More stories

  • Apple just fixed a security flaw that allowed malware to take screenshots on Macs

    Apple has released security updates for macOS that patch a flaw in its privacy preferences which, according to Apple, “may have been actively exploited” and which could have allowed malicious apps to record a Mac’s screen. It is a large update addressing 73 vulnerabilities, including one in the Transparency, Consent, and Control (TCC) framework that allows malware to bypass system privacy controls. Apple addressed the TCC bypass in macOS Big Sur version 11.4.


    “Apple is aware of a report that this issue may have been actively exploited,” it said of the bug, CVE-2021-30713, affecting TCC. TCC provides the dialog prompts for security- and privacy-sensitive actions, such as an application recording the computer’s screen, or giving apps access to the webcam and microphone. Security firm Jamf has posted a report on the bug and says it found the bypass being actively exploited while analysing the XCSSET malware. “The detection team noted that once installed on the victim’s system, XCSSET was using this bypass specifically for the purpose of taking screenshots of the user’s desktop without requiring additional permissions,” it said.

    In August, Trend Micro found XCSSET was targeting Mac developers via infected Xcode projects. The malware finds an app on the system that already holds the permissions it wants and piggybacks on it, inheriting those permissions. “During Jamf’s testing, it was determined that this vulnerability is not limited to screen recording permissions either. Multiple different permissions that have already been provided to the donor application can be transferred to the maliciously created app,” Jamf noted. “The exploit in question could allow an attacker to gain Full Disk Access, Screen Recording, or other permissions without requiring the user’s explicit consent – which is the default behavior.”

    Apple also released iOS 14.6 for iPhones and iPads, which includes 30 security fixes. The UK’s National Cyber Security Centre (NCSC) contributed the report for CVE-2021-30715, a bug that allowed a maliciously crafted message to cause a denial of service on an iOS device. Apple’s May 24 updates also include Safari 14.1.1, which fixes 10 security flaws that could be exploited by malicious websites.
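    A check a Mac admin can run after reading the above, added here as an example (it is not Apple’s or Jamf’s code): list which clients currently hold Screen Recording, Full Disk Access and similar grants in the user TCC database, so that an unexpected client, the kind of app a donor-app bypass would create, stands out against the apps you expect to see. It assumes the `access` table columns and the auth_value encoding of macOS Big Sur’s TCC.db, and builds a constructed sample database for offline use; on a real Mac the terminal running it needs Full Disk Access to open the database at all.

```python
"""Audit sensitive TCC grants in a user's TCC.db. Added example, not Apple's
or Jamf's code.

Assumptions (not from the article): the `access` table has the columns
service, client, client_type and auth_value, and auth_value == 2 means
"allowed", as on macOS Big Sur; the terminal running this needs Full
Disk Access to open the real database.
"""
import sqlite3
import tempfile
from pathlib import Path

# Services whose grant lets an app see the screen, all files, or input devices.
SENSITIVE = {
    "kTCCServiceScreenCapture": "Screen Recording",
    "kTCCServiceSystemPolicyAllFiles": "Full Disk Access",
    "kTCCServiceCamera": "Camera",
    "kTCCServiceMicrophone": "Microphone",
    "kTCCServiceAccessibility": "Accessibility",
}
ALLOWED = 2  # assumed auth_value encoding for "granted"


def user_tcc_db():
    """Per-user TCC database location on macOS (assumed path)."""
    return Path.home() / "Library/Application Support/com.apple.TCC/TCC.db"


def sensitive_grants(db_path=None, allowlist=frozenset()):
    """Return sorted (service label, client, client_type) tuples for every
    granted sensitive service whose client is not on the allowlist.
    client_type 0 is a bundle identifier, 1 an absolute path. The database
    is opened read-only so the audit cannot change any grant."""
    db_path = Path(db_path) if db_path is not None else user_tcc_db()
    uri = db_path.resolve().as_uri() + "?mode=ro"  # as_uri() percent-encodes the space
    conn = sqlite3.connect(uri, uri=True)
    try:
        rows = conn.execute(
            "SELECT service, client, client_type, auth_value FROM access"
        ).fetchall()
    finally:
        conn.close()
    return sorted(
        (SENSITIVE[service], client, client_type)
        for service, client, client_type, auth_value in rows
        if service in SENSITIVE and auth_value == ALLOWED and client not in allowlist
    )


def build_sample_db(path=None):
    """Write a constructed TCC.db look-alike (same four columns) for offline
    testing and return its path. The rows are invented sample data."""
    if path is None:
        path = Path(tempfile.mkdtemp()) / "TCC.db"
    conn = sqlite3.connect(path)
    with conn:
        conn.execute(
            "CREATE TABLE access (service TEXT, client TEXT, "
            "client_type INTEGER, auth_value INTEGER)"
        )
        conn.executemany(
            "INSERT INTO access VALUES (?, ?, ?, ?)",
            [
                ("kTCCServiceScreenCapture", "com.example.meetings", 0, 2),       # expected app
                ("kTCCServiceScreenCapture", "com.example.unknownhelper", 0, 2),  # unexpected
                ("kTCCServiceCamera", "com.example.meetings", 0, 0),              # denied
                ("kTCCServiceSystemPolicyAllFiles", "/usr/local/bin/backup", 1, 2),
                ("kTCCServiceCalendar", "com.example.calendar", 0, 2),            # not sensitive
            ],
        )
    conn.close()
    return path


if __name__ == "__main__":
    # Run against the real per-user database; expect a Full Disk Access error
    # if the terminal itself has not been granted it.
    for label, client, client_type in sensitive_grants():
        kind = "path" if client_type == 1 else "bundle"
        print(f"{label}: {client} ({kind})")
```

    Maintain the allowlist as the set of bundle identifiers your fleet is expected to grant; anything else returned is a candidate for a look at what the client actually is, and a path-type client (client_type 1) deserves extra scrutiny because a script or helper binary, not a signed app, holds the grant.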

  • Russian national jailed for running stolen data, hijacked account seller platform deer.io

    A Russian national has been jailed for 2.5 years for operating deer.io, a platform designed for the sale of stolen data and accounts.

    This week, the US Department of Justice (DoJ) said that Kirill Victorovich Firsov, 30, will spend 30 months behind bars for acting as the administrator of Deer.io, a now-defunct website that offered a Shopify-style storefront for criminal activity. Deer.io, thought to have been in operation since at least 2013, hosted over 24,000 online stores on a subscription basis over the course of its lifetime, with prices set at approximately $12 per month. According to the DoJ, at the time of its seizure, Deer.io catered to 3,000 active stores with sales exceeding $17 million. The FBI’s complaint said that despite claims deer.io was only used for legitimate businesses, a search on the website — which did not need any special access privileges — revealed that the bulk of the sales were made by cybercriminals. Law enforcement found stolen accounts on sale, alongside PII including names, addresses, telephone numbers, and Social Security numbers. Many victims were located in the US and Europe. If a cybercriminal wished to open a deer.io store, they would upload their ‘products’ and link a cryptocurrency wallet to their storefront. The monthly subscription fee was paid in cryptocurrency or through payment services such as WebMoney. US Attorney Robert Brewer called the platform “one-stop shopping for criminals.”

    During the FBI’s investigation, on March 4, 2020, the agency purchased 1,100 compromised gamer accounts, and on March 5 it purchased PII belonging to over 3,600 US citizens. Firsov was arrested in New York City after flying into JFK airport from Moscow, Russia. On January 21, 2021, Firsov pleaded guilty to “Unauthorized Solicitation of Access Devices,” a charge which carries a maximum penalty of 10 years in prison and a $250,000 fine. “At sentencing […] the prosecutor asserted that Firsov knew deer.io was selling stolen and counterfeit accounts, because he built the platform, which included a number of icons for US-based companies that anyone setting up a store on deer.io could click on to then sell stolen accounts from those US companies,” prosecutors say. “Even though it sold stolen accounts, deer.io was not cloaked in secrecy and required no special password for access, because everything was run out of Russia, and American law enforcement could gain no foothold.” While deciding on an appropriate sentence, presiding US District Judge Cynthia Bashant acknowledged that Firsov has already spent 15 months in the US prison system, during the COVID-19 pandemic, and that he would likely remain incarcerated while deportation proceedings begin after he has served his term.

  • Court finds GCHQ breached citizens' privacy with its bulk surveillance regime

    The UK Government Communications Headquarters (GCHQ) used bulk interception to unlawfully breach citizens’ privacy and free expression rights, Europe’s highest human rights court has ruled. The ruling is the culmination of three lawsuits that accused GCHQ’s bulk interception regime of being incompatible with the right to privacy. The cases arose in 2013 following revelations from Edward Snowden that GCHQ was running a bulk interception operation to tap into and store huge volumes of data, including people’s private communications. In addition to wrapping up those three lawsuits, the landmark judgment is the first ruling on UK mass surveillance since Snowden’s revelations. Bulk interception is the process of collecting communications from targeted bearers and filtering them through simple selectors, such as an email address: communications that match a selector are retained, and those that do not are automatically discarded. According to the Grand Chamber of the European Court of Human Rights, the bulk interception regime contained “fundamental deficiencies”: it lacked independent authorisation, as bulk interception was approved by the UK’s secretary of state; GCHQ did not have to include the categories of search terms defining which communications it would examine when applying for a warrant; and search terms linked to an individual did not require prior internal authorisation before use. As such, the Grand Chamber found the regime did not contain sufficient “end-to-end” safeguards and was incompatible with the right to privacy. With the decision, the Grand Chamber has ruled that bulk surveillance in the UK and across Europe must now be independently authorised from the outset, with that authorisation checking for adequate end-to-end safeguards, from the initial collection of data to the selection of items for storage.

    The court also ruled that all bulk interception operations must be subject to supervision and independent ex post facto review, as well as assessments at “each stage of the process” of the necessity and proportionality of the measures being taken. While the court concluded that there was considerable potential for bulk interception, in its current form, to be abused, it disagreed with the applicants’ claim that bulk interception should be banned altogether. Instead, it accepted the UK government’s claim that bulk interception is of vital importance in helping states identify threats to national security, a claim backed by the French, Dutch, and Norwegian governments in third-party submissions. In a dissenting opinion, Judge Pinto de Albuquerque said non-targeted bulk interception should be scrapped because it treats anyone as a potential suspect. “Admitting non-targeted bulk interception involves a fundamental change in how we view crime prevention and investigation and intelligence gathering in Europe, from targeting a suspect who can be identified to treating everyone as a potential suspect, whose data must be stored, analysed, and profiled,” he said. “A society built upon such foundations is more akin to a police state than to a democratic society. This would be the opposite of what the founding fathers wanted for Europe when they signed the Convention in 1950.” Big Brother Watch director Silkie Carlo said the judgment confirmed that the UK has been mass spying on citizens for decades and vindicated Snowden’s whistleblowing. “Mass surveillance damages democracies under the cloak of defending them, and we welcome the Court’s acknowledgement of this. As one judge put it, we are at great risk of living in an electronic ‘Big Brother’ in Europe,” she said.

    Liberty lawyer Megan Goulding, who represented the applicants in the lawsuit, called the judgment a victory, as it recognises that governments have to respect the right to privacy and freedom of expression. “Bulk surveillance powers allow the State to collect data that can reveal a huge amount about any one of us — from our political views to our sexual orientation. These mass surveillance powers do not make us safer,” Goulding said. “Our right to privacy protects all of us. Today’s decision takes us another step closer to scrapping these dangerous, oppressive surveillance powers, and ensuring our rights are protected.”

  • Anti-money laundering regulation for all crypto exchanges on Austrac's wish list

    The Australian Transaction Reports and Analysis Centre (Austrac) in late 2017 gained authorisation to extend anti-money laundering and counter-terrorism financing (AML/CTF) regulation to cryptocurrency exchanges. Exchanges are required to enrol with Austrac, register on the Digital Currency Exchange (DCE) Register, and adopt and maintain a program to identify, mitigate, and manage the money laundering and terrorism financing risks they may face. Like a bank, an exchange must also identify and verify the identities of its customers, and report suspicious matters, international transactions, and transactions involving physical currency exceeding AU$10,000 to Austrac.

    Appearing before Senate Estimates on Tuesday, Austrac CEO Nicole Rose said her agency had expected about 30 exchanges to register; the figure is currently 456. She said Austrac is currently looking into how it can extend regulation in the DCE space.

    “Austrac’s not responsible for regulating digital currencies, just in the way it’s not responsible for regulating physical currency — i.e. the Australian dollar — we’re interested in businesses that exchange fiat currency to digital currency, and vice versa,” Rose explained. “We register those, but that’s only one part of the cryptocurrency environment, so we’re working with the RBA and the other regulators — ASIC, APRA, and a range of other regulators in Treasury — to actually work out how broader regulation could be done throughout the regulator population, and then what possible legislative change we might need to look at to grapple with some of these issues that obviously no one had even thought about five years ago.”

    Rose said her agency and its colleagues are interested in regulating the exchanges that “turn cash into cryptocurrency” because they want AML/CTF procedures in place to ensure money laundering is not occurring at that junction.

    Austrac deputy CEO Peter Soros said that while he couldn’t guarantee that all 17,000 entities his agency deals with are fully complying, cryptocurrency exchanges are a sector that is “working quite hard” and is “quite enthusiastic” about ensuring compliance with their arrangements. Soros also confirmed Austrac has not opened any formal investigations against DCEs, but that it has conducted compliance checks and supervision activities to “identify areas where they need to improve”.

    “It wouldn’t be a usual practice within a couple of years of a new sector coming onboard, unless the failures were so egregious or had such a massive risk to money laundering that we would be looking to be very heavy handed,” he said.

    The Financial Action Task Force (FATF), the global standard-setting body for AML/CTF, earlier this year began consultation on proliferation financing risk, and on digital currencies and digital currency exchange providers. One of the recommendations it has put forward is the “travel rule”.

    “Recommendation 16 was developed with the objective of preventing terrorists and other criminals from having unfettered access to electronically-facilitated funds transfers for moving their funds and for detecting such misuse when it occurs,” the FATF said in a consultation document [PDF]. “At the time of drafting, the FATF termed such transfers ‘wire transfers’. In accordance with the functional approach of the FATF Recommendations, the requirements relating to wire transfers and related messages under Recommendation 16 apply to all providers of such services. This includes VASPs [virtual asset service providers] that provide services or engage in activities, such as VA [virtual asset] transfers, that are functionally analogous to wire transfers.”

    “It gives us visibility of the payer and payee primarily, which at the moment we don’t have,” Rose said.

    FINTEL ALLIANCE KICKING GOALS

    Austrac in early 2017 stood up a public-private initiative to follow the money trail in a bid to “harness and turbo-charge the collective knowledge of government and industry”.

    There are currently 29 members in the alliance, including ASIC, Border Force, the ACCC, the Crime Commission, AFP, ATO, Home Affairs, NSW Police Force, ANZ Bank, Bendigo and Adelaide Bank, the Commonwealth Bank, HSBC Australia, MoneyGram, Macquarie, NAB, PayPal, Tabcorp, Western Union, and Westpac. The Australian Financial Crimes Exchange also shares fraud data with the alliance, which also draws on the expertise of specialists from Deakin University.

    Austrac chief operations officer Dr John Moss said the alliance now has two operational hubs, one each in Sydney and Melbourne, where around 30 analysts from partner organisations work at Austrac’s offices alongside the agency. He said that in the current financial year, 4,200 suspicious matter reports have been generated by the team.

    “There’s a 55% increase on previous reporting from those Fintel Alliance partners,” Moss said. “We receive about 850 of those a day … we focus on wildlife trafficking, fraud against government programs, highest-risk criminal targets such as outlaw motorcycle gangs or at the highest priority, organised crime targets and professional money laundering syndicates.

    “We’ve also done recently a lot of work on COVID-19 in initiatives such as fraud against early release or superannuation, and Jobkeeper and Jobseeker payments.”

    Work of the Fintel Alliance has this year resulted in the rescue of around 14 children in the Philippines.

    “That intelligence actually came from Austrac in the first instance, working with Fintel Alliance partners, looking at remittance-type payments from Australia into the Philippines, and matching that with other law enforcement data,” Rose explained. “And once we had that information, we provided actionable intelligence so that Border Force and AFP then picked up that job and went further to investigate and it resolved in arrest last week.”

    The federal government has provided Austrac with AU$2.9 million in the 2021-22 Budget to strengthen financial intelligence efforts to disrupt the cash flow behind child sexual abuse, part of an AU$11.9 million four-year package.

    “AU$2.9 million over four years will fund five FTE specialist analysts who will work with the Australian Centre for Child Exploitation to counter it,” Moss said. “It will allow us to do deeper analysis of our data holdings to support active law enforcement investigations.”

    Austrac also received AU$104 million to modernise its reporting systems and to enhance industry compliance. “That’s going to be a new IT system interacting with all of our registered entities, to nearly 17,000 entities,” Rose said. “The system that Austrac currently uses was set up about 20 years ago, and didn’t have any consideration, of course, about the huge increase in data that we would be ingesting from all of those entities.”

    It will also fund five offshore placements in the United Kingdom, United States, Kuala Lumpur, and China, as well as an additional intelligence team to help support the increased data flows, Moss said.

  • Patch immediately: VMware warns of critical remote code execution hole in vCenter

    VMware is urging its vCenter users to update vCenter Server versions 6.5, 6.7, and 7.0 immediately, after a pair of vulnerabilities were reported privately to the company. The most pressing is CVE-2021-21985, which relates to a remote code execution vulnerability in a vSAN plugin enabled by default in vCenter that an attacker could use to run whatever they wished on the underlying host machine, provided they can access port 443. Even if users do not use vSAN, they are likely to be affected because the vSAN plugin is enabled by default. “The vSphere Client (HTML5) contains a remote code execution vulnerability due to lack of input validation in the Virtual SAN Health Check plug-in which is enabled by default in vCenter Server,” VMware described the issue in an advisory. In its FAQ, VMware warned that since the attacker only needs to be able to hit port 443 to conduct the attack, firewall controls are the last line of defence for users. “Organisations who have placed their vCenter Servers on networks that are directly accessible from the internet may not have that line of defence and should audit their systems for compromise,” the company states. “They should also take steps to implement more perimeter security controls (firewalls, ACLs, etc.) on the management interfaces of their infrastructure.”

    To fix the issue, VMware recommends updating vCenter or, if that is not possible, following the company’s instructions for disabling the affected vCenter Server plugins. “While vSAN will continue operating, manageability and monitoring are not possible while the plugin is disabled. A customer who is using vSAN should only consider disabling the plugin for short periods of time, if at all,” VMware warned. The patches also tighten plugin authentication, so some third-party plugins may stop working; users are directed to contact the plugin vendor. “This needs your immediate attention if you are using vCenter Server,” VMware said in a blog post. “In this era of ransomware it is safest to assume that an attacker is already inside the network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible.” Even having perimeter controls may not be enough, and VMware suggested users look at better network separation. “Ransomware gangs have repeatedly demonstrated to the world that they are able to compromise corporate networks while remaining extremely patient, waiting for a new vulnerability in order to attack from inside a network,” it said. “This is not unique to VMware products, but it does inform our suggestions here. Organisations may want to consider additional security controls and isolation between their IT infrastructure and other corporate networks as part of an effort to implement modern zero-trust security strategies.” The second vulnerability, CVE-2021-21986, would allow an attacker to perform actions allowed by plugins without authentication. “The vSphere Client (HTML5) contains a vulnerability in a vSphere authentication mechanism for the Virtual SAN Health Check, Site Recovery, vSphere Lifecycle Manager, and VMware Cloud Director Availability plug-ins,” VMware said.
    In terms of CVSSv3 scores, CVE-2021-21985 was rated 9.8, while CVE-2021-21986 was scored 6.5. Earlier this year, a pair of ESXi vulnerabilities were being used by ransomware gangs to take over virtual machines and encrypt virtual hard drives.
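    Given VMware’s advice to declare an emergency change, the first thing an operator needs is a list of which appliances are still on a pre-fix build. The following is an added example (not VMware’s code) that classifies a vCenter inventory by release train and build number. The fixed build numbers are my recollection of the advisory for these CVEs, VMSA-2021-0010 (7.0 U2b, 6.7 U3n, 6.5 U3p), and the sample inventory is constructed, so verify the table against the advisory before acting on its output; the `version` and `build` fields are assumed to be the ones a vCenter Server Appliance returns from `GET /rest/appliance/system/version`. It reports only whether the code is patched, not whether the plugin-disable workaround is in place.

```python
"""Triage a vCenter inventory against the fix for CVE-2021-21985 and
CVE-2021-21986. Added example, not VMware's code.

Assumptions (not from the article): FIXED_BUILDS lists the first patched
build per release train as recalled from VMware's advisory VMSA-2021-0010;
confirm the numbers against the advisory before acting on the output. The
`version` and `build` fields are the ones the appliance reports from
GET /rest/appliance/system/version (vCenter 6.7 and 7.0 REST API).
"""
import json
import urllib.request

FIXED_BUILDS = {
    "7.0": 17958471,  # vCenter Server 7.0 Update 2b (recalled, verify)
    "6.7": 18010531,  # vCenter Server 6.7 Update 3n (recalled, verify)
    "6.5": 17994840,  # vCenter Server 6.5 Update 3p (recalled, verify)
}

NEEDS_PATCH, PATCHED, UNSUPPORTED = "needs_patch", "patched", "unsupported_train"


def release_train(version):
    """'7.0.2.00200' -> '7.0'. Build numbers only compare within one train."""
    major, minor = version.split(".")[:2]
    return f"{major}.{minor}"


def assess(version, build):
    """Classify one appliance. A train with no fixed build in the table
    (e.g. 6.0, out of support) is flagged rather than silently passed."""
    fixed = FIXED_BUILDS.get(release_train(version))
    if fixed is None:
        return UNSUPPORTED
    return PATCHED if int(build) >= fixed else NEEDS_PATCH


def triage(inventory):
    """inventory: iterable of dicts with host, version, build.
    Returns {status: [hosts]} so the emergency-change list is one lookup."""
    report = {NEEDS_PATCH: [], PATCHED: [], UNSUPPORTED: []}
    for vc in inventory:
        report[assess(vc["version"], vc["build"])].append(vc["host"])
    return report


def appliance_version(host, session_id):
    """Fetch version/build from a live appliance's REST API (not run offline).
    session_id comes from POST /rest/com/vmware/cis/session with admin
    credentials; TLS is verified, so the appliance needs a trusted cert."""
    req = urllib.request.Request(
        f"https://{host}/rest/appliance/system/version",
        headers={"vmware-api-session-id": session_id},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        value = json.load(resp)["value"]
    return {"host": host, "version": value["version"], "build": value["build"]}


# Constructed sample inventory; hosts, versions and builds are illustrative.
SAMPLE_INVENTORY = [
    {"host": "vc01.example.test", "version": "7.0.2.00100", "build": "17920168"},
    {"host": "vc02.example.test", "version": "7.0.2.00200", "build": "17958471"},
    {"host": "vc03.example.test", "version": "6.7.0.47000", "build": "17713310"},
    {"host": "vc04.example.test", "version": "6.0.0.30900", "build": "14367038"},
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

    Replace SAMPLE_INVENTORY with the output of `appliance_version()` for each vCenter you manage. Comparing builds per train matters: a 6.7 build number is not comparable to a 7.0 one, and a naive "highest build wins" check would mis-rate a patched 6.7 appliance against an unpatched 7.0 one.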

  • ACIC clarifies that it's not actually interested in your WhatsApp or Signal chat

    The Australian Criminal Intelligence Commission (ACIC) has taken the opportunity to revise the claims it made in a submission earlier this month around the unlawful use of encrypted communications, saying it has its sights on devices that are specifically used for illegal purposes rather than on encrypted messaging apps such as WhatsApp or Signal. In a submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) as part of its inquiry into the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020, the commission said, “ACIC observation shows there is no legitimate reason for a law-abiding member of the community to own or use an encrypted communication platform”. Facing Senate Estimates on Tuesday, ACIC CEO Mike Phelan was questioned on ZDNet’s article that highlighted the claims the submission made and said in response, “That’s not true”. “I mean, we all need encryption,” he said. “The legislation as designed — and it is absolutely our intention to not go after over-the-top apps, so I’m not after WhatsApp, Signal, Telegram, all those sorts of things. What we’re after is to get deep inside criminal networks that exist on the platforms within Australia.” Phelan clarified that what he is after are dedicated encrypted devices on closed networks, specifically those that are only designed for criminal communications. “So, you know, it’s public, where we are after things like Cipher and also similar networks that were taken down overseas; EncroChat, Phantom Secure, Sky ECC, these are dedicated devices — you can’t even make phone calls on, only text messages within a closed network,” he said.

    “That’s what we’re after and that’s my understanding of what the legislation will enable us to do — to get behind and try and get into the encryption for intelligence purposes, not to get into networks that are, quite frankly, if it’s WhatsApp or whatever.” “I don’t think any legislation is going to give us the ability to do that nor could I get in behind it anyway.” The Bill, if passed, would hand the Australian Federal Police (AFP) and ACIC three new computer warrants for dealing with online crime: a data disruption warrant, a network activity warrant, and an account takeover warrant. Phelan further clarified that what he considers illegitimate are not encrypted messaging apps, but encrypted devices. “The devices that we’re talking about — so far, the commission, through law enforcement in Australia and overseas, has not found one of them in the hands of a legitimate person,” he said. “However, I can envision a time when the technology can be used for encrypted communications legitimately, of course … It’s just that the ones — the dedicated networks — that we’re after, we haven’t seen any in the hands of people like you and me.” These are devices, he reiterated, that you can’t walk into a shop and purchase. “These are networks that are financed by criminals — imported devices, imported by criminals, resold by criminal networks,” he said. “You can’t walk into a Telstra store and say I want [a] Cipher device please.”

    Earlier in the day, the head of the Australian Security Intelligence Organisation (ASIO), Mike Burgess, lashed out at tech giants for running interference and handing a free pass to Australia’s adversaries and “some of the worst people in our society”. “Through the use of encryption, social media and tech companies are, in effect, creating and maintaining a safe space for terrorists and spies,” Burgess said. “Encryption is a fundamental force for good. As a society, we need to be able to shop, bank, and communicate online with confidence. But even a force for good can be hijacked, exploited and abused. In the case of encryption, we need to recognise how it is being used by terrorists and spies. End-to-end encryption is degrading our ability to protect Australia and Australians from threats, from the greatest threats.”

  • Zscaler stock surges on deal to buy active defense startup Smokescreen, upbeat quarterly results

    Cyber-security firm Zscaler this afternoon reported fiscal Q3 revenue and profit that both topped Wall Street analysts’ expectations, and an outlook that was higher as well, and said it will acquire Mumbai, India-based Smokescreen Technologies, a six-year-old startup specializing in what’s known as “active defense” technology. Terms of the deal were not disclosed. The Smokescreen technology can help block attacks such as the Colonial Pipeline ransomware attack that took place earlier this month, Zscaler said. The report sent Zscaler shares surging by 7% in late trading. CEO and founder Jay Chaudhry remarked, “With the addition of Smokescreen to our Zero Trust Exchange, our customers will be able to change the economics of cyberattacks by making them far more costly, complex and difficult for the adversary both before and during their attempted intrusions.” For those unfamiliar with active defense, Zscaler describes it this way: “In contrast to traditional reactive security measures, active defense uses proactive tactics to thwart the most advanced attackers with high-confidence detections across the lifecycle of an attack. It allows businesses to rebalance the defensive equation in their favor; identifying intrusions before attackers compromise vital company data and resources. Smokescreen is fully aligned with MITRE Shield, a framework for organizations to apply active defense effectively in their security operations workflows.” Revenue in the three months ended in April rose 60%, year over year, to $176.4 million, yielding a profit of 15 cents a share, excluding some costs.

    Analysts had been modeling $163.7 million and 7 cents per share. For the current quarter, the company sees revenue of $185 million to $187 million, and EPS in a range of 8 cents to 9 cents, again on a non-GAAP basis. That compares to consensus for $174 million and a 9-cent profit per share. For the full year, the company sees revenue in a range of $660 million to $664 million, and EPS of 47 cents per share. That compares to consensus of $638 million and a 40-cent profit per share.


  • Ransomware attack on Bose exposes employee SSNs and financial information

    In a letter to New Hampshire Attorney General John Formella, audio equipment company Bose revealed that it was hit with a ransomware attack on March 7. 

    The letter does not say what kind of ransomware was used or identify which group was behind the attack, but it explains that the company “experienced a sophisticated cyber-incident that resulted in the deployment of malware/ransomware across Bose’s environment.” By April 29, Bose and forensic analysts determined that those behind the attack had accessed internal administrative human resources files containing the Social Security numbers, addresses, and compensation information of some employees, including six people who live in New Hampshire. The company said it could not confirm that the attackers did not take files or information out of the system. It is unclear if a ransom was paid. Bose is now working with a private company and the FBI to search the dark web for any leaked information but has found no indication that its data has been leaked, according to the letter. The company has since implemented “enhanced malware/ransomware protection” on endpoints and servers, blocked the malicious files used during the attack, put in place monitoring tools to watch for subsequent attacks, and more. The six employees living in New Hampshire were offered 12 months of free identity protection services through IdentityForce and told to “remain vigilant” and monitor their own accounts, in a letter sent to those affected on May 19.

    Cybersecurity experts said the public notifications forced on companies hit with ransomware attacks are important, as other organizations try to protect themselves from similar attacks. Saryu Nayyar, CEO of Gurucul, commended Bose for publicly disclosing the attack but noted that the timeline of events the company described in the letter was problematic. “It’s important to share what thieves are doing as they are doing it to engage the necessary authorities and cyber defense experts to lessen the ripple effect of the attack. The notification letter was pretty thorough, however, the timelines are concerning. It took Bose 1.5 months to discover which data was accessed and potentially exfiltrated. It took another 3 weeks for the company to notify the affected individuals, which is a lifetime for an attacker to use that data for malice,” she said. Other experts also noted the lengthy response time from Bose, which may have endangered the people affected by the breach. Pathlock president Kevin Dunne said Bose could have reacted faster and taken more responsibility for the attack, while also laying out a clear plan for how it would prevent such attacks in future. “There is a lesson learned from this attack for all enterprises — keep your business-critical data in the applications where it can be managed and monitored, not in spreadsheets or other unmanaged databases,” Dunne said. “Employee data is sensitive data just like customer, financial, or IP-related data. Enterprises should invest in an HRM system and make sure that they have good access control and data loss prevention in place to limit the risk of potential damage from employee data loss.” He added that there is a great divide in attitudes among the stakeholders involved in a cybersecurity attack.

    Some companies, he explained, are overly cautious when reporting attacks on their systems because they want to avoid attracting further attacks or tipping their hand to ransomware groups that prey on a company’s need to solve a problem quickly. But the employees affected by the attack will want to be notified as quickly as possible so they can monitor for any unusual activity in their compromised accounts, Dunne added. “Shareholders are often torn, as making information about a breach public can often sink a stock price dramatically, but on the flip side, expectations can be managed better when the public is informed as early as possible about a breach,” he told ZDNet. Jack Mannino, CEO at nVisium, said different states and industries have different requirements for reporting incidents. But he urged any attacked companies to be proactive about notifying victims in order to limit the scrutiny that inevitably comes after a breach. Some experts, like Shared Assessments CISO Tom Garrubba, said there was a misperception among some companies that they only have to disclose breach information if they are publicly traded or operate in a regulated environment. “Regardless of your industry, trying to keep such cards close to the chest can hinder the long-term ability of improving your cyber hygiene to fend off future events. By believing lightning doesn’t strike twice, therefore, the organization may refuse to properly fund needed improvements to your cyber hygiene,” he said. “This poses a false sense of security that by dodging the bullet of ‘going public’ the attitude may be one of ‘it won’t happen again’ since no one really knows about it. And if it does happen again and details leak of a previous breach? You may then see a rot in both your consumer base along with your business dealings as your reputation tarnishes. The overall key to success in this instance is transparency. It truly is a ‘currency’ in this world.”