More stories

  • Microsoft informs customers of 'NotLegit' Azure bug

    Microsoft’s Security Response Center has released a blog explaining its response to the “NotLegit” bug in Azure that was discovered by cloud security company Wiz.io.

    Wiz.io said all PHP, Node, Ruby, and Python applications that were deployed using “Local Git” on a clean default application in Azure App Service since September 2017 are affected. They added that all PHP, Node, Ruby, and Python applications that were deployed in Azure App Service from September 2017 onward using any Git source, after a file was created or modified in the application container, were also affected.

    Microsoft clarified in its response that the issue affects App Service Linux customers who deployed applications using Local Git after files were created or modified in the content root directory. It explained that this happens “because the system attempts to preserve the currently deployed files as part of repository contents, and activates what is referred to as in-place deployments by deployment engine (Kudu).”

    “The images used for PHP runtime were configured to serve all static content in the content root folder. After this issue was brought to our attention, we updated all PHP images to disallow serving the .git folder as static content as a defense in depth measure,” Microsoft explained. “For these languages since the application code controls whether it serves static content, we recommend customers review the code to make sure that only the relevant code is served out.”

    Microsoft noted that not all users of Local Git were impacted by the vulnerability and that Azure App Service on Windows was not affected. Microsoft has notified the customers that are affected by the problem, including those that were impacted due to the activation of in-place deployment and those who had the .git folder uploaded to the content directory. It also updated its Security Recommendations document with an additional section on securing source code and updated the documentation for in-place deployments.

    The Wiz Research Team said on Tuesday that it first notified Microsoft of the issue on October 7 and worked with them through the month to address it. The fix was deployed in November and customers were notified by December. Wiz was paid a bug bounty of $7,500.

    Microsoft did not say whether the vulnerability has been exploited, but Wiz said “NotLegit” is “extremely easy, common, and is actively being exploited.” “To assess the chance of exposure with the issue we found, we deployed a vulnerable Azure App Service application, linked it to an unused domain, and waited patiently to see if anyone tried to reach the .git files. Within 4 days of deploying, we were not surprised to see multiple requests for the .git folder from unknown actors,” the researchers explained. “Small groups of customers are still potentially exposed and should take certain user actions to protect their applications, as detailed in several email alerts Microsoft issued between the 7th – 15th of December, 2021.”

    The Wiz Research Team noted that accidentally exposing the Git folder through user error is a security issue that has impacted organizations like the United Nations and a number of Indian government sites.

    Vectra CTO Oliver Tavakoli said the impact of the vulnerability will be highly variable. Accessing the source code underlying an application (and possibly other files which might have been left in the same directory) may provide information that could be leveraged for other attacks, Tavakoli said. “The fact that the researchers set up what amounts to a honeypot and saw the vulnerability exploited in the wild is of particular concern as it means that the vulnerability was not a well-kept secret,” Tavakoli explained.

    JupiterOne field security director Jasmine Henry told ZDNet that leaked source code puts an organization in an incredibly vulnerable position to threat actors who can instantly steal intellectual property or launch an exploit tailored to unique weaknesses in the source code. “The NotLegit vulnerability is especially eye-opening since it highlights the growing security risk caused by privileged accounts and services, even in the absence of developer error,” Henry said.
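    The honeypot observation above (unknown clients requesting the .git folder within days) is something a site owner can look for in their own access logs. The following is an added example, not code from Wiz or Microsoft: it parses Apache/nginx combined-format log lines (the sample lines are constructed) and reports which .git probes the server actually answered with content rather than blocking.

```python
"""Flag access-log requests that probe for a deployed .git directory."""
import re
from collections import Counter
from dataclasses import dataclass

# Combined log format: client IP, ident, user, [timestamp], "request line", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# A path component that is exactly ".git" (so "/logo.gitlab.png" does not match).
# Any readable file under it lets the repository be reconstructed.
GIT_PATH_RE = re.compile(r'(^|/)\.git(/|$)')


@dataclass
class GitProbe:
    ip: str
    path: str
    status: int
    served: bool  # True when the server answered with content (2xx), i.e. exposure


def parse_line(line):
    """Return the log fields as a dict, or None for a line that is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_git_probes(lines):
    """Return one GitProbe per request whose path touches a .git directory."""
    probes = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # Match on the path only; a query string is not part of what gets served.
        path = rec["path"].split("?", 1)[0]
        if GIT_PATH_RE.search(path):
            status = int(rec["status"])
            probes.append(GitProbe(rec["ip"], path, status, 200 <= status < 300))
    return probes


def summarize(probes):
    """Count served vs. blocked probes, distinct clients, and the most requested paths."""
    return {
        "served": sum(p.served for p in probes),
        "blocked": sum(not p.served for p in probes),
        "clients": len({p.ip for p in probes}),
        "top_paths": Counter(p.path for p in probes).most_common(3),
    }


# Constructed sample traffic (not real log data): one normal page view,
# two probes that were served, one probe that was blocked, one look-alike path.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Dec/2021:09:14:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Dec/2021:09:14:05 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/7.79"',
    '198.51.100.23 - - [10/Dec/2021:09:14:06 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "curl/7.79"',
    '192.0.2.44 - - [11/Dec/2021:02:30:10 +0000] "GET /app/.git/index?x=1 HTTP/1.1" 403 199 "-" "python-requests/2.26"',
    '192.0.2.44 - - [11/Dec/2021:02:30:11 +0000] "GET /static/logo.gitlab.png HTTP/1.1" 200 4000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = find_git_probes(SAMPLE_LOG)
    for p in found:
        print(f"{p.ip:15} {p.status} {'SERVED ' if p.served else 'blocked'} {p.path}")
    print(summarize(found))
```

    A single served probe (a 2xx for any path under .git) means the repository was downloadable at that moment, regardless of how many requests were blocked afterwards.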

  • NSO spyware used to hack Polish politicians, Khashoggi's wife, others

    Spyware from Israeli tech company NSO Group has been implicated in the hack of a leading opposition politician in Poland and several others, according to University of Toronto nonprofit Citizen Lab. 

    In partnership with the Associated Press, Citizen Lab revealed on Thursday that Polish Senator Krzysztof Brejza was hacked using NSO Group’s Pegasus spyware 33 times between April 26, 2019 and October 23, 2019.

    Brejza helped run the opposition campaign against the right-wing government of Prime Minister Mateusz Morawiecki that is currently in power. Doctored photos from Brejza’s smartphone falsely implicated him in several scandals and were shared by government-backed news outlets. Morawiecki eventually won the election by a razor-thin margin. Brejza, who has gained popularity as a hardliner against corruption, was horrified to learn of the hack. Access to his phone would provide anyone with information about his campaign strategy as well as the corruption whistleblowers who put their trust in him. Earlier this week, Citizen Lab revealed that Pegasus was also used to hack into the phones of outspoken Polish prosecutor Ewa Wrzosek and Roman Giertych, a lawyer for Brejza’s party Civic Platform.

    While Morawiecki and the Polish government have denied any involvement in the hacking, EU member states have begun to speak out about the incident. “EU governments using spyware on political opponents and critics is unacceptable. EU Commission has to stop ducking the issue. Such practices have no place in the EU and must be banned,” Dutch EU parliamentarian Sophie in ‘t Veld tweeted on Wednesday.

    The news adds to a run of damaging stories about NSO Group. Citizen Lab provided the Washington Post with evidence showing the UAE used Pegasus to hack and track the phone of Hanan Elatr, wife of deceased Saudi journalist Jamal Khashoggi. Her phone was hacked months before her husband was assassinated by Saudi officials. NSO Group chief executive Shalev Hulio in July denied that Elatr and Khashoggi were ever targets of Pegasus customers. Even with the new forensic information, NSO Group continued to deny that Elatr was ever targeted.

    That story came after Citizen Lab provided information to The Guardian showing that UN war crimes investigator Kamel Jendoubi was hacked with Pegasus while he served as chairman of the Group of Eminent Experts in Yemen. NSO Group was blacklisted by the US government last month after it was revealed Pegasus was used to hack into the phones of several US State Department officials in Uganda. NSO Group is now facing significant trouble, including lawsuits from Apple and a potential default on more than $300 million in loans.

    Citizen Lab has worked with multiple news outlets throughout the year to reveal the scale of NSO Group’s work. In July, the “Pegasus Project” used information from Amnesty International, Citizen Lab, and Forbidden Stories to uncover that the NSO Group’s spyware was used to target at least 65 business executives, 85 human rights activists, 189 journalists, and at least 600 politicians. The Israeli government’s spy agency used the tool to hack the phones of six Palestinian human rights activists. The ruler of the UAE used Pegasus to spy on his ex-wife and her British lawyers. Targeted government officials included French President Emmanuel Macron, South African President Cyril Ramaphosa, and Iraqi President Barham Salih. Cabinet ministers from dozens of countries, including Egypt and Pakistan, were also targeted.

    John Scott-Railton, senior researcher at Citizen Lab, told ZDNet that the Polish victims of Pegasus were particularly notable because they suggest that Pegasus is being used for political purposes in a European democracy. The Khashoggi case reinforces the knowledge that there were Pegasus infections in the Washington Post reporter’s close circle prior to his murder, according to Scott-Railton. He added that the case further undermines NSO Group’s credibility because it directly contradicts multiple statements the company has made. Overall, the stories confirmed researchers’ worst fears: Pegasus was being used widely to influence politics and human rights. “Pegasus is also being used to erode key international institutions and the people who work at them. Taken together, alongside NSO’s dismal recent economic news, the picture is of a company that behaves recklessly and ignored the tremendous harms it was causing,” Scott-Railton said, noting that NSO Group is not the only spyware company causing damage. He explained, “The problem extends far beyond NSO. NSO has just made itself the poster child for how bad the industry is.”

  • Beware of cryptominers when torrenting 'Spider-Man: No Way Home'

    Cybersecurity firm ReasonLabs is warning eager fans of “Spider-Man: No Way Home” to beware of cryptominers if they decide to torrent the film instead of heading to theaters for it. In a new report, the ReasonLabs research team says it found Monero miners attached to Russian torrent files of the new film, which has brought in more than $750 million worldwide since it debuted last week. The miner adds exclusions to Windows Defender, creates persistence, and spawns a watchdog process to maintain its activity, according to ReasonLabs.

    “The malware is not signed and written in .net, and as of this date, it is not present in Virus Total. The malware tries to stay away from examining eyes, by using ‘legitimate’ names for the files and processes that it creates. We recommend taking extra caution when downloading content of any kind from non-official sources — whether it’s a document in an email from an unknown sender, a cracked program from a fishy download portal, or a file from a torrent download,” the team explained. “One easy precaution you can take is to always check that the file extension matches the file you are expecting e.g. in this case, a movie file should end with ‘.mp4’, not ‘.exe’. Try to gather information about the file, and always think twice before double-clicking on it. To make sure you see the real file extension, open a folder, go to ‘View’ and check ‘File name extensions.’ This will make sure you see the full file type.”

    The researchers added that although the malware does not compromise personal information, cryptominers cause other kinds of damage. The added electricity use costs the victims of the malware money, and the researchers noted that the miner runs for long periods, slowing down the device because of its high CPU usage.

    When asked how they discovered the cryptominer, the ReasonLabs team told ZDNet that they have amassed a large malware database over the years that allows them to research the origins of samples, flag them, and cross-check them with other databases such as Virus Total. One of their users downloaded this “Spider-Man: No Way Home” file and it got flagged within their database as a new threat.

    They do not know how many times the file has been downloaded but noted that it has been around for some time. “The Spiderman malware is actually a new ‘edition’ of a previously known malware that was disguised as various popular apps in the past such as ‘windows updater,’ ‘discord app,’ and now the Spiderman movie. This suggests that it’s been downloaded a lot. No one else has identified this ‘edition’ of the malware,” the team said.

    BreachQuest CTO Jake Williams said threat actors used torrents as a distribution mechanism for malware long before cryptominers were a thing. “I remember seeing a wave of threat actors compromising victims with screen savers celebrating Whitney Houston’s career in the wake of her passing. Given that cryptominers are the easiest way for threat actors to cash out, it’s not surprising that threat actors will use these as their malware payload of choice,” Williams explained.

    Digital Shadows’ Sean Nikkel noted that there are likely lots of Gen Xers and Millennials who remember the days of downloading random files from strangers across Kazaa and Limewire in search of rare or free MP3 or video files and ending up with a Trojan or similar nastiness. The tactic, he said, carried into the torrent world. In addition to malware being attached to popular movies or shows, the same thing occurs with popular applications like those from Adobe, Microsoft, or specialized music programs like Ableton or Fruity Loops, which are themselves often pirated. “Sometimes the key generators themselves were malicious or the application’s executable. There have been plenty of office workers looking to cut corners or use programs they’re familiar with on their work computer. These users run the risk of downloading ‘free’ versions or versions hosted on bad sites and end up getting burned,” Nikkel said.

    Bugcrowd CTO Casey Ellis explained that, from the threat actor’s perspective, using a delivery system where users are less likely to reach out for “technical support” if something seems off, or even to admit to peers or family that their computer might be acting strange, gives them an increased chance of their malware executing in the first place and, once it does, a lower risk of it being discovered and removed.

    ReasonLabs said it is still researching the origins of the miner but noted that it is constantly seeing miners deployed as common programs, files of interest, popular apps, current events, etc. “Miners got very popular in the past years because it’s easy money and attackers are trying to gain as many victims as possible — by any way possible, including fooling users to download files that are not what they seem,” ReasonLabs told ZDNet.

  • Train at your own pace to become an expert ethical hacker for only $43

    StackCommerce
    Cybercrimes are getting worse every day, so the demand for cybersecurity skills is through the roof. If you’d like to switch to a new well-paid career in 2022, you can start training now with the All-In-One 2022 Super-Sized Ethical Hacking Bundle. And it’s on sale for just $42.99.

    Jump right in with an overview of the field with “All-in-One Hacking Guide: From Zero to Hero.” Then “Bug Bounty: Web Hacking” teaches you how to hack big-name online apps. And you’ll get a solid foundation from the comprehensive guides “Complete Ethical Hacking & Penetration Testing Course” and “Learn Network Attacks & Security.” “Hack People, Systems & Mobile Devices: Advanced Social Engineering” teaches you in detail how hackers crack mobile devices.

    Python skills are always valuable, and two courses teach you how to hack using it: “Introduction to Python & Hacking with Python” and “Complete Python 3 Ethical Hacking Course: Zero to Mastery.” Another two cover Burp: “Learn Burp Suite for Advanced Web Penetration Testing” and “Mastering Burp Suite Community Edition: Bug Hunters Perspective.”

    You can build an arsenal of tools for different platforms. Crowd favorite “Learn Server Security with BitNinja” was rated 4.8 out of 5 stars. Instructor Gabriel Avramescu likes to challenge assumptions, strategies and techniques by emulating attackers. Then you can turbocharge your skills by advancing with “PenTesting with OWASP ZAP: Mastery Course,” “Kali Linux Hacker Tools, Tricks & Techniques,” “Master in Hacking with Metasploit” and “Complete NMAP: Learn Ethical Hacking with NMAP.”

    You’ll get lots of practice with “Hacking in Practice: Certified Ethical Hacking Mega Course,” “Website Hacking In Practice: Hands-On Course 101” and “Hacking Wireless Networks: Theory & Practice.” Then, get a certification that will make your resume shine with the “Ethical Hacker Certification Course.”

    Any one of these courses will provide you with the skills needed to apply for well-paid ethical hacking positions. It won’t be long before you’re rewarding yourself with some new gaming glasses, or something equally fun.

    Don’t pass up this opportunity to become an ethical hacker with the All-In-One 2022 Super-Sized Ethical Hacking Bundle.

    Prices subject to change.

  • Apache's new security update for HTTP Server fixes two flaws

    The Apache Software Foundation has released an update to address a critical flaw in its hugely popular web server that allows remote attackers to take control of a vulnerable system. The foundation has released version 2.4.52 of the Apache HTTP Server (web server) that addresses two flaws tracked as CVE-2021-44790 and CVE-2021-44224, which have respective CVSS severity scores of 9.8 (critical) and 8.2 (high) out of a possible 10. A score of 9.8 is very bad, and in recent weeks has only been topped by the Log4j vulnerability known as Log4Shell, which had a severity score of 10 out of 10.    

    The first Apache web server flaw is a memory-related buffer overflow affecting Apache HTTP Server 2.4.51 and earlier. The Cybersecurity and Infrastructure Security Agency (CISA) warns it “may allow a remote attacker to take control of an affected system”. The less serious flaw allows for server side request forgery in Apache HTTP Server 2.4.7 up to 2.4.51.

    This release of Apache HTTP Server is the latest generally available release of the 2.4.x branch of Apache HTTPD from Apache’s 26-year-old HTTP Server Project, which maintains an important and modern open-source HTTP server for Unix and Windows platforms. Apache HTTP Server is the second most widely used web server on the internet behind Nginx, according to W3Techs, which estimates it’s used by 31.4% of the world’s websites. UK security firm Netcraft estimates 283 million websites used Apache HTTP Server in December 2021, representing 24% of all web servers. The critical bug is apparently not under attack yet, but the HTTPD team believes it has the potential to be weaponized.

    “The Apache httpd team is not aware of an exploit for the vulnerability though it might be possible to craft one,” the Apache HTTPD team said. “A carefully crafted request body can cause a buffer overflow in the mod_lua multipart parser (r:parsebody() called from Lua scripts),” Apache Foundation’s Stefan Eissing explained on a mailing list.

    As Netcraft notes, Apache HTTP Server wasn’t directly impacted by the Java-based Log4j logging library flaw as it was written in C. However, even web servers written in non-Java languages may still have integrated the vulnerable Log4j library in a technology stack. IBM’s web server, WebSphere, integrates Log4j and was vulnerable, but Netcraft found only 3,778 sites using it.

    The Apache Software Foundation has released three updates in the past week in the wake of the widespread Log4Shell vulnerability in the Log4j version 2 branch. Cybersecurity agencies from the US, Australia, Canada, New Zealand and the United Kingdom yesterday released guidance for organizations to address the bug. The bug is expected to take months to resolve because the Log4j library has been integrated as a component into hundreds of software products from major vendors, including IBM, Cisco, VMware, RedHat and Oracle. The library also ships with important frameworks, such as Apache’s Struts2.

  • This new ransomware has simple but very clever tricks to evade PC defenses

    AvosLocker, a newcomer to the ransomware-as-a-service scene, is ramping up attacks while using some new techniques to try to evade security software.

    Security firm Sophos warns that AvosLocker, a human-operated ransomware gang that emerged this summer, is on the hunt for partners – such as ‘access brokers’ who sell access to already-hacked machines – in the hope of filling the gap left by REvil’s withdrawal.

    One of the key features of AvosLocker is using the AnyDesk remote IT administration tool and running it in Windows Safe Mode. The latter technique was used by REvil, Snatch and BlackMatter as a way to disable a target’s security and IT admin tools. As Sophos points out, many endpoint security products do not run in Safe Mode – a special diagnostic configuration in which Windows disables most third-party drivers and software – which can render otherwise protected machines unsafe.

    AnyDesk, a legitimate remote admin tool, has become a popular alternative among criminals to TeamViewer, which offered the same functionality. Running AnyDesk in Safe Mode while connected to the network allows the attacker to maintain control of infected machines. While AvosLocker merely repackages techniques from other gangs, Peter Mackenzie, director of incident response at Sophos, described their use as “simple, but very clever”. Mackenzie says that while Avos copied the Safe Mode technique, installing AnyDesk for command and control of machines while in Safe Mode is a first.

    The AvosLocker attackers reboot the machines into Safe Mode for the final stages of the attack, but also modify the Safe Mode boot configuration to allow AnyDesk to be installed and run.

    Sophos notes in a blogpost that legitimate owners might not be able to remotely manage a computer if it is configured to run AnyDesk in Safe Mode. An admin might need physical access to the infected computer to manage it, which could pose problems for a large network of Windows PCs and servers.

    Sophos has detected several more curious techniques used by AvosLocker. A Linux component, for example, targets VMware ESXi hypervisor servers by killing any virtual machines (VMs), then encrypting the VM files. Sophos is investigating how the attackers obtained the admin credentials needed to enable the ESX Shell or access the server.

    The attackers also used the IT management tool PDQ Deploy to push several Windows batch scripts to intended target machines, including Love.bat, update.bat, and lock.bat. As Sophos explains, in about five seconds these scripts disable security products that can run in Safe Mode, disable Windows Defender, and allow the attacker’s AnyDesk tool to run in Safe Mode. They also set up a new account with automatic login details and then connect to the target’s domain controller to remotely access and run the ransomware executable, update.exe.

    Sophos warns: “Ransomware, especially when it has been hand-delivered (as has been the case in these Avos Locker instances), is a tricky problem to solve because one needs to deal not only with the ransomware itself, but with any mechanisms the threat actors have set up as a back door into the targeted network. No alert should be treated as ‘low priority’ in these circumstances, no matter how benign it might seem.”
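    The three changes Sophos describes (a boot entry pinned to Safe Mode, a remote-access tool permitted to start in Safe Mode, and an account set to log on automatically) each leave a configuration footprint that can be compared against a clean baseline. The following is an added example, not Sophos's code or tooling: it audits constructed host data of the kind an endpoint script would collect, assuming the standard Windows locations for that state (`bcdedit /enum` output, the subkeys of `HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network`, and the Winlogon `AutoAdminLogon`/`DefaultUserName` values), none of which the article itself names.

```python
r"""Audit a Windows host's Safe Mode configuration against a clean baseline.

Added example. Inputs are constructed text/values of the kind produced by
`bcdedit /enum {current}`, by listing the subkeys of
HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Network (services and drivers
allowed to start in Safe Mode with Networking), and by reading the Winlogon
automatic-logon values. Collecting that data is left to existing tooling.
"""
import re

# bcdedit prints boot elements as "<name><spaces><value>". A normal workstation
# has no "safeboot" element at all, so its presence is itself the finding.
SAFEBOOT_RE = re.compile(r"^\s*safeboot\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_bcdedit_safeboot(output):
    """Return the safeboot value ('Minimal' or 'Network') if the boot entry is pinned to Safe Mode."""
    m = SAFEBOOT_RE.search(output)
    return m.group(1) if m else None


def extra_safeboot_services(current_keys, baseline_keys):
    """Subkeys present now but absent from the clean baseline snapshot (case-insensitive)."""
    baseline = {k.lower() for k in baseline_keys}
    return sorted(k for k in current_keys if k.lower() not in baseline)


def autologon_account(winlogon_values):
    """Return the account that would log on automatically, or None when AutoAdminLogon is off."""
    if str(winlogon_values.get("AutoAdminLogon", "0")).strip() == "1":
        return winlogon_values.get("DefaultUserName", "<unknown>")
    return None


def audit(bcdedit_output, safeboot_keys, baseline_keys, winlogon_values):
    """Run the three checks and return human-readable findings (empty list = clean)."""
    findings = []
    mode = parse_bcdedit_safeboot(bcdedit_output)
    if mode:
        findings.append(f"boot entry pinned to Safe Mode ({mode})")
    for svc in extra_safeboot_services(safeboot_keys, baseline_keys):
        findings.append(f"allowed to start in Safe Mode but not in baseline: {svc}")
    user = autologon_account(winlogon_values)
    if user:
        findings.append(f"automatic logon enabled for account: {user}")
    return findings


# --- constructed sample data (not captured from a real incident) -------------
BASELINE_SAFEBOOT_NETWORK = [  # snapshot taken from a known-clean machine
    "{4D36E967-E325-11CE-BFC1-08002BE10318}", "Base", "Boot Bus Extender",
    "LanmanServer", "LanmanWorkstation", "Netlogon", "rpcss", "WinDefend",
]
HOST_SAFEBOOT_NETWORK = BASELINE_SAFEBOOT_NETWORK + ["AnyDesk"]
HOST_BCDEDIT = """Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \\Windows\\system32\\winload.efi
description             Windows 10
safeboot                Network
"""
HOST_WINLOGON = {"AutoAdminLogon": "1", "DefaultUserName": "svc_backup", "DefaultDomainName": "CORP"}
CLEAN_WINLOGON = {"AutoAdminLogon": "0"}

if __name__ == "__main__":
    for finding in audit(HOST_BCDEDIT, HOST_SAFEBOOT_NETWORK, BASELINE_SAFEBOOT_NETWORK, HOST_WINLOGON):
        print("FINDING:", finding)
```

    Any one of these findings on a machine that was not deliberately put into Safe Mode by an administrator deserves the same priority Sophos asks for above, since each one was observed only in the final stage of a hands-on intrusion.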

  • Chinese regulators suspend Alibaba Cloud over failure to report Log4j vulnerability

    Chinese media outlets have reported that Alibaba Cloud is facing backlash from government regulators after it reported the Log4j vulnerability to Apache before the Ministry of Industry and Information Technology (MIIT).

    21st Century Business Herald said local reporters were informed on Wednesday that the Cyber Security Administration of the MIIT was suspending its information-sharing partnership with Alibaba Cloud for six months, specifically citing the failure to report Log4j as the reason.

    Chen Zhaojun, a security engineer at Alibaba Cloud, was identified by Bloomberg News as the first person to discover the Log4j vulnerability and report it to Apache. Zhaojun told Apache on November 24 and a third party later informed the MIIT in a report on December 9, according to Reuters. “Recently, after discovering serious security vulnerabilities in the Apache Log4j2 component, Alibaba Cloud failed to report to the telecommunications authorities in a timely manner and did not effectively support the Ministry of Industry and Information Technology to carry out cyber security threats and vulnerability management,” the local media report said. Protocol noted that China recently put into effect a new law that makes it mandatory for all companies to report vulnerabilities to state regulators within two days.

    The Chinese government has sought to get a better handle on cybersecurity and privacy in recent months, passing multiple laws and issuing warnings to major companies about the need to protect data shared outside of China. Alibaba was hit with a record 18.2 billion yuan fine and 33 other mobile apps have faced criticism from Beijing for their data collection policies. Didi has faced a major cybersecurity review, while Alibaba and Tencent have come under government scrutiny in recent months as well.

    In November, the Cyberspace Administration of China unveiled a new set of laws that reclassified data and laid out multiple sets of fines for violations of cybersecurity policy.

  • Phishing incident causes data breach at West Virginia hospitals

    A hospital system in West Virginia has suffered a data breach resulting from a phishing attack, which gave hackers access to several email accounts. Monongalia Health System — which runs Monongalia County General Hospital Company and Stonewall Jackson Memorial Hospital Company — said that hackers had access to several email accounts from May 10 to August 15. These accounts contained sensitive information from patients, providers, employees, and contractors. The company concluded its investigation into the incident on October 29, finding that the attack resulted from an email phishing incident.

    “Mon Health first became aware of the incident after a vendor reported not receiving a payment from Mon Health on July 28, 2021. In response, Mon Health promptly launched an investigation, through which it determined that unauthorized individuals had gained access to a Mon Health contractor’s email account and sent emails from the account in an attempt to obtain funds from Mon Health through fraudulent wire transfers,” the company explained. “Upon learning of this, Mon Health secured the contractor’s email account and reset the password, notified law enforcement, and a third-party forensic firm was engaged to assist with the investigation.”

    The attack did not include information from the system’s other hospitals, including Mon Health Preston Memorial Hospital and Mon Health Marion Neighborhood Hospital. The company claims that “the purpose of the unauthorized access to the email accounts was to obtain funds from Mon Health through fraudulent wire transfers and to perpetrate an email phishing scheme, not to access personal information.”

    Mon Health started sending breach notification letters to victims on December 21 and said a toll-free call center was created for those with questions. Dozens of healthcare organizations have had to send out breach notification letters to patients due to cyberattacks or ransomware incidents that exposed sensitive data.