More stories

  • Security researchers found 21 flaws in this widely used email server, so update immediately

    The maintainers of the widely-used Exim email server are urging admins to update to Exim version 4.94.2 due to 21 newly disclosed security flaws. “All versions of Exim previous to version 4.94.2 are now obsolete. The last 3.x release was 3.36. It is obsolete and should not be used,” the University of Cambridge-backed project said in an update. 

    “This is a security release,” the project adds, referring to fixes for 21 flaws that can be exploited by anyone over the internet. The new Exim release addresses security flaws reported by researchers at security firm Qualys. The bugs are a potentially major threat to internet security given that nearly 60% of internet servers run Exim mail transfer agent (MTA) software, which is by far the most widely used email server. As Qualys points out, IoT search engine Shodan returns 3.8 million results for Exim servers exposed on the internet, of which two million are located in the US. Exim is so widely deployed in part because it often ships as the default email server with popular Linux distributions like Debian.

    “Exim Mail Servers are used so widely and handle such a large volume of the internet’s traffic that they are often a key target for hackers,” said Bharat Jogi, a senior manager of the vulnerability and threat research unit at Qualys. “The 21 vulnerabilities we found are critical as attackers can remotely exploit them to gain complete root privileges on an Exim system – allowing compromises such as a remote attacker gaining full root privileges on the target server and executing commands to install programs, modify data, create new accounts, and change sensitive settings on the mail servers.”

    Jogi urged admins — many of whom run Exim servers at ISPs, government agencies, and universities — to apply the patches “immediately” given the breadth of the attack surface for this vulnerability.

    Such flaws have been rapidly exploited in the past: a previous remote code execution flaw in Exim that was patched in mid-2019 was also discovered by researchers at Qualys. The NSA eventually revealed that attackers had been exploiting the flaw, tracked as CVE-2019-10149, within two months of its public disclosure. The NSA warned in June 2020 that a hacking group known as Sandworm, within Russia’s intelligence service, GRU, had been exploiting the Exim flaw since at least August 2019. That bug’s impact is the same as the 21 newly disclosed vulnerabilities. The NSA said the attackers exploited the bug on victims’ public-facing MTAs by sending a specially crafted command in the “MAIL FROM” field of an SMTP (Simple Mail Transfer Protocol) message. Victims would then automatically download and execute a shell script from a domain controlled by the Sandworm group.

    MTAs are an attractive target for attackers because they’re generally exposed on the internet. Qualys has posted a blog detailing each of the 21 bugs and says its researchers have developed exploits to obtain full root privileges.
    The company reported an initial set of bugs to Exim maintainers on 20 October 2020 and provided 26 patches to Exim.

    | CVE            | Description                                            | Type   |
    |----------------|--------------------------------------------------------|--------|
    | CVE-2020-28007 | Link attack in Exim’s log directory                    | Local  |
    | CVE-2020-28008 | Assorted attacks in Exim’s spool directory             | Local  |
    | CVE-2020-28014 | Arbitrary file creation and clobbering                 | Local  |
    | CVE-2021-27216 | Arbitrary file deletion                                | Local  |
    | CVE-2020-28011 | Heap buffer overflow in queue_run()                    | Local  |
    | CVE-2020-28010 | Heap out-of-bounds write in main()                     | Local  |
    | CVE-2020-28013 | Heap buffer overflow in parse_fix_phrase()             | Local  |
    | CVE-2020-28016 | Heap out-of-bounds write in parse_fix_phrase()         | Local  |
    | CVE-2020-28015 | New-line injection into spool header file (local)      | Local  |
    | CVE-2020-28012 | Missing close-on-exec flag for privileged pipe         | Local  |
    | CVE-2020-28009 | Integer overflow in get_stdinput()                     | Local  |
    | CVE-2020-28017 | Integer overflow in receive_add_recipient()            | Remote |
    | CVE-2020-28020 | Integer overflow in receive_msg()                      | Remote |
    | CVE-2020-28023 | Out-of-bounds read in smtp_setup_msg()                 | Remote |
    | CVE-2020-28021 | New-line injection into spool header file (remote)     | Remote |
    | CVE-2020-28022 | Heap out-of-bounds read and write in extract_option()  | Remote |
    | CVE-2020-28026 | Line truncation and injection in spool_read_header()   | Remote |
    | CVE-2020-28019 | Failure to reset function pointer after BDAT error     | Remote |
    | CVE-2020-28024 | Heap buffer underflow in smtp_ungetc()                 | Remote |
    | CVE-2020-28018 | Use-after-free in tls-openssl.c                        | Remote |
    | CVE-2020-28025 | Heap out-of-bounds read in pdkim_finish_bodyhash()     | Remote |
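    Admins who want to confirm whether a host still runs an affected build can compare the version that `exim -bV` reports against the 4.94.2 release named above. The following Python script is an added example, not code from the article, from Qualys or from the Exim project. It assumes only that the first line of `exim -bV` output begins with `Exim version X.Y[.Z]`; the function names and the sample banners are constructed for illustration.

```python
"""Flag Exim builds that predate the 4.94.2 security release.

Added example (not from the article or the Exim project). It parses the
leading "Exim version X.Y[.Z]" of `exim -bV` output and compares it with the
fixed version named in the advisory. Function names and sample banners are
constructed for illustration.
"""
import re
import subprocess
from typing import Optional, Tuple

# First release carrying the fixes, per the advisory quoted above.
FIXED_VERSION = (4, 94, 2)

# Matches the start of `exim -bV` output, e.g. "Exim version 4.94.2 #2 built ..."
_VERSION_RE = re.compile(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", re.MULTILINE)


def parse_exim_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from `exim -bV` output, or None if absent.

    A two-component version such as "4.92" is normalised to (4, 92, 0).
    """
    match = _VERSION_RE.search(banner)
    if not match:
        return None
    major, minor, patch = match.group(1), match.group(2), match.group(3)
    return (int(major), int(minor), int(patch) if patch else 0)


def needs_update(version: Tuple[int, int, int]) -> bool:
    """True when the build predates 4.94.2.

    Tuple comparison is lexicographic, so (4, 94, 0) < (4, 94, 2), and the
    obsolete 3.x series (e.g. 3.36) is flagged as well.
    """
    return version < FIXED_VERSION


def assess(banner: str) -> str:
    """Human-readable verdict for one `exim -bV` banner."""
    version = parse_exim_version(banner)
    if version is None:
        return "UNKNOWN: no 'Exim version' line found"
    label = ".".join(str(part) for part in version)
    if needs_update(version):
        return f"UPDATE REQUIRED: Exim {label} predates 4.94.2"
    return f"OK: Exim {label} is at or above 4.94.2"


# Constructed sample banners in the shape of the first `exim -bV` line.
# Build numbers and dates are placeholders, not real builds.
SAMPLE_BANNERS = {
    "old-debian": "Exim version 4.92 #3 built 01-Jan-2020 12:00:00\n"
                  "Copyright (c) University of Cambridge\n",
    "one-short":  "Exim version 4.94 #2 built 01-Jan-2021 12:00:00\n",
    "patched":    "Exim version 4.94.2 #2 built 01-May-2021 12:00:00\n",
    "ancient":    "Exim version 3.36 #1 built 01-Jan-2002 12:00:00\n",
    "garbage":    "exim: command not found\n",
}


def live_banner() -> Optional[str]:
    """Run `exim -bV` on this host; None if Exim is not installed or fails."""
    try:
        result = subprocess.run(["exim", "-bV"], capture_output=True,
                                text=True, timeout=10)
    except (FileNotFoundError, subprocess.SubprocessError):
        return None
    return result.stdout


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:11s} {assess(banner)}")
    local = live_banner()
    if local is not None:
        print(f"{'this host':11s} {assess(local)}")
```

    One caveat when reading the verdict: distributions such as Debian backport security fixes without changing the upstream version string, so "UPDATE REQUIRED" on a vendor-patched package means "check the vendor's changelog or advisory", not proof of exposure. The check is a first-pass inventory aid across a fleet, not a replacement for the distribution's own security tracker.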

  • ACIC believes there's no legitimate reason to use an encrypted communication platform

    The Australian Criminal Intelligence Commission (ACIC) believes there is no legitimate reason for a law-abiding member of the community to own or use an encrypted communication platform.

    “These platforms are used almost exclusively by SOC [serious and organised crime] groups and are developed specifically to obscure the identities of the involved criminal entities and enable avoidance of detection by law enforcement,” the ACIC declared. “They enable the user to communicate within closed networks to facilitate highly sophisticated criminal activity.”

    The comments were made in a submission [PDF] to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) as part of its inquiry into the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020. It told the committee it intends to use the powers extended to the ACIC under the Bill to focus efforts on understanding and gathering intelligence on SOC groups who are using encrypted communication platforms to conceal their criminal activities.

    The Bill, if passed, would hand the Australian Federal Police (AFP) and ACIC three new computer warrants for dealing with online crime. The first of the warrants is a data disruption warrant; the second is a network activity warrant; and the third is an account takeover warrant.

    The ACIC said the Bill would allow it, through the collection, assessment, and dissemination of criminal intelligence and information, to inform national strategies to address transnational serious and organised crime.

    “To deliver on this purpose, the powers and capabilities of the ACIC must keep pace with technological trends and emerging threats to ensure the agency is able to adequately tackle serious cyber-enabled crime and sophisticated criminal groups using encrypted platforms,” it said. “The agency must be enabled to support law enforcement outcomes to protect Australians against the most sophisticated and high-threat actors, who increasingly utilise advanced communications technologies to mask their criminal activities.”

    According to the ACIC, the disruption, intelligence collection, and account takeover powers contained within the Bill complement the agency’s existing powers by providing new avenues to gather information and respond to serious crime occurring online and to criminals using dedicated encrypted communication platforms. “The measures in the Bill are grounded in the principle that the powers granted by Parliament to the agencies charged with enforcing the criminal law should not be eroded by advances in technology,” it wrote. “The Bill is designed to provide the ACIC and AFP with the ability to protect the Australian community from harms online in the same way they protect Australians in the physical world.”

    The ACIC believes the Bill addresses gaps in current electronic surveillance powers. Network activity warrants provided by the Bill will “immediately transform the ACIC’s ability to discover and understand serious criminal groups using the Dark Web and encrypted communication platforms to undertake and facilitate serious crimes”.

    “Currently, while the ACIC might be able to detect criminal behaviour on a hidden website or computer network, we cannot identify all the individuals participating in the criminal behaviour,” it explained. “For this reason, we require the ability to target and infiltrate the network, or class of computers, in which the crime is occurring so the members of the criminal group can be identified and the full nature and extent of the criminality can be detected through the collection of intelligence.”

    Data disruption warrants, meanwhile, would enable the ACIC to interfere with the data held on online criminal networks or devices, in order to frustrate the commissioning of serious criminal offences. “This will be particularly powerful in the context of disrupting criminal activity which is largely occurring online,” it wrote.

    Lastly, account takeover warrants, it said, would allow the agency to take control of an online account in conjunction with other investigatory powers, labelling it an “efficient method for agencies to infiltrate online criminal networks”. “This will play a crucial role in uncovering the identities of otherwise anonymous criminals, as well as gathering evidence of the initiation and commissioning of serious offences online, including on the Dark Web and where encrypted communication platforms are in use,” it said.

  • REvil ransomware to blame for UnitingCare Queensland's April attack

    After revealing late last month it had fallen victim to a cyber incident, UnitingCare Queensland has now named REvil/Sodin as the gang behind the attack.

    The organisation, which provides aged care, disability supports, health care, and crisis response services throughout the state, suffered the attack on Sunday, 25 April 2021. In a statement issued a few days later, UnitingCare said its systems were still hurting. On Wednesday, it said some of the organisation’s systems have since been inaccessible.

    The organisation also pointed the blame at REvil/Sodin as the source of the attack. “We can confirm that the external group claiming responsibility for this incident has identified themselves as REvil/Sodin,” it said. “With the assistance of leading experts and advisors, we are conducting a thorough investigation into whether patient, client, resident or employee information has been breached.

    “This investigation is continuing and we will continue to keep the people we care for updated in this regard, in addition to employees, regulators, and other stakeholders.”

    The REvil (Sodinokibi) ransomware gang has been active for quite a while, dwarfing any other similar ransomware operations. Run as a Ransomware-as-a-Service (RaaS), the REvil gang rents its ransomware strain to other criminal groups. The figure demanded of UnitingCare has not been disclosed, but it was reported in March that Taiwanese giant Acer was struck by REvil ransomware, with the culprits demanding $50 million from the company.

    “Since the incident occurred, as part of our business continuity plan, back-up and downtime procedures have been in place to ensure continuity of our clinical and care services, and these procedures have been working very well,” UnitingCare said. It said at this point in time, there is no evidence that the health and safety of its patients, residents, or clients has been in any way compromised as a result of the attack.

    “As soon as we became aware of the incident, we engaged the support of leading external technical and forensic advisors. We also notified the Australian Cyber Security Centre of the incident and are continuing to work closely with them to investigate it,” UnitingCare added. “Since the outset of the incident, we have been in pro-active regular contact with all relevant regulatory and government departments.”

    Last year, the Australian Cyber Security Centre (ACSC) issued an alert to aged care and healthcare providers, notifying them of recent ransomware campaigns targeting the sector. “Cybercriminals view the aged care and healthcare sectors as lucrative targets for ransomware attacks,” the ACSC wrote. “This is because of the sensitive personal and medical information they hold, and how critical this information is to maintaining operations and patient care. A significant ransomware attack against a hospital or aged care facility would have a major impact.”

    Data breach notification to the Office of the Australian Information Commissioner became mandatory under the Notifiable Data Breaches (NDB) scheme in February 2018. Since the mandate, the private health sector has been the most affected sector. The latest NDB report shows no change, with health accounting for 123 of the total 519 notifications in the six months to December 2020.

  • Justice Department seizes fake COVID-19 vaccine website stealing info from visitors

    A fake COVID-19 vaccine website stealing visitors’ data has been shut down by the Justice Department, according to the U.S. Attorney’s Office for the District of Maryland. The people behind “freevaccinecovax.org” made the website look like it belonged to a biotechnology company working on the vaccine for COVID-19, but it was actually being used by cybercriminals for “fraud, phishing attacks, and/or deployment of malware.” The site now has a large banner saying it has been seized by the federal government.

    “This is the ninth fraudulent website seeking to illegally profit from the COVID-19 pandemic that we have seized,” Acting U.S. Attorney Jonathan Lenzner said in a statement. Lenzner noted that the website is one of thousands that have popped up since the pandemic began in early 2020. Cybercriminals have leveraged the fear and interest around COVID-19 to propagate a variety of scams or efforts to spread malware. Lenzner added that the government is “providing the vaccine free of charge to people living in the United States” and that no one should ever click on anything offering the vaccine for sale.

    The affidavit filed in court by the Justice Department says the scam was initially uncovered by the HSI Intellectual Property Rights Center and the HSI Cyber Crimes Center. The website was allegedly created from an IP address in Strasbourg, Germany but was registered in Russia, according to the Justice Department.

    It was created on April 27 and the site’s homepage featured the logos of a number of well-known healthcare organizations like the World Health Organization, Pfizer, and the United Nations High Commissioner for Refugees. The website asked visitors to enter their location and then automatically downloaded a PDF file that users could fill out and upload. It is unclear how many people visited the site and filled out the PDF.

    Eric Howes, principal lab researcher at cybersecurity firm KnowBe4, said both the domain itself and the operation associated with it illustrate just how useful the COVID-19 pandemic has been for malicious actors looking to cash in on other people’s misery. A bogus vaccine website offers bad actors a wide range of potential social engineering schemes, Howes explained, ranging from offers of free access to vaccine supplies to bogus investment schemes.

    “COVID-19 has been the gift that keeps on giving for fraud artists over the past year,” Howes said. “While authorities are to be lauded for shutting down this domain, one wonders how many more of them pushing similar fraudulent schemes are out there on the internet. Dozens? Hundreds? Thousands? Moreover, how long will it be before the parties behind this operation simply set up another domain and continue their operations?”

  • Americans turn to VPNs to prevent online fraud and hacking

    Since March 2020 there has been an increase in VPN (Virtual Private Network) discount-related searches as Americans look for a way to feel secure online, according to a new report.


    New York, NY-based coupon engine CouponFollow, part of NextGen Shopping, surveyed 1,666 US adults before the pandemic and a further 1,834 US adults in February 2021 to understand how Americans view their internet security and data privacy.

    The report showed that almost seven in ten (69%) Americans are concerned about the security of their data when using public Wi-Fi, and nearly two in three (64%) are worried about it when using the internet at home. A similar percentage (65%) are concerned that their medical or financial data might be shared — or sold on — by their ISP. Almost half (47%) of Americans are concerned about their privacy when using public Wi-Fi, and nearly a third (30%) worry about their privacy even when using the internet at home.

    Online fraud and hacking is a concern for Americans, with over one in three (35%) knowing someone who has had their social media account hacked or hijacked — including themselves. Almost half of Millennials (48%) reported this happening.

    In October 2020 the UK’s data privacy watchdog fined the Marriott hotel chain for a data breach that could have affected up to 339 million guests. Even social media sites like Facebook have suffered data leaks. One in three have had, or know someone who has had, their password stolen, and 52% of Millennials and Gen Z reported the same. Only 12% of Baby Boomers reported having their password stolen, and one in five (20%) had a social media account hacked or hijacked — reflecting the amount of time they spend online.

    Although one in three (35%) Americans use a VPN, 33% reported that they do not know what a VPN is. Men are more likely to know what a VPN is, but almost half of Baby Boomers (49%) do not know what a VPN is. Even two in five (40%) of VPN users do not understand what the term VPN means.

    Using the internet at work does not seem to elicit the same level of concern. This could be due to the levels of antivirus and firewall protection that employers have implemented on their devices, or perhaps to the type of sites people browse on their work devices; here, less than one in three (32%) are worried about their security. Less than one in five (18%) are concerned about their privacy when browsing the web from a work device. Over one in ten (12%) started to use a VPN in 2020, and one in five (21%) installed a VPN to enable them to work from home.

    Up to 35% of Americans already use a VPN for anonymous browsing (45%), work access (45%), or for shopping online (21%). Only 12% use it for torrenting or P2P file sharing. As hacking attempts and breaches grow, Americans have good reason to be cautious. Parler’s data leak exposed millions of posts as 70TB of data was scraped from the platform, and the ParkMobile app data breach exposed data from 21 million users. Being ultra-careful online will be the only way to avoid being a victim of the next breach.

  • IBM adds zero trust capabilities to Cloud Pak for Security

    IBM is rolling out new zero trust capabilities to Cloud Pak for Security, its platform for tackling cybersecurity threats across multicloud and hybrid environments. IBM said the features are aimed at helping customers adopt a zero trust approach to security by applying the principles of least privilege access, “never trust, always verify”, and assume breach.

    Among the key features are the new IBM Security zero trust blueprints, which are designed around common zero trust use cases. The four new blueprints are meant to provide a framework to help preserve customer privacy, secure hybrid and remote workforces, reduce the risk of insider threats, and protect hybrid cloud environments. IBM also introduced an as-a-Service version of IBM Cloud Pak for Security. The new consumption model lets customers choose between an owned or hosted deployment model based on their environment and needs.

    Meanwhile, a new partnership between IBM and Zscaler was announced as part of an effort to address remote work and network security modernization. The alliance will combine IBM Security Services with Zscaler’s network security technology to deliver an end-to-end secure access service edge (SASE) solution. Dow Chemical is an early customer working with IBM Security and Zscaler as part of its remote/hybrid workforce modernization strategy.

    Launched in 2019 as the foundation of IBM’s open security strategy, Cloud Pak for Security is designed to glean threat information and insights from various sources without having to move data. The system leverages IBM’s investment in Red Hat, including OpenShift, and is designed specifically to unify security across hybrid cloud environments. Over the last year IBM has expanded the capabilities within Cloud Pak for Security to address some of the key components of threat management — such as detection, investigation and response — using AI and automated workflows. In October, IBM added a new integrated data security hub that promises to bring data security insights directly into threat management and security response platforms.

  • DOD expands its bug hunting programme to networks, IoT and more

    The US Department of Defense has significantly expanded its bug bounty program to all publicly accessible information systems, including not just websites but also networks, frequency-based communication, Internet of Things, and industrial control systems. The DoD bug bounty, which is overseen by the DoD’s Cyber Crime Center (DC3), is now much broader than the “Hack the Pentagon” pilot kicked off in 2016 with partner HackerOne, in which hackers were restricted to probing DoD’s public-facing websites and applications.

    Brett Goldstein, director of the Defense Digital Service, said the DoD’s bug bounty “allows for research and reporting of vulnerabilities related to all DoD publicly-accessible networks, frequency-based communication, Internet of Things, industrial control systems, and more”, according to a DoD press release. “This expansion is a testament to transforming the government’s approach to security and leapfrogging the current state of technology within DoD,” said Goldstein.

    The DoD says that since the bug bounty launched, it has received more than 29,000 vulnerability reports from hackers. More than 70 percent of them were determined to be valid after triage. Last month DC3 launched another bug bounty pilot called the Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP), which aims to improve the security of defense contractors. It’s also being run on HackerOne. Carnegie Mellon University Software Engineering Institute conducted a feasibility study in 2020 and recommended the pilot program proceed.

    “The department has always maintained the perspective that DOD websites were only the beginning as they account for a fraction of our overall attack surface,” said DC3 director Kristopher Johnson. Johnson said he expects the number of bug reports it receives to “drastically increase” due to the broader scope of the program, which now allows security researchers to report bugs they wouldn’t have been allowed to in the past.

  • This massive DDoS attack took large sections of a country's internet offline

    A massive distributed denial of service (DDoS) attack took down the websites of more than 200 organisations across Belgium, including government, parliament, universities and research institutes. The DDoS attack started at 11am on Tuesday 4 May and overwhelmed the websites with traffic, rendering their public-facing sites unusable for visitors, while also swamping internal systems and cutting them off from the internet.

    The attack targeted Belnet, the government-funded ISP for the country’s educational institutions, research centres, scientific institutes and government services – including government ministries and the Belgian parliament. Some debates and committee meetings had to be postponed as users couldn’t access the virtual services required to take part.

    Belgium’s central authority for cybersecurity, the Center for Cybersecurity Belgium (CCB), was contacted following the attack in order to help contain and resolve it. One of the reasons the attack was so disruptive was that those behind it kept altering their techniques. “The fact that the perpetrators of the attack constantly changed tactics made it even more difficult to neutralize it,” said Dirk Haex, technical director at Belnet. A day on from the DDoS attack, an update from Belnet said its services are available again but that the service provider is remaining vigilant about potential follow-up attacks.

    “We are fully aware of the impact on the organizations connected to our network and their users and we are aware that this has profoundly disrupted their functioning,” said Haex.

    A DDoS attack is designed purely with the intent of disrupting websites and services by taking them offline, overwhelming them with an excessive amount of traffic. In many cases, DDoS attacks will exploit servers, computers and Internet of Things devices that have been taken control of by cyber criminals and roped into a botnet – an army of devices controlled by cyber attackers – using that traffic to overwhelm the capacity of the target to the extent that it becomes inaccessible for anyone.

    The intent of the attackers is purely disruption, and Belnet has stated that there’s been no data breach or theft of data as a result of the attack, nor did cyber criminals infiltrate the network – they just overwhelmed it with web traffic. According to Belnet, it’s unclear who was behind the attack, but the network provider is investigating it. Belnet has also filed a complaint with the Federal Computer Crime Unit.
