More stories


    Exchange Server attacks: Run this Microsoft malware scanner now, CISA tells government agencies

    The Cybersecurity and Infrastructure Security Agency (CISA) has instructed US government agencies with on-premise Exchange systems to run Microsoft malware scanners and report results by April 5. CISA issued supplementary direction to its “ED 21-02” directive; the new request applies to any federal agency that had an Exchange server connected directly or indirectly to the internet at any point since January 1, 2021. 

    Exchange attacks

    The move follows the discovery of software flaws in on-premise versions of Microsoft Exchange Server being exploited by attackers. Exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network.

    The new CISA orders are aimed at ensuring agencies use newly developed Microsoft tools to identify any compromises that remain undetected. They need to be followed even if all steps in the earlier directive were completed.

    “Since the original issuance of ED 21-02, Microsoft has developed new tools and techniques to aid organizations in investigating whether their Microsoft Exchange servers have been compromised. CISA also identified Microsoft Exchange servers still in operation and hosted by (or on behalf of) federal agencies that require additional hardening,” CISA says in the supplement. “By 12:00 pm Eastern Daylight Time on Monday, April 5, 2021, download and run the current version of Microsoft Safety Scanner (MSERT) in Full Scan mode and report results to CISA using the provided reporting template,” it notes.

    The Microsoft scanner can use up a lot of a server’s processing capacity, so CISA recommends running the scan during off-peak hours.

    The other tool agencies are instructed to run is the Test-ProxyLogon.ps1 script, which Microsoft released in mid-March. The script can be run as administrator to check Exchange and IIS logs for signs of attacker activity, such as files written to the server and the presence of web shell scripts used for persistence. “This script checks targeted exchange servers for signs of the proxy logon compromise described in CVE-2021-26855, 26857, 26858, and 27065,” CISA explains.

    CISA also issued hardening instructions for Exchange servers, including applying software updates, ensuring that only a supported version of Exchange is in use, and reviewing permissions and roles. The hardening requirements need to be completed by Monday, June 28, 2021.

    “Exchange is, by default, installed with some of the most powerful privileges in Active Directory, making it a prime target for threat actors,” CISA warns. Agencies need to “enumerate accounts and groups that are leveraged by Exchange installations and review their permissions and roles.” They will also need to “review membership in highly privileged groups such as Administrators, Remote Desktop Users, and Enterprise Admins” and “review sensitive roles such as Mailbox Import Export and Organization Management (e.g. using the Get-ManagementRoleAssignment cmdlet in Exchange PowerShell).” Agencies must “ensure that no account on an Exchange server is a member of the Domain Admin group in Active Directory.” Finally, they must prevent the accounts that manage on-premises Exchange from having administrative permissions in any Microsoft Office 365 environment.
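    The permission review CISA describes above can be scripted so that it produces a repeatable report. The following is an added example, not a CISA or Microsoft tool: it enumerates the privileged groups and Exchange roles the supplement names and flags any Exchange server computer account or Exchange admin account that sits in Domain Admins. It assumes it runs in the Exchange Management Shell on a domain-joined host with the ActiveDirectory module installed; $ExchangeAdminAccounts is a placeholder list of the accounts your organisation uses to administer on-premises Exchange.

```powershell
# Added example (not from CISA or Microsoft): audit the privileged groups and
# Exchange roles named in the CISA ED 21-02 supplement.
# Assumes: Exchange Management Shell + ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

# Placeholder values: replace with the accounts that manage on-premises Exchange.
$ExchangeAdminAccounts = @('svc-exchange-admin', 'exch-ops')

# Groups CISA asks agencies to review, plus Domain Admins for the explicit check.
$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Remote Desktop Users')
$SensitiveRoles   = @('Mailbox Import Export', 'Organization Management')

# 1. Enumerate (recursive) membership of each privileged group.
$groupReport = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive | ForEach-Object {
        [pscustomobject]@{ Group = $g; Member = $_.SamAccountName; Class = $_.objectClass }
    }
}

# 2. Enumerate who effectively holds the sensitive Exchange roles.
$roleReport = foreach ($r in $SensitiveRoles) {
    Get-ManagementRoleAssignment -Role $r -GetEffectiveUsers |
        Select-Object Role, EffectiveUserName, RoleAssigneeName
}

# 3. Flag Exchange server computer accounts and Exchange admin accounts in Domain Admins.
#    Computer object SamAccountNames end in '$'.
$exchangeServers = Get-ExchangeServer | ForEach-Object { "$($_.Name)`$" }
$domainAdmins    = $groupReport | Where-Object Group -eq 'Domain Admins' |
                       Select-Object -ExpandProperty Member
$findings = foreach ($acct in ($exchangeServers + $ExchangeAdminAccounts)) {
    if ($domainAdmins -contains $acct) {
        "FINDING: $acct is a member of Domain Admins (CISA: no Exchange server account should be)"
    }
}

$groupReport | Sort-Object Group, Member | Format-Table -AutoSize
$roleReport  | Sort-Object Role, EffectiveUserName | Format-Table -AutoSize
if ($findings) { $findings } else { 'No Exchange account found in Domain Admins.' }
```

    Run it from an account that can read group membership and role assignments, and keep the two tables with the MSERT and Test-ProxyLogon.ps1 output as the evidence for the reporting template; re-running it after the June 28 hardening deadline shows whether the privileged memberships actually shrank.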


    Hacked companies had backup plans. But they didn't print them out before the attack.

    Boardrooms still aren’t taking cybersecurity seriously, leaving organisations vulnerable to cyberattacks – with executives only paying attention after things have gone bad, according to the new National Cyber Security Centre (NCSC) boss Lindy Cameron.

    “I think in terms of what we want organisations to learn, it is that this is the kind of threat they need to think about. This is the kind of thing that should be as much a regular feature in risk conversations in board rooms as legal risk or financial risk – the CEO sees the CISO as often as they see the financial director,” Cameron said. She said it should not simply be a technical conversation with the IT department, but the kind of conversation that’s held in the boardroom itself.

    “I want organisations to learn how serious the impact can be when this goes wrong,” Cameron said. And even if an organisation thinks it has a plan in place, things can still go wrong if some basic elements aren’t taken care of.

    “I’ve talked to organisations which have walked in on Monday mornings to find they can’t turn on their computers or phones, the backup plan was not printed out so they couldn’t find a phone number,” Cameron said.

    Organisations that fall victim to a cyberattack will often use it to re-prioritise their security strategy. “There’s no doubt that organisations that have experienced that have a much more visceral sense of what it feels like to experience a ransomware attack or cyberattack, and therefore they’re prepared better for that,” Cameron added.

    The NCSC offers tools like Exercise-in-a-Box and cybersecurity guidance for boardrooms to help organisations think about cyberattacks. Exercise-in-a-Box, for example, allows organisations to test their network defences against real cyberattack scenarios and take lessons on how to improve their security from that.

    Meanwhile, boardrooms should be involved when it comes to contingency planning against cyberattacks – they’re more likely to understand the potential threats if they’re discussed not as a technical problem, but a problem with risk, in a similar way to how they’d consider financial risk or legal risk. “It’s the same as any sensible contingency planning. It’s worth thinking through what’s the worst possible scenario, what’s the thing that could go wrong that you need to manage,” she added.

    That worst possible scenario depends on the organisation; it could be a data breach, it could be an interruption of services, or it could be disruption to cyber-physical systems. But the important thing is for organisations to think about the cyber risks out there and to have a plan to defend and mitigate against them – and if that happens, hands-on aid from the likes of NCSC won’t be necessary, because solid cybersecurity strategies are in place. “Ideally, more and more instances are handled well and handled without additional help,” said Cameron.


    DeepDotWeb dark web admin pleads guilty to gun, drug purchase kickbacks

    An administrator for the DeepDotWeb (DDW) portal has pleaded guilty to receiving kickbacks for connecting buyers and sellers of illegal goods in the dark web. 

    On Wednesday, the US Department of Justice (DoJ) said that Tal Prihar, a 37-year-old Israeli citizen living in Brazil, has admitted to operating DDW alongside co-owner Michael Phan since 2013.

    DDW, which was seized by law enforcement in 2019, was a portal for news and events surrounding the dark web. However, according to US prosecutors, the co-owners of the domain also received kickbacks for connecting buyers and sellers of illegal products. The DoJ claims that Phan and Prihar earned themselves over $8 million for providing direct links to marketplaces selling products including firearms, heroin, fentanyl, malware, and stolen data record dumps. The referral links included listings for AlphaBay, Agora, Abraxas, Dream, and Valhalla. These websites are not indexed on the clear web or by typical search engines. DDW was one of a number of resources that provided lists of active underground marketplaces, together with their hidden link addresses that were accessible via the Tor network.

    To hide the kickbacks, which totaled roughly 8,155 Bitcoins (BTC), Prihar laundered the funds through cryptocurrency wallets and bank accounts registered in the name of shell companies. Prihar has agreed to forfeit $8,414,173. The former website administrator has pleaded guilty to conspiracy to commit money laundering and he faces a maximum penalty of up to 20 years behind bars.

    Sentencing is due to occur on August 2. Phan faces the same charge.

    “Tal Prihar served as a broker for illegal Darknet marketplaces — helping such marketplaces find customers for fentanyl, firearms, and other dangerous contraband — and profited from the illegal business that ensued,” commented Acting Assistant Attorney General Nicholas McQuaid of the DoJ’s Criminal Division. “This prosecution, seizure of the broker website, and forfeiture send a clear message that we are not only prosecuting the administrators of Darknet marketplaces offering illegal goods and services, but we will also bring to justice those that aim to facilitate and profit from them.”

    In September, US law enforcement, together with Europol and other agencies, launched a coordinated takedown of illegal dark web vendors leading to 179 arrests. Dubbed “DisrupTor,” the operation also included the seizure of over $6.5 million and approximately 500kg in drugs such as fentanyl, heroin, cocaine, and ecstasy.


    Google: North Korean hackers are targeting researchers through fake offensive security firm

    A North Korean hacking group known to have targeted security researchers in the past has now upped its game through the creation of a fake offensive security firm. 

    The threat actors, believed to be state-sponsored and backed by North Korea’s ruling party, were first documented by Google’s Threat Analysis Group (TAG) in January 2021. Google TAG, specialists in tracking advanced persistent threat (APT) groups, said at the time that the North Korean cyberattackers had established a web of fake profiles across social media, including Twitter, Keybase, and LinkedIn.

    “In order to build credibility and connect with security researchers, the actors established a research blog and multiple Twitter profiles to interact with potential targets,” Google said. “They’ve used these Twitter profiles for posting links to their blog, posting videos of their claimed exploits, and for amplifying and retweeting posts from other accounts that they control.”

    When members of the group reached out to their targets, they would ask if their intended victim wanted to collaborate on cybersecurity research — before sending them a malicious Visual Studio project containing a backdoor. Alternatively, they may ask researchers to visit a blog laden with malicious code including browser exploits.

    In an update posted on March 31, TAG’s Adam Weidemann said that the state-sponsored group has now changed tactics by creating a fake offensive security company, complete with new social media profiles and a branded website. The fake company, dubbed “SecuriElite,” was set up on March 17 as securielite[.]com. SecuriElite claims to be based in Turkey and offers penetration testing services, software security assessments, and exploits.

    A link to a PGP public key has been added to the website. While the inclusion of PGP is standard practice as an option for secure communication, the group has used these links in the past as a means to lure their targets into visiting a page where a browser-based exploit is waiting to deploy.

    In addition, the SecuriElite ‘team’ has been furnished with a fresh set of fake social media profiles. The threat actors are posing as fellow security researchers, recruiters for cybersecurity firms, and in one case, the HR director of “Trend Macro” — not to be confused with the legitimate company Trend Micro.

    Google’s team linked the North Korean group with the use of an Internet Explorer zero-day back in January. The company believes that it is likely they have access to more exploits and will continue to use them in the future against legitimate security researchers.

    “We have reported all identified social media profiles to the platforms to allow them to take appropriate action,” Google says. “At this time, we have not observed the new attacker website serve malicious content, but we have added it to Google Safebrowsing as a precaution.”


    Gaming mods, cheat engines are spreading Trojan malware and planting backdoors

    Gaming mods and cheat engines are being weaponized to target gamers in new malware campaigns. 

    On Wednesday, researchers from Cisco Talos said the gaming tools are being used to deploy a cryptor — code designed to prevent reverse-engineering or analysis — for a variety of malware strains, the majority of which appear to be Remote Access Trojans (RATs).

    The attack wave is focused on compromising the systems of gamers and modders. The initial attack vector begins with malvertising — adverts that lead to malicious websites or downloads — as well as YouTube how-to videos focused on game modding that link to malicious content.

    There is already a vibrant marketplace for cheats and mods. Online gaming is now an industry worth millions of dollars — only propelled further with the emergence of competitive e-sports — and so some gamers will go so far as to purchase cheats to give them an edge. Developers have upped their game, too, and will often upload their creations to VirusTotal to see if files are flagged as suspicious or malicious.

    The risk in downloading system-modifying files is nothing new and the latest campaign only carries on the trend. Cheats, cheat engines, and mods have been found that contain cryptors able to hide RAT code and backdoors through multiple layers of obfuscation. Once a malicious mod or cheat has been downloaded and installed on a target machine, a dropper injects code into a new process to circumvent basic antivirus tools and detection algorithms.

    The malware is then able to execute. Samples tracked so far include the deployment of XtremeRAT, an information stealer that has been associated with spam campaigns and the deployment of Zeus variants.

    (Image: Cisco Talos)

    Cisco Talos notes that the cryptor uses Visual Basic 6, shellcode, and process injection techniques to make analysis difficult.

    “As workers continue to operate remotely during the COVID-19 pandemic and mix work with their private computer usage, enterprises are even more likely to be attacked by compromised personal PC equipment belonging to their employees,” the researchers say. “Employees will sometimes download modding tools or cheat engines from questionable sources to tweak their PC or games running on the same machine they use for their job.”


    Child tweets on behalf of nuke, space mission agency US Strategic Command

    There is now an end to the mystery of a nonsensical tweet issued by US Strategic Command.

    The military agency, also known as USSTRATCOM, which is responsible for nuclear operations, global strike management and missile defense, among other duties, sent out a strange message via its Twitter account on March 28. The tweet, simply “;l;;gmlxzssaw,” was liked and retweeted thousands of times and prompted over 1,500 comments in query. While the message was rapidly deleted and the agency asked its followers to disregard the message, journalist Mikael Thalen from the Daily Dot filed a Freedom of Information Act (FOIA) request asking for additional details concerning the tweet.

    In response to the FOIA request, the agency told Thalen that the US Strategic Command’s Twitter manager, while working from home, left his post for a moment and the account was, unfortunately, open. What happened next would make any parent currently working from home due to the coronavirus pandemic groan: his “very young” child “took advantage of the situation and started playing with the keys, and unfortunately, and unknowingly, posted the tweet,” according to the FOIA response.

    When high-profile Twitter accounts start tweeting out nonsense or dubious messages — such as the infamous hijacking of celebrity accounts to promote a cryptocurrency scam in July 2020 — there may be the concern that the profiles are under the control of unauthorized individuals.

    While the child in question certainly seized control of the account, even momentarily and — no doubt — without permission, the agency was keen to emphasize that there was nothing “nefarious” and no hacking took place.  “The post was discovered and notice to delete it occurred telephonically,” US Strategic Command added. 



    New poll shows Facebook's severe trust problem

    Photo by Andre Hunter on Unsplash
    We all use Facebook because it’s the only way we can know what people we haven’t talked to in years have eaten for dinner. Far too many use Facebook as an echo chamber, providing a definitive source of confirmation bias for the craziest pet conspiracy theories. Facebook is also the primary news source for more than half of all adult Americans.

    But Facebook is not without its problems beyond simply being what I have called “a pox on humanity.” There was the Cambridge Analytica scandal, where Facebook shared confidential information on millions of its users with an outside firm. There was Facebook’s little email harvesting operation, where it improperly grabbed email information from millions of users without consent. Then there were the hundreds of millions of passwords Facebook stored in plain text, completely unencrypted. And yet we keep on using Facebook.

    Last week, I decided I wanted to gather some informal data on what people thought of Facebook and three other companies: Google, Amazon, and Microsoft. I often use Twitter’s polling feature to reach out to my small army of followers and gather sentiment information. I do this for work, certainly, but I also do this because I have an unhealthy obsession with charts, and Twitter can slake that thirst in a matter of minutes — and definitively after the poll finishes its 24 hour run. Yes, I get as much of a dopamine rush from looking at charts as I do looking at puppies.

    Who do you trust…least?

    In any case, I did a poll that asked, “Who do you trust…least?” Now, you have to understand I’ve done a LOT of Twitter polls. I’ve even done highly-charged politics-related Twitter polls. Not once, not in the hundred or so polls I’ve run, has the response been as lopsided as the result was from asking “Who do you trust…least?”

    Look at this:

    Who do you trust … least?— David Gewirtz (@DavidGewirtz) March 24, 2021

    In all the polls I’ve ever done, I’ve never seen one where one answer so completely dominated the others. Even Google, which has turned its earlier motto of “Don’t be evil” into some sort of self-parody, and whose entire business model is sucking up your information so you can be advertised to, is vastly less distrusted than Facebook. The wildly asymmetrical results of this poll are unprecedented among all my previous polls.

    Now, I fully understand this isn’t a scientific poll. I did scientific polls when I was working on my graduate degree. I even know how to use regression analysis and p-values to reject the null hypothesis. But Twitter polls also aren’t that unscientific. When I use Twitter for polls, I’m polling a specific constituency, in this case my Twitter followers, which means it’s a constituency of people likely interested in tech, coffee, government, snark, and puppies. I reach out to tens of thousands of users, and those who wish to answer, do.

    Granted, a landline phone poll, which used to be the gold standard of polling until people stopped using landline phones, is slightly more random. But the very fact that someone is reachable at a landline (even in the days before smartphones) immediately set up a demographic weighting towards a particular set of psychographics to the exclusion of others.

    So I would argue that my little Twitter poll is just as scientifically valid as more traditional polls — just as long as you understand that my polling audience has a specific coverage bias based on their original decision to follow my tweets. But the fact that the coverage bias is reasonably well known means it can be factored into the results of the poll. What I mean by this is we can’t necessarily say that everyone distrusts Facebook. Instead, we have to limit our population to “tech savvy people distrust Facebook,” which is fair enough. Of course, there are a whole lot of tech savvy people out there.

    All of this goes to one simple, holy cow-level fact: Facebook’s level of distrust is almost off the charts. Yet, most of us still use Facebook daily — and there’s no sign of that ever ending.

    What do you think? Did you answer my Twitter poll? If not, how would you have voted? And share with us what you think about Facebook. Are you a regular user? Have you managed to extricate yourself from its reach? Let us know in the comments below.

    Social Networking

    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.


    VMware patches critical vRealize Operations platform vulnerabilities

    VMware has patched a pair of severe vulnerabilities that could lead to the theft of administrator credentials in vRealize. 

    vRealize Operations is described as an artificial intelligence (AI)-based platform that provides “self-driving IT operations management for private, hybrid, and multi-cloud environments.”

    On Tuesday, the software vendor published a security advisory for the security flaws, which impact VMware vRealize Operations, VMware Cloud Foundation, and vRealize Suite Lifecycle Manager. The vulnerabilities were reported privately to VMware by Positive Technologies penetration tester Egor Dimitrenko.

    The first vulnerability, tracked as CVE-2021-21975, is a server-side request forgery (SSRF) bug with a CVSS score of 8.6 out of 10. Found in the vRealize Operations Manager API, the security flaw permits threat actors with network access to perform SSRF attacks and steal administrator credentials.

    The second bug, CVE-2021-21983, was also discovered by Dimitrenko in the same API. This arbitrary write vulnerability, issued a severity score of 7.2, does require an attacker to be authenticated and have network access to exploit.

    If these conditions are met, however — such as by triggering the first vulnerability to steal the necessary credentials — this permits attackers to “write files to arbitrary locations on the underlying photon operating system,” according to VMware.

    Patches have been issued for the vulnerabilities, which impact vRealize Operations Manager 7.5.0, 8.0.1, 8.0.0, 8.1.1, 8.1.0, 8.2.0, and 8.3.0 on any type of operating system deployment. The security flaws also impact VMware Cloud Foundation versions 3.x and 4.x, alongside vRealize Suite Lifecycle Manager 8.x. VMware has provided security patches and workarounds for IT administrators who are unable to immediately apply the fixes.