More stories

  •

    IBM adds new services to its cloud security portfolio

    IBM on Wednesday announced a new suite of security services that aim to help enterprises apply a unified security approach across dispersed hybrid cloud environments. 

    IBM said the expanded Security Services for Cloud portfolio is designed to help companies connect and simplify cloud security across ecosystems, bringing together IBM and third-party technologies alongside support to manage security across cloud environments including AWS, Google Cloud, IBM Cloud and Microsoft Azure.

    The new services leverage AI and automation to help enterprises identify and prioritize risks, respond to potential threats across cloud environments, and connect that data with their broader security operations and on-premises systems, IBM said.

    “Cloud security can appear daunting, with defenders facing an expansive attack surface, shared responsibility models and rapidly evolving cloud platforms and tools,” said Vikram Chhabra, Global Director of Offering Management and Strategy for IBM Security Services. “We cannot assume that legacy approaches for security will work in this new operating model – instead, security should be modernized specifically for the hybrid cloud era, with a strategy based on zero trust principles that bring together context, collaboration and visibility across any cloud environment.”

    Updates to the portfolio include new advisory and managed security services that reduce the risk of cloud misconfigurations and provide insights into potential risks and threats. IBM is also rolling out new container security services, including integration with IBM Security X-Force Red vulnerability management, which identifies and ranks container-related vulnerabilities in order to prioritize remediation.

  •

    Hundreds of fleeceware apps earn dubious iOS, Android developers over $400 million

    Researchers have discovered hundreds of fleeceware mobile apps on Google Play and the Apple App Store that are earning their developers millions of dollars. 

    While stalkerware, spyware, and malvertising apps infect devices for spying, data theft, or to bombard users with ads and generate fraudulent revenue, fleeceware apps lure handset owners into downloading software and then charge them extortionate ‘subscription’ fees. Often enticed with ‘free’ trials, users are then overcharged to use the app, in some cases upward of $3,000 per year. Software subscriptions, such as for professional services, enterprise solutions, and creative platforms, can be expensive, but unlike these legitimate offerings there is generally nothing special about fleeceware.

    Developers rake in the proceeds from their creations, and while the practice is not illegal, it can be hard for users to figure out how to escape the subscription charges, and this method of generating app revenue appears to be growing in popularity. This week, Avast researchers said they have found a total of 204 fleeceware apps across Apple’s App Store and the Google Play Store. A total of 134 apps have been found on Apple’s iOS platform, with an estimated 500 million downloads and projected revenues of $365 million.

    On Google Play, 70 fleeceware apps have been discovered, with 500 million downloads and an estimated $38.5 million in revenue for the time they have been active and available. Predominant fleeceware app categories include astrology, horoscopes, photo and filter software, music lessons, cartoon creation, QR code/PDF document scanners, and video clip editing. The majority of fleeceware apps examined by Avast offer a three-day trial before subscriptions begin. “Once the trial is over, the user is charged a recurring high subscription fee, generating substantial revenue for the developers,” the researchers say. “There’s also the possibility that users forget to cancel the free trial, resulting in expensive fees.”

    These apps do generally provide the features they advertise, but even if only a handful of users fail to notice subscription payments going out, the revenue is far beyond what the software is likely to be worth. Subscriptions are billed weekly or monthly, at rates ranging from $4 to $66 a week. Deleting the app after noticing the payments does not stop the subscription, which lets the developer cash in further. Google and Apple are not responsible for refunds after a certain time period, and while the companies may choose to refund as a goodwill gesture in some cases, such as when children rack up huge bills through in-app purchases, they are not obliged to do so. The only remaining options may be to contact the developer directly or to request a bank chargeback. Both companies warn of active subscriptions when an app is deleted, but Avast says “it’s evident that fleeceware apps continue to bring in revenue.” Apple and Google have provided support pages to help mobile users manage app subscriptions.

  •

    SaltStack revises partial patch for command injection, privilege escalation vulnerability

    The Salt Project has issued a secondary fix for a command injection vulnerability after the first attempt to patch the issue partially failed.

    The vulnerability, tracked as CVE-2020-28243, impacts SaltStack Salt before 3002.5. SaltStack Salt is automation and infrastructure software made available to the open source community. “The minion’s restartcheck is vulnerable to command injection via a crafted process name,” the bug’s description reads. “This allows for a local privilege escalation (LPE) by any user able to create files on the minion in a non-blacklisted directory.”

    The vulnerability was discovered by Immersive Labs’ security researcher Matthew Rollings in November 2020. If exploited, the command injection bug could allow an attacker to craft a process name and elevate their privileges locally. Container escapes were also possible, and as long as particular conditions were met, remote users may be able to tamper with process names, although this would be a difficult attack to pull off.

    CVE-2020-28243 was resolved on February 4 as part of a wider security release. At least, in part. According to Rollings, the fix for the LPE flaw did prevent command injection, but did not go far enough and still allowed argument injection. While not as severe as the original issue, failing to patch this problem could have led to denial of service and software crashes.

    The first fix issued by the Salt Project used shlex, Python’s shell-style lexical parser, to split the command string instead of handing it to a shell, in order to prevent command injection. “The developer that added this fix made an error,” Rollings explained. “Their usage of shlex does not provide any additional protection. The shlex.split function takes an input string and splits it into the command and its arguments using spaces as the delimiter. We control the package variable, which means we can inject additional arguments into the command.” According to the researcher, argument injection can still occur even with that sanitization in place, under the same conditions: shlex keeps shell metacharacters from reaching a shell, but any space the attacker can put into the controlled value still produces an extra argument to the command.

    SaltStack’s fix was issued without coordinated disclosure with Immersive Labs, a factor that the cybersecurity firm says prevented the patch from being adequately tested. “If they had communicated on the solution, the issue would have been spotted and a secondary fix wouldn’t have been necessary,” the company says. However, once the error in the patch was noticed and reported, SaltStack privately shared the second attempt prior to publication.

    The second fix, issued on March 23, passes the command and its arguments as an array rather than a single string, so a crafted package name is delivered as one argument instead of being split into several. “Thankfully, the second time around SaltStack shared the fix for approval before publication,” Rollings says. “This is a step in the right direction and shows more of a proactive than reactive approach to security, which is always better in the long run.” ZDNet has reached out to the Salt Project and we will update when we hear back.
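    The three code shapes the story describes, as an added illustration written for this page (it is not Salt’s code, and the Salt source is not quoted here): an interpolated shell string, the same string split with shlex, and an argv list. `rpm -q` is assumed as a stand-in for whatever restartcheck invokes, `name` stands for the attacker-controlled process or package name, and the `--` separator is an added hardening step that the story does not mention. The last function runs a tiny Python stub in place of the real tool, so the arguments each shape actually delivers can be seen without rpm installed.

```python
import json
import shlex
import subprocess
import sys
from typing import List

# Added illustration; none of this is Salt's own code. "rpm -q" is an assumed
# stand-in for the tool restartcheck calls, and `name` is the value an attacker
# controls (a crafted process or package name).


def shell_string(name: str) -> str:
    """Pre-fix shape: interpolate into one string that is handed to a shell.
    A ';' or '$(...)' inside `name` becomes a second command."""
    return f"rpm -q {name}"


def argv_via_shlex(name: str) -> List[str]:
    """First fix: split the interpolated string with shlex.
    Shell metacharacters no longer reach a shell, but whitespace in `name`
    still yields extra argv entries, so options can be injected."""
    return shlex.split(shell_string(name))


def argv_as_list(name: str) -> List[str]:
    """Second fix: build argv as a list. `name` is exactly one element
    whatever it contains; '--' (an assumption added here) stops a name that
    begins with '-' from being read as an option by the tool."""
    return ["rpm", "-q", "--", name]


def argv_received(argv: List[str]) -> List[str]:
    """Execute a stand-in for the external tool that only reports the argument
    list it was given, so the effect of each shape is observable offline."""
    stub = [sys.executable, "-c",
            "import json, sys; print(json.dumps(sys.argv[1:]))"]
    proc = subprocess.run(stub + argv[1:], capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


if __name__ == "__main__":
    crafted = "libfoo --nosuchoption"
    print(shell_string("x; id"))                   # rpm -q x; id
    print(argv_received(argv_via_shlex(crafted)))  # ['-q', 'libfoo', '--nosuchoption']
    print(argv_received(argv_as_list(crafted)))    # ['-q', '--', 'libfoo --nosuchoption']
```

    The second and third calls show the difference the story turns on: with shlex the crafted name arrives as two arguments, one of which the tool will try to parse as an option; with a list it arrives as a single, inert argument.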

  •

    Purple Fox malware evolves to propagate across Windows machines

    An upgraded variant of Purple Fox malware with worm capabilities is being deployed in an attack campaign that is rapidly expanding. 

    Purple Fox, first discovered in 2018, is malware that used to rely on exploit kits and phishing emails to spread. However, a new campaign taking place over the past several weeks, and which is ongoing, has revealed a new propagation method leading to high infection numbers.

    In a blog post on Tuesday, Guardicore Labs said that Purple Fox is now being spread through “indiscriminate port scanning and exploitation of exposed SMB services with weak passwords and hashes.” Based on Guardicore Global Sensors Network (GGSN) telemetry, Purple Fox activity began to climb in May 2020. While there was a lull between November 2020 and January 2021, the researchers say overall infection numbers have risen by roughly 600% and total attacks currently stand at 90,000.

    The malware targets Microsoft Windows machines and repurposes compromised systems to host malicious payloads. Guardicore Labs says a “hodge-podge of vulnerable and exploited servers” is hosting the initial malware payload, many of which are running older versions of Windows Server with Internet Information Services (IIS) version 7.5 and Microsoft FTP. Infection chains may begin through internet-facing services containing vulnerabilities, such as SMB, browser exploits sent via phishing, brute-force attacks, or deployment via exploit kits including RIG. As of now, close to 2,000 servers have been hijacked by Purple Fox botnet operators.

    Guardicore Labs researchers say that once code execution has been achieved on a target machine, persistence is managed through the creation of a new service that loops commands and pulls Purple Fox payloads from malicious URLs. The malware’s MSI installer disguises itself as a Windows Update package, with each copy carrying a different hash, a feature the team calls a “cheap and simple” way to stop the installers from being linked to one another during investigations.

    In total, three payloads are then extracted and decrypted. One tampers with Windows firewall capabilities and creates filters to block a number of ports, potentially in a bid to stop the vulnerable server from being reinfected with other malware. An IPv6 interface is also installed for port scanning purposes and to “maximize the efficiency of the spread over (usually unmonitored) IPv6 subnets,” the team notes, before a rootkit is loaded and the target machine is restarted. Purple Fox is loaded into a system DLL for execution on boot.

    Purple Fox will then generate IP ranges and begin scans on port 445 to spread. “As the machine responds to the SMB probe that’s being sent on port 445, it will try to authenticate to SMB by brute-forcing usernames and passwords or by trying to establish a null session,” the researchers say. The Trojan/rootkit installer has adopted steganography to hide local privilege escalation (LPE) binaries in past attacks. Indicators of Compromise (IoCs) have been shared on GitHub.
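    Guardicore’s description of the spread (one host probing port 445 across generated IP ranges, including IPv6 subnets that are rarely monitored) suggests a simple network-side detection. What follows is an added example, not code from Guardicore or from the page: it parses constructed flow records of the form `timestamp src dst dport` and flags any source that reaches a threshold of distinct destinations on TCP/445 within a short window. Counting distinct targets per source is what separates a scanning host from a busy file server that many clients legitimately contact; the threshold and window are assumed values to be tuned per network.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed flow records, not real telemetry: "timestamp src dst dport".
# 10.0.5.7 and 2001:db8:1::7 sweep port 445 across a range (the worm shape);
# 10.0.1.5 is a file server reached by several clients (the benign shape).
SAMPLE_FLOWS = """\
2021-03-23T10:00:00Z 10.0.5.7 10.0.6.1 445
2021-03-23T10:00:00Z 10.0.5.7 10.0.6.2 445
2021-03-23T10:00:01Z 10.0.5.7 10.0.6.3 445
2021-03-23T10:00:01Z 10.0.5.7 10.0.6.4 445
2021-03-23T10:00:02Z 10.0.5.7 10.0.6.5 445
2021-03-23T10:00:02Z 10.0.5.7 10.0.6.6 445
2021-03-23T10:00:03Z 10.0.5.7 10.0.6.7 445
2021-03-23T10:00:03Z 10.0.5.7 10.0.6.8 445
2021-03-23T10:00:10Z 10.0.1.20 10.0.1.5 445
2021-03-23T10:00:11Z 10.0.1.21 10.0.1.5 445
2021-03-23T10:00:12Z 10.0.1.22 10.0.1.5 445
2021-03-23T10:00:12Z 10.0.1.20 10.0.1.9 443
2021-03-23T10:00:20Z 2001:db8:1::7 2001:db8:2::1 445
2021-03-23T10:00:20Z 2001:db8:1::7 2001:db8:2::2 445
2021-03-23T10:00:21Z 2001:db8:1::7 2001:db8:2::3 445
2021-03-23T10:00:21Z 2001:db8:1::7 2001:db8:2::4 445
2021-03-23T10:00:22Z 2001:db8:1::7 2001:db8:2::5 445
2021-03-23T10:05:00Z 10.0.5.7 10.0.6.9 445
"""

Flow = Tuple[datetime, str, str, int]


def parse_flows(text: str) -> List[Flow]:
    """Parse the whitespace-separated records into time-sorted tuples.
    Addresses stay as strings, so IPv6 sources are counted like IPv4 ones."""
    flows: List[Flow] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst, int(dport)))
    return sorted(flows)


def smb_scanners(flows: List[Flow], min_targets: int = 5,
                 window: timedelta = timedelta(seconds=60)) -> Dict[str, Tuple[datetime, int]]:
    """Return {src: (window_start, distinct_targets)} for each source that
    contacted at least `min_targets` distinct hosts on TCP/445 within `window`.
    Threshold and window are assumed values; distinct destinations (not packet
    counts) are what separate a scanner from a client retrying one server."""
    by_src: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445:
            by_src[src].append((ts, dst))
    hits: Dict[str, Tuple[datetime, int]] = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                hits[src] = (start, len(targets))
                break  # the first window that trips the rule is enough
    return hits


if __name__ == "__main__":
    for src, (start, n) in smb_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {n} distinct SMB targets starting {start:%H:%M:%S}")
```

    On the sample above the two sweeping hosts are reported and the file server’s clients are not; the stray probe from 10.0.5.7 five minutes later falls outside the window and does not change the count. In practice the same rule would be fed from flow exports or firewall logs rather than an embedded string, and the IPv6 records matter because, as the report notes, that is where the spread is least likely to be watched.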


  •

    Microsoft: 92% of vulnerable exchange servers are now patched, mitigated

    Microsoft says that 92% of Exchange servers vulnerable to a set of critical vulnerabilities have now been patched or had mitigations applied. The Redmond giant’s Security Response team said there is “strong momentum” in patches or mitigation tools being applied to internet-facing, on-prem servers, and the latest data shows a 43% improvement worldwide compared with last week. Microsoft cited telemetry from RiskIQ, which is working with the tech giant to manage the fallout of the security incident, in a tweet posted on Monday.

    Microsoft released emergency patches for Microsoft Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019 on March 2. At the time, the company said that four zero-day vulnerabilities which could lead to data theft and overall server hijacking were being actively exploited in “limited, targeted attacks.” However, it was not long before multiple advanced persistent threat (APT) groups began to join in Exchange Server-based campaigns, and it is estimated that thousands of systems belonging to organizations worldwide have been compromised.

    Alongside the emergency patches, Microsoft has also published a mitigation guide and created a one-click mitigation tool, including a URL rewrite rule for one of the vulnerabilities to stop the attack chain from forming. In addition, Microsoft Defender Antivirus has been upgraded to include automatic mitigation capabilities for the zero-day vulnerabilities.

    The issue with these vulnerabilities, however, is that applying a patch or mitigations does not evict an attacker who is already on the server: whatever earlier exploitation left behind survives the update. F-Secure says “tens of thousands” of servers have already been breached and others “[are] being hacked faster than we can count.” While patches and mitigations are being applied at a fast rate, IT administrators must check their systems for indicators of compromise (IoCs) and perform security audits to see whether their servers were exploited before the security updates were applied.

  •

    Apple has a problem with ProtonVPN wanting to challenge governments

    The founder of ProtonVPN, Andy Yen, has jumped onto a soapbox to lambaste Apple over a decision to block an update of the app over its description. “Whether it is challenging governments, educating the public, or training journalists, we have a long history of helping bring online freedom to more people around the world,” read the text an Apple app reviewer took issue with. The reviewer suggested the text be modified so as not to “encourage users to bypass geo-restrictions or content limitations”.

    Yen used the rejection to claim Apple was stymieing rights in Myanmar, which is in the midst of a brutal crackdown following a coup last month. The founder said the company had used the description for months already. “Actions have consequences, and Apple’s actions are actively hampering the defense of human rights in Myanmar at a time when hundreds of people are dying,” Yen said.

    Never mind that Apple challenges governments when it suits it — unless it is Beijing calling the shots. It’s a far cry from its famous 1997 ad, when the company said the following words over the top of a montage of government resisters: “Here’s to the crazy ones. The misfits. The rebels. The troublemakers. The round pegs in the square holes. The ones who see things differently. They’re not fond of rules. And they have no respect for the status quo.”

    Last week, Wired reported that Apple had agreed to begin showing Russian users a phone setup screen where they could install a set of Moscow-approved apps. “Apple’s priority is to preserve access to markets and maintain its profits, so it almost never challenges the policies of dictators or authoritarian regimes,” Yen said. “By giving in to tyrants, Apple is ignoring internationally recognised human rights and preventing organisations such as Proton from defending those in need. What is also troubling is that Apple requested the removal of this language in ALL countries where our app is available. By doing so, Apple is helping spread authoritarian laws globally, even in countries where freedom of speech is protected.”

    Apple said in a submission to the Australian Competition and Consumer Commission recently that it was surprised developers took issue with its app review process. “The main purpose of the App Review process is to protect consumers from fraudulent, nonfunctioning, malicious, or scam apps,” Apple said. “Central to the App Review process is the protection of our consumers’ privacy and security.”

  •

    Firefox 87 launch packed with private browsing 'SmartBlock'

    An example of SmartBlock (right) in action. Image: Mozilla

    Mozilla has launched Firefox 87, with the latest version of the browser boasting “SmartBlock”, a new privacy feature touted as intelligently fixing web pages that are broken by tracking protections, without compromising user privacy.

    SmartBlock aims to bolster Firefox’s built-in content blocking feature, available in both private browsing and strict tracking protection modes for the past six years, which blocks third-party scripts, images, and other content from being loaded from cross-site tracking companies listed by Disconnect. As Mozilla explained in a blog post, blocking these tracking components prevents those companies from watching users as they browse, but it risks blocking components that some websites need in order to function properly.

    “This can result in images not appearing, features not working, poor performance, or even the entire page not loading at all,” Mozilla explained. “To reduce this breakage, Firefox 87 is now introducing a new privacy feature we are calling SmartBlock.”

    SmartBlock does this by providing local stand-ins for blocked third-party tracking scripts. “These stand-in scripts behave just enough like the original ones to make sure that the website works properly. They allow broken sites relying on the original scripts to load with their functionality intact,” the blog said. “We believe the SmartBlock approach provides the best of both worlds: strong protection of your privacy with a great browsing experience as well.”

    Over on Chrome, from version 90, the browser’s address bar will use “https://” by default, unless otherwise specified. “Users often type ‘example.com’ instead of ‘https://example.com’ in the address bar. In this case, if it was a user’s first visit to a website, Chrome would previously choose http:// as the default protocol. This was a practical default in the past, when much of the web did not support HTTPS,” the Chromium blog explained. It touted that the move would improve the initial loading speed of sites supporting HTTPS, in addition to being a privacy and security improvement, since a first visit no longer begins with a plaintext request that can be observed or tampered with on the way. This change will roll out initially on Chrome Desktop and Chrome for Android in version 90, with a release for Chrome on iOS to follow soon after.

  •

    AEC confident in its security posture with external audits not welcome

    The Australian Electoral Commissioner Tom Rogers has dismissed the proposal to allow a non-government researcher to conduct a security audit on its systems. The prospect of an audit by security researcher Vanessa Teague, who has experience in finding holes in electoral systems, was raised by One Nation Senator Malcolm Roberts during Senate Estimates on Tuesday night.

    Rogers said “frankly” that Teague would not be welcome to perform an audit on the AEC systems. “We work with a range of partners, including the Australian Signals Directorate, the Australian Cyber Security Centre, we’ve had our internal code audited and checked,” he said. “And not being rude, I’m sure that Dr. Teague is a wonderful person, but we’ve had sufficient checks in place to assure ourselves that that system is running smoothly.”

    Roberts subsequently pushed for the commissioner to give a “resounding guarantee of the cyber integrity” of the system, which Rogers refused. “No one would sit in this chair and give an unequivocal guarantee about that issue,” he said. “I would be cheapening the guarantee by giving it.”

    Rogers repeated that the AEC and government cyber agencies were satisfied with the systems’ security and that they followed the prescribed Commonwealth guidelines, but since cybersecurity involves unknown factors, a guarantee could not be made. “But I am very, very, very confident that we’ve got an incredibly robust system in place that’s worked well and continues to work and we continue to assess it, we continue to work with our partner agencies, we comply with all Commonwealth guidelines, cybersecurity guidelines, and I think it’s a fantastically secure system,” he said. “I don’t think anyone would give an unequivocal guarantee about anything, there are factors that I’m not aware of.”

    The AEC chief also told Estimates that it would be rolling out more electronic certified lists as a way to mark off voters at polling stations, and would push the “vanishingly small” number of people voting multiple times even lower. During the 2019 Australian election, Rogers put the number of apparent multiple voters in the entire country at around 2,000 people, or 0.01% of the voting population.