More stories

  • Rare bright cyber spot: ACSC reports total incidents down 28%

    It is not often in the cybersecurity realm that an indicator is headed in a happy direction, but that is what the overall incident number in the ACSC Annual Cyber Threat Report is doing. For the 2020-21 fiscal year, the Australian Cyber Security Centre (ACSC) responded to 1,630 incidents, which works out to around 31 a week. Compared to the previous financial year, the total number of cybersecurity incidents in the 2020–21 financial year decreased by 28%.

    Other good news included ACSC not having to respond to any incidents in the top third of its six incident grading categories. In the year prior, it reported a single category 1 incident and four category 2 incidents.

    Now for the bad news that typically makes up these reports. In total, ACSC is seeing a higher category grade being the most reported, with category 4 replacing category 5. Category 4 accounts for 49% of all incidents, whereas last year it accounted for 35%. “The highest proportion of incidents the ACSC responded to related to low-level malicious activity such as targeted reconnaissance, phishing, or non-sensitive data loss, accounting for more than half of the cybersecurity incidents,” the report said.

    The report highlighted the increasing amount of financial losses related to business email compromise (BEC) despite the number of BEC incidents heading lower. Total losses hit AU$81.5 million, an increase of 15%, and the average loss for each successful BEC transaction jumped 54% to AU$50,600.

    ACSC highlighted the bankruptcy of the hedge fund Levitas after false invoices saw it transfer AU$8.7 million to malicious actors. “While the business recovered the majority of its funds, it suffered significant reputational damage and its main client withdrew,” the report said. “This forced the hedge fund to go into receivership and resulted in its bankruptcy. This was likely Australia’s first bankruptcy case as a direct result of a cybercrime incident.”

    The establishment of a multi-agency BEC taskforce under the Australian Federal Police, dubbed Operation Dolos, was able to prevent AU$8.5 million being lost to business email compromises.

    “Despite the headlines, many of the compromises experienced by Australians will continue to be fuelled by a lack of adequate cyber hygiene. This delivers a significant advantage to adversaries and lowers the technical barrier to targeting victims in Australia, highlighting the need to uplift cybersecurity maturity across the Australian economy,” the ACSC said. “Given the prevalence of malicious cyber actors targeting Australian networks — which is often under-reported to the ACSC — there is a strong need for greater resilience, and for Australian organisations and individuals to prepare to respond to and recover from any cyber attack to their networks.”

    In an area that the Australian Labor Party enjoys banging on about — ransomware — the report said there was a 15% increase to almost 500 ransomware reports for the year. Shadow Assistant Minister for Cyber Security Tim Watts took the opportunity to have another whack at the government.

    “The Morrison-Joyce Government has utterly failed to take meaningful action to prevent ransomware attacks on Australian organisations despite twelve months of warnings,” he said. “But while the Morrison-Joyce government never misses an opportunity for a dramatic press conference on cybersecurity, it’s missed every opportunity to take the basic actions needed to combat the urgent threat of ransomware despite growing warnings. Instead, it’s simply blamed the victims, telling businesses it’s up to them to protect themselves against increasingly sophisticated and well-resourced cyber-criminals.”

    In total terms, ACSC said it experienced a 13% increase in cybercrime reports over 2020-21 to 67,500, with its reports-per-minute metric dropping from one report every 10 minutes to one every 8 minutes.

    “A higher proportion of cybersecurity incidents this financial year was categorised by the ACSC as ‘substantial’ in impact. This change is due in part to an increased reporting of attacks by cybercriminals on larger organisations and the observed impact of these attacks on the victims, including several cases of data theft and/or services rendered offline,” the report said. “The increasing frequency of cybercriminal activity is compounded by the increased complexity and sophistication of their operations. The accessibility of cybercrime services — such as ransomware-as-a-service — via the dark web increasingly opens the market to a growing number of malicious actors without significant technical expertise and without significant financial investment.”

    Going against the population distribution in Australia, Queensland led the way on cybercrime reports, followed by Victoria, New South Wales, Western Australia, and South Australia. Although trailing on the absolute numbers, WA and SA reported higher average financial losses. Overall, self-reported financial losses topped AU$33 billion.

    The report was also far from rosy on the outlook for supply chain compromises like those involving SolarWinds and Microsoft Exchange, describing them as “the new norm”. “Over the next 12 months, additional supply chain compromises will likely come to light, major vulnerabilities will continue to emerge and Australia will experience more major financially motivated cyber incidents, some of which could disrupt critical services,” it said.

  • OMIGOD: Azure users running Linux VMs need to update now

    Users of Azure who are running Linux virtual machines may not be aware they have a severely vulnerable piece of management software installed on their machine by Microsoft, one that can be remotely exploited in an incredibly surprising and equally stupid way.

    As detailed by Wiz.io, which found four vulnerabilities in Microsoft’s Open Management Infrastructure (OMI) project, an attacker would be able to gain root access on a remote machine if they sent a single packet with the authentication header removed.

    “This is a textbook RCE vulnerability that you would expect to see in the 90’s — it’s highly unusual to have one crop up in 2021 that can expose millions of endpoints,” Wiz security researcher Nir Ohfeld wrote. “Thanks to the combination of a simple conditional statement coding mistake and an uninitialized auth struct, any request without an Authorization header has its privileges default to uid=0, gid=0, which is root.”

    If OMI externally exposes port 5986, 5985, or 1270, then the system is vulnerable. “This is the default configuration when installed standalone and in Azure Configuration Management or System Center Operations Manager. Fortunately, other Azure services (such as Log Analytics) do not expose this port, so the scope is limited to local privilege escalation in those situations,” Ohfeld added.

    The issue for users, as described by Ohfeld, is that OMI is silently installed when users install log collection, lacks public documentation, and runs with root privileges. Wiz found that over 65% of the Azure customers running Linux it looked at were vulnerable.

    In its advisory on the four CVEs released today — CVE-2021-38647 rated 9.8, CVE-2021-38648 rated 7.8, CVE-2021-38645 rated 7.8, and CVE-2021-38649 rated 7.0 — Microsoft said the fix for the vulnerabilities was pushed to its OMI code on August 11 to give its partners time to update before detailing the issues. Users should ensure they are running OMI version 1.6.8.1, with Microsoft adding instructions in its advisories to pull down the OMI updates from its repositories if machines are not yet updated.

    “System Center deployments of OMI are at greater risk because the Linux agents have been deprecated. Customers still using System Center with OMI-based Linux may need to manually update the OMI agent,” Wiz warned.

    The vulnerabilities were part of Microsoft’s latest Patch Tuesday. Like many vulnerabilities these days, a catchy name had to be attached to them; in this case, Wiz dubbed them OMIGOD.
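The two facts a defender needs from the story above are whether the installed OMI is at or above 1.6.8.1 and whether the OMI ports (5986, 5985, 1270) are listening on anything other than loopback, since only the externally exposed case is the remote-root scenario and the rest is local privilege escalation. The following triage helper is an added example, not code from Wiz, Microsoft or the OMI project; the `ss -ltn` output it parses is constructed for the example, and the loopback-address prefixes and the `ss` column layout it assumes are the author's assumptions, not anything the article states.

```python
"""Added example: triage helper for the OMI ("OMIGOD") fixes described above.

Two checks for an Azure Linux VM:
  1. Is the installed OMI version at least 1.6.8.1 (the fixed version named in the article)?
  2. Are the OMI ports (5985, 5986, 1270) listening on a non-loopback address?

The sample `ss -ltn` output below is constructed for this example; on a real host you
would feed in the output of `ss -ltn` instead (column layout assumed: State, Recv-Q,
Send-Q, Local Address:Port, Peer Address:Port).
"""
import re
from typing import List, Tuple

FIXED_OMI_VERSION = "1.6.8.1"            # fixed version named in the article
OMI_PORTS = {5985, 5986, 1270}           # ports named in the Wiz write-up
LOOPBACK_PREFIXES = ("127.", "::1", "[::1]")   # assumption: what counts as "not external"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.6.8.1' into (1, 6, 8, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))


def omi_is_patched(installed: str, fixed: str = FIXED_OMI_VERSION) -> bool:
    """True when the installed OMI version is at or above the fixed version."""
    return parse_version(installed) >= parse_version(fixed)


# Matches the LISTEN rows of `ss -ltn`; the address group backtracks to the last ':' so
# both "0.0.0.0:5986" and "[::]:1270" split correctly.
_LISTEN_RE = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+")


def listening_omi_ports(ss_output: str) -> List[Tuple[str, int]]:
    """Return (address, port) pairs from `ss -ltn` output whose port is an OMI port."""
    found = []
    for line in ss_output.splitlines():
        m = _LISTEN_RE.match(line.strip())
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        if port in OMI_PORTS:
            found.append((addr, port))
    return found


def externally_exposed_omi_ports(ss_output: str) -> List[Tuple[str, int]]:
    """Keep only listeners bound to something other than loopback: the remote-RCE case."""
    return [(addr, port) for addr, port in listening_omi_ports(ss_output)
            if not addr.startswith(LOOPBACK_PREFIXES)]


def triage(installed_version: str, ss_output: str) -> str:
    """Classify a host: patched, remote-rce-exposure, or local-privesc-only."""
    if omi_is_patched(installed_version):
        return "patched"
    if externally_exposed_omi_ports(ss_output):
        return "remote-rce-exposure"
    return "local-privesc-only"


# Constructed sample: sshd, OMI bound to loopback on 5985, and OMI exposed on 5986 and 1270.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     127.0.0.1:5985       0.0.0.0:*
LISTEN  0       128     0.0.0.0:5986         0.0.0.0:*
LISTEN  0       128     [::]:1270            [::]:*
"""

if __name__ == "__main__":
    for version in ("1.6.7.2", "1.6.8.1"):
        print(version, "->", triage(version, SAMPLE_SS_OUTPUT),
              externally_exposed_omi_ports(SAMPLE_SS_OUTPUT))
```

Comparing versions as tuples rather than strings matters here: a string comparison would rank a hypothetical "1.6.10.0" below "1.6.8.1" and report a patched host as vulnerable.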

  • Microsoft September 2021 Patch Tuesday: Remote code execution flaws in MSHTML, OMI fixed

    Microsoft has released over 60 security fixes and updates resolving issues including a remote code execution (RCE) flaw in MSHTML and other critical bugs.

    The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, landed on September 14.

    Products impacted by September’s security update include Azure Open Management Infrastructure, Azure Sphere, Office Excel, PowerPoint, Word, and Access; the kernel, Visual Studio, Microsoft Windows DNS, and BitLocker, among other software.

    On September 7, Microsoft said a remote code execution flaw in MSHTML had been identified and was being used in a limited number of attacks against Windows systems. The zero-day vulnerability, tracked as CVE-2021-40444, has been resolved in this patch round and the firm is urging users to accept the security fix immediately.

    Some other notable vulnerabilities resolved in this update are:

    CVE-2021-38647: With a CVSS score of 9.8, this is the most critical bug on September’s list. This vulnerability impacts the Open Management Infrastructure (OMI) program and allows attackers to perform RCE attacks without authentication by sending malicious messages via HTTPS to port 5986. “Some Azure products, such as Configuration Management, expose an HTTP/S port for interacting with OMI (port 5986 also known as WinRM port),” Microsoft says. “This configuration where the HTTP/S listener is enabled could allow remote code execution. It is important to mention that most Azure services that use OMI deploy it without exposing the HTTP/S port.”

    CVE-2021-36968: A publicly disclosed Windows DNS privilege escalation zero-day vulnerability, issued a CVSS score of 7.8. Microsoft has not found any evidence, as of yet, of exploitation in the wild.

    CVE-2021-26435: A critical flaw (CVSS 8.1) in the Microsoft Windows scripting engine. However, this memory corruption flaw requires user interaction to trigger.

    CVE-2021-36967: A vulnerability, deemed critical and issued a CVSS score of 8.0, in the Windows WLAN AutoConfig service, which can be used for elevation of privileges.

    According to the Zero Day Initiative (ZDI), the 66 CVEs — including three critical, one moderate, and the rest deemed important — reveal a volume slightly higher than the average patch rate across 2021, while still below 2020 volume. In addition, 20 CVEs were patched by Microsoft Edge (Chromium) earlier in September, for a total of 86 CVEs. In total, 11 of these vulnerabilities were submitted through the Zero Day Initiative.

    On Wednesday, Microsoft warned of “Azurescape,” a vulnerability mitigated by the Redmond giant that impacts Azure Container Instances (ACI). The bug was reported by a researcher from Palo Alto Networks.

    Last month, Microsoft resolved 44 vulnerabilities in the August batch of security fixes. In total, three were categorized as zero-day flaws, and 13 allowed attackers to perform RCE attacks. Included in the patch release was a fix for a well-publicized Windows Print Spooler vulnerability which could be weaponized for the purposes of local privilege escalation. A month prior, the tech giant tackled 117 bugs during the July Patch Tuesday.

    In other security news, Apple has patched a zero-day vulnerability reportedly exploited by NSO Group to spy on users of Mac, iPhone, iPad, and Watch products. In addition, Google has pushed out a security update resolving two zero-day bugs being actively exploited in the wild. Alongside Microsoft’s Patch Tuesday round, other vendors, too, have published security updates.

  • Quantum cryptography: This air-filled fiber optic cable can transport un-hackable keys, say researchers

    Hollow core fiber has a hollow center filled with air, which runs the entire length of the cable and is encased in a ring of glass. (Image: BT / Lumenisity)

    A new type of optical fiber filled with nothing but thin air has been found to be particularly effective for carrying out quantum key distribution (QKD), a security protocol that is in principle un-hackable and could play a key role in protecting sensitive data against ever-more sophisticated cyber-attacks. BT experimented with QKD over a six-kilometer-long cable of hollow core fiber, a technology that it has been working on for the past few months as an alternative to traditional fiber optic cables.

    Optical fiber is typically made of solid strands of glass that carry information by channeling light signals emitted by laser transmitters. Hollow core fiber, on the other hand, has a hollow center filled with air, which runs the entire length of the cable and is encased in a ring of glass. It turns out that this configuration is better suited to QKD, because it reduces the possibility that different signals interfere with each other and spoil the whole process.


    QKD works in a similar way to traditional cryptography: data is encoded into an unreadable message using a cryptographic key that the recipient needs in order to decrypt the information. The method works by encoding the cryptographic key onto a quantum particle (or qubit) that is sent to the other person, who measures the qubit in order to obtain the key value. This approach is particularly interesting to security researchers because it is based on the laws of quantum physics, which dictate that qubits collapse as soon as they are measured. This means that if a third party eavesdrops on the exchange and measures the qubits to figure out the cryptographic key, they would inevitably leave behind a sign that they have intruded. Cryptographers, therefore, call QKD “provably” secure. The method is expected to bring an additional level of safety to data exchanges, especially as hackers develop better tools to crack existing security protocols.

    The technology is nascent, and researchers are looking at various ways to carry out QKD; but one of the most established approaches consists of using optical-fiber cables to send both the qubits that are loaded with the cryptographic key, and the actual encrypted message. But when using traditional optical fiber, which is made of glass, the effectiveness of the protocol is limited. This is because the light signals that carry information are likely to spread their wavelengths when travelling through glass, an effect called “crosstalk” that causes channels of light to leak into other channels. For this reason, the encrypted message cannot be sent through the same cable as the qubits, which are exceptionally fragile and susceptible to the noise caused by crosstalk. The whole process, says BT, is comparable to trying to have a whispered conversation next to an orchestra.

    This is where hollow core fiber could make a big difference. In an air-filled channel, light signals don’t scatter as much, and less crosstalk occurs between channels. In other words, there can be a clear separation between the encrypted data stream and the faint quantum signal that carries the encryption key – even if they are both travelling over the same fiber. Ultimately, therefore, hollow core fiber could be a more efficient candidate for QKD – an “all-in-one” solution that requires less infrastructure to be built.

    “We know now that if we were to put hollow core fiber in, it could enable us to put quantum channels potentially anywhere we like, without having to worry,” Catherine White, a researcher at BT, tells ZDNet. “Whereas with standard fiber, we either have to assign separate fibers for the QKD system or we have to be really careful not to have too much classical power when doing the planning.”

    What’s more, in previous trials of the technology, BT has also demonstrated that sending light signals through an air-filled core is much faster than through glass: according to the company, hollow core fiber enables data to travel up to 50% faster than in traditional optical cables. This means that the technology could also significantly reduce latency in the transmission of data. “This trial shows us the material we can work with, and it has wonderful properties like low latency and low scattering,” says White.

    BT’s trial remains limited: the experiment didn’t go so far as exchanging actual encrypted data, and instead looked at the behavior of the quantum particle when it was sent alongside a high-power classical channel, in this case a light signal. The success of the trial, says White, lies in the fact that both channels remained healthy, which wouldn’t be the case with standard fiber. “We were just proving key exchange, not testing encryption in this case,” says White. But parameters from the trial, such as quantum bit error rate, indicate that the system effectively generated a key that could be used to protect data, continued the researcher. Experiments are now underway to apply the configuration to the exchange of data.

    The next challenge will be to find out whether the technology can be scaled up. BT trialed QKD on a six-kilometer-long cable – still far off other experiments with the protocol in which researchers have managed to deliver quantum particles over hundreds of kilometers. Earlier this year, for example, researchers from Toshiba Europe’s Cambridge Research Laboratory demonstrated QKD on optical fibers exceeding 600 kilometers in length.

    White explains that, for all its low-latency and low-scattering properties, the hollow core fiber used in BT’s trial is not low-loss, which is a crucial property to extend the reach of QKD. Researchers, however, are working on fine-tuning the material to improve its performance in that respect. “Findings show that, when tuning the fiber for particular wavelengths, we are able to have astoundingly low loss,” says White. “This is very promising and we will see further developments.” “It does mean that hollow core fiber could potentially help reach longer reaches of QKD than we’ve seen,” she added.
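The two claims above that matter to a practitioner are that an eavesdropper who measures the qubits leaves a trace, and that the quantum bit error rate (QBER) is what tells the parties whether the generated key is usable. The simulation below, an added example rather than anything from BT's trial or the article, models a BB84-style exchange classically: a qubit is a (basis, bit) pair, measuring in the wrong basis yields a random bit and collapses the qubit, and the sifted key is compared to estimate the QBER. The 11% abort threshold is the textbook bound for one-way BB84 post-processing and the intercept-resend eavesdropper are the author's choices, not something the article describes; no quantum hardware or noise model is involved.

```python
"""Added example: classical simulation of BB84-style QKD with an intercept-resend eavesdropper.

Shows the mechanism the article relies on: a measurement in the wrong basis disturbs the
qubit, so an eavesdropper raises the quantum bit error rate (QBER) of the sifted key,
which is exactly the parameter Alice and Bob use to decide whether to keep the key.
"""
import random
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Qubit:
    basis: int   # 0 = rectilinear, 1 = diagonal
    bit: int     # the bit value encoded in that basis


def measure(q: Qubit, basis: int, rng: random.Random) -> int:
    """Measure in the preparation basis: exact read-out.
    Measure in the other basis: uniformly random outcome, and the qubit collapses
    into the measurement basis, so the original state is gone for anyone downstream."""
    if basis == q.basis:
        return q.bit
    result = rng.randrange(2)
    q.basis, q.bit = basis, result
    return result


def run_bb84(n: int, eavesdrop: bool, seed: int = 1) -> Tuple[List[int], List[int], float]:
    """Send n qubits from Alice to Bob, optionally through an intercept-resend Eve.
    Returns (Alice's sifted key, Bob's sifted key, QBER)."""
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]
    qubits = [Qubit(b, v) for b, v in zip(alice_bases, alice_bits)]

    if eavesdrop:
        # Eve measures each qubit in a random basis and forwards the collapsed qubit.
        # She guesses the basis wrong half the time, which randomises those bits.
        for q in qubits:
            measure(q, rng.randrange(2), rng)

    bob_bases = [rng.randrange(2) for _ in range(n)]
    bob_bits = [measure(q, b, rng) for q, b in zip(qubits, bob_bases)]

    # Sifting: over the public classical channel Alice and Bob compare bases only
    # (never bit values) and keep the positions where the bases matched.
    keep = [ab == bb for ab, bb in zip(alice_bases, bob_bases)]
    sifted_alice = [bit for bit, k in zip(alice_bits, keep) if k]
    sifted_bob = [bit for bit, k in zip(bob_bits, keep) if k]

    # In a real protocol a random sample of the sifted key is sacrificed to estimate
    # the QBER; here we compare the whole sifted key for clarity.
    errors = sum(1 for a, b in zip(sifted_alice, sifted_bob) if a != b)
    qber = errors / len(sifted_alice) if sifted_alice else 0.0
    return sifted_alice, sifted_bob, qber


def key_is_trustworthy(qber: float, threshold: float = 0.11) -> bool:
    """Abort key generation when the QBER exceeds the threshold (11% is the textbook
    one-way BB84 bound; a real deployment also budgets for channel noise)."""
    return qber <= threshold


if __name__ == "__main__":
    for eve in (False, True):
        a, b, qber = run_bb84(4000, eavesdrop=eve)
        print(f"eavesdropper={eve}: sifted {len(a)} bits, QBER={qber:.3f}, "
              f"usable={key_is_trustworthy(qber)}")
```

Without Eve the sifted keys agree exactly, so any non-zero QBER in this noiseless model is attributable to interference; with intercept-resend Eve, each sifted bit is wrong with probability 1/2 × 1/2 = 1/4, which is why the observed QBER sits near 25% and the key is rejected.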


  • The state of ransomware: national emergencies and million-dollar blackmail

    Banks have been “disproportionately affected” by a surge in ransomware attacks, clocking a 1,318% increase year-on-year in 2021.

    Ransomware has become one of the most well-known and prevalent threats against the enterprise today. This year alone, we have seen high-profile cases of ransomware infection — including against Colonial Pipeline, Kaseya, and Ireland’s health service — cause everything from business disruption to fuel shortages, declarations of national emergency, and restricted medical care.

    These attacks are performed for what can end up being multi-million dollar payouts, and these campaigns are now becoming easier to perform as initial access offerings become readily available to purchase online, cutting out the time-consuming legwork necessary to launch ransomware on a corporate network.

    There are a number of trends in the ransomware space of note, including:

    • Payouts: After DarkSide forced Colonial Pipeline to take fuel pipes out of operation, prompting panic-buying across the US, the firm paid a $4.4 million ransom. CEO Joseph Blount said it was the “right thing to do for the country.” The largest ransom payment stands at over $30 million.
    • High revenue: After analyzing online criminal activity, KELA says that organizations with annual revenue of over $100 million are considered the most attractive.
    • Initial Access Brokers (IABs): IABs have become an established criminal business, often sought-after by ransomware groups looking for their next target. Preferred methods of access include RDP and VPN credentials or vulnerabilities. English speakers are also in high demand to take over the negotiation aspects of a successful attack.
    • Leak sites: Ransomware groups will now often threaten to leak sensitive data stolen during an attack if a victim does not pay. Cisco Secure calls this a “one-two-punch” extortion method.
    • Cartels: Researchers have found that ‘cartels’ are also forming, in which ransomware operators share information and tactics.

    In a cybersecurity threat roundup report published on Tuesday, researchers from Trend Micro said that during the first half of this year, ransomware remained a “standout threat” with large companies particularly at risk — due to their revenue and the prospect of big payouts — in what is known as “big-game hunting.” During the first six months of 2021, 7.3 million ransomware-related events were detected, the majority of which were WannaCry and Locky variants. However, this is approximately half the number of detections during the same period in 2020, a decline the researchers have attributed to a shift away from low-value attempts to big-game hunts.

    “An incident with the DarkSide ransomware [Colonial Pipeline attack] brought heightened attention to ransomware operators, which might have prompted some of them to lie low,” the researchers say. “Meanwhile, law enforcement agencies across the world conducted a series of ransomware operations takedowns that might have left an impact on wide-reaching active groups.” Banking, government entities, and manufacturing remain top targets for ransomware operators today.

    Open source and legitimate penetration testing or cybersecurity tools are also being widely abused by these threat actors. Cobalt Strike, PsExec, Mimikatz, and Process Hacker are noted in the report as present in the arsenals of Ransomware-as-a-Service (RaaS) groups including Clop, Conti, Maze, and Sodinokibi.

    In addition to ransomware, business email compromise (BEC) rates have also increased slightly, by 4%, and cryptocurrency miners are now one of the most common strains of malware detected in the wild.

    Trend Micro has also explored how misinformation relating to the COVID-19 pandemic is being used to spread malware. Phishing, social media, and social engineering are commonly employed to lure users into clicking on malicious attachments or visiting fraudulent domains, and coronavirus-related themes now generally relate not to the disease itself, but to testing and vaccination projects. Malicious apps are part of the spread, some of which are spreading banking Remote Access Trojans (RATs) including Cerberus and Anubis.

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Bot attacks grow 41% in first half of 2021: LexisNexis

    A new cybercrime report from LexisNexis Risk Solutions has found that bot attacks are up significantly in 2021, growing by 41% in the first half of the year. The biannual report found that the financial services industry and media businesses are facing the brunt of bot attacks, while human-initiated attacks fell by 29%. According to the report, financial services companies saw 683 million bot attacks from January to June, while media companies dealt with 351 million, up 174% year over year.

    The LexisNexis Risk Solutions Cybercrime report is compiled by analysing 28.7 billion transactions over the six-month period through LexisNexis’ Digital Identity Network. Digital transactions overall are up nearly 30% this year. LexisNexis Risk Solutions researchers wrote that the United States still leads the way as the largest originator of automated bot attacks by volume, followed by the UK, Japan, Canada, Spain, Brazil, Ireland, India, Mexico and Germany.

    Stephen Topliss, vice president of fraud and identity for LexisNexis Risk Solutions, said the report confirms that cybercriminals are increasingly relying on automated processes, but also highlights that fraudsters are further establishing sophisticated and expansive networks to conduct fraud. “Explosive transaction and user growth rates in industry sectors such as virtual banks and buy now pay later are likely exposing emergent risks for these newer businesses as they grab the attention of fraudsters,” Topliss said. “The digital businesses that survive and thrive will be those that deploy layered cybercrime prevention solutions as they scale.”

    Bot attacks increased worldwide, with every region recording growth in bot volume in the first half of 2021. The Asia Pacific region saw the most growth, alongside South America.

    Cybercriminals are industrializing fraud by “leveraging mass data breaches, sophisticated automated tools, and deep dark-web intelligence,” according to the report, which explained that due to limited in-person banking options at the beginning of the COVID-19 pandemic, many people turned to digital financial products and never looked back. Financial services companies are increasingly attacked through payment transactions, which “continue to be attacked at a higher rate than any other industry.” Media companies also face a significant number of new account creation attacks, with criminals using media organizations as a way to test stolen identity data. The report notes that there has also been an increase in attacks on cryptocurrency wallets.

    The researchers added that the future looks uncertain as economies around the globe look to rebuild after the COVID-19 pandemic. “Where fraud had been so heavily targeted on COVID-related stimulus packages and related scams, how will this approach evolve as support is wound up and economies start to rebuild? Will fraudsters start to capitalize on the fruits of their bot labors and use validated credentials in higher-volume human-initiated attacks?” the researchers wrote. “Will scams, targeting vulnerable and new-to-digital customers, continue to proliferate? How vulnerable will new payment methods and digital platforms — such as buy-now-pay-later — become in the face of economic uncertainty?”

  • HP patches severe OMEN driver privilege escalation vulnerability

    A high-impact vulnerability in OMEN Command Center driver software has been patched by HP.

    On Tuesday, researchers from SentinelLabs published a technical deep-dive on the bug, tracked as CVE-2021-3437 and issued with a CVSS score of 7.8. SentinelLabs says the high-severity flaw impacts “millions of devices worldwide,” including a wide variety of OMEN gaming laptops and desktops, as well as HP Pavilion and HP ENVY models.

    Found by SentinelLabs researcher Kasif Dekel, CVE-2021-3437 is a privilege escalation vulnerability in the HP OMEN Command Center. The gaming hub can be used to adjust settings to a gamer’s preference — including fan speeds and overclocking — as well as to monitor a PC and network’s overall performance.

    A driver developed by HP and used by the software, HpPortIox64.sys, is the source of the security issue. According to the researchers, the code partially comes from WinRing0.sys, an OpenLibSys driver used to manage actions including reading and writing kernel memory. “The link between the two drivers can readily be seen as on some signed HP versions the metadata information shows the original filename and product name,” SentinelLabs noted. Privilege escalation bugs have been found in the WinRing0.sys driver in the past, including flaws that allow users to exploit the IOCTL interface to perform high-level actions.

    Several lines of code in the driver’s IOCTL system call function “allow user mode applications with low privileges to read/write 1/2/4 bytes to or from an IO port,” the team says, which could potentially be exploited to allow unprivileged users to conduct system-level actions.

    “This high severity flaw, if exploited, could allow any user on the computer, even without privileges, to escalate privileges and run code in kernel mode,” the researchers say. “Among the obvious abuses of such vulnerabilities are that they could be used to bypass security products. An attacker with access to an organization’s network may also gain access to execute code on unpatched systems and use these vulnerabilities to gain local elevation of privileges. Attackers can then leverage other techniques to pivot to the broader network, like lateral movement.”

    HP OMEN Gaming Hub prior to version 11.6.3.0 and the HP OMEN Gaming Hub SDK Package prior to 1.0.44 are impacted. At the time of writing, there is no evidence that the bug has been exploited in the wild.

    SentinelLabs reported its findings on February 17, 2021. By May 14, HP sent a proposed fix to the researchers, but it was found that the patch was not sufficient. The tech giant’s security team then changed its tactic and disabled the vulnerable feature to resolve the security flaw, delivered on June 7. A patched version of the software was made available on July 27 in the Microsoft Store.

    “We would like to thank HP for their approach to our disclosure and for remediating the vulnerabilities quickly,” the researchers commented. “We urge users of these products to ensure they take appropriate mitigating measures without delay.”

    HP has published a security advisory on CVE-2021-3437, describing the flaw as a privilege escalation and denial-of-service issue. “We constantly monitor the security landscape and value work that helps us identify new potential threats,” HP told ZDNet. “We have posted a security bulletin. The security of our customers is always a top priority and we urge all customers to keep their systems up to date.”

  • Close to half of on-prem databases contain vulnerabilities, with many critical flaws

    A five-year study has concluded with a sobering fact for businesses using on-premise servers: close to half contain vulnerabilities that may be ripe for exploitation. 

    Imperva released the results of the study on Tuesday, which analyzed roughly 27,000 databases and their security posture. In total, 46% of the on-premises databases worldwide accounted for in the scan contained known vulnerabilities. On average, each database contained 26 security flaws, with 56% ranked as a “high” or “critical” severity bug — including code execution vulnerabilities that can be used to hijack an entire database and the information contained within. All it may take, in some cases, is a scan on Shodan to find a target and the execution of a malicious payload.

    “This indicates that many organizations are not prioritizing the security of their data and neglecting routine patching exercises,” Imperva says. “Based on Imperva scans, some CVEs have gone unaddressed for three or more years.”

    France was the worst offender for unprotected databases, with 84% of those scanned containing at least one vulnerability — and the average number of bugs per database was 72. Australia followed with 65% (20 vulnerabilities on average), and then Singapore (64%, 62 security flaws per database), the United Kingdom (61%, 37 bugs on average), and China (52%, 74 security issues per database). In total, 37% of databases in the United States contained at least one known vulnerability, and these databases contained an average of 25 bugs.

    The Microsoft Exchange Server hack has highlighted the ramifications of poor security for on-prem servers as well as their owners. In March, Microsoft released emergency patches to resolve four zero-days — known collectively as ProxyLogon – but once exploit code was developed and released, thousands of businesses were compromised.

    In other recent database security news, a critical vulnerability impacting Cosmos DB became public in August. The bug, described as “trivial” to exploit by cloud security firm WIZ, gives “any Azure user full admin access (read, write, delete) to another customer’s Cosmos DB instances without authorization.”