More stories

  • Microsoft finds memory allocation holes in range of IoT and industrial technology

    The security research group for Azure Defender for IoT, dubbed Section 52, has found a batch of bad memory allocation operations in code used in Internet of Things (IoT) and operational technology (OT) such as industrial control systems that could lead to malicious code execution. Given the trendy vulnerability name BadAlloc, the vulnerabilities stem from improperly validated input that leads to heap overflows and can eventually end in code execution. “All of these vulnerabilities stem from the usage of vulnerable memory functions such as malloc, calloc, realloc, memalign, valloc, pvalloc, and more,” the research team wrote in a blog post. These functions become dangerous when the size argument passed to them is derived from external input that can trigger an integer overflow or wraparound. “The concept is as follows: When sending this value, the returned outcome is a freshly allocated memory buffer,” the team said. “While the size of the allocated memory remains small due to the wraparound, the payload associated with the memory allocation exceeds the actual allocated buffer, resulting in a heap overflow. This heap overflow enables an attacker to execute malicious code on the target device.” Microsoft said it worked with the US Department of Homeland Security to alert the impacted vendors and patch the vulnerabilities.
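    The integer-wraparound pattern described above, as an added example in C (not code from Microsoft’s post or from any affected product): a hypothetical message header supplies a record count and record size straight from the network; the naive 32-bit product wraps to a tiny allocation, while the checked version refuses before malloc is ever called. Field names, the header layout and host byte order are assumptions of this example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wire header for this example (constructed, not from any
 * affected product): both fields arrive untrusted from the network. */
struct msg_hdr {
    uint32_t count;      /* number of records that follow */
    uint32_t elem_size;  /* bytes per record */
};

/* The BadAlloc pattern: a 32-bit product handed straight to the allocator.
 * count * elem_size is reduced modulo 2^32, so a hostile header yields a
 * tiny allocation while the payload it describes is far larger. */
uint32_t naive_alloc_size(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;   /* silently wraps */
}

/* Hardened: prove the product fits before it is used as a size.
 * Returns 1 and stores the size on success, 0 if it would wrap or is zero. */
int checked_alloc_size(uint32_t count, uint32_t elem_size, uint32_t *out)
{
    if (count == 0 || elem_size == 0)
        return 0;
    if (count > UINT32_MAX / elem_size)   /* product would exceed 32 bits */
        return 0;
    *out = count * elem_size;
    return 1;
}

/* Parse one message: header followed by count*elem_size bytes of payload.
 * Returns a freshly allocated copy of the payload, or NULL on any
 * inconsistency. The size is validated before malloc, and the declared
 * length is checked against the bytes actually received so a short packet
 * cannot cause an over-read either. Caller frees the result. */
unsigned char *parse_message(const unsigned char *buf, size_t buf_len,
                             uint32_t *out_len)
{
    struct msg_hdr hdr;
    uint32_t need;

    if (buf_len < sizeof hdr)
        return NULL;
    memcpy(&hdr, buf, sizeof hdr);          /* host byte order, for brevity */
    if (!checked_alloc_size(hdr.count, hdr.elem_size, &need))
        return NULL;                        /* would-be BadAlloc rejected */
    if (buf_len - sizeof hdr < need)
        return NULL;                        /* declared size exceeds packet */

    unsigned char *dst = malloc(need);
    if (dst == NULL)
        return NULL;
    memcpy(dst, buf + sizeof hdr, need);
    *out_len = need;
    return dst;
}

int main(void)
{
    /* Constructed hostile header: 0x40000001 records of 4 bytes each.
     * The true size is 0x100000004 bytes, which wraps to 4 in 32 bits. */
    uint32_t size = 0;
    printf("naive size:   %u bytes\n", naive_alloc_size(0x40000001u, 4u));
    printf("checked size: %s\n",
           checked_alloc_size(0x40000001u, 4u, &size) ? "accepted" : "rejected");

    /* Well-formed constructed packet: 3 records of 4 bytes. */
    unsigned char pkt[sizeof(struct msg_hdr) + 12];
    struct msg_hdr ok = { 3u, 4u };
    memcpy(pkt, &ok, sizeof ok);
    memset(pkt + sizeof ok, 0xAB, 12);
    uint32_t got = 0;
    unsigned char *payload = parse_message(pkt, sizeof pkt, &got);
    printf("parsed %u payload bytes\n", payload ? got : 0);
    free(payload);
    return 0;
}
```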

    The list of affected products in the advisory includes devices from Google Cloud, Arm, Amazon, Red Hat, Texas Instruments, and Samsung Tizen. CVSS v3 scores range from 3.2 in the case of Tizen to 9.8 for Red Hat newlib prior to version 4. As with most vulnerabilities, Microsoft’s primary piece of advice is to patch the affected products, but because industrial equipment can be hard to update, Redmond also suggests disconnecting devices from the internet if possible or putting them behind a VPN with 2FA, deploying network security and monitoring to detect behavioural indicators of compromise, and using network segmentation to protect critical assets. “Network segmentation is important for zero trust because it limits the attacker’s ability to move laterally and compromise your crown jewel assets, after the initial intrusion,” the team wrote. “In particular, IoT devices and OT networks should be isolated from corporate IT networks using firewalls.”

  • Home Affairs' online team referred over 1,500 violent or extremist items for take-down

    The Department of Home Affairs has a dedicated team to find content on social media sites that promotes hate, incites violence, or points to terrorist propaganda. The team then works with social media platforms to have that content removed. In the 12 months to 31 March 2021, 1,559 pieces of terrorist and violent extremist content were referred. 95% of that, or 1,486 items, were in the religiously motivated violent extremism space. 3%, or 51 pieces of content, were defined as being ideologically motivated violent extremist material. The remaining 2% was not defined. The team has a budget of around AU$3 million. Appearing before the Parliamentary Joint Committee on Intelligence and Security (PJCIS) as part of its inquiry into extremist movements and radicalism in Australia, Dr Richard Johnson, first assistant secretary of Home Affairs’ Social Cohesion team, said this isn’t necessarily reflective of the amount of content that’s out there, as the platforms themselves engage in their own takedown procedures. But there are some platforms that don’t have a referral function, which Johnson said usually points to the nature of those particular sites. While the Home Affairs team deals with the more mainstream platforms, such as Facebook, Instagram and Twitter, it also engages the likes of Telegram and 4chan. “We have referred material before, whether we’re successful very much depends on the nature of the platform, how they’re operating in a particular jurisdiction, and also the ethos of the particular platform,” he clarified.

    Senators were concerned the 1,559 figure was at odds with other statistics they have seen. “Firstly, platforms themselves do a lot of work in the first instance, to remove such materials. Not all platforms do. Secondly, we work in the open source … space. So we’re not seeing everything that’s on the internet — we’re not working in encrypted chat rooms, etc,” he said. “Thirdly … some of the material falls short of the thresholds in the first instance. Some of the platforms that host some of the material just don’t have a referral function. So part of their raison d’etre, so to speak, is to host such content.” Johnson said violent extremist material in particular is what the team is looking for, but it also tracks down the likes of manifestos or content that advocates or instructs on how to commit a terrorist offence. “The online team is principally about understanding the narrative focal points … it’s certainly not tracking individuals in that sense,” Johnson said, responding to a question about an individual displaying symbolism, such as a radical flag, on their own personal Facebook page. That work, he said, falls more in the hands of the teams that work with community leaders, as one example, in prevention activities and material that counters the extreme ideological perspectives individuals might be exposed to. One such program run on behalf of the Department of Home Affairs by Icon Agency is Rapt!. Rapt!, its website says, celebrates the many ways Muslim Australians contribute to society and its culture, by sharing stories and reflecting on different beliefs and opinions. With a presence already on Facebook and Instagram, as well as the web, Johnson said a YouTube channel will launch soon.

    Johnson was asked by Shadow Minister for Home Affairs Kristina Keneally, in her capacity as a PJCIS member, how the department is helping people understand, for example, what “shitposting” is. “We’ve run a couple of digi-engage forums for young people to specifically take them through what they’re seeing on the internet, what some of the tropes are … there’s ironic nodes that some of these groups use, for example, how to see it, to recognise it, and even to engage with it in an attempt to challenge it, if that’s appropriate,” Johnson said. “So we’ve got a capability set of work that we do precisely for that on the online environment.” With Department of Foreign Affairs and Trade counter-terrorism ambassador Roger Noble pointing to the “dark web” as making violent and extremist material more accessible in his testimony earlier in the day, Home Affairs was asked what legislation would help law enforcement activities in the space. Chris Teal, Home Affairs deputy secretary of social cohesion and citizenship and also the counter-terrorism and counter foreign interference coordinator, told Senators the Counter-Terrorism Legislation Amendment (High Risk Terrorist Offenders) Bill 2020 is needed, as is the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 and the Telecommunications Legislation Amendment (International Production Orders) Bill 2020. “One of the flow-ons from Dr Johnson’s evidence is that a lot of this is occurring out of sight, on the dark web … one of the reasons I would contend that the numbers are as they are in relation to takedowns is because we’re on what I think is known as the surface web and apparently there’s a bad thing underneath it,” he said. “I think that the numbers that we’ve been talking about is not demonstrative of what’s out there. It’s demonstrative of what we can see.”

    “The International Production Orders legislation currently before the Parliamentary Joint Committee will create a step change in the way in which Australia can request information directly from US companies and the evidence that Dr Johnson outlined about some of the companies that we work with … this will short circuit what is a very long process in mutual recognition and mutual exchange of information processes,” explained first assistant secretary of Home Affairs’ Cyber, Digital and Technology Policy team, Hamish Hansford. “The committee will consider that our marching orders on that legislation,” PJCIS chair Senator James Paterson declared. Appearing earlier in the day before the PJCIS, Australian Security Intelligence Organisation (ASIO) Director-General of Security Mike Burgess said the security legislation before Parliament would certainly help law enforcement, but said ASIO was content with the powers it is awarded under the Telecommunications and other Legislation Amendment (Assistance & Access) Act 2018 (TOLA Act). “With TOLA, our investments in our capability to deal with this evolving — I’m satisfied at this point in time, we have the right legal mechanisms in place for my agency, noting my federal police colleagues have other needs that they’re prosecuting the case for now,” Burgess said.

  • Paleohacks data leak exposes customer records, password reset tokens

    A popular online resource for paleo recipes and tips was the source of a data leak impacting roughly 70,000 users. 

    On Thursday, researchers from vpnMentor revealed a misconfigured Amazon AWS S3 bucket as the central point of the data breach; the bucket was used to store the private data and records of users. Los Angeles-based Paleohacks runs a website containing recipes, meal plans, and articles on the paleolithic lifestyle, including downloadable guides, a forum, and an e-commerce store. The team, led by Noam Rotem, said that there was a failure to implement “basic data security protocols” on the S3 bucket, and the misconfiguration meant that there were no access limits on the public. The bucket contained roughly 6,000 files holding the records of approximately 69,000 users. According to the researchers, the content spanned 2015 to 2020 and included personally identifiable information (PII) such as full names, email addresses, IP addresses, login timestamps, locations, dates of birth, bios, and profile pictures. While passwords were hashed, vpnMentor said that some entries also contained password reset tokens for subscription and membership services. These tokens were protected with the bcrypt hashing algorithm, but it could still be possible to abuse the tokens to hijack user accounts. The unsecured bucket was discovered on February 4. vpnMentor attempted to contact the vendor on February 7, February 9, and March 17; however, there was no response. As a result, the team reached out to Amazon as a last resort and the AWS S3 bucket was then secured.

    It is not known if any unauthorized individuals accessed the bucket before it was secured against intrusion. “Our team was able to access Paleohacks’ S3 bucket because it was completely unsecured and unencrypted,” the company says. “If you’re a customer of Paleohacks and are concerned about how this breach might impact you, contact the company directly to determine what steps it’s taking to protect your data.” Paleohacks had not responded to requests for comment at the time of publication.

  • RotaJakiro: A Linux backdoor that has flown under the radar for years

    A Linux backdoor recently discovered by researchers has avoided VirusTotal detection since 2018.

    Dubbed RotaJakiro, the Linux malware has been described by the Qihoo 360 Netlab team as a backdoor targeting 64-bit Linux systems. RotaJakiro was first detected on March 25 when a Netlab distributed denial-of-service (DDoS) botnet C2 command tracking system, BotMon, flagged a suspicious file. At the time of discovery, there were no malware detections on VirusTotal for the file, despite four samples having been uploaded: two in 2018, one in 2020, and another in 2021. Netlab researchers say the Linux malware varies its use of encryption to fly under the radar, including ZLIB compression and combinations of AES, XOR, and key rotation during its activities, such as the obfuscation of command-and-control (C2) server communication. At present, the team says it does not know the malware’s “true purpose” beyond a focus on compromising Linux systems. There are 12 functions in total, including exfiltrating and stealing data, file and plugin management (including query/download/delete), and reporting device information.

    However, the team cites a “lack of visibility” into the plugins that is preventing a more thorough examination of the malware’s overall capabilities. Netlab described the backdoor’s functions and encryption as follows: “At the coding level, RotaJakiro uses techniques such as dynamic AES, double-layer encrypted communication protocols to counteract the binary & network traffic analysis. At the functional level, RotaJakiro first determines whether the user is root or non-root at run time, with different execution policies for different accounts, then decrypts the relevant sensitive resources using AES & ROTATE for subsequent persistence, process guarding and single instance use, and finally establishes communication with C2 and waits for the execution of commands issued by C2.” In other words, RotaJakiro treats root and non-root users on compromised systems differently and changes its persistence methods depending on which account it runs under. For example, when running under a root account, a new process may be created to automatically respawn configuration files, whereas in a non-root scenario, two separate processes are created to monitor and, if necessary, restore each other. Netlab has also suggested links to the Torii botnet due to some coding similarities in commands and traffic management. At the time of writing, six out of 61 VirusTotal engines detect the backdoor’s files as malicious. Further analysis can be found at Intezer.

  • Accenture acquires French cybersecurity firm Openminded

    Accenture has announced its intention to acquire French cybersecurity firm Openminded.

    Announced on Thursday, the services and consultancy company said the purchase will expand the Accenture security arm’s presence in France and into Europe as a whole. Financial terms of the deal were not disclosed.  Founded in 2008, Openminded provides cybersecurity services including management, consultancy, and cloud & infrastructure solutions with a focus on risk analysis, remediation, and regulatory compliance.   Openminded reported a €19 million turnover during the 2020 financial year. The company has roughly 105 employees and 120 clients including Sephora, Talan, and Thales.  Once the deal has been finalized, Openminded’s staff will join Accenture Security’s existing workforce.  “Joining forces with Accenture is a great opportunity for our teams and our clients,” commented Hervé Rousseau, Openminded founder and CEO. “The alliance of our talent and capabilities perfectly leverages our expertise and would allow us to deliver on a global scale. Today, the fight against cyberattacks requires the implementation of the most advanced technologies, as well as the human resources to make them efficient.”

    The deal is subject to standard closing conditions. Earlier this month, Accenture acquired cloud analytics firm Core Compete. The vendor leverages machine learning (ML) and artificial intelligence (AI) to provide managed services, cloud data warehousing, data analysis tools, and SAS on cloud services. The latest acquisition builds upon the purchase of Businet System, Real Protect, and Wolox this year, among other companies.

  • Senate committee wants further protections inserted into Australia's data-sharing scheme

    The Senate committee probing Australia’s pending data-sharing laws has asked for further protections to be inserted before legislation is passed. The Data Availability and Transparency Bill 2020 establishes a new data sharing scheme which will serve as a “pathway and regulatory framework” for sharing public sector data for three permitted purposes, subject to new safeguards and enforcement mechanisms. The three purposes are: improving government service delivery, informing government policy and programs, and research and development. However, the Bill also precludes data sharing for certain enforcement-related purposes, such as law enforcement investigations and operations. The Bill also does not authorise data sharing for purposes that relate to or could jeopardise national security, including the prevention or commission of terrorism and espionage. Before data is shared, the data custodian must be content the recipient fulfils the requirements of accepting that data. In a report [PDF] on the Bill, the Senate Finance and Public Administration Committee said it is of the view that a “proportionate and balanced data sharing scheme with appropriate privacy and security safeguards would help bring Australia into line with international best practice for data sharing in regard to government service delivery, policy and program development, and research purposes”. However, the committee is mindful that for a data sharing scheme to be successful and trusted by the community it must be underpinned by strong and effective safeguards and protections for privacy and security.

    The committee made three recommendations to the government, with the first asking for assurances to be provided regarding appropriate ongoing oversight by security agencies of data sharing agreements and the potential security risks. “The committee considers that it is imperative that national security concerns related to access to data have been fully considered and appropriately managed, particularly given the current concerns about cybersecurity and the covert influence of foreign actors in the university and research sector,” the report says. The second recommendation asks that any relevant findings of the Parliamentary Joint Committee on Intelligence and Security’s current inquiry into national security risks affecting the Australian higher education and research sector are taken into account as part of the development of any additional data codes and guidance material, and that they inform continued engagement with the national security community. The committee also asks that consideration is given to whether amendments could be made to the Bill, or further clarification added to the explanatory memorandum (EM), to provide additional guidance regarding privacy protections, particularly in relation to the de-identifying of personal data that may be provided under the Bill’s data-sharing scheme. “The committee notes that the intention of the Bill is to provide a high-level, principles-based framework to facilitate the sharing of government data, and that in addition to the proposed legislative privacy protections in the Bill, many other potential privacy concerns would be addressed through further protections prescribed in regulation and guidance material, and in the exercise of appropriate judgement and controls by scheme users,” it wrote. “However, despite these layers of protection, it is evident that some stakeholders believe further privacy protections should be prescribed in legislation or specifically addressed in the EM to the Bill.” The Bill, together with the Data Availability and Transparency (Consequential Amendments) Bill, was introduced to Parliament in December, after two years of consultation. Critics have labelled the data-sharing scheme as reflecting the ongoing erosion of Australian privacy law in favour of bureaucratic convenience.

  • Apple patches macOS Gatekeeper bypass vulnerability exploited in the wild

    Apple has issued a slew of security fixes resolving issues including an actively exploited zero-day flaw and a separate Gatekeeper bypass vulnerability. 

    The Cupertino, Calif.-based giant’s latest security patch round, macOS Big Sur 11.3, was issued on Monday. One of the most notable fixes is for a vulnerability found by Cedric Owens. Tracked as CVE-2021-30657, the vulnerability allows attackers to bypass Gatekeeper, Apple’s built-in protection mechanism for code signing and verification. In a Medium blog post, Owens describes how threat actors could “easily craft” a macOS payload that is not checked by Gatekeeper. “This payload can be used in phishing and all the victim has to do is double click to open the .dmg and double-click the fake app inside of the .dmg — no pop-ups or warnings from macOS are generated,” the researcher said. Owens then worked with security expert Patrick Wardle, and the pair realized the root of the issue is a logic bug in the policy subsystem (syspolicyd) that permitted malicious apps to bypass Apple’s security mechanism. “Though unsigned (and unnotarized) the malware is able to run (and download & execute 2nd-stage payloads), bypassing all File Quarantine, Gatekeeper, and Notarization requirements,” Wardle noted.

    According to Wardle and Jamf researchers, the vulnerability has unfortunately been exploited in the wild as a zero-day for months. The malware in question is Shlayer, adware which has recently been re-packaged to exploit CVE-2021-30657. It is thought the vulnerability may have been exploited since January 9 this year. The vulnerability was reported on March 25 and was patched on March 30. “Kudos to Apple for quickly fixing the bug I reported to them,” Owens said on Twitter. Apple said within its security advisory that the vulnerability was patched through “improved state management.” A separate vulnerability of note is CVE-2021-1810, discovered in late 2020 by F-Secure researchers. This security flaw can also be used to bypass macOS Gatekeeper’s code signature and notarization checks. The company has chosen not to release the technical details of the bug until users have more time to update their software. However, the team says that a crafted, malicious .zip file, sent via phishing for example, is all that is required to trigger the vulnerability. “Any software distributed as a .zip file could contain an exploit for this vulnerability,” F-Secure says. “There are a few mitigating factors though. For one, applications downloaded via Apple’s App Store are not affected by this issue. Similarly, applications delivered as macOS Installer packages (.pkg, .mpkg) contain an installer certificate which is verified independently from Gatekeeper.” There is currently no evidence of CVE-2021-1810 being exploited in the wild. In February, Apple issued a fix for a vulnerability in the installer for Big Sur 11.2/11.3 which could have led to severe data loss. Alongside security fixes for macOS, Apple also introduced data collection limitations in iOS 14.5, a feature that is proving to be controversial. The system, dubbed App Tracking Transparency (ATT), has now been rolled out following a lengthy beta. ATT requires apps to obtain explicit consent to track users across different apps and services beyond their own platforms. As a result, the move is likely a blow to organizations that offer targeted advertising, which is only made possible by creating detailed profiles of users and their online habits. Facebook has proven to be one of ATT’s most vocal critics.

  • Emotet botnet harvested 4.3 million email addresses. Now the FBI is using Have I Been Pwned to alert the victims

    The FBI has handed over 4.3 million email addresses that were harvested by the Emotet botnet to the Have I Been Pwned (HIBP) service to make it easier to alert those affected. HIBP, run by Australian security researcher Troy Hunt, is a widely trusted breach-alert service that underpins Mozilla Firefox’s own breach-alert notifications.


    The FBI collected the email addresses from Emotet’s servers following a takedown in January. The Emotet malware botnet was taken down by law enforcement in the US, Canada and Europe, disrupting what Europol said was the world’s most dangerous botnet, one that had been plaguing the internet since 2014. Emotet was responsible for distributing ransomware, banking trojans and other threats through phishing and malware-laden spam. In January, law enforcement in the Netherlands took control of Emotet’s key domains and servers, while Germany’s Bundeskriminalamt (BKA) federal police agency pushed an update to about 1.6 million computers infected with Emotet malware that this week activated a kill switch to uninstall that malware. Hunt says in a blog post that the FBI handed him “email credentials stored by Emotet for sending spam via victims’ mail providers” as well as “web credentials harvested from browsers that stored them to expedite subsequent logins”.

    The email addresses and credentials have been loaded into HIBP as a single “breach”, even though it’s not the typical data breach for which the site collects credentials and email addresses. HIBP currently contains 11 billion ‘pwned’ accounts from a range of data breaches that have happened over the past decade, such as MySpace and LinkedIn’s 2012 breach, as well as huge credential-stuffing lists found on the internet that are used by criminals to hijack accounts with previously breached email addresses and passwords. Credential stuffing takes advantage of people using common passwords like 1234567, or reusing passwords across multiple accounts. Hunt has tagged this breach as “sensitive” on HIBP, which means the email addresses are not publicly searchable. “HIBP enables you to discover if your account was exposed in most of the data breaches by directly searching the system. However, certain breaches are particularly sensitive in that someone’s presence in the breach may adversely impact them if others are able to find that they were a member of the site. These breaches are classed as “sensitive” and may not be publicly searched,” the site states in its definition of “sensitive breach”. “Individuals will either need to verify control of the address via the notification service or perform a domain search to see if they’re impacted,” noted Hunt. “I’ve taken this approach to avoid anyone being targeted as a result of their inclusion in Emotet,” he added. “All impacted HIBP subscribers have been sent notifications already.” ZDNet has reached out to Hunt, who was not available at the time of publishing. For individuals or organisations that find their details in the data, Hunt suggests: keep security software such as antivirus up to date with current definitions; change your email account password, and change passwords and security questions for any accounts you may have stored in either your inbox or browser, especially those for services such as banking. For administrators with affected users, refer to the YARA rules released by DFN-CERT.