Information Technology

Microsoft has released 67 security fixes for software including seven critical issues and a zero-day flaw being actively exploited by cybercriminals. In the Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, Microsoft has fixed problems in software including Remote Code Execution (RCE) vulnerabilities, privilege escalation security flaws, spoofing bugs, and denial-of-service issues.Products impacted by Microsoft’s December security update include Microsoft Office, Microsoft PowerShell, the Chromium-based Edge browser, the Windows Kernel, Print Spooler, and Remote Desktop Client.  Read on: Some of the most severe vulnerabilities resolved in this update are a total of six zero-days, although only one is known to be actively exploited in the wild: CVE-2021-43890: This Windows AppX Installer Spoofing zero-day vulnerability, issued a CVSS severity score of 7.1 and rated important, is publicly known and under exploitation. Microsoft says that it is “aware of attacks that attempt to exploit this vulnerability by using specially crafted packages” and that the bug is being weaponized to spread the Emotet/Trickbot/Bazaloader malware families. CVE-2021-41333: Issued a CVSS score of 7.8, this Windows Print Spooler Elevation of Privilege vulnerability has been made public and has low attack complexity. CVE-2021-43880: This security flaw is described as a Windows Mobile Device Management Elevation of Privilege (EoP) vulnerability that allows local attackers to delete targeted files on a system.CVE-2021-43893: James Forshaw of Google Project Zero reported this issue (CVSS 7.5), which is described by Microsoft as an EoP in the Windows Encrypting File System (EFS). CVE-2021-43240: Issued a CVSS score of 7.8, Microsoft says this flaw, an NTFS Set Short Name elevation of privilege bug, has proof-of-concept exploit code available and is known publicly.CVE-2021-43883: The final zero-day flaw impacts Windows Installer. This issue, assigned a CVSS score of 7.8, can permit unauthorized privilege escalation. An additional 16 CVEs in the Chromium-based Edge browser were patched earlier this month.  According to the Zero Day Initiative (ZDI), 887 CVE-assigned vulnerabilities have been patched by Microsoft this year. While this figure may seem high, the team notes this is a 29% decrease from 2020 (not including Chromium-based Edge). 

Last month, Microsoft resolved 55 bugs in the November batch of security fixes. In total, six were assigned critical ratings and 15 were remote code execution issues. Zero-day vulnerabilities, too, were resolved by the tech giant.A month prior, the tech giant tackled 71 vulnerabilities during the October Patch Tuesday. This included four zero-day flaws, one of which was being actively exploited in the wild. In other Microsoft security news, the company recently warned that a patched Exchange Server post-authentication flaw, tracked as CVE-2021-42321, is being weaponized in new attacks — adding to the last year’s woes surrounding four zero-days in the server platform. The company also recently published research on Iranian threat actors and their ranking in the cybercriminal space. Microsoft says that there has been a massive surge in Iran state-sponsored attacks this year against IT services, despite being close to non-existent in 2020. Alongside Microsoft’s Patch Tuesday round, other vendors, too, have published security updates which can be accessed below. More

Credit: Microsoft

Microsoft announced today that it is rolling out end-to-end encryption (E2EE) for one-to-one Teams calls. According to Microsoft’s blog post announcing general availability, admins will have the option to enable and control this feature for their organizations once they receive the update. By default, E2EE won’t be available to all users within a tenant. Once IT configures the policy and enables it for selected users, those users will still need to turn this feature on in Teams settings. IT will be able to disable this feature when needed. Microsoft officials warned that when using E2EE for Teams one-to-one calls, some features will be unavailable. This includes recording; live captions and transcription; and adding participants to make a call a group call. If any of the unavailable features is required, users will need to turn E2EE off.As Microsoft noted in a blog post in October, real-time video and voice data is protected by E2EE. But it doesn’t secure chat or file-sharing, which are both protected at rest and in-transit by other encryption protocols, like HTTPS, for secure connections between a device and a website.  The E2EE Teams call feature is available on the latest version of the Teams desktop client for Windows or Mac, officials said. In other recent Teams news, Microsoft will be introducing a new “Teams Phone with Calling Plan” product on January 1, 2022. This new plan combines Microsoft 365 Business Voice with enterprise capabilities in Teams Calling Essentials. These two products will be discontinued once the new plan is released, officials said. With Teams Phone with Calling Plan — which will be available to Microsoft 365 and Office 365 business users who have subscriptions including Teams — users will get 3,000 minutes for domestic calls in the US and Canada. Users will only get 2,300 minutes for domestic calls in other markets, and calls outside users’ domestic zones will require an add-on calling plan. Teams Phone with Calling Plan will cost $15 per user per month. Teams Phone alone costs $8 per user per month, and domestic calling plan costs another $12 per user per month. More

LogMeIn announced on Tuesday that it is spinning off password manager LastPass into its own company.The cloud-based solutions company explained that the move allows LastPass to invest heavily in “customer experience, go-to-market functions and engineering” as a way to improve its “organic growth in password management,” Single Sign-On (SSO) and multi-factor authentication (MFA). 

ZDNet Recommends

The separation will also help speed up the changes moving forward, with LastPass expecting customers to see the changes in 2022. LogMeIn said LastPass currently has more than 30 million users and 85,000 business customers across the world. LastPass has grown significantly in recent years, with more than 50% revenue CAGR over the last three years. LogMeIn CEO Bill Wagner said the scale, growth, and market position of LastPass make it “a perfect candidate to seize new opportunities as its own standalone company.” “Today’s announcement also reflects our strategic priority to strengthen and invest in our flexible work enablement portfolio across unified communications and collaboration and IT management and support,” Wagner added. LogMeIn owns several other products, including GoToConnect, GoToMeeting and Rescue. 

Investor Andrew Kowal, a partner at Francisco Partners, noted that LogMeIn saw an opportunity to “unlock the full potential” of LastPass and improve the service’s offerings to customers. In a message to users, LastPass reiterated that it could “strategically increase investment and support” in its mission as an independent company. “You will start to see an enhanced LastPass, on an accelerated timeline. We are working on faster, seamless save and fill, a delightful mobile experience, and even more third-party integrations for businesses, among many other updates,” LastPass told users. “This is the same great product, now with even more focus on keeping your data safe.”

Tech Earnings More

Major natural gas supplier Superior Plus announced on Tuesday that it is suffering from a ransomware attack. The billion-dollar propane seller said the incident started on December 12 but did not answer questions about which ransomware group was behind the attack or which systems were affected. “Superior has temporarily disabled certain computer systems and applications as it investigates this incident and is in the process of bringing these systems back online,” the company said, adding that it “took steps to secure its systems and mitigate the impact to the Corporation’s data and operations.” See also: Log4j zero-day flaw: What you need to know and how to protect yourself.The company said it is still figuring out the scope of the impact on its operations and asked customers for “patience” as it responds to the attack. According to the company’s statement, a cybersecurity company was hired to help deal with the attack.Superior brought in more than $1.8 billion in revenue last year and has about 4,300 employees. It provides propane and related services to 780,000 customer locations across the US and Canada. The company also provides natural gas to Canadian customers and is heavily involved in the speciality chemicals industry. Superior becomes the latest oil & gas company to suffer from a ransomware incident this year after the headline-grabbing attack on Colonial Pipeline earlier this year.

The May attack on Colonial Pipeline caused brief gas shortages along the east coast of the US and sparked a more concerted effort by the federal government to address ransomware incidents, which have been plaguing companies and government institutions for years.Colonial Pipeline CEO Joseph Blount said the company ended up paying the DarkSide ransomware group $5 million in ransom to get its systems back online after the incident forced it to shutter its operations and freeze IT systems to isolate the infection. After that attack, the White House pushed a whole-of-government effort to take on ransomware, kickstarting a number of task forces designed to make the government more resilient while going after the people organizing ransomware gangs. The Department of Justice eventually announced that it managed to recover some of the ransom that was paid by Colonial Pipeline to the DarkSide ransomware group. Deputy Attorney General Lisa Monaco said during a press conference that the Justice Department and FBI seized 63.7 Bitcoins of the 75 Bitcoins that Colonial Pipeline admitted to paying. More

The number of attacks aiming to take advantage of the recently disclosed security flaw in the Log4j2 Java logging library continues to grow. The vulnerability (CVE-2021-44228) was publicly disclosed on December 9 and enables remote code execution and access to servers. What makes it such a major issue is Log4j is widely used in commonly deployed enterprise systems.In some cases, organisations may not even be aware that the Java logging library forms part of the applications they’re using, meaning they could be vulnerable without knowing it. Online attackers have been quick to take advantage of the vulnerability – also known as Log4Shell – as soon as they can.There was evidence of attackers scanning for vulnerable systems and dropping malware just hours after Log4J was publicly disclosed At that point it was reported that were over 100 attempts to exploit the vulnerability every minute. “Since we started to implement our protection we prevented over 1,272,000 attempts to allocate the vulnerability, over 46% of those attempts were made by known malicious groups,” said cybersecurity company Check Point.SEE: A winning strategy for cybersecurity (ZDNet special report)And according Check Point, attackers have now attempted to exploit the flaw on over 40 percent of global networks. 

The number of successful exploits is likely to be much lower, but the figure shows that there are those out there who are looking to try their luck against a new – and potentially difficult to patch – vulnerability.”Unlike other major cyber-attacks that involve one or a limited number of software, Log4j is basically embedded in every Java based product or web service. It is very difficult to manually remediate it,” Check Point said in a blog post. Some of the attacks launched by exploiting the Log4j vulnerability include delivering cryptomining malware, as long with delivering Cobalt Strike, a legitimate penetration testing tool which cyber criminals have been known to use to steal usernames and passwords to gain further access to networks.National cybersecurity bodies around the world have been quick to issue warnings as to how dangerous Log4j could be.Jen Easterly, director of CISA described the Log4J vulnerability as “one of the most serious that I’ve seen in my entire career, if not the most serious”.Meanwhile, the UK’s National Cyber Security Centre (NCSC) has urged organisations to install the latest updates wherever Log4j is known to be used.”The key step for organisations is to patch enterprise software quickly, and for developers using Log4j to update and distribute their software as soon as possible,” said an NCSC spokesperson in an email to ZDNet. “For the public it’s important to keep updating devices as developers’ understanding of the vulnerability grows,” they added.  MORE ON CYBERSECURITY More

Industrial networks are among those which are vulnerable to the recently disclosed zero-day in the Log4j2 Java logging library, security researchers have warned. The vulnerability (CVE-2021-44228) was disclosed on December 9 and allows remote code execution and access to servers. Log4j is used in a wide range of commonly used enterprise systems, raising fears that there’s ample opportunity for the vulnerability to be exploited. Within hours of the vulnerability being publicly disclosed, cyber attackers were already making hundreds of thousands of attempts to exploit the critical Log4j vulnerability to spread malware and access networks. Each day on from its disclosure, more is being learned about the flaw and now cybersecurity researchers have warned that it could have significant implications for operational technology (OT) networks which control industrial systems – and for a long time. “Given that Log4j has been a ubiquitous logging solution for Enterprise Java development for decades, Log4j has the potential to become a vulnerability that will persist within Industrial Control Systems (ICS) environments for years to come,” said a blog post by cybersecurity researchers at Dragos. And given how easy it is to exploit the vulnerability, combined with the potentially large number of affected applications, researchers recommend an “assume-breach mentality” and active hunting for post-exploitation activity. Dragos says that it has seen attempted and successful exploitation of the Log4j flaw – and has already coordinated a takedown of one of the malicious domains used in these attacks.

Several cybersecurity researchers have already noted that some attackers are exploiting Log4j to remotely run Cobalt Strike – a penetration testing tool that’s often used in ransomware attacks. Many industrial organisations struggle with visibility into their networks due to their complex nature, but it’s important for those running operational technology to know what their network looks like and counter the possibility of attacks attempting to exploit the vulnerability as a matter of urgency. “It’s important to prioritize external and internet-facing applications over internal applications due to their internet exposure, although both are vulnerable,” said Sergio Caltagirone, vice president of threat intelligence at Dragos, “Dragos recommends all industrial environments update all affected applications where possible based on vendor guidance immediately and employ monitoring that may catch exploitation and post-exploitation behaviors,” he added. Researchers suggest that applying the Log4j patch can help prevent attackers from taking advantage of the vulnerability – although the ubiquitous nature of Log4J means that in some cases, network operators might not even be aware that it’s something in their environment which they have to think about.
MORE ON CYBERSECURITY More

ErickPHOTOPRO — Shutterstock
Apple just released
iOS 15.2 and iPadOS 15.2

. The iPhone and iPad updates are available to install right now, bringing with them a new
Digital Legacy feature

that grants contacts of your choosing access to your iCloud data after your death. There’s also a new Apple Music Voice price plan that’s $4.99 a month and is designed for use through Siri. There’s also another notable change in the update and that’s Apple’s new App Privacy Report feature. Once enabled, you’ll be able to see what private data each app is accessing on your device, and how often it’s happening. My ZDNet colleague Adrian Kingsley-Hughes covered the early beginnings of this feature when iOS 15 was released back in September.Below I’ll walk you through where to find the new App Privacy Report, turn it on, and how to make sense of the information it provides. 
Screenshot by Jason Cipriani/ZDNet
How to turn on the App Privacy Report on your iPhone, iPadBefore you’ll find the switch to turn App Privacy Report on, you’ll first need to update your iPhone or iPad to iOS 15.2 and iPadOS 15.2. To do that, open the Settings app on your device and then go to General  > Software Update and follow the prompts. After your device has updated, once again open the Settings app and then select Privacy from the list of options. Next, scroll to the bottom of the list where you’ll find the App Privacy Report option; tap on it. If you already had Record App Activity turned on, you won’t have to do anything. However, if you hadn’t turned that on, you’ll be presented with a brief description of what App Privacy Report is. Tap Turn On App Privacy Report. Since you just turned it on, you’ll need to wait until apps start accessing your data before you’ll see any information. How to view your App Privacy Report and what it means

To get to your App Privacy Report, go back into the Settings app and then select Privacy and scroll to the bottom of the screen then tap App Privacy Report. After using your iPhone or iPad for a while, or letting it sit idle and allowing apps to access your data (as you’ll see they often do) while running in the background, the App Privacy Report will fill up with data. On the report screen, you’ll see several apps listed under four different categories: Data & Sensor Access, App Network Activity, Website Network Activity, and Most Contacted Domains. Data & Sensor Access
Screenshots by Jason Cipriani/ZDNet
Select an app or tap Show All under the Data & Sensor Access section. Each app that has accessed your private data in the last week will show up here. Tap on an app’s name to view more information about what type(s) of data the app is using, then tap on the category to see a complete timeline of how often it’s being used. For example, the Find My app on my iPhone has accessed my location and contacts during the past week. Both of which I would have fully expected it to use. But what was surprising to me is that it has only checked my location a handful of times over the last week, and it’s not constantly monitoring my movement. I can only guess that each time it’s accessed my location is when someone in my Find My family and friends list has opened the app on their phone, prompting Apple’s servers to query where I’m at and displaying it within their app. At the top of the screen, you can change how the list is organized. By default, you see the most recent apps that have used your data. However, you can change it to alphabetical order. To my surprise, the Mail app frequently accessed my Contacts information. I assume it happens every time I open the app and/or an email arrives so the app can show the proper name and information. But, still, it’s eye-opening. App Network Activity
Screenshots by Jason Cipriani/ZDNet
Under the App Network Activity section you’ll find a list of apps and the domains and similar network activity each app has conducted over the last week. The Facebook app had the most network activity on my phone over the last week. Its number one contacted domain is inappcheck.itunes.apple.com. A quick Google search leaves me with the impression that the domain might be used by Apple to verify in-app purchases, or as some form of verification for app developers. It’s hard to say, and I wish Apple would include information bout commonly used domains — especially the ones it owns. I know this domain is commonly used because if you tap on it, a list of other apps that have also contacted that domain will show up. The list on my iPhone is the bulk of the apps I use regularly. Website Network ActivityEvery time you visit a website, it contacts other domains to do things like serve ads or download pictures and videos that it needs to display a webpage. Apple now tracks which domains a website contacts whenever you visit it and provides a list of them. The number one domain websites have contacted during my normal use is mask.iCloud.com, which is yet again a very vague Apple-related domain. Another Google search makes me believe it has something to do with Apple’s Private Relay feature that’s currently available in beta. However, I have the feature turned off on all of my devices and only The New York Times, Reddit, and Safari are listed as having contacted the same domain. I would think every app or website would use that URL if it were active. 
Jason Cipriani/ZDNet
Most Contacted DomainsFinally, the Most Contacted Domains section is a list of domains your phone or tablet has accessed in the last week. Tap on a domain to see a list of apps and the last time it contacted that URL. Once again, some of the URLs listed on my iPhone appear to be Apple-related, while others appear to be related to serving ads from Google are at the very least collecting user data. It would benefit the end user if Apple added some additional context about known domains. By far my most-used section of the App Privacy Report will be the Data and Sensors section. It’ll be easy to see if Facebook really is listening to conversations to better serve ads (as has been rumored, but never proven for years). Are you going to turn on App Privacy Report? Let me know in the comments below why or why not. More

Brazil’s Ministry of Health has suffered a second cyberattack in less than a week, which has compromised various internal systems, including the platform that holds COVID-19 vaccination data.

ZDNet Recommends

Best security key 2021

While robust passwords go a long way to securing your valuable online accounts, hardware-based two-factor authentication takes that security to the next level.

Read More

The news emerged after a first major ransomware attack three days earlier, from which the department was still recovering. Confirming the second attack on Monday (13) evening, health minister Marcelo Queiroga said the latest event, which took place in the early hours of that same day, was smaller than the first attack. According to Queiroga, the department is working to recover the systems as soon as possible. However, he said the second attack means ConecteSUS, the platform that issues COVID-19 vaccine certificates, would not be back online today (14) as originally planned. Queiroga noted the attack had been unsuccessful and that no data had been compromised, but this second event “caused turmoil” and “got in the way” of bringing systems back online. The minister did not provide an estimate of when the impacted systems would be reestablished. The ministerial confirmation of the second cyberattack was preceded by a statement released by the Ministry of Health saying that Datasus, the department’s IT function, carried out a preventive systems maintenance exercise on Monday, meaning systems would be temporarily unavailable. The second attack meant civil servants had to be sent home on Monday since it was not possible to access the health ministry’s core systems, such as the platforms that generate reports relating to the COVID-19 pandemic. Also, last night, the Institutional Security Office (GSI) of the Brazilian government released a statement that confirmed new attacks against cloud-based systems run by government bodies had taken place. However, it did not specify which departments or services had been targeted. It added teams are being instructed to preserve evidence and that best practices around incident management are being followed.

In the first cyberattack, which became known on Friday (10), all websites under the Ministry of Health became unavailable. According to a message left by the Lapsus$ Group, which has claimed responsibility for the attack, some 50TB worth of data has been extracted from the MoH’s systems and subsequently deleted. Queiroga later said the department holds a backup for the supposedly accessed data in the cyberattack. According to the Federal Police, which is investigating the case, data on COVID-19 case notifications, as well as the broader national vaccination program, was compromised in the first attack, in addition to ConecteSUS. The National Data Protection Authority (ANPD) is also working on the case and has contacted the Institutional Security Office and the Federal Police to collaborate with the investigations. It also notified the Ministry of Health to provide clarifications on the case, as per Brazil’s general data protection rules. More