More stories

  • in

    Microsoft reveals authentication failures, system hijack vulnerabilities in Netgear routers

    Microsoft has disclosed a series of vulnerabilities in Netgear routers which could lead to data leaks and full system compromise.

    On June 30, Jonathan Bar Or, a member of Microsoft’s 365 Defender Research Team, revealed the vulnerabilities, which were patched prior to public disclosure. Bar Or said that the trio of bugs impacted DGN-2200v1 series routers — running firmware prior to v1.0.0.60 — which “opened the gates for attackers to roam untethered through an entire organization.”

    Microsoft’s security team discovered the vulnerabilities after noting strange behavior on the router’s management port. Although the communication was protected with TLS encryption, it was still flagged as an anomaly when machine learning models were applied. Upon further investigation of the router firmware, the researchers found three flaws in the HTTPd authentication.

    The first allowed the team to access any page on a device, including pages that should require authentication such as the router management pages, by appending GET variables to requests within substrings, amounting to a full authentication bypass.

    The second flaw, found in how the router verified users via HTTP headers, permitted side-channel attacks. If exploited, attackers could extract stored credentials.

    Finally, the third vulnerability used the prior authentication bypass to extract the router’s configuration restore file, which was encrypted using a constant key, “NtgrBak,” allowing remote attackers to decrypt it and extract the stored secrets.

    Netgear was made aware of the security issues privately through the Microsoft Security Vulnerability Research (MSVR) program. The firmware vulnerabilities have been patched by Netgear, which issued a security advisory in December detailing the flaws. The bugs have been assigned the identifiers PSV-2020-0363, PSV-2020-0364, and PSV-2020-0365 and have been issued CVSS severity scores of between 7.1 and 9.4, rating them critical.

    Netgear recommends that customers install the latest firmware available for their routers by visiting Netgear Support, typing their model number into the search box, and downloading the newest firmware version. Alternatively, updates can be accessed via the Netgear apps.

    “The rising number of firmware attacks and ransomware attacks via VPN devices and other internet-facing systems are examples of attacks initiated outside and below the operating system layer,” Microsoft says. “As these types of attacks become more common, users must look to secure even the single-purpose software that run their hardware — like routers.”


  • in

    This major ransomware attack was foiled at the last minute. Here's how they spotted it

    A ransomware gang installed remote desktop software on over 100 machines across a network, and their plans to encrypt the network were only foiled at the last minute when cybersecurity experts were called into a company after suspicious software was found on its network. The efforts made by criminals to lay the foundations for a ransomware attack, which resulted in legitimate remote access software being installed on 130 endpoints, were discovered when security company Sophos was brought in to investigate the unnamed company after Cobalt Strike was detected on its network. 

    Cobalt Strike is a legitimate penetration testing tool, but it’s commonly used by cyber criminals in the early stages of a ransomware attack. One of the reasons it is favoured by cyber criminals is that it partially runs in memory, making it difficult to detect.

    The goal of the gang was to encrypt as much of the network as possible with REvil ransomware, but because the cyber criminals were detected before they could finalise their preparations, the attack wasn’t successful – although they managed to encrypt data on some unprotected devices and deleted online backups after they noticed they’d been spotted by investigators.

    A ransom note left by REvil on one of the few devices that was encrypted revealed a demand of $2.5 million in bitcoin for a decryption key – although this wasn’t paid. But in the run-up to the attack the attackers had managed to gain enough control of the network to install software on over 100 machines – and the company being targeted didn’t notice.

    “As a result of the pandemic, it’s not unusual to find remote access applications installed on employee devices,” said Paul Jacobs, incident response lead at Sophos. “When we saw Screen Connect on 130 endpoints, we assumed it was there intentionally, to support people working from home. It turned out the company knew nothing about it – the attackers had installed the software to ensure they could maintain access to the network and compromised devices.”

    This was just one of several methods the cyber criminals used to maintain their hold on the network, including creating their own admin accounts. But how did the cyber criminals get onto the network in the first place in order to use Cobalt Strike, set up remote access accounts and gain admin privileges?

    “From what we have seen in our investigations, there is a variety of methods used, most commonly it is users being phished often weeks or months earlier, then there is the exploitation over firewall and VPN vulnerabilities or brute forcing RDP if it is exposed to the internet,” Peter Mackenzie, manager of Sophos Rapid Response, told ZDNet.

    In this instance, the attempted ransomware attack wasn’t successful, but ransomware is so prolific at the moment that organisations are regularly falling victim. REvil, the ransomware used in the incident investigated by Sophos, was deployed in the successful ransomware attack against JBS, with the cyber criminals behind it making off with $11 million in bitcoin.

    However, there are steps that all organisations can take to prevent cyber criminals from gaining access to the network in the first place. “Firstly, ensure every single computer on your network has security software installed and managed centrally. Attackers love unprotected machines. Next, make sure they are getting patches regularly and remember if a computer hasn’t rebooted for a year, then it likely hasn’t applied any patches either,” said Mackenzie.

    But while using technology correctly can help protect against cyberattacks, it’s also useful to have eyes on the network. People who have a good understanding of what’s on the network can detect and react to any potentially suspicious activity – such as the use of Cobalt Strike, which in this case resulted in the ransomware attack being discovered before significant damage was done. “For the best cybersecurity, you need people watching what is happening and reacting to it live, that is what can make the biggest difference,” said Mackenzie.


  • in

    Colombia police collar suspected Gozi Trojan distributor

    Law enforcement in Colombia has arrested an alleged cybercriminal who apparently acted as a distributor for the Gozi Trojan. 

    As reported by the Associated Press, Mihai Ionut Paunescu, also known as “Virus,” was one of three major suspects considered to be responsible for the spread of the malware, which impacted over a million PCs between 2007 and 2012. He was recently arrested at Bogotá El Dorado international airport and faces extradition to the United States on charges of running a bulletproof hosting service. Paunescu was arrested in his home country in 2012, but the Romanian national was previously able to avoid extradition.

    Bulletproof hosting is commonly used by cybercriminals for backend infrastructure in the distribution of spam, malware, and exploit kits, and to host stolen data. These murky online services are known for turning a blind eye to the activities of their customers. Paunescu faces allegations of computer intrusion and financial fraud at the Southern District Court of New York, according to Colombian state officials (translated).

    First discovered in 2007, the Gozi banking Trojan was spread through weaponized .PDF documents attached to emails. Once downloaded, the malware would lurk in the background and harvest bank account information and account details, which were then sent to the Trojan’s command-and-control (C2) server for operators to use in accessing accounts and conducting fraudulent transactions.

    Threat actors were able to ‘rent’ the malware and its underlying infrastructure for $500 a week in what was an early form of today’s Malware-as-a-Service (MaaS) criminal setups. Gozi’s source code was leaked in 2010, leading to the creation of variants still in active use today.

    In 2016, the Russian creator of Gozi, Nikita “76” Kuzmin, was sentenced in a US court to 37 months behind bars and was ordered to pay close to $7 million in restitution after pleading guilty to various computer intrusion and fraud charges. Another participant in the criminal ring, Latvian Deniss “Miami” Calovskis, was also sentenced in the same year. He served 21 months for writing web injects and contributing to Gozi’s code.

    The FBI estimates that the malware caused victims losses amounting to tens of millions of dollars. NASA was one of the most high-profile victims.

  • in

    Chinese hacking group impersonates Afghan president to infiltrate government agencies

    A Chinese-speaking hacking group is performing ongoing cyberattacks against the Afghan government by impersonating its president. 

    On Thursday, Check Point Research (CPR) said that the Office of the President of Afghanistan, representing President Ashraf Ghani, is being used as a lure in spear phishing emails designed to infiltrate government agencies in the country, and one successful attack has led to the compromise of the Afghan National Security Council (NSC). It is thought that an advanced persistent threat (APT) group called IndigoZebra is responsible. The Chinese-speaking cyberattackers have previously targeted former Soviet republics, as noted by Kaspersky.

    Dupe email samples seen by the cybersecurity firm pretend to be from the president’s office and ask for an urgent review of modifications to a document relating to an upcoming press conference. The researchers say that these emails are sent from the compromised email inboxes of past, high-profile victims.
    The file is a password-protected .RAR archive named NSC Press conference.rar. If a victim opens the file, they receive a Windows executable (NSC Press conference.exe), which deploys a malware dropper and the “xCaon” backdoor which maintains persistence by setting a registry key. The backdoor is able to download and upload files, run commands issued through a command-and-control (C2) server, and steal data. Dropbox is being abused as a form of C2 server in the latest version of this backdoor, dubbed “BoxCaon” by CPR.

    Every victim compromised by the threat actors is assigned a unique, pre-configured folder, named after the victim’s MAC address, which contains instructions for the malware and also acts as a storage bucket for exfiltrated data. CPR says that using the Dropbox API “masks their malicious activities, as no communication to abnormal websites takes place.”

    IndigoZebra will also deploy a NetBIOS scanner tool adopted by another Chinese APT, APT10/Stone Panda, and may maliciously execute network utility tools for reconnaissance in the quest for further targets. Malware utilized by the group also includes Meterpreter, Poison Ivy, xDown, and the xCaon backdoor. CPR says that the APT in question is also likely responsible for attacks dating back to 2014, in which political entities in Kyrgyzstan and Uzbekistan were targeted.

    “While the IndigoZebra actor was initially observed targeting former Soviet republics such as Uzbekistan and Kyrgyzstan, we have now witnessed that its campaigns do not dial down, but on the contrary — they expand to the new targets in the region, with a new toolset,” the researchers commented.

  • in

    Robinhood ordered to pay $70 million over ‘harm’ caused to ‘millions’ of traders

    The US Financial Industry Regulatory Authority (FINRA) has fined Robinhood close to $70 million for allegedly causing “significant harm” to “millions of customers.”

    On June 30, the regulator said that Robinhood, a commission-free stock trading app that promises to “democratize finance for all,” must pay a fine of $57 million and an additional $12.6 million in restitution, plus interest, to thousands of customers. According to FINRA, the penalty is the largest it has imposed on a company to date.

    Robinhood has been accused of systematic failures, including major outages in March 2020, as well as of the impact on millions of customers who “received false or misleading information” from the company. In addition, Robinhood allegedly allowed thousands of customers to trade options when it was not “appropriate” for them to do so — relying on an algorithm and bots to make this decision, rather than performing due diligence to determine eligibility.

    FINRA says that these actions caused “widespread and significant harm.” In relation to the claim that users received false information, the regulator cited “negligent” communication sent to clients since 2016 — including whether or not users could place trades on margin, how much positive or negative buying power customers had, and what the risk of loss was in relation to some options trades and margin calls.

    A tragic case was that of a user who took his own life in June last year after becoming confused about margins and securities purchases. The 20-year-old user’s account incorrectly showed a negative balance of $730,000.

    “Due to Robinhood’s misstatements, thousands of other customers suffered more than $7 million in total losses,” FINRA says. “As part of this settlement, Robinhood is required to pay more than $7 million in restitution to these customers.” Customers impacted by technical outages are eligible for over $5 million in damages.

    Additionally, Robinhood has been held to account for allegedly failing to submit reports properly to FINRA between 2018 and 2020. “Robinhood failed to report to FINRA tens of thousands of written customer complaints that it was required to report,” the regulator claims. “Robinhood’s reporting failures were primarily the result of a firm-wide policy that exempted certain broad categories of complaints from reporting, even though those categories fell within the scope of FINRA’s reporting requirements.”

    Robinhood has neither admitted nor denied the charges. FINRA’s penalty is the latest blow to the organization, which is already under scrutiny over the GameStop fiasco, in which Robinhood was accused of helping hedge funds by preventing users from trading in the stock during January.

    In a blog post on Wednesday, the trading app said that “we continue to grow and enhance our legal, compliance, and risk functions and programs, and have hired dozens of experienced professionals in the past year alone.” The company says that customer support services have been expanded — including those for clients able to perform options and margin calls — as well as increased phone support and new education resources. The root cause of the March 2020 outages is also being addressed.

    “Our customers are at the forefront of every decision we make and we’re committed to making continuous improvements so that investing can be accessible to all,” the company added.

  • in

    eSafety says tweeting commissioner will not qualify as a formal Online Safety Act request

    Australian eSafety Commissioner Julie Inman Grant is set to receive sweeping new powers in early 2022 as part of the Online Safety Act that passed Parliament last month. Among other things, the new Act extends the Commissioner’s cyber takedown function to adults, giving the Commissioner the power to issue takedown notices directly to the services hosting the content and to the end users responsible for the abusive content.

    The new powers have been labelled as overbearing. As one Twitter user put it, the Commissioner is imminently receiving the “master on/off switch to the internet”. Of concern to many is that it is not yet known what the test or criteria will be for determining whether content warrants removal. There is much to take into account, especially when much of “Australian culture” includes the use of a curse word as a term of endearment; that tone, for example, can be hard to ascertain from a character-limited post.

    The Act will formalise a voluntary scheme that eSafety already has in place. The agency has received 3,600 adult cyber abuse-related requests since it began taking them informally in 2017. Only 72 of them, however, were considered by eSafety to reach its existing threshold for “real harm”. One of them, Inman Grant told the Senate in May, was “horrific”, and a few of them involved domestic violence and stalking.

    This week, Inman Grant found herself amid a Twitter dispute when she stepped in to offer advice to an individual who explicitly tagged her for help. The incumbent eSafety Commissioner then allegedly blocked another individual who claimed they were simply disagreeing with the first individual’s vaccination opinions.

    “Part of eSafety’s role is to provide education, support, and advice. We frequently offer information to those in distress — including offering advice about using the reporting tools available on the platforms,” an eSafety spokesperson told ZDNet. “Although we don’t yet have laws in place that allow us to deal with serious adult cyber abuse, currently we can help informally by providing support and guidance on what to do.”

    The eSafety spokesperson did not respond to questions, however, on whether a banhammer would be waved in a short amount of time when the scheme is formalised.

    “In this case, the eSafety Commissioner was tweeted at by a person in distress, and the Commissioner provided our standard advice, including encouraging people to report an issue to the platform in the first instance,” they said. “This information is also available on the eSafety website, and advice that Twitter provides through its safety centre. This advice did not involve use of the Commissioner’s powers, as tweeting at us (as described above) does not constitute a report that enlivens our powers.”

    The spokesperson then reiterated that the office would take its obligations under the Act seriously and said the new laws would be critical in helping more Australians who are experiencing online harm. They also said the complaints mechanism for reporting adult cyber abuse would be robust and that a simple tag of eSafety or the eSafety Commissioner in posts or comments on social media would not be treated as a formal report, as per its current practice.

  • in

    New data security rules instituted for US payment processing system

    New data security rules governing how money changes hands in the US have gone into effect today, forcing major digital money processors to render deposit account information unreadable in electronic storage.

    The National Automated Clearinghouse Association (NACHA), the body that passed the rules, governs the ACH Network, the payment system that drives direct deposits and direct payments for nearly all US bank and credit union accounts. The national automated clearing house processes massive amounts of credit and debit transactions in the US and handles financial transactions for consumers, businesses, and federal, state, and local governments.

    Starting on June 30, if an account number is used for any ACH payment — consumer or corporate — it must be rendered unreadable while stored electronically, according to NACHA, which added that any place where account numbers related to ACH entries are stored is in the rule’s scope.

    “This includes systems on which authorizations are obtained or stored electronically, as well as databases or systems platforms that support ACH entries. As an example, for a Third-Party Service Provider whose client is a financial institution, these can include platforms that service ACH transaction warehousing and posting, and client information reporting systems,” NACHA explained. “For Originators and their Third-Party Service Providers, accounts payables and accounts receivables systems will be impacted, as may be other systems (for example, claims management systems for insurance companies).”

    The rule also applies to paper authorizations or other documents containing ACH account numbers that are scanned for electronic record retention and storage purposes.

    In 2020, there were almost 27 billion ACH Network payments made at a value of close to $62 trillion. The body processed $17.3 trillion just for Q1 of 2021 and managed the 110 million economic impact payments that came through direct deposit from the federal government.

    The ACH Network has grown significantly over the years and set a record in February when it averaged more than 118 million payments per day. It set another record in March when ACH volume hit 2.7 billion payments, its largest monthly volume ever.

    In order to keep the data flowing through the system safe and secure, NACHA is requiring ACH originators and third parties that process more than 6 million ACH payments annually to render deposit account information unreadable in electronic storage. It suggests organizations do this using encryption, truncation, tokenization, destruction, or having the financial institution store, host, or tokenize the account numbers.

    The first phase of the new rules took effect on June 30, but the second phase, which covers those with ACH volume of 2 million transactions or greater annually, will take effect on June 30, 2022. Those forced to make the changes initially asked for an extension in 2020 and were granted it. NACHA also said it will not enforce the rule “for an additional period of one year from the effective date with respect to covered entities that are working in good faith toward compliance, but that require additional time to implement solutions.”

    “The new requirement applies to non-consumer Originators that are not Participating Depository Financial Institutions (as defined by the Nacha Operating Rules), and to Third-Party Senders and Third-Party Service Providers that perform any function of ACH processing on behalf of an Originator, Third-Party Sender, ODFI, RDFI, or ACH Operator,” NACHA said in a statement. “Financial institutions are not included within the scope of the new requirement to render ACH account numbers unreadable when stored electronically because they are already subject to rigorous data security requirements imposed by their regulators.”

    NACHA noted that access controls such as passwords do not meet the new standard. Disk encryption is an acceptable protection method only if additional, prescribed physical security steps are taken, the organization added.

    Alex Pezold, CEO of TokenEx, said his company was recently named a NACHA Preferred Partner for ACH data security and is currently working with organizations to comply with the new rules. “In terms of ACH data, we render deposit account information (generally bank account and routing numbers) unreadable via tokenization, which is an example technology referenced by NACHA to help satisfy this new requirement,” Pezold told ZDNet. “This replaces the deposit account information with an irreversible token that can be safely stored in place of the original number to prevent data theft in the event of an exposure. The motivation for this change is to build on existing requirements to improve the security and efficiency of the ACH Network by introducing specific standards for the protection of deposit account information stored by originators, third-party service providers, and third-party senders.”

    Pezold added that it is still unclear what the specific fines or penalties will be, but an egregious violation — a willful or reckless action that involves at least 500 entries or involves multiple entries in the aggregate amount of at least $500,000 — can result in a $500,000 fine per occurrence and a suspension of use of the ACH Network.

    Some cybersecurity experts, like comforte AG product manager Trevor Morgan, said the best way to follow through with this rule would be through encryption or tokenization. The new rules, he said, force organizations to know precisely the data being handled, including ACH account information, and also where it is stored, how it travels, and who accesses it. “A complete solution to this problem would entail not only a protection method such as tokenization but also a broader capability to find and classify this type of information. Don’t assume that you know where all your sensitive ACH data is!” Morgan said.

    Oliver Tavakoli, CTO of Vectra, said similar rules have applied to banks and other financial institutions for a long time, but they are now being applied to large-scale users of banking services. Tavakoli suggested organizations either choose not to keep the data at all or have the financial institutions, which are already set up to protect the data, store it for them. Enterprises can also encrypt the data before storing it, truncate the data by keeping only the last four digits of an account number, or obscure the information in some other way.

    Far too often, data troves are stored in clear text, making the new rules pushed by NACHA ever more important, according to Dirk Schrader, a vice president at New Net Technologies. “Implementing this requirement will likely be an issue for some financial institutions, depending on their data models,” Schrader said. “One solution can be based on HSMs, offloading much of the encryption work to specialized hardware.”

    Other experts said it took NACHA far too long to put rules like this in place. Netenrich threat intelligence advisor John Bambenek said ACH transactions are possible simply by knowing the account information of a person. “The fact that it’s 2021, and only now is basic security being required on processors of this information, just goes to show how truly insecure our financial transaction systems are,” Bambenek said. “Arguably, this has already been required by law and regulation for years, however, that it has to be reiterated demonstrates that the many companies processing large amounts of financial transactions are committed to doing absolutely nothing to protect consumers until they are forced to.”

  • in

    Major Linux RPM problem uncovered

    In 1995, when Linux 1.x was the hot new Linux kernel, early Red Hat founding programmers Marc Ewing and Erik Troan created RPM. This software package management system became the default way to distribute software for Red Hat Linux-based distributions such as Red Hat Enterprise Linux (RHEL), CentOS Stream, AlmaLinux OS, and Rocky Linux. Unfortunately, hidden within its heart is a major security hole. 

    Dmitry Antipov, a Linux developer at CloudLinux, AlmaLinux OS’s parent company, first spotted the problem in March 2021. Antipov found that RPM would accept unauthorized RPM packages. This meant that unsigned packages, or packages signed with revoked keys, could silently be patched or updated without a word of warning that they might not be kosher.

    Why? Because RPM had never properly implemented handling of revoked signing keys. Specifically, as Linux and lead RPM developer Panu Matilainen explained: “Revocation is one of the many unimplemented things in rpm’s OpenPGP support. In other words, you’re not seeing a bug as such; it’s just not implemented at all, much like expiration is not.”

    How could this be? It’s because RPM dates back to the days when getting code to work was the first priority and security came a long way second. For example, we don’t know whether the first RPM commit was made by Marc Ewing or Erik Troan because it was done as root. Those were the days! Things have changed. Security is a much higher priority.

    Antipov, wearing his hat as a TuxCare (CloudLinux’s KernelCare and Extended Lifecycle Support) team member, has submitted a patch to fix this problem. As Antipov explained in an interview: “The problem is that both RPM and DNF [a popular software package manager that installs, updates, and removes packages on RPM-based Linux distributions] do a check to see if the key is valid and genuine but not expired, but not for revocation. As I understand it, all the distribution vendors have just been lucky enough to never have been hit by this.”

    They have indeed been lucky. Armed with an out-of-date key, it could be child’s play to sneak malware into a Linux desktop or server.

    Joao Correia, a TuxCare Technical Evangelist, asked: “Do you know how long it takes for the distros to pick up the changes that are submitted to the code repositories?” Antipov replied:

    “That’s hard to know. In general, the problem is that crypto is hard. It takes a special background, some special experience, and so on. Package management projects are doing package management, not crypto, so they don’t want, and don’t need to, develop their own crypto libraries to include in RPM and DNF. I’m not an expert in the crypto field to be able to fix current DNF and RPM issues. I’ve used the RNP library, a well-known library in the open-source world, already used in Mozilla Thunderbird, for example, but the library itself is not a part of Red Hat or any other RPM-based Linux distribution. So to take my fix as is, for the moment, they need to add it to the library first. This is not so quick, so it’s hard to say how long it will take.”

    He fears, though, that it may be months before the fix is released. At the moment, the security hole is still alive, well, and open for attack. Antipov and his team are considering opening a Common Vulnerabilities and Exposures (CVE) entry for the issue since, in the end, it’s clearly a security issue.

    If I may be so bold: File a CVE with Red Hat. This needs fixing, and it needs fixing now. In the meantime, administrators of RPM-based systems will need to take a closer look at the patch programs to make sure they are legitimate patches.
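One way an administrator can script that closer look while the fix is pending, as an added example that is not from the article or the RPM project: let rpm verify the signature, then ask gpg whether the signing key carries the revoked or expired flag that rpm does not consult. The rpm query tag used to pull the key ID and the gpg colon-output layout are assumptions here, and the gpg records at the bottom are constructed samples, not real keys.

```shell
#!/bin/sh
# Added example, not from the article or the RPM project: rpm -K (checksig)
# does not consult key revocation or expiration, so after it passes we ask
# gpg about the signing key ourselves.
#
# Assumptions: rpm and gpg are on PATH; the vendor's public key has been
# imported into the gpg keyring used here (not only into the rpm database);
# gpg's --with-colons output lists 'pub:' records whose second field is the
# validity: 'r' = revoked, 'e' = expired, anything else is not flagged.

# key_status GPG_COLON_OUTPUT: print revoked, expired, ok or unknown.
key_status() {
    validity=$(printf '%s\n' "$1" | awk -F: '$1 == "pub" { print $2; exit }')
    case "$validity" in
        r)  echo revoked ;;
        e)  echo expired ;;
        "") echo unknown ;;   # no pub record: key not in the keyring
        *)  echo ok ;;        # present and not flagged revoked/expired
    esac
}

# rpm_signing_keyid FILE.rpm: print the key ID rpm reports for the package
# signature. Assumption: the %{SIGPGP:pgpsig} query tag renders a string
# ending in "Key ID <hex>", so the last whitespace-separated field is the ID.
rpm_signing_keyid() {
    rpm -qp --qf '%{SIGPGP:pgpsig}\n' "$1" 2>/dev/null | awk '{ print $NF }'
}

# check_rpm FILE.rpm: succeed only when the signature verifies AND the
# signing key is neither revoked nor expired according to gpg.
check_rpm() {
    pkg=$1
    if ! rpm -K "$pkg" >/dev/null 2>&1; then
        echo "$pkg: signature check failed"
        return 1
    fi
    keyid=$(rpm_signing_keyid "$pkg")
    status=$(key_status "$(gpg --list-keys --with-colons "$keyid" 2>/dev/null)")
    echo "$pkg: key $keyid is $status"
    [ "$status" = ok ]
}

# Constructed sample gpg records (not real keys) for trying key_status offline.
SAMPLE_REVOKED='pub:r:4096:1:0000000000000000:1600000000:::-:::sc::::::23::0:
uid:r::::1600000000::0000000000000000000000000000000000000000::Example Vendor <vendor@example.invalid>::::::::::0:'
SAMPLE_EXPIRED='pub:e:4096:1:1111111111111111:1600000000:1630000000::-:::sc::::::23::0:'
SAMPLE_VALID='pub:-:4096:1:2222222222222222:1600000000:::-:::sc::::::23::0:'

# Usage on a real package: check_rpm /path/to/package.rpm
```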