More stories


    Time to update your iPhone as Apple fixes 'actively exploited' zero day flaw

    Apple has released iOS 14.7.1 and iPadOS 14.7.1 and revealed that they fix a previously unknown flaw which the company says appears to have been “actively exploited”. The company also released macOS Big Sur 11.5.1 to address the same issue in IOMobileFrameBuffer, a kernel extension shared across Apple’s platforms. A malicious application may be able to execute arbitrary code with kernel privileges, Apple warns in both advisories. “Apple is aware of a report that this issue may have been actively exploited,” it says, noting that the memory corruption issue, tracked as CVE-2021-30807, was reported by an anonymous researcher. Proof-of-concept exploit code has already been posted online.

    Separately, Saar Amar, a security researcher and member of the Microsoft Security Response Center (MSRC), revealed that he had independently found the now-patched bug in iOS four months ago. He says he did not report it to Apple earlier because he was working towards a high-quality bug report for Apple’s bug bounty program. After Apple disclosed the bug, he published detailed notes on the issues he found in IOMobileFrameBuffer. He notes that the bug “is as trivial and straightforward as it can get”, but adds that “the exploitation process is quite interesting here”, and his write-up offers far more detail than Apple provides in its advisories. Amar describes it as a local privilege escalation (LPE) vulnerability that can be triggered from WebContent, the sandboxed renderer process of Safari’s WebKit engine.

    The iOS/iPadOS update is available for iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation).


    Half of vulnerabilities Singapore government finds via bounties, disclosures are valid

    Half of the security vulnerability reports the Singapore government received via bug bounties and public disclosure schemes have been ascertained to be valid. The public sector also recorded a 44% increase in data incidents over the past year, though none were assessed to be of “high severity”. The Singapore government reported 108 data security incidents in its fiscal 2020, which ended March 31 this year, compared to 75 in the previous year. Despite the increase, the breaches were determined to be either low or medium in severity, according to a report released Tuesday by the Smart Nation and Digital Government Office (SNDGO). Severity was assessed based on the incident’s impact on national security or national interests, and on individuals or business entities, on a five-level scale ranging from low to very severe.

    All data incidents also were addressed within 48 hours, the report stated. Singapore in April 2020 set up the Government Data Security Contact Centre to provide a channel through which members of the public could report data incidents involving government data or government agencies. In its first year of operation, the centre received 119 reports, six of which were flagged as data incidents requiring further investigation. The remaining 113 were not related to government data and were referred to the relevant departments for action, according to the report. These included queries on promotion calls and texts when the individual had opted out of the Do Not Call registry. The government also established a vulnerability disclosure programme in October 2019 for anyone to report vulnerabilities they found on the public sector’s online platforms and mobile applications, which are used by citizens and businesses. To further identify potential security holes, the Singapore government also ran several bug bounty programmes, which previously had involved the Ministry of Defence and GovTech.  

    As of March 2021, more than 1,000 vulnerability reports had been submitted through the security contact centre and bug bounties, of which 496 were determined to be valid, SNDGO revealed. The smart nation office noted that several initiatives were rolled out over the past couple of years to bolster the sector’s security posture. Highlighting those implemented between last October and March 31, 2021, the SNDGO said a privileged identity management (PIM) tool was deployed in November for the government’s commercial cloud infrastructure. “With more government systems migrating to the cloud as part of our ‘cloud-first’ strategy, the Government Commercial Cloud PIM solution will ensure that access by privileged users [including] those whose roles require wide access to data, such as system administrators, will be secured and monitored to prevent unauthorised use of data,” SNDGO said.

    Data loss protection services were also being developed across the public sector, so that technical and process controls would be in place to detect anomalous activities, such as unexpected downloads of large data volumes to personal computers, that could indicate malicious activity. Implementation of these services would begin by end-2021. Civil servants also needed to be prepared to respond to data security incidents, the smart nation office said. To that end, central ICT and data incident management exercises would be conducted involving multiple government agencies, with four ministries slated to participate in the first such exercise in September this year. This would be in addition to the cyber and data security incident exercises that all government agencies were required to hold every year, according to SNDGO.

    Last year also saw the highest number of complaints made to the Personal Data Protection Commission, which oversees the country’s Personal Data Protection Act (PDPA). Some 6,100 complaints were logged with the commission, compared to 4,500 in 2019 and 2,700 in 2018, noted the SNDGO report. Since the public sector is exempted from the PDPA, these complaints presumably pertain to potential data breaches involving only private organisations. Reported cybercrime cases accounted for almost half of total crimes in Singapore last year, with both ransomware and botnet attacks seeing significant spikes. The Singapore Computer Emergency Response Team (SingCERT) handled 9,080 cases, up from 8,491 in 2019 and 4,977 in 2018, revealed the Singapore Cyber Landscape report released earlier this month. The number of reported ransomware attacks climbed 154% to 89 incidents, compared to 35 in 2019. These mostly affected small and midsize businesses in sectors including manufacturing, retail, and healthcare.


    Malware developers turn to 'exotic' programming languages to thwart researchers

    Malware developers are increasingly turning to unusual or “exotic” programming languages to hamper analysis efforts, researchers say. 

    According to a new report published by BlackBerry’s Research & Intelligence team on Monday, there has been a recent “escalation” in the use of Go (Golang), D (DLang), Nim, and Rust, which are increasingly chosen to “try to evade detection by the security community, or address specific pain-points in their development process.” In particular, malware developers are experimenting with loaders and droppers written in these languages, built for first- and further-stage deployment in an attack chain. BlackBerry’s team says that first-stage droppers and loaders are becoming more common as a way of avoiding detection on a target endpoint: once the malware has slipped past security controls that are tuned to more typical forms of malicious code, they are used to decode, load, and deploy further malware, including Trojans. Commodity malware cited in the report includes the Remote Access Trojans (RATs) Remcos and NanoCore; Cobalt Strike beacons are also often deployed. Some developers with more resources at their disposal are rewriting their malware fully in new languages, an example being Buer to RustyBuer. Based on current trends, the researchers say that Go is of particular interest to the cybercriminal community.

    According to BlackBerry, both state-sponsored advanced persistent threat (APT) groups and commodity malware developers are taking a serious interest in the language to upgrade their arsenals. In June, CrowdStrike said a new ransomware variant borrowed features from HelloKitty/DeathRansom and FiveHands but used a Go packer to encrypt its main payload. “This assumption is based upon the fact that new Go-based samples are now appearing on a semi-regular basis, including malware of all types, and targeting all major operating systems across multiple campaigns,” the team says. While not as popular as Go, DLang, too, has seen a slow uptick in adoption throughout 2021. By using new or more unusual programming languages, the researchers say, malware authors can hamper reverse-engineering efforts and evade signature-based detection tools, as well as improve cross-platform compatibility across target systems. The codebase itself may also add a layer of concealment without any further effort from the malware developer, simply because of the language in which it is written: existing signatures and analyst tooling are built around the compiler conventions of more common languages. “Malware authors are known for their ability to adapt and modify their skills and behaviors to take advantage of newer technologies,” commented Eric Milam, VP of Threat Research at BlackBerry. “This has multiple benefits from the development cycle and inherent lack of coverage from protective solutions. It is critical that industry and customers understand and keep tabs on these trends, as they are only going to increase.”
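    One practical consequence for defenders is that a sample’s compiler usually has to be identified before the right decompiler plug-ins, string decoders and signature sets can be chosen. The following Python script is an added example for this page, not tooling from the BlackBerry report or the original article: it triages a raw binary for Go, Rust, Nim and D runtime markers. The marker strings and the Go pclntab header layout are assumptions about how those toolchains typically emit binaries, and the script runs on constructed sample bytes rather than real malware.

```python
"""Heuristic compiler/language triage for a raw binary (PE, ELF or Mach-O).

Added example for this article; not BlackBerry tooling. The marker strings
and the pclntab header layout are assumptions about how the Go, Rust, Nim
and D toolchains usually emit binaries. Hits are leads, not attribution.
"""
from typing import Dict, List, Optional

# Go's pclntab (runtime.pclntab / .gopclntab) starts with a 4-byte magic,
# two zero bytes, then minLC (instruction quantum) and ptrsize. The magic
# changed with the table format, so it also dates the toolchain roughly.
GO_PCLNTAB_MAGICS: Dict[bytes, str] = {
    b"\xfb\xff\xff\xff\x00\x00": "go1.2-1.15",
    b"\xfa\xff\xff\xff\x00\x00": "go1.16-1.17",
    b"\xf0\xff\xff\xff\x00\x00": "go1.18-1.19",
    b"\xf1\xff\xff\xff\x00\x00": "go1.20+",
}

# Plain byte-string markers (assumed, not exhaustive). Runtime symbol names
# only survive in unstripped binaries; panic/path strings usually survive.
STRING_MARKERS: Dict[str, List[bytes]] = {
    "go":   [b"Go build ID: \"", b"Go buildinf:", b"runtime.gopanic"],
    "rust": [b"/rustc/", b"library/std/src/", b"library/core/src/"],
    "nim":  [b"NimMain", b"nimFrame", b"nimGC_"],
    "d":    [b"_Dmain", b"_D4core", b"druntime"],
}


def find_go_pclntab(data: bytes) -> Optional[str]:
    """Return the Go generation whose pclntab header appears in data, else None."""
    for magic, generation in GO_PCLNTAB_MAGICS.items():
        off = data.find(magic)
        while off != -1:
            hdr = data[off + 6:off + 8]
            # Require a plausible minLC (1, 2 or 4) and ptrsize (4 or 8) after
            # the magic so a stray 0xFFFFFFFA in unrelated data is not a hit.
            if len(hdr) == 2 and hdr[0] in (1, 2, 4) and hdr[1] in (4, 8):
                return generation
            off = data.find(magic, off + 1)
    return None


def triage(data: bytes) -> Dict[str, List[str]]:
    """Map each candidate language to the evidence strings found in data."""
    evidence: Dict[str, List[str]] = {}
    generation = find_go_pclntab(data)
    if generation:
        evidence.setdefault("go", []).append(f"pclntab header ({generation})")
    for lang, markers in STRING_MARKERS.items():
        for marker in markers:
            if marker in data:
                evidence.setdefault(lang, []).append(marker.decode("ascii"))
    return evidence


def guess_language(data: bytes) -> Optional[str]:
    """Best single guess: a pclntab hit is decisive, otherwise most evidence wins."""
    evidence = triage(data)
    if any(e.startswith("pclntab") for e in evidence.get("go", [])):
        return "go"
    if not evidence:
        return None
    return max(evidence, key=lambda lang: len(evidence[lang]))


# Constructed stand-ins, not real samples: a PE-like stub with a Go 1.16-era
# pclntab header and build ID, an ELF-like stub with Rust panic-path strings,
# and a stub with neither.
SAMPLE_GO = (b"MZ" + b"\x00" * 62
             + b"\xfa\xff\xff\xff\x00\x00\x01\x08"  # magic, pad, minLC=1, ptrsize=8
             + b"Go build ID: \"abc123\"\x00" + b"\x00" * 16)
SAMPLE_RUST = (b"\x7fELF" + b"\x00" * 60
               + b"/rustc/0123456789abcdef/library/std/src/panicking.rs\x00")
SAMPLE_C = b"MZ" + b"\x00" * 64 + b"Hello from plain C\x00"

if __name__ == "__main__":
    for name, blob in (("go", SAMPLE_GO), ("rust", SAMPLE_RUST), ("c", SAMPLE_C)):
        print(f"{name}: guess={guess_language(blob)} evidence={triage(blob)}")
```

    A pclntab hit is treated as decisive because the table is part of Go’s runtime rather than an optional string, and its header bytes (instruction quantum and pointer size) are checked so the magic is not matched by chance. The string markers are weaker: symbol names disappear from stripped binaries and path strings can be embedded by anything, so treat them as a prompt to look further, not as attribution.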



    Microsoft Teams just got this new protection against phishing attacks

    Microsoft Teams has gained new Defender ‘Safe Links’ phishing protection to shield users from potentially dangerous phishing URLs. The additional phishing protection in Teams is available for organizations using Defender for Office 365 to guard against phishing attacks that use weaponized URLs. While email is the standard medium for delivering phishing links, Teams usage exploded during the pandemic, making it an attractive target for phishing. As Microsoft outlined earlier this year as part of its ‘hybrid work’ messaging, time spent in Teams meetings grew 2.5 times globally between February 2020 and February 2021. Teams users now send 45 percent more chats per week on average, and 42 percent more chats per person after hours. “Safe Links in Defender for Office 365 scans URLs at the time of click to ensure that users are protected with the latest intelligence from Microsoft Defender. We’re super excited to announce that this capability is now generally available,” Microsoft says in a blog post. Given the massive shift to Teams chat and video over the past year, it makes sense to extend Safe Links, a feature of Defender for Office 365 since 2015, to the communications platform. Microsoft previewed the feature for Teams in April.

    Safe Links click protection can scan links in Teams conversations, group chats, and channels. It performs a real-time scan and verification of URLs at the moment a user clicks a link, rather than only when a message is delivered. Each month Microsoft’s ‘detonation systems’ detect almost 2 million unique URL-based payloads created by attackers for phishing, and Microsoft blocks over 100 million phishing emails carrying these booby-trapped URLs monthly. Microsoft scans URLs at click time because, it explains, attackers have learned to send links that are benign at delivery and to redirect them to malicious content afterwards in order to avoid detection.

    “As detection technologies evolve to block malicious sites quicker, sending malicious links to users becomes less effective. So attackers evolve their attacks. Instead of sending malicious links to users, attackers now send benign links. Once the link has been delivered, the attacker redirects the link to a malicious site,” Microsoft notes. Admins enable Safe Links protection for Teams users by adjusting the Safe Links policy in the Microsoft 365 Defender portal; Microsoft’s Safe Links documentation covers the available settings.


    ANAO: Auditing not driving improvements in Commonwealth cybersecurity adherence

    The Australian National Audit Office (ANAO) has said it considers continued transparency through reporting to Parliament on cybersecurity risk to be a positive, but it remains concerned that this may not be enough to drive improvement. In documentation [PDF] prepared for the Joint Committee of Public Accounts and Audit (JCPAA), ANAO said it was clear that auditing and reporting alone have not driven improvement in compliance with the government’s cybersecurity policy. “Non-corporate Commonwealth entities have not been held to account for not meeting the mandatory cybersecurity requirements under PSPF Policy 10,” it wrote, in reference to Policy 10 of the Protective Security Policy Framework (PSPF), which centres on safeguarding information from cyber threats. “The current framework to support responsible ministers in holding entities accountable within government is not sufficient to drive improvements in the implementation of mandatory requirements.”

    The JCPAA last year reviewed a pair of reports from ANAO and handed down a number of recommendations in its own report published in December. One of the recommendations asked ANAO to consider conducting an annual limited assurance review into the cyber resilience of Commonwealth entities. “The review should examine and report on the extent to which entities have embedded a cyber resilience culture through alignment with the ANAO’s framework of 13 behaviours and practices,” JCPAA asked. “The review should also examine the compliance of corporate and non-corporate entities with the Essential Eight mitigation strategies in the Information Security Manual and be conducted for five years, commencing from June 2022.” ANAO said implementing the recommendation poses a number of practical challenges from an audit perspective, the first being that it expects the Australian Signals Directorate (ASD) to raise cybersecurity risk concerns.

    “ASD has advised that a system-level report would pose cyber risks that it believes would be unacceptable. Given ASD is the technical expert, it is best placed to assess those risks and therefore difficult for the ANAO to take a different view,” it said. ANAO also considers the scope proposed in the recommendation challenging, given that only non-corporate Commonwealth entities are mandated to apply the PSPF. The fact that there are currently 98 non-corporate entities subject to the policy also creates a scope challenge, it said. “The absence of assurance over material reported by entities to AGD in their self-assessments means that audit procedures would need to be conducted across the population of entities’ self-assessments (whole or risk-based sample) to assure accuracy,” ANAO added. It also said limited assurance procedures would not result in a report that informs Parliament about the actual implementation of cybersecurity requirements. “Current ANAO work in cybersecurity in both financial statements audits (IT controls) and in performance audits indicate that the ANAO is likely to find issues with the accuracy of self-assessments,” it wrote. “In the event that accuracy issues are found, the ANAO would conclude that the report could not be relied upon, but would not report on whether entities actually do meet the requirements of the PSPF.”


    Brazil creates cyberattack response network

    Brazil has created a cyberattack response network aimed at speeding up the response to cyber threats and vulnerabilities through coordination between federal government bodies. Created through a presidential decree signed on July 16, the Federal Cyber Incident Management Network will encompass the Institutional Security Office of the presidency as well as all bodies and entities under the federal government administration. Public companies, mixed-capital companies and their subsidiaries may join the network on a voluntary basis. The network will be coordinated by the Information Security Department of the Institutional Security Office, through the government’s Center for Prevention, Treatment and Response to Cybersecurity Incidents. The Digital Government Secretariat (DGS), which operates under the Special Secretariat for Management and Digital Government of the Ministry of Economy, will have a strategic role in forming the network. The DGS is the central body of SISP, the system used for planning, coordinating, organizing, operating, controlling and supervising the federal government’s information technology resources across more than 200 bodies.

    According to the DGS, the information sharing set out in the decree is expected to improve SISP’s coordination of incident prevention, as well as of the actions required in the event of a cyberattack. The Secretariat also implied that public companies such as Dataprev, the government’s social security technology and information company, and Serpro, the federal data processing service, are expected to join the initiative even though their participation is not compulsory. Having immediate knowledge of attacks, and of vulnerabilities being exploited, will enable the Secretariat to alert other bodies to enforce the necessary containment measures, it noted, adding that another area of focus could be the development of guides and training to address the main issues identified by the network. Citing Brazil’s improvement in the latest Global Cybersecurity Index by the United Nations, in which Brazil rose from 70th place in 2018 to 18th in 2021, the best result in Latin America, digital government and management secretary Caio Mario Paes de Andrade said the creation of the network will help the Brazilian federal government further strengthen its role in confronting cyber threats.

    “The advancement of digital transformation must be accompanied by the protection of users and we have ensured this protection,” the secretary noted. “The network’s rationale is to further foster the culture of coordinated confrontation within the government, so that we can continue advancing on the issue of cyber security.” According to a survey released earlier this month, Brazilians are concerned about the security of their data. The survey found that fear of cyberattacks is high among Brazilian users, with 73% of respondents reporting having suffered some kind of digital threat, such as receiving fake messages purporting to come from companies, or having passwords stolen.


    Kaseya denies paying ransom for decryptor, refuses comment on NDA

    Software company Kaseya has denied paying a ransom for a universal decryptor after days of lingering questions about how the tool was obtained. On July 21, the company announced that a universal decryption tool had been obtained “from a third party” and that it was working with security company Emsisoft to help victims of the sprawling ransomware attack. On Monday, Kaseya released a statement denying rumors that it had paid a ransom to REvil, the ransomware group that launched the attack. REvil initially demanded $70 million but reportedly lowered the figure to $50 million before its entire operation went dark on July 13. “We are confirming in no uncertain terms that Kaseya did not pay a ransom — either directly or indirectly through a third party — to obtain the decryptor,” Kaseya’s statement said. “While each company must make its own decision on whether to pay the ransom, Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack and we have not wavered from that commitment.” The statement goes on to address reports suggesting that its “continued silence on whether Kaseya paid the ransom may encourage additional ransomware attacks.”


    According to the statement, Emsisoft and Kaseya’s Incident Response team worked through the weekend providing the decryptor to some of the 1,500 victims affected by the attack, which included a major supermarket chain in Sweden, Virginia Tech University and the local government computers in Leonardtown, Maryland. 

    The company said it is encouraging any victims to come forward, adding that the tool “has proven 100% effective at decrypting files that were fully encrypted in the attack.” While the news of a universal decryptor was welcomed by hundreds of affected victims, some noted that Kaseya was requiring companies to sign a non-disclosure agreement in exchange for the decryptor. CNN confirmed that Kaseya was requiring the non-disclosure agreement in order to gain access to the decryptor. Kaseya spokesperson Dana Liedholm and multiple cybersecurity companies involved told ZDNet they were unable to comment on the non-disclosure agreement. Former White House Chief Information Officer and cybersecurity expert Theresa Payton said non-disclosure agreements after attacks are more common than one would think, but noted that “asking for an NDA from victims is not an everyday, every incident practice.” “When a cyber incident impacts multiple victims in a supply chain attack, sometimes the legal counsel will ask victims to sign an NDA to ensure that the fix for the problem does not get disclosed publicly,” Payton said. Payton added that the reasons behind asking for a non-disclosure agreement are not always nefarious and urged companies to consult their lawyers before signing anything. “If the reason behind the NDA is to ensure that the 3rd party that provided the key is not disclosed and the manner in which the decryption is made available is not disclosed, then the NDA makes a lot of sense,” Payton told ZDNet. “We don’t want to tip our hands publicly to the cyber operatives behind any of the ransomware syndicates. We need to keep the nefarious cyber operatives guessing. If the NDA is not for that reason and is instead a legal maneuver to avoid lawsuits that is disappointing. Given the large impact, it is understandable why their legal counsel might recommend the NDA for legal protections.”

    Mark Kedgley, CTO at New Net Technologies, said it was an extremely rare set of circumstances, considering Kaseya is both the exploited vendor and the provider of the decryption kit. He added that the NDA “will help diminish further analysis and discussion of the attack.” “While you could see this would be desirable for Kaseya, it won’t further the cyber security community’s understanding of the breach,” Kedgley said.


    Ransomware: Here's how much victims have saved in ransom payments by using these free decryption tools

    Ransomware gangs have been prevented from making over a billion dollars from their attacks by the free decryption tools made available through the No More Ransom scheme. The project, founded by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky, and McAfee, launched five years ago and has grown to involve 170 partners across law enforcement, cybersecurity companies, academia, and others. The No More Ransom portal now offers 121 free decryption tools covering 151 ransomware families. They have helped more than six million ransomware victims recover their encrypted files for free, without giving in to the demands of cyber extortionists. Available in 37 languages, the portal has been used by ransomware victims around the world. Its ‘Crypto Sheriff’ tool lets users upload encrypted files to identify which ransomware family they have fallen victim to, then directs them to a free decryption tool if one is available. So far, this has saved victims from paying just over €900 million, or just over a billion dollars, to cyber criminals, disrupting ransomware groups’ ability to profit from their campaigns. “Together we will do everything in our power to disrupt criminals’ money-making schemes and return files to their rightful owners, without the latter having to pay loads of money,” says the mission statement on the No More Ransom website.

    To mark the five-year anniversary of No More Ransom, the website has been updated to be more user-friendly, with updated information on ransomware as well as advice on how to prevent an infection, for both home and business users, because, as Europol notes, “Anyone can be a target – individuals and companies of all sizes”. That advice includes regularly backing up data, so that after a ransomware attack the network can be restored in the least disruptive way possible with the most recent data available; backups only help if the ransomware cannot reach them, so copies should be kept offline or otherwise immutable and restoration should be tested. No More Ransom also suggests keeping software and operating systems up to date with the latest security patches, to stop cyber criminals from exploiting known vulnerabilities to carry out ransomware attacks. It also suggests that corporate networks and remote desktop protocol (RDP) services be secured with multi-factor authentication, to provide an extra barrier against cyber criminals gaining access to the network in the first place. No More Ransom also recommends that, despite the disruption caused by ransomware attacks, victims shouldn’t give in and pay: not only because there is no reason to trust that criminals will provide a working decryption key, but because paying shows that ransomware works and encourages further attacks. “If the ransom is paid, it proves to the cyber criminals that ransomware is effective. As a result, cyber criminals will continue their activity and look for new ways to exploit systems that result in more infections and more money on their accounts,” says the No More Ransom advice.
