More stories

  • Microsoft January 2022 Patch Tuesday: Six zero-days, over 90 vulnerabilities fixed

    Microsoft has released 96 security fixes including updates to address six zero-day vulnerabilities. In the Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, Microsoft has fixed problems including remote code execution (RCE) exploits, privilege escalation flaws, spoofing issues, and cross-site scripting (XSS) vulnerabilities.

    Products impacted by January 2022’s security update include Microsoft Exchange Server, the Office software line, Windows Defender, Windows Kernel, RDP, Cryptographic Services, Windows Certificate, and Microsoft Teams.

    The zero-day vulnerabilities resolved in this update are:

      • CVE-2021-22947: HackerOne assigned CVE: An open source Curl RCE allowing for Man-in-The-Middle (MiTM) attacks.
      • CVE-2021-36976: MITRE assigned CVE: An open source Libarchive use-after-free bug leading to RCE.
      • CVE-2022-21874: A local Windows Security Center API RCE vulnerability (CVSS 7.8).
      • CVE-2022-21919: A Windows User Profile Service Elevation of Privilege security issue (CVSS 7.0), PoC exploit code recorded.
      • CVE-2022-21839: Windows Event Tracing Discretionary Access Control List Denial-of-Service (DoS) (CVSS 6.1).
      • CVE-2022-21836: Windows Certificate spoofing, PoC code recorded (CVSS 7.8).

    None of the zero-day flaws above are known to have been exploited in the wild. A total of 24 vulnerabilities were patched earlier this month in Microsoft Edge (Chromium-based). According to the Zero Day Initiative (ZDI), this volume is unusual for the month of January, with previous years often being roughly half this number. Microsoft has also announced a refreshed Security Update Guide notification system, with standard email addresses now being accepted at signup rather than only Live IDs.

    Last month, Microsoft published 67 security fixes in the December 2021 Patch Tuesday. Seven critical vulnerabilities were among the issues patched, alongside six zero-day security flaws. One of the zero-days tackled was CVE-2021-43890, a bug in the Windows AppX Installer that is being actively exploited in the wild to spread Emotet, Trickbot, and Bazaloader malware.

    A month prior, the tech giant tackled 55 vulnerabilities during the November 2021 Patch Tuesday. In recent Microsoft news, earlier this month the company published an emergency fix for a bug impacting on-premise Exchange Servers. A date-check failure glitch prevented mail from moving smoothly through the transport queues of Exchange Server 2016 and Exchange Server 2019. Alongside Microsoft’s Patch Tuesday round, other vendors, too, will publish security updates which can be accessed below.

  • CISA adds 15 exploited vulnerabilities from Google, IBM, Microsoft, Oracle and more to catalog

    This week, the Cybersecurity and Infrastructure Security Agency (CISA) added 15 vulnerabilities to its Known Exploited Vulnerabilities Catalog. Three of the vulnerabilities need to be remediated by federal civilian agencies before January 24, while the rest have remediation dates of July 10. 


    CISA said the list is “based on evidence that threat actors are actively exploiting the vulnerabilities” and noted that the vulnerabilities are “a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise.”

    The most urgent additions include a VMware vCenter Server Improper Access Control vulnerability, a Hikvision Improper Input Validation vulnerability and a FatPipe WARP, IPVPN, and MPVPN Privilege Escalation vulnerability. The rest of the list includes vulnerabilities involving Google Chrome, Microsoft Win32K, Microsoft WinVerify, Elastic Kibana, Primetek Primefaces, IBM WebSphere Application Server, Exim Mail Transfer Agent, Palo Alto Networks PAN-OS, Fortinet FortiOS and FortiProxy, Synacor Zimbra and Oracle WebLogic Server.

    The Known Exploited Vulnerabilities Catalog was created last year through a binding directive that allowed CISA to force federal civilian agencies to address certain vulnerabilities that are being used by cyberattackers. The first version of the list included 306 vulnerabilities commonly exploited during attacks but has grown since then.

    Joshua Aagard, a vulnerability analyst on the Photon Research Team at Digital Shadows, told ZDNet that CISA’s additions are wide-ranging and likely to come with knock-on effects for infrastructure. “Unauthorized actions and remote execution are cited many times as the consequence of successful exploitation. So are data input via sanitization and proper logical handling,” Aagard said.

    “Those I inspected also tend to share a common theme of centralized command or encompass a single point of failure. From an attacker’s perspective, a server console or critical proxy can serve as a Jenga block that brings down all the rest of the accompanying infrastructure.”

    The three that stood out most to him were the VMware vCenter Server Improper Access Control vulnerability, the Hikvision Improper Input Validation vulnerability and the FatPipe WARP, IPVPN, and MPVPN Privilege Escalation vulnerability. Aagard explained that the vulnerability in Hikvision CCTV cameras and camera systems relates to a lack of input validation, which leaves servers open to potentially malicious command injection attacks, otherwise known as RCE. “Full control of the target device can be had via nonrestricted shell at the root level, which even supersedes the designated owner level,” Aagard said.

    The FatPipe networks vulnerability affects their WARP, IPVPN, and MPVPN offerings and allows attackers to gain access to an unrestricted file upload function on the servlet at the URL path /fpui/uploadConfigServlet, which can then be used to drop a webshell at /fpui/img/1.jsp for access to root and subsequent elevated privileges, according to Aagard. “Successful exploitation of this vulnerability could lead to pivot access with the internal network. Software versions prior to releases 10.1.2r60p93 and 10.2.2r44p1 are affected by this issue,” Aagard said.

    For the VMware vulnerability, a malicious actor with common network access to port 443 on vCenter Server could exploit this issue to perform a bypass and gain access to internal endpoints, Aagard explained. Netenrich principal threat hunter John Bambenek echoed Aagard’s concern about the VMware vulnerability, noting that VMware servers aren’t just one asset and are typically used to control many of the important assets in an organization.

    “This vulnerability provides a straightforward path to taking over a vCenter instance and all the assets therein,” Bambenek said. “Another observation is some of these vulnerabilities are quite old (one is from 2013). Why the federal government needs six more months to patch an 8-year-old vulnerability tells me all I need to know about how broken IT security is with the government.”

  • DDoS attacks that come combined with extortion demands are on the rise

    There’s been a significant rise in distributed denial-of-service (DDoS) attacks accompanied by threats of extortion, with criminals demanding ransom payments in exchange for calling off an attack.

    DDoS attacks pose problems for organisations when attackers flood servers and online infrastructure with requests for access, slowing down services or taking them fully offline, thus preventing legitimate users from accessing services at all – and cutting off business for the affected organisation.

    While they’re not an especially advanced form of cyber attack, DDoS attacks still prove to be effective and cybersecurity researchers at Cloudflare have warned that some of the cyber criminals behind DDoS campaigns are becoming more prolific and more aggressive.

    This includes a large rise in the number of ransom DDoS attacks – when cyber criminals demand a ransom to stop a DDoS attack or to not conduct one in the first place. According to Cloudflare, ransom DDoS attacks increased by almost a third year-on-year between 2020 and 2021 and jumped by 175% in the final quarter of 2021 compared to the previous three months. This included large-scale ransom DDoS attacks on voice over IP (VoIP) service providers.

    According to a survey by Cloudflare, just over one in five DDoS attacks was accompanied by a ransom note from the attacker during 2021. In December – a prime time for online retailers in the run up to Christmas – one in three of the organisations surveyed said they’ve received a ransom letter relating to a DDoS attack.

    Targets on the receiving end of DDoS attacks can commonly include online retailers, online local governments, cloud-based business applications, streaming services and online games. “Over the years, it has become increasingly easier for attackers to launch DDoS attacks,” researchers warned in the blog post.

    There are a number of steps organisations can take to avoid disruption as a result of DDoS attacks; these include using cloud-based hosting providers, deploying IP stresser services to test bandwidth capabilities and employing a DDoS mitigation service.

  • Microsoft: This macOS bug could bypass controls and access private user data

    Microsoft has detailed how malware on macOS can bypass privacy preferences enforced by Apple’s macOS system called Transparency, Consent, and Control (TCC) for controlling apps’ access to sensitive user data. The ‘powerdir’ bug, which Apple fixed in its December 13 update for macOS up to Monterey, lets an attacker bypass TCC to gain access to a user’s protected data. 

    The bug was discovered by Microsoft security researcher Jonathan Bar Or. Microsoft is interested in macOS security because Defender for Endpoint can be used in an enterprise to protect non-Windows devices.

    Microsoft’s 365 Defender Research Team noted in a blog post that Apple introduced a feature to protect TCC that “prevents unauthorized code execution and enforced a policy that restricts access to TCC to only apps with full disk access.”

    However, Bar Or discovered that it is “possible to programmatically change a target user’s home directory and plant a fake TCC database, which stores the consent history of app requests.” “If exploited on unpatched systems, this vulnerability could allow a malicious actor to potentially orchestrate an attack based on the user’s protected personal data,” Microsoft said. An attacker could hijack an already installed app or install their own malicious app to access the microphone to record private conversations or capture screenshots of sensitive information displayed on the user’s screen, Microsoft explained.

    TCC appeared in 2012 in OS X Mountain Lion and is behind the system notifications users see when giving or denying ‘consent’ for specific applications to access private data, which includes access to the device’s camera, microphone, location, and access to the user’s calendar or iCloud account.

    Apple doesn’t detail TCC directly in its security manual; however, via security firm SentinelOne, TCC’s purpose is described in a section of the manual detailing how macOS and iOS protect app access to user data. Users can manage these privacy protections in macOS within the Security & Privacy section of System Preferences. “Apple devices help prevent apps from accessing a user’s personal information without permission using various technologies including Data Vault. In Settings in iOS and iPadOS, or System Preferences in macOS, users can see which apps they have permitted to access certain information as well as grant or revoke any future access,” Apple explains.

    Microsoft’s TCC bypass flaw offers a new way around the protections Apple added after previously discovered TCC bypasses, including CVE-2020-9771, CVE-2020-9934, and CVE-2021-30713. To protect TCC from these bypass flaws, Apple introduced a feature that prevents unauthorized code execution and enforced a policy that restricts access to TCC to only apps with full disk access. Those fixes protected TCC.db (database) files from being incorrectly accessed through, for example, Time Machine backups or alternative file paths.

    Microsoft’s bypass of Apple’s TCC protections worked by planting a fake TCC.db file and changing the Home directory using a specific ‘superuser’ sudo command in the Directory Services command-line utility. “While requiring root access, we discovered that this works only if the app is granted with the TCC policy kTCCServiceSystemPolicySysAdminFiles, which the local or user-specific TCC.db maintains,” explains Microsoft. “That is weaker than having full disk access, but we managed to bypass that restriction with the dsexport and dsimport utilities.”

    Microsoft’s proof of concept demonstrated that attackers could change the settings on any application, potentially allowing them to enable microphone and camera access on any app — hence the bug’s name “Powerdir”.

  • Mozilla unveils Total Cookie Protection for Firefox Focus on Android

    Mozilla is adding new privacy features to Firefox Focus on Android, announcing on Tuesday that it is introducing “Total Cookie Protection” to the platform as a way to stop cookies from tracking you across the web.


    Mozilla told ZDNet that the tool’s goal is to combat cross-site tracking, which allows companies to monitor what websites users visit and what products they search for. “Have you ever signed up for a contest to win a big-screen TV or a vacation to an exotic location? Or have you joined a big retailer loyalty program so you can save money? If you answered yes to either of these questions, you may be exchanging your name, home address, email address, phone number, and sometimes even your birthdate to companies who are building your profile with the information you freely provide,” Mozilla explained. “Companies use those profiles to help them make ads that are targeted at convincing you to purchase, like resurfacing an item you were shopping for. When you go online, there are similar tactics that work behind the scenes to gather information about you and your browsing behavior and track you when you go from site to site.”

    Mozilla first announced “Total Cookie Protection” last year and said Firefox Focus on Android will be the first Firefox mobile browser to have it. “Total Cookie Protection” is part of a larger set of privacy features that Mozilla calls Enhanced Tracking Protection (ETP).

    The “Total Cookie Protection” feature effectively creates separate “cookie jars” for all the websites you visit, confining the cookies a website deposits in your browser to a jar assigned specifically to that website.

    “This way, no other websites can reach into the cookie jars that don’t belong to them and find out what the other websites’ cookies know about you. Now, you can say good-bye to those annoying ads following you and reduce the amount of information that companies gather about you whenever you go online,” Mozilla said.

    The company is also giving Android users of Firefox Focus access to SmartBlock and other privacy features, which Mozilla said help “fix issues related to Total Cookie Protection and other pro-privacy measures.”

    The additional features are needed because some websites host content on other servers, and if the expected cookies are not sent to those servers because of Total Cookie Protection, some content will not appear. “With a simple workaround, we can allow these maps to appear, without disabling any pro-privacy measures, while still giving sites time to come up with a proper fix,” Mozilla explained. “And for users who opt into stricter tracking protection, SmartBlock also provides replacements for commonly-blocked trackers, keeping websites working. These replacements are bundled with Firefox, minimizing the risk of any tracking taking place.”

  • KCodes NetUSB kernel remote code execution flaw impacts millions of devices

    A high-impact vulnerability allowing remote code execution to take place has impacted millions of end-user router devices. 

    On Tuesday, SentinelOne published an analysis of the bug, tracked as CVE-2021-45388 and deemed critical by the research team. The vulnerability impacts the KCodes NetUSB kernel module. KCodes solutions are licensed by numerous hardware vendors to provide USB over IP functionality in products including routers, printers, and flash storage devices.

    KCodes NetUSB, the subject of a SEC Consult Vulnerability Lab analysis in the past, is proprietary software used to facilitate these connections — and the software is currently “used by a large number of network device vendors,” of which the security flaws “affect millions of end-user router devices,” according to SentinelOne.

    Researcher Max Van Amerongen discovered the bug while examining a Netgear device. The kernel module, NetUSB, did not properly validate the size of packets fetched via remote connections, allowing a potential heap buffer overflow. According to Van Amerongen, although a malicious payload would be difficult to write to trigger CVE-2021-45388 due to coding constraints, an exploit could result in the remote execution of code in the kernel.

    SentinelOne says that vendors including Netgear, TP-Link, D-Link, and Western Digital license the software, and all of them are now aware of the security flaw.

    The researchers disclosed their findings to KCodes directly on September 9, as it made more sense to inform the source who could then distribute a patch for everyone rather than just inform Netgear based on a single product test. A proof-of-concept patch was made available on October 4 and was sent to all vendors on November 17. Firmware updates, such as those detailed in the advisory issued by Netgear, have either been issued or are underway.

    At the time of writing, no exploitation has been discovered in the wild. “While we are not going to release any exploits for it, there is a chance that one may become public in the future despite the rather significant complexity involved in developing one,” the researchers say.

  • 2021 was a terrible year for cybersecurity. Without action, 2022 could be even worse

    When it comes to cyberattacks, it’s not so much a question of if an organization will be targeted, but when.
    Early in December 2021, the Catalan government suffered its worst distributed denial of service (DDoS) cyberattack ever. In the space of a few hours, attackers routed 350Gbps of data to the Generalitat’s information systems, representing 100 times more traffic than it would typically receive within the same timeframe. The incident was contained within three hours.


    A couple of months prior to the DDoS attack on the Generalitat, the Autonomous University of Barcelona (UAB) was forced to revert to pen, paper and chalkboards when it was hit by a ransomware attack. The connection to the network was reset at the end of December, with most email accounts having been recovered – and a double authentication system applied – which allowed virtual classes to resume. While most systems have since been restored, others aren’t expected to be fully functional until the end of January.

    These incidents are, unfortunately, not outliers. According to the Spanish National Institute of Cybersecurity (INCIBE), Spain has seen more than 150,000 cyberattacks since the beginning of the COVID-19 pandemic. Other high-profile cases include: an attack in April last year on the Spanish government agency that manages unemployment benefits; Catalan hospital Moisés Broggi; Barcelona’s public bicycle service, Bicing; as well as a number of companies including beer company Damm. Security firm Check Point reveals Spanish companies are now exposed to 961 threats every week, 61% more than in 2020. Clearly, a worrying trend is emerging.

    A global nightmare

    The latest report from the Cybersecurity Agency of Catalonia, issued in mid-December 2021, points out that “there is an escalation in the magnitude of cyberattacks, the importance of the objectives and the impact they provoke, which constitute a threat to economic and social stability” – not just in Catalonia or Spain, but throughout the world.

    The report estimates that cyberattacks against critical infrastructures and supplies (water, electricity, gas) during the second quarter of 2021 increased 300% globally compared to the previous quarter. It also highlights the fragility of the education sector, where cyberattacks have increased by 200%. This escalation comes as no surprise.

    A 2017 report from Cybersecurity Ventures predicted that there would be a ransomware attack against businesses every 11 seconds on average by 2021. The pandemic, which has fostered an ecosystem of working from home that is pretty weak by IT security standards, coupled with the fact that exploits are relatively cheap and easy to attain on the dark markets, is to blame.

    Experts have warned repeatedly that cybersecurity is a key issue that companies need to make a priority for economic recovery. While companies in Spain are increasingly taking out insurance against cyber threats, payments demanded by ransomware attackers have increased to an average of €182,000, meaning insurers have bumped up their premiums by 25-40%. Small and medium enterprises (SMEs) are paying the price.

    Marc Alier, professor and researcher at the Polytechnical University of Catalonia (UPC), tells ZDNet there are many factors that have contributed to the rise in cyberattacks in recent years. For one, web apps, unified systems for authentication, working from home and social engineering have created the perfect recipe for phishing and consequent ransomware attacks, he says.

    The malicious program that infected the Autonomous University of Barcelona (UAB) encrypted 650,000 files and folders that contained information relating to the campus going back eight years. In October 2021, Spanish media published that ransomware outfit PYSA was responsible for the attack, which demanded 60 bitcoins from the university – approximately €3 million – in exchange for its data. Only 8% of companies that pay the ransom get the totality of their files back. Dean of UAB, Javier Lafuente, quickly made it clear that the institution was not going to pay up. This is in keeping with the recommendation of the Spanish National Institute of Cybersecurity (INCIBE), which states: “never pay the ransom, as it encourages cyber criminals to continue operating in this way.”

    UAB speculated that phishing techniques might have been used to capture credentials from students or staff that were then exploited to gain admin status and deploy ransomware tools. Some of the institution’s IT services not only needed to be restored, but entirely reconstructed.

    Nico Castellano, cybersecurity teacher and organizer of hacking and IT security conference No cON Name, says the attack on UAB should come as little surprise given its use of out-of-date software that attackers were able to exploit. Social engineering did the rest. Castellano adds that the problem with this kind of attack is that “cyber criminals stay in your system a while to detect vulnerabilities so that they know exactly what to encrypt and [hold to ransom]. Therefore, it’s difficult to know to what extent systems have been compromised.” Marc Alier, from the Polytechnical University of Barcelona, adds that “the perimeter of attack in a university is large” because students, professors and administrative personnel can all be targeted with social engineering. “If mail was hacked, what is the real scope of the UAB attack?”

    Cryptocurrency has become intrinsically linked with ransomware attacks because it is considered untraceable, meaning finding out who the bad guys are is tricky. Yet Marc Rocas, former president of the Catalan Blockchain Association, believes blaming cryptocurrency is “unjustified” and only reveals “ignorance in this field.” “It’s like wanting to get rid of small banknotes when ransoms were requested in these kinds of notes,” he says. Alier considers that cryptocurrencies and the Blockchain might help people become more cyber-aware. He points out that, 10 years ago, few people knew how Twitter worked. Today, it’s commonplace. “Security will work the same way,” says Alier.

    A little optimism is a good thing – yet organizations and employees working from home should take a diligent approach to protecting themselves. In 2022, ransomware attacks are expected to become even more complex and personalized.

    Oriol Torruella, director of the Cybersecurity Agency of Catalonia, says organizations should be prepared and be aware of their level of digitization. “Investment in cybersecurity should be a priority and companies and institutions need a plan to implement not only technological measures but also organizational measures and training,” he adds. There is no shortage of reasons for greater vigilance when it comes to IT security. Yet when you consider that 90% of security breaches are a result of human error – combined with a society made considerably more vulnerable by the COVID-19 pandemic – it is becoming increasingly clear why, as Torruella says, cybersecurity involves us all.

  • Ransomware: Hackers are using Log4j flaw as part of their attacks, warns Microsoft

    Microsoft has confirmed that suspected China-based cyber criminals are targeting the Log4j ‘Log4Shell’ flaw in VMware’s Horizon product to install NightSky, a new ransomware strain that emerged on December 27. The financially motivated ransomware attacks target CVE-2021-44228, the original Log4Shell flaw disclosed on December 9, and mark one new threat posed by the critical vulnerability that affects internet-facing software, systems and devices where vulnerable versions of the Java-based Log4j application error-logging component are present.


    “As early as January 4, attackers started exploiting the CVE-2021-44228 vulnerability in internet-facing systems running VMware Horizon. Our investigation shows that successful intrusions in these campaigns led to the deployment of the NightSky ransomware,” Microsoft notes in an update to its recommendations for mitigating Log4Shell.

    Microsoft’s findings add more details to a report last week from the digital arm of the UK’s National Health Service (NHS) that attackers are targeting VMware’s Horizon server software that uses vulnerable versions of Log4j. That report noted attackers installed a malicious Java file that injects a web shell into the VM Blast Secure Gateway service, but it didn’t indicate whether ransomware was deployed.

    Horizon is one of a number of VMware’s software products affected by Log4j flaws. The case demonstrates the difficulties admins face in identifying systems affected by Log4j. VMware has detailed which versions of Horizon components are or are not vulnerable, and the different remediation steps for each if they are vulnerable. Its advisory indicates that at least one version of each Horizon on-premise component is vulnerable. Vulnerable on-premise components include Connection Server and HTML Access, the Horizon Windows Agent, Linux Agent, Linux Agent Direct Connect, Cloud Connector, and vRealize Operations for Desktop Agent. VMware has released updated versions or provided scripted mitigation workarounds.

    Microsoft says the attacks are being performed by a China-based ransomware operator it’s tracking as DEV-0401, which has previously deployed LockFile, AtomSilo, and Rook. The group has also exploited internet-facing systems running Confluence (CVE-2021-26084) and on-premises Exchange servers (CVE-2021-34473), according to Microsoft.

    According to BleepingComputer, malware researchers at MalwareHunterTeam identified NightSky as a new ransomware group on December 27. However, Czech-based malware analyst Jiří Vinopal, who published an analysis of NightSky on GitHub today, argues NightSky is just a new version of Rook ransomware with a few key design and encryption changes, including that NightSky is delivered as a VMProtect file. BleepingComputer notes that NightSky is using “double extortion”, where the attacker not only encrypts a target’s data but steals it and threatens to leak it if a ransom is not paid. One victim received an $800,000 ransom demand for a NightSky decryptor.

    As ZDNet reported yesterday, the US Cybersecurity and Infrastructure Security Agency (CISA) on Monday said it had not seen Log4Shell exploitation result in significant intrusions beyond the attack on the Belgian Defense Ministry. However, it also warned the lack of significant intrusions was no reason to reduce the urgency of remediation. Attackers who have already exploited targets can lay low for months afterwards, waiting for defenders to drop their guard before moving on their new access. And big penalties might await firms that don’t apply available patches if vulnerable systems expose consumer data. The FTC last week warned it would come after private sector firms that failed to protect consumer data exposed as a result of Log4j.

    CISA’s assessment that the Log4j threat is far from over chimes with Microsoft’s assessment, which stresses that Log4j is a “high-risk situation” in part because many organizations can’t easily tell what products and services are affected by Log4j. Microsoft said the Log4j vulnerabilities represent a complex and high-risk situation for companies across the globe: “The vulnerabilities affect not only applications that use vulnerable libraries, but also any services that use these applications, so customers may not readily know how widespread the issue is in their environment.” Microsoft also said customers should use scripts and scanning tools to assess their risk and impact, but warns that it has seen attackers using many of the same inventory techniques to locate targets: “Sophisticated adversaries (like nation-state actors) and commodity attackers alike have been observed taking advantage of these vulnerabilities. There is high potential for the expanded use of the vulnerabilities.”