More stories


    Patch now: Linux file system security hole, dubbed Sequoia, can take over systems

    Some days, it doesn’t rain, it pours. That’s the case with Linux today. Not one, but two serious security holes have recently been exposed. First, there was a systemd bug which could easily knock out systems. Now there’s this security hole in the Linux kernel’s file system, which any user could use to take over a computer. Like I said, some days it just pours.

    The Qualys Research Team, which uncovered the bug, describes it as a size_t-to-int type conversion vulnerability in the Linux kernel’s filesystem layer. It has been named Sequoia and designated CVE-2021-33909. Doesn’t sound like much, does it? Au contraire! It can be used against most Linux distributions in their default configurations. And, worse still, any — I repeat, any — unprivileged user can abuse it to gain root privileges.

    Here’s how it works. We all use filesystems every day, but you probably don’t think about how they work. Who, except for developers, does? In Linux’s case, the file system interface is implemented in a three-layered architecture: the user interface layer, the file system implementation, and the storage device drivers. Within the file system layer, the kernel’s seq_file interface produces virtual files containing sequences of records. Each record must fit into a seq_file buffer, and when the buffer runs out of space it is enlarged by doubling its size. On its own that is not a problem: the size is tracked in a size_t variable, and you would run out of memory long before you could abuse it. The problem shows up because this size_t value is also passed to functions whose size argument is a signed 32-bit int, not a size_t. Once the buffer grows to 2GB, the conversion to int no longer fits and the size becomes negative. Then, as Bharat Jogi, Qualys’ Senior Manager of Vulnerabilities and Signatures, explains, “If an unprivileged local attacker creates, mounts, and deletes a deep directory structure whose total path length exceeds 1GB, and if the attacker open()s and read()s /proc/self/mountinfo, then” through a series of further maneuvers the attacker can write to out-of-bounds memory. With that, an attacker can corrupt data, crash the system, or, worst of all, execute unauthorized code. Alas, there are numerous known techniques that turn a memory overwrite like this into root access and full control of a computer.

    In fact, that’s exactly what the Qualys security team did. They developed an exploit, which they then used to obtain full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34. OK, let’s just admit it: pretty much any Linux distro is vulnerable to this trick. Is this a great day to be a Linux sysadmin or what?

    The good news is that while this problem is alive and nasty in any system running Linux kernel 3.16 through 5.13.x before 5.13.4, patches are available. In fact, I patched my Linux Mint desktop for it before I even started to write this story. Yes, it’s that bad. Eric Sandeen, Red Hat’s top file system developer, came up with a fix for the problem. Greg Kroah-Hartman, the maintainer of the Linux stable branch, subsequently released the kernel patch for Sequoia on July 20th in the Linux kernel 5.13.4 release.

    If you can’t upgrade your kernel, you can still mitigate the problem by setting /proc/sys/kernel/unprivileged_userns_clone to 0. This prevents an attacker from mounting a long directory in a user namespace. (That sysctl comes from a Debian and Ubuntu kernel patch; on other distributions the equivalent is setting user.max_user_namespaces to 0.) However, the attacker may still be able to mount a poisonously long directory via Filesystem in Userspace (FUSE). You should also set /proc/sys/kernel/unprivileged_bpf_disabled to 1. This prevents an attacker from loading an eBPF program into the kernel. However, there may be other ways to attack. The only sure way to stop this security hole in its tracks is to update your kernel. The fix is now available in most Linux distributions. So, if you’ve been sitting on your hands and not updating your Linux computers, it’s time to get off them and start typing in patching commands.
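    To make the size_t-to-int problem concrete, here is a small user-space model of it. This is an added example written for this page, not Qualys’ exploit and not kernel code: it imitates the seq_file buffer-doubling loop, hands the resulting size_t to a callee that takes an int (the narrowing the bug is about), and beside it shows a hardened allocator that, like the 5.13.4 fix in seq_buf_alloc(), refuses any buffer larger than MAX_RW_COUNT before the narrowing can happen. The PAGE_SIZE constant and the function names are assumptions made for the demonstration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed page size for this model (the kernel's value is architecture-specific). */
#define PAGE_SIZE 4096UL
/* The kernel's ceiling for a single read/write: INT_MAX rounded down to a page.
 * The upstream fix makes seq_buf_alloc() refuse anything larger than this. */
#define MAX_RW_COUNT ((size_t)INT_MAX & ~(PAGE_SIZE - 1))

/* Model of the seq_file growth loop: start at one page and keep doubling
 * until the record fits. Returns the buffer size that would be allocated.
 * Tracked in size_t, so on its own this cannot wrap for any realistic input. */
size_t seq_grow_size(size_t record_len)
{
    size_t size = PAGE_SIZE;
    while (size < record_len)
        size <<= 1;
    return size;
}

/* A callee whose length parameter is a signed int, standing in for the
 * internal functions the buffer size was handed to. The narrowing happens
 * silently at the call site; C does not flag it. */
int as_int_length(int len)
{
    return len;
}

/* Vulnerable path: the unchecked size_t is narrowed to int. Once the buffer
 * reaches 2 GiB (bit 31 set) the int becomes negative, and any later bounds
 * arithmetic done with it points below the buffer. */
int vulnerable_length(size_t record_len)
{
    size_t size = seq_grow_size(record_len);
    return as_int_length(size);   /* implicit size_t -> int, no check */
}

/* Hardened path, mirroring the upstream fix: reject the allocation before
 * the size can ever be narrowed. Returns false when the request is refused. */
bool hardened_length(size_t record_len, int *out)
{
    size_t size = seq_grow_size(record_len);
    if (size > MAX_RW_COUNT)
        return false;
    *out = (int)size;   /* safe: size <= MAX_RW_COUNT < INT_MAX */
    return true;
}

int main(void)
{
    /* A path just over 1 GiB forces the doubling loop to a 2 GiB buffer,
     * which is the situation the Qualys advisory describes. */
    size_t path_len = (1UL << 30) + 1;
    int h;

    printf("buffer %zu bytes -> as int: %d\n",
           seq_grow_size(path_len), vulnerable_length(path_len));
    printf("hardened allocator accepts 2 GiB: %s\n",
           hardened_length(path_len, &h) ? "yes" : "no");
    printf("hardened allocator accepts 5000-byte record: %s (size %d)\n",
           hardened_length(5000, &h) ? "yes" : "no", h);
    return 0;
}
```

    The point the example makes is that nothing in the growth loop is wrong; the defect is entirely at the boundary where a size_t crosses into an int parameter, which is why the fix is a ceiling on the allocation rather than a change to the doubling logic.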


    US House terminates deal with iConstituent after company waited days to raise ransomware alarm

    The Office of the Chief Administrative Officer (CAO) — which provides support services to US House members of both parties — sent a letter to members of Congress announcing that it has terminated all contracts with iConstituent and will no longer authorize the platform’s use because of multiple cybersecurity incidents. iConstituent is currently used by about 60 House members and was designed to facilitate communication between politicians and local residents. But in May the platform was hit with a ransomware attack, and Chief Administrative Officer of the House Catherine Szpindor told Punchbowl News that the attack targeted iConstituent’s e-newsletter system, which House members buy access to. Szpindor added at the time that no data from the House had been taken or accessed and that the network used by the House was not affected.

    But in a letter to House members first obtained by CNN’s Melanie Zanona, the CAO ripped into iConstituent for multiple security incidents — some of which had not been reported before — and for its lackluster response to questions from government officials. On Tuesday, iConstituent was notified that its contracts have been terminated and that the platform will no longer “be authorized to provide CMS, Maintenance, Systems Administration, or Web services to House offices,” according to the letter. House members will have until December 31 to move off the iConstituent platform. “The CAO is taking this action because of multiple cybersecurity incidents involving iConstituent over the past several years. The CAO recognizes this will significantly impact your Office’s operations. The CAO did not come to this decision lightly,” the letter said, adding that the office would provide members of Congress with help in finding replacement systems.

    iConstituent will still provide its services to Congress while members transition to other approved vendors. The letter explains that part of what caused the cancellation was iConstituent’s response to the ransomware attack in May. According to the CAO, iConstituent waited nearly a week before informing government officials of the ransomware attack on its e-Newsletter service. “This delay in notification was a serious violation of iConstituent’s contractual requirements designed to protect Member and constituent information,” the CAO said. “The CAO’s efforts to obtain additional details from iConstituent since then have been met with conflicting and inconsistent information, further delays, and an overall lack of transparency. While iConstituent has represented that no House information was impacted as a result of the ransomware attack — and the CAO has no evidence to contest that conclusion — the circumstances of the attack and iConstituent’s response raise irreparable doubts about their ability to securely deliver technology services to the House.”

    The letter goes on to detail multiple earlier iConstituent cybersecurity incidents, including ones in July 2013 and November 2018 in which the platform either “failed to secure House web data” or had its eNewsletter platform compromised. The platform compromise happened because iConstituent did not apply “critical” patches to its system, according to the CAO. In the 2018 incident, the root passwords of multiple websites were exposed to the public-facing internet. The CAO said it had previously penalized iConstituent by withholding payments and barring the company from taking on any more members of Congress as clients. “Based on this latest incident, the vendor still does not appear to have meaningfully improved their security practices,” the CAO said.

    A list of resources and options was provided to House members at the end of the email, and administrators pledged to contact each office to help with the transition process. Despite the actions taken by the House, iConstituent is still used widely across state governments in Nevada, Georgia and Hawaii and in cities such as Los Angeles. The New York State Assembly also has a contract with the company for services.


    Microsoft acquires privileged access management vendor CloudKnox Security

    Microsoft is acquiring CloudKnox Security for an undisclosed amount to help build out its cloud security and Zero Trust strategy, officials announced on July 21. Officials said they will provide more information on what they’ll do with CloudKnox’s technology as they integrate it with Microsoft’s existing identity, security, and compliance services, including Microsoft 365 Defender, Azure Defender, and Azure Sentinel. CloudKnox Security is based in Sunnyvale, CA. Its security platform supports the monitoring and management of identities, actions, and resources in hybrid and multi-cloud environments, according to its web site. CloudKnox has been a big AWS partner. In a blog post announcing the acquisition, Microsoft officials said the CloudKnox technology will further enable Azure Active Directory customers with “granular visibility, continuous monitoring, and automated remediation for hybrid and multi-cloud permissions.” CloudKnox will help bring automated and simplified access policy enforcement to multi-cloud platforms and help with machine-learning-based anomaly detection, officials said. Microsoft has continued snapping up security companies for the past few years, including RiskIQ and ReFirm Labs, both of which the company purchased earlier this year.


    This password-stealing Windows malware is distributed via ads in search results

    A newly discovered form of malware delivered to victims via adverts in search results is being used as a gateway to stealing passwords, installing cryptocurrency miners and delivering additional trojan malware. Detailed by cybersecurity company Bitdefender, the malware – which targets Windows – has been dubbed MosaicLoader and has infected victims around the world as those behind it attempt to compromise as many systems as possible.

    MosaicLoader can be used to download a variety of threats onto compromised machines, including Glupteba, a type of malware that creates a backdoor onto infected systems, which can then be used to steal sensitive information, including usernames and passwords, as well as financial information. Unlike many forms of malware, which are distributed via phishing attacks or unpatched software vulnerabilities, MosaicLoader is delivered to victims via advertising. Links to the malware appear at the top of search results when people search for cracked versions of popular software. Because advertising space is bought and served by automated systems, nobody in the chain – aside from the attackers – is likely to know the adverts are malicious at all. The security company said that employees working from home are at higher risk of downloading cracked software.

    “Most likely, attackers are purchasing adverts with downstream ad networks – small ad networks that funnel ad traffic to larger and larger providers. They usually do this over the weekend when manual ad vetting is impacted by the limited staff on call,” Bogdan Botezatu, director of threat research and reporting at Bitdefender, told ZDNet. It’s possible that the malware would be detected by antivirus software, but many users downloading illegally cracked software have likely turned their protections off in order to access and install the download. In order to make the download seem as legitimate as possible to the user, the cracked software mimics the file information of the real software, even down to names and descriptions within file folders.  However, all that’s downloaded is MosaicLoader, which provides the attackers with access to the machine. Researchers note that attackers try to steal usernames and passwords for online accounts, as well as operate cryptocurrency miners and drop trojan malware, which provide backdoor access to machines. It’s suspected that the aim of this campaign is to eventually sell access to compromised Windows machines – although the fact that additional malware is already being installed suggests the attackers are stealing data for themselves. 


    “From what we can tell, this new MosaicLoader attempts to infect as many devices as possible, likely to build up market share and then sell access to infected computers to other threat actors,” said Botezatu. According to Bitdefender, the cyber-criminal group behind MosaicLoader is likely a new operation, without ties to any previously known groups. They’re trying to spread the malware as widely as possible – but the current form of distribution means that, so long as users aren’t attempting to download cracked software, they’ll remain safe. Users should also be wary of following instructions to turn off antivirus software, as that can allow malicious software to infiltrate the system. “We advise users to never turn off their security solution when it blocks the installation of software downloaded from the internet, as attackers have become adept at bundling legitimate apps with malware,” said Botezatu.


    'Where's my iPadOS 14.7 update?'

    A lot of you have been asking me where iPadOS 14.7 is, given that iOS 14.7 has been rolling out to iPhones for a while now (long enough for bugs to appear). Doesn’t Apple release iOS and iPadOS updates simultaneously? Also, a whole bunch of tech sites said it was available alongside iOS 14.7. So, where is it?

    No idea. Apple seeded the release candidate versions of both iOS 14.7 and iPadOS 14.7 to developers on July 13, so it seemed like a simultaneous release was on the cards.

    And then it was a no-show. I’ve seen random claims that it was “temporarily available” or something about it not being “fully available,” but I’m skeptical. I didn’t see it, no one has a copy of it, it’s not on the usual download sites, and I’ve not seen an iPad running it. It wasn’t released.

    So, why not? In my mind, it’s either a show-stopping bug, or, more likely, Apple pushed iOS 14.7 out to fix an iPhone security vulnerability, and either that bug is not applicable to iPadOS, or the iPadOS fix isn’t ready. I’m thinking the delay might be the reason why Apple hasn’t yet released details of the security fixes in the updates that have been rolled out. Apple has been approached for comment and I will update the post if a comment is received, but I highly doubt that the company will issue a comment regarding this. Apple will release iPadOS 14.7 (or perhaps 14.7.1) when it’s good and ready.


    Chrome just added these big new security and privacy features

    Google has released Chrome version 92 with fixes for several high-severity security issues and a bevy of new privacy features. First up, via MacRumors, Chrome for iOS now lets users lock their Incognito tabs with Touch ID, Face ID, or a passcode. This can be enabled in Settings > Privacy > Lock Incognito tabs.

    Once locked, Incognito tabs won’t be visible after leaving and reopening Chrome until the user authenticates. Google is also making it easier to control which sites can access hardware features such as the microphone, location and camera, Google noted in a blog post. To see which sites you’ve previously given permissions to, press the lock icon in the address bar; the panel lets you toggle access to these features on or off. In a future release, Chrome will gain the option to delete the site from browsing history. In this release, Google has also fleshed out its Chrome Actions, a feature for getting tasks done with fewer keystrokes. Typing “edit passwords” or “delete history” offers a shortcut to those settings. New actions include “safety check”, which checks the security of saved passwords and scans for malicious extensions. Typing “manage security settings” or “manage sync” opens the relevant controls.

    Google has also beefed up site isolation, a security feature it introduced to blunt Spectre-style side-channel attacks, in which malicious JavaScript on one website could read information belonging to another website loaded in the same process. As Google has previously explained, site isolation changes Chrome’s architecture to limit each renderer process to documents from a single site. “Site Isolation will now cover a broader range of sites, as well as extensions, and all of this comes with tweaks that improve Chrome’s speed,” Google noted in a blog post. Google has also bolstered Chrome’s phishing protection with image processing, comparing the color profile of a visited page with the color profiles of known pages. “If the site matches a known phishing site, Chrome warns you to protect your personal information and prevent you from exposing your credentials,” Google noted in the Chromium blog. Google noted that this technique can create a heavy load on the CPU, so it devised methods to make it more efficient. “On average, users will get their phishing classification results after 100 milliseconds, instead of 1.8 seconds,” it added. Those seconds count when the purpose of the protection is to stop people typing their credentials into a phishing page before the warning appears. Google’s optimizations produced a reduction of “almost 1.2% of the total CPU time used by all Chrome renderer processes and utility processes,” it said. Finally, Google patched 35 security flaws in versions of Chrome prior to version 92, nine of them rated high severity.


    Apple confirms iOS 14.7 unlocking bug headache, especially for enterprise users

    Another day, another iOS bug. This one affects those who have upgraded an older iPhone equipped with Touch ID to iOS 14.7, and who also use an Apple Watch.

    If you have your iPhone set to unlock your Apple Watch automatically, then this feature may no longer work. According to a support document published by Apple, “an issue in iOS 14.7 affects the ability of iPhone models with Touch ID to unlock Apple Watch.” This is not a big deal, and typing the passcode into the Apple Watch is hardly a hardship, but muscle memory is a strange thing, and you may have gotten used to your Apple Watch being unlocked automatically by now. So why did Apple publish a support document so quickly for such an obscure bug?

    Because this bug affects enterprise users, and for those users things are more complicated. If the Apple Watch is paired to an iPhone with a Mobile Device Management (MDM) profile that requires an alphanumeric passcode, then users won’t be able to type the passcode into the Apple Watch at all. The workaround here is cumbersome: users will have to ask the MDM administrator to remove the alphanumeric passcode requirement from the iPhone, then unpair and erase the Apple Watch before setting it up again. That’s a lot of faff. The support document also reminds MDM administrators that they can defer updating affected iPhones until a patch is released.


    $49 malware receives major upgrade to strike both Windows and macOS PCs

    Researchers have spotted a cheap malware variant, once focused on Windows machines, that has been upgraded to infect Macs as well.

    On Wednesday, Check Point Research (CPR) said the malware, dubbed “XLoader,” originates from a Windows-based variant known as Formbook. Formbook was once available in underground forums for as little as $29 a week on a subscription basis. However, this malware was pulled from sale roughly four years ago by the developer, known as ng-Coder, and did not reappear until 2020, when it resurfaced under the new name XLoader. It should be noted that although sales ended, Formbook remains a prevalent threat in the wild. CPR has been analyzing the malware over the past six months. The researchers found that the same code base as Formbook is in play, but that the developer has implemented substantial changes, including new capabilities for compromising macOS systems. Infection chains begin with phishing: spoofed emails carry malicious attachments such as weaponized Microsoft Office documents laden with the malware. XLoader is spyware with remote access capabilities, keystroke logging, the ability to take screenshots, and data exfiltration features such as the theft of account credentials. In addition, the malware has an extensive command-and-control (C2) setup, using close to 90,000 domains in its network communication, of which only 1,300 are real C2 servers.

    “The other 88,000 domains belong to legitimate sites; the malware sends malicious traffic to them as well,” CPR says. “This presents security vendors with the dilemma of how to determine which are the real C&C servers and not false-positively identify legitimate sites as malicious.” XLoader has been made available in underground forums under license for between $59 and $129, depending on the length of the subscription and whether the buyer wants a Windows or macOS version.

    CPR has found links between ng-Coder and the forum user xloader, the latter of whom is thought to be just a seller. It appears that potential threat actors in 69 countries have so far requested access to the malware, which is managed through a centralized C2 server. Over half of the XLoader victims detected so far are in the United States. “While there might be a gap between Windows and macOS malware, the gap is slowly closing over time,” commented Yaniv Balmas, Head of Cyber Research at CPR. “The truth is that MacOS malware is becoming bigger and more dangerous. Our recent findings are a perfect example and confirm this growing trend.”