10 hours of downtime and losses of $45,700 per hour. “No matter the size, hospitals need to know about their security vulnerabilities,” said Maarten Bodlaender, head of cybersecurity services at Philips.