More stories

  • Microsoft July 2021 Patch Tuesday: 117 vulnerabilities, Pwn2Own Exchange Server bug fixed

    Microsoft has released 117 security fixes for software including a remote code execution (RCE) vulnerability in Exchange Server found by participants of the Pwn2Own competition.

    The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, includes fixes for 117 flaws tackling RCEs, privilege escalation, spoofing, memory corruption, and information disclosure. Thirteen are considered critical and nine are zero-days — with four under active exploit. Products impacted by Microsoft’s latest security update, issued on July 13, include Microsoft Office, SharePoint, Excel, Microsoft Exchange Server, Windows Defender, Windows Kernel, and Windows SMB.

    Some of the most interesting vulnerabilities resolved in this update are:

      • CVE-2021-31206: A Microsoft Exchange Server RCE found during Pwn2Own.
      • CVE-2021-34448: An actively exploited scripting engine memory corruption vulnerability, requiring a victim to actively visit a malicious website or to click a malicious link.
      • CVE-2021-34494: A Windows DNS Server RCE, albeit restricted to DNS servers only.
      • CVE-2021-34458: A Windows Kernel RCE which permits a single root input/output virtualization (SR-IOV) device, assigned to a guest, to potentially tamper with PCIe associates.

    The latest round of patches comes just a week after an emergency fix was issued by Microsoft to rectify a security flaw nicknamed “PrintNightmare.” Tracked under CVE-2021-1675 and CVE-2021-34527, the combination of RCE and a local privilege escalation flaw is already impacting some printers, and exploit code has been released. In total, four of the vulnerabilities — CVE-2021-34527 (PrintNightmare), CVE-2021-34448, CVE-2021-31979, and CVE-2021-33771 — are listed as exploited in the wild.

    Microsoft thanked researchers from Google Security, Checkmarx, the Trend Micro Zero Day Initiative, and Fortinet’s FortiGuard Lab, among other organizations, for reporting the now-patched security flaws. A number of vulnerabilities were also reported by the Microsoft Threat Intelligence Center (MSTIC). According to the Zero Day Initiative (ZDI), which reported 17 of the bugs, this month’s volume of fixes “is more than the last two months combined and on par with the monthly totals from 2020.”

    Last month, Microsoft resolved 50 vulnerabilities in the June batch of security fixes. These included seven zero-day bugs, six of which were reported by the Redmond giant as being actively exploited. A month prior, the tech giant tackled 55 security flaws during May Patch Tuesday, four of which were deemed critical, and three were zero-days. Alongside Microsoft’s Patch Tuesday round, other vendors, too, have published security updates.

  • REvil websites down after governments pressured to take action following Kaseya attack

    Security researchers are reporting that all of the dark web sites for prolific ransomware group REvil — including the payment site, the group’s public site, the ‘helpdesk’ chat and their negotiation portal — are offline. It is still unclear what caused the outages, but dozens of theories were floated online.

    On Friday, US President Joe Biden made news when he said he spoke directly to Russian President Vladimir Putin following REvil’s massive ransomware attack on Kaseya that affected almost 1,500 organizations. “I made it very clear to him that the United States expects when a ransomware operation is coming from his soil, even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is,” Biden said. “And secondly, we’ve set up a means of communication now on a regular basis to be able to communicate with one another when each of us thinks something is happening in another country that affects the home country. And so it went well. I’m optimistic.”

    White House officials are expected to meet with members of the Russian government to discuss ransomware this week. While some security researchers believe the group may have taken their own websites down, either because of internal squabbles or fear over increased law enforcement scrutiny, others think it may be the result of official actions taken by government agencies. “We all want to believe it is law enforcement, but this is a pretty extensive takedown across multiple providers,” said Allan Liska, a ransomware expert and CSIRT at Recorded Future.

    “This early on the more likely scenario is that it is a self-directed takedown. But I wouldn’t rule out ‘self-directed after a conversation with the Kremlin.’ We’ve been speculating about this since the Kaseya attack: Biden gets a win because a major ransomware gang is gone, Putin gets a win because he ‘helped’ and REvil gets to keep all of their money (and their heads). The timing, the day before the next ransomware summit tomorrow, also lines up. But, that is all speculation.”

    Jake Williams, CTO at BreachQuest, added that ransomware gangs operating in Russia “were on borrowed time the second Colonial was hit,” explaining that the Russian government didn’t care about the cybercrime occurring within its borders as long as it didn’t impact Russia itself. “That has clearly changed – the Russian government can clearly see they are being impacted by the actions of these actors. Whether REvil was taken out of commission by the Russian government, saw the writing on the wall and took infrastructure down, is simply rebranding like so many groups have (likely including REvil itself), or something else is unknown at this point,” Williams said.

    The Digital Shadows Photon Research Team has been scouring Russian-language forums for chatter about the outage and said that while discussion is limited, “some threat actors have speculated that even if law enforcement agencies have successfully targeted REvil, this will not spell the end of the group’s activities.” “Some predicted that the group will reappear under another name or split into smaller groups to attract less attention,” the team said. “The inaccessibility of the REvil ransomware group’s websites is unusual because the group’s infrastructure has historically been more stable than that of other ransomware groups. The outage could be down to temporary technical issues or upgrades, or it could signify a law enforcement disruption of the group’s operations. REvil’s representatives have not appeared on high-profile Russian-language cybercriminal forums for several days.”

    Others, like Check Point Software spokesperson Ekram Ahmed, compared the situation to the DarkSide ransomware group, which shut down its operations in May after their attack on Colonial Pipeline drew global headlines and outrage in the US. DarkSide also saw some of its infrastructure disrupted by US law enforcement agencies after the attack. “Though it might be too early to celebrate, another viable possibility is that the ransomware gang has decided to lay low, given all the attention and spotlight they’ve underwent recently from the Kaseya, Colonial Pipeline and JBS attacks,” Ahmed explained. “It’s possible that REvil has gone into ‘retirement’, or at least a temporary one, as they did with the GandCrab ransomware a few years ago.”

    REvil has attacked at least 360 US-based organizations this year, according to Emsisoft threat analyst Brett Callow. The RansomWhere research site says the group has brought in more than $11 million this year, with high profile attacks on Acer, JBS, Quanta Computer and more.

    Egnyte cybersecurity evangelist Neil Jones said people should be wary of celebrating the group’s potential downfall because new ransomware infrastructure can be brought online quickly. Steve Moore, chief security strategist at Exabeam, theorized that the outage “could be criminal maintenance, planned retirement, or, more likely, the result of an offensive response to the criminal enterprise.” “If the outage is the result of an offensive response, this then sends a new message to these groups that they have a limited window in which to work,” Moore said. “Furthermore, if a nation responds to criminals backed by and hosted in another country, this will change the definition of risk for affected private organizations.”

  • Facebook announces time bonus payouts for bug hunters

    Facebook is adding a new perk to its bug bounty program that will pay bonus rewards to researchers based on the time it takes the social network to fix a vulnerability after it’s found and reported by bug hunters. 

    Essentially, Facebook is acknowledging that it’s sometimes slow to reach a bounty decision and is using this bonus payment to encourage patience among the researchers in its bug bounty community. The Payout Time Bonus will reward reports that are paid more than 30 days from the time Facebook receives all the necessary information for a successful reproduction of the report and its impact, Facebook said. The bonuses will be paid on a sliding scale: payouts made between 30-59 days receive a 5% bonus; payouts made between 60-89 days receive a 7.5% bonus; and payouts made after 90 days or more receive a 10% bonus. Reports that require clarification from the researcher will have the payments adjusted accordingly.

    Facebook has always maintained a friendly relationship with the infosec community, and is one of the few companies managing its own bug bounty program. Facebook is known for offering large payouts on a regular basis, and often open-sources many security-focused tools. After the Cambridge Analytica scandal, Facebook intensified its efforts to improve the security of its main platform and mobile apps, and also of its adjacent third-party app ecosystem.

    In 2018, Facebook started paying significant bug bounties to researchers who discovered exposures of user data in popular Facebook third-party apps and games. The following year, the social network expanded its bug bounty program to offer rewards for finding cases where third-party services exposed Facebook user access tokens. Around the same time, Facebook also began offering rewards of up to $40,000 to researchers who found vulnerabilities that could lead to account takeovers.

    Facebook stepped up its efforts to woo bounty hunters last year with the launch of Hacker Plus, the first-ever loyalty program for a tech company’s bug bounty platform. Designed after the loyalty programs used by airlines and hotels, Facebook said Hacker Plus would provide extra bonuses and special perks to bug hunters based on their past reports.

  • Ransomware: Only half of organisations can effectively defend against attacks, warns report

    Around half of firms don’t have the technology to prevent or detect ransomware attacks, according to research by cybersecurity company Trend Micro. It suggests that many organisations don’t have the cybersecurity capabilities required to prevent ransomware attacks, such as the ability to detect phishing emails, remote desktop protocol (RDP) compromise or other common techniques deployed by cyber attackers during ransomware campaigns.

    For example, the report warns that many organisations struggle to detect the suspicious activity associated with ransomware attacks which could provide early evidence that cyber criminals have compromised the network. That includes failing to identify unusual lateral movement across corporate networks, or to spot unauthorised users gaining access to corporate data. The cyber criminals behind ransomware attacks are accessing this data not only to encrypt it, but also to steal it, using the threat of publishing stolen information as extra leverage to pressure ransomware victims into paying the ransom for the decryption key.

    The research, commissioned by Trend Micro, also suggests that under half of organisations can recover quickly following a ransomware attack, and that two in five could struggle to effectively learn the mitigation processes required to avoid falling victim to a ransomware attack in future, even after falling victim to cyber criminals.

    “There is still a lot of scope for ransomware to become a larger problem,” warns the research paper. “And if organisations are ill-prepared the first time to defend against an attack, they may be ill-prepared the second and third times too. Until the business model of ransomware and extortion is disrupted, ransomware is an enduring threat that organizations will have to defend against.”

    The paper, based on interviews with 130 cyber professionals in mid-sized and large organisations in the United States conducted specifically for the research, recommends three cybersecurity procedures which organisations should employ to help protect against falling victim to ransomware and other cyber attacks. They are multi-factor authentication (MFA), rapidly patching security vulnerabilities and storing backups offline.

    MFA can help a lot, because even if cyber criminals do manage to steal passwords, that extra layer of protection can act as an effective barrier to exploiting them. “While phishing may still result in compromised credentials, MFA reduces the consequential impact,” said the report. Meanwhile, rapid patching reduces the ability of cyber criminals to exploit known security vulnerabilities as part of the attack chain, while storing backups offline provides a method of retrieving data without paying cyber criminals for a decryption key.

    Even so, restoring the network can be a long and cumbersome process, so the best means of avoiding it is to avoid falling victim to a ransomware attack altogether – although the paper acknowledges that no cybersecurity strategy can completely prevent cyber attacks. However, if an organisation has a pre-prepared strategy on how to react to a cyber attack, it can make damage limitation and recovery much more effective.

  • These Iranian hackers posed as academics in a bid to steal email passwords

    An Iranian cyber espionage campaign used spoofed identities of real academics at a UK university in phishing attacks designed to steal the password details of experts in Middle Eastern affairs at universities, think tanks and the media. Detailed by cybersecurity researchers at Proofpoint, who’ve dubbed it Operation SpoofedScholars, the campaign also compromised a university-affiliated website in an effort to deliver personalised credential harvesting pages to targets, under the guise of inviting them to speak in a webinar on Middle Eastern issues.

    Proofpoint researchers have linked the phishing campaign to an Advanced Persistent Threat (APT) group they refer to as TA453 – also known as Charming Kitten and Phosphorus – a state-backed intelligence gathering operation working on behalf of the Islamic Revolutionary Guard Corps (IRGC), a branch of the Iranian armed forces. The attackers used Gmail addresses designed to look like they belonged to genuine academics at the University of London’s School of Oriental and African Studies (SOAS), exploiting trust in the names of real staff.

    The attackers operating the email address sent messages to prospective targets, inviting them to an online conference on “The US Security Challenges in the Middle East”, including the offer to speak to the target on the phone to discuss details, which is unusual. Eventually, the attackers sent a personalised “registration link” to their targets, sending them to what looked like a SOAS webinar platform. This was hosted on a legitimate but compromised website belonging to the University of London’s SOAS Radio – a website SOAS says is separate from the main SOAS website and not part of the official domain – which asked the user to sign in to the platform via an email address, with different links to click on depending on the victim’s choice of email hosting provider.

    Options included Google, Yahoo, Microsoft, iCloud, Facebook and others – and if the user clicked on the link, they’d be taken to a spoofed version of the email provider’s login page, which the attackers could use to steal the username and password, with the intention of espionage and additional phishing attacks. The researchers are confident that the campaign is working out of Iran.

    “Attribution specifically for Operation SpoofedScholars is based on similarities to previous TA453 campaigns and consistency with TA453’s historical targeting. TA453 often uses free email providers to spoof individuals familiar to their targets to increase the likelihood of successful compromise,” Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told ZDNet. “Additionally, TA453 concentrates their credential phishing to specific individuals of interest to collect intelligence through exfiltration of sensitive email and contacts or initial access for future phishing campaigns.”

    It’s not known if the attackers have been successful in their attempts to steal information, but after being informed that the website was compromised, SOAS took action to remove it. “Once we became aware of the dummy site earlier this year, we immediately remedied and reported the breach in the normal way. We have reviewed how this took place and taken steps to further improve protection of these sort of peripheral systems,” a SOAS spokesperson told ZDNet. “To be clear, academic staff at SOAS of course have no involvement in this process, nor has any action or statement by SOAS staff led to them being spoofed in this way. There was no suggestion of breach of cybersecurity by any SOAS staff,” they said.

    Iranian cyber operations have regularly targeted academics in the UK and it’s likely that they’ll return with further campaigns in future. “Educational institutions will remain prime targets due to high student, faculty and staff populations and turnover, coupled with ongoing independent research and the culture of openness and information-sharing,” said DeGrippo. “It is vital that educational institutions make security awareness training and people-centric cybersecurity solutions a priority to aid staff with the ability to identify phishing pages,” she added.

  • Modipwn: code execution vulnerability discovered in Schneider Electric Modicon PLCs

    A vulnerability discovered in Schneider Electric (SE) Modicon programmable logic controllers (PLCs) allows full takeover of the industrial chips.

    Discovered by Armis researchers, the vulnerability can be used to bypass existing security mechanisms in PLCs to hijack the devices and potentially impact wider industrial setups. The authentication bypass vulnerability, dubbed Modipwn, has been assigned CVE-2021-22779. Without authorization, it is possible for attackers to abuse undocumented commands and obtain full control over one of these chips, overwriting memory, leaking a hash required to take over secure connections, and executing code — which, in turn, can impact the security of workstations that manage the PLCs.

    SE Modicon PLCs are used to control Industrial Internet of Things (IIoT) devices in the construction, energy, machinery, and utility sectors, among others. Armis says that to trigger an attack, only network access to the target PLC is required.

    Armis says there are inherent security issues in Modbus, an industry-standard protocol — and as SE’s proprietary UMAS is based on the protocol, PLCs linked to UMAS may be beset by known, weak encryption and authentication mechanisms in the original Modbus standard. When chained with CVE-2021-22779, this can result in known UMAS bugs (CVE-2021-22779, CVE-2018-7852, CVE-2019-6829, and CVE-2020-7537), partially mitigated, still being a risk to Modicon M340 and M580 products, as well as “other models.” “SE has stated in the past its intent to adopt the Modbus Security protocol that offers encryption and authentication mechanisms that are not part of the classic Modbus protocol,” Armis says. “These adoption steps, however, have yet to be implemented.”

    Armis informed SE of its findings on November 13, 2020. SE is due to issue clients an advisory with steps toward mitigation, but a full patch is not expected until Q4 2021. In addition, two further vulnerabilities were found by the research team — both of which were authentication bypass bugs — which SE also needs to resolve. “Due to inherent shortcomings of the Modbus protocol that powers SE’s Unified Messaging Application Services (UMAS) protocol used by Modicon PLCs, Armis will continue working with SE and additional vendors to address these issues,” the company says.

    In 2018, a zero-day vulnerability was exploited in SE Triconex controllers by attackers attempting to disrupt industrial operations in the Middle East. During these attacks, the Triton Trojan was deployed to tamper with emergency shutdown systems. “As always, we appreciate and applaud independent cybersecurity research because, as in this case, it helps the global manufacturing industry strengthen our collective ability to prevent and respond to cyberattacks,” Schneider Electric said in a statement.

  • Google's Certificate Authority Service leaves preview, now generally available

    Google has announced the general availability of the Google Cloud Certificate Authority Service (CAS). 

    On Monday, head of solutions strategy Anoosh Saboori said that following a successful public preview announcement in October, the company has observed a “tremendous” reception from the market, as well as many “innovative use cases for the service.” Google CAS is a scalable service for managing and deploying private certificates via automation, as well as managing public key infrastructure (PKI). The tech giant says the platform was created to “address the unprecedented growth in certificates in the digital world” prompted by the popularity of cloud services, Internet of Things (IoT), containers, microservices, smart devices, and next-generation connectivity.

    Clients have implemented CAS for use cases including identity management, bolstering security around data transport, and creating digital signature services. Another use case cited by Google was using CAS as a “pay as you go” solution in IoT. “We saw small to midsize companies who are building IoT peripherals, like wireless chargers, USB devices, or cables reaching out with a need for certificates,” Saboori commented. “They do not want to invest in PKI and CAs as it is not their core business and the economy of it does not make sense given their market size.”

    Three new members have now joined the CAS partnership program: Keyfactor, Jetstack and Smallstep. The program’s existing partners were Venafi and AppViewx.

    In a separate blog post announcing the partnership, Keyfactor highlighted two challenges associated with the increased adoption of PKI and digital certificates: the means to scale PKI to cope with demand, and how to manage what could be thousands of certificates across an organization. “To thrive in the era of hybrid and multi-cloud infrastructure, IT and security teams need to seriously rethink how they deploy their PKI and manage digital certificates,” Keyfactor says. “The key to success is simple, repeatable processes for certificate management across all platforms and devices.”

    In related news, in April, Broadcom said a new strategic partnership would see its Symantec suite and enterprise operations move over to Google Cloud in order to improve service delivery.

  • Ransomware: We need a new strategy to tackle 'exponential' growth, says Interpol

    The International Criminal Police Organization, Interpol, has called for collaboration between police and industry to prevent a “potential ransomware pandemic”. Ransomware, though not the most costly cybercrime – that title goes to business email compromise, according to the FBI 2020 figures for victim payments – has hit a nerve with world leaders and law enforcement agencies due to a spate of disruptive, high-stakes ransomware attacks in recent months, including on US critical infrastructure. 


    “Ransomware has become too large of a threat for any entity or sector to address alone; the magnitude of this challenge urgently demands united global action,” said Interpol secretary general Jürgen Stock. Interpol said more collaboration against ransomware was needed in the face of its “exponential growth” in the wider cybercrime ecosystem, with criminals shifting their business model towards providing ransomware as a service.

    An attack in June shut down major eastern seaboard fuel distribution network Colonial Pipeline for days. Another attack that month on global meatpacker JBS USA netted its attackers $11 million, and this month’s ransomware supply chain attack on tech firm Kaseya affected the firm’s managed service provider customers and over 1,000 of their customers, including Coop, the fourth largest supermarket chain in Sweden. According to the newly launched site, Ransomwhere, which tracks payments to ransomware attackers, the most lucrative operation right now is REvil/Sodinokibi – the ransomware-as-a-service platform behind the attacks on JBS and Kaseya.

    The group has demanded $70 million to provide Kaseya a universal decryption tool, but this year alone it has grabbed $11.3 million in bitcoin payments. “Despite the severity of their crimes, ransomware criminals are continuously adapting their tactics, operating free of borders and with near impunity,” said Stock. “Much like the pandemic it exploits, ransomware is evolving into different variants, delivering high financial profits to criminals,” he added.

    US president Joe Biden in recent talks with Russian president Vladimir Putin said critical infrastructure should be “off limits”. The White House press secretary said Biden told Putin that “if the Russian government cannot or will not take action against criminal actors residing in Russia, we will take action or reserve the right to take action on our own.” The US stance is that the Russian government is still responsible for cybercriminals operating within its jurisdiction even if the activity is not backed by the Kremlin, which was blamed by the US for the SolarWinds supply chain attack.

    Exactly what action the US would take in the absence of a Russian-led clampdown remains to be seen. However, last week, asked whether it would make sense for the US to attack the servers used in ransomware attacks, Biden said, “Yes”, according to Reuters. Interpol is looking to partner with private sector cybersecurity firms as well as government agencies and CERTs, or computer emergency response teams, to disrupt ransomware gangs. “Policing needs to harness the insights of the cyber security industry, computer emergency response teams and other agencies to identify and disrupt cyber criminals as part of a true coalition, working together to reduce the global impact of cybercrime,” said Stock.