More stories

  • Microsoft Defender Antivirus now automatically mitigates Exchange Server vulnerabilities

    Microsoft has implemented an automatic mitigation tool within Defender Antivirus to tackle critical vulnerabilities in Exchange Server.

    On March 18, the Redmond giant said the software will automatically mitigate CVE-2021-26855, a severe vulnerability that is being actively exploited in the wild. This vulnerability is one of four that can be used in a wider attack chain to compromise on-premises Exchange servers. Microsoft released emergency fixes for the security flaws on March 2 and warned that a state-sponsored threat group called Hafnium was actively exploiting the bugs, and since then, tens of thousands of organizations are suspected to have been attacked. At least 10 other advanced persistent threat (APT) groups have jumped on the opportunity that slow or fragmented patching has provided.

    The implementation of a recent security intelligence update for Microsoft Defender Antivirus and System Center Endpoint Protection means that mitigations will be applied on vulnerable Exchange servers when the software is deployed, without any further input from users. According to the firm, Microsoft Defender Antivirus will automatically identify whether a server is vulnerable and apply the mitigation fix once per machine.

    If automatic updates aren’t turned on, it is recommended that users manually install the new update and make sure their software is upgraded to build 1.333.747.0 or newer. Cloud protection is not required to receive the mitigation fix, but the company recommends enabling this feature as a matter of best practice.

    Earlier this week, Microsoft released a one-click mitigation tool designed to reduce the risk of exploitation on vulnerable servers before full patches can be applied, and this update to the firm’s antivirus software has been released under the same principle. The mitigation tool remains readily available as an alternative way to mitigate risk to vulnerable servers if IT admins do not have Defender Antivirus.

    “The Exchange security update is still the most comprehensive way to protect your servers from these attacks and others fixed in earlier releases,” Microsoft says. “This interim mitigation is designed to help protect customers while they take the time to implement the latest Exchange Cumulative Update for their version of Exchange.”

    On March 17, Microsoft launched the firm’s quarterly cumulative updates for Exchange Server 2016 and Exchange Server 2019, which also contain the security patches required to tackle the critical vulnerabilities.

  • ANAO finds two government departments inaccurately self-reported cyber compliance

    The Australian National Audit Office (ANAO) has published its findings of an investigation into the effectiveness of cybersecurity risk mitigation strategies implemented by seven government entities, declaring that none have fully implemented all the mandatory benchmarks.

    The Attorney-General’s Department (AGD); Australian Trade and Investment Commission (Austrade); Department of Education, Skills, and Employment; Future Fund Management Agency; Department of Health; IP Australia; and Department of the Prime Minister and Cabinet (PM&C) were all under the microscope.

    The Australian Signals Directorate (ASD) and Department of Home Affairs (DHA) were also probed by ANAO, but they were not included in this assessment. Instead, they were examined only in their roles as cyber policy and operational entities.

    Since 2013, non-corporate Commonwealth entities have been required to undertake an annual self-assessment against the Top Four strategies, which are mandated by the AGD’s Protective Security Policy Framework (PSPF). Entities report their overall compliance with mandatory requirements to AGD.

    The Top Four are: properly implementing application whitelisting, patching applications, patching operating systems, and restricting administrative privileges.

    In addition to none of the seven entities implementing all of the mandatory Top Four mitigation strategies, ANAO found that of the three entities that had self-assessed full implementation for one or more of the mitigation strategies in their 2018-19 PSPF assessment, PM&C and AGD had not done so accurately. PM&C assessed itself as having fully implemented all the mandatory Top Four mitigation strategies in its 2018-19 PSPF self-assessment.

    PM&C was assessed by ANAO as fully implementing the requirements for application control, for patching applications, and for patching operating systems. However, ANAO assessed that PM&C only partially implemented the requirements for restricting administrative privileges.

    “While PM&C has a process for validating privileged access on an annual basis, it does not sufficiently ensure that privileged access is restricted to personnel that require it to undertake their duties,” the report declared. “Weaknesses in PM&C’s validation processes increases the risk that a cyber intrusion could result in an adversary acquiring privileged access to its systems and subsequently change and bypass other security measures to compromise the system.”

    In its 2018-19 PSPF self-assessment, AGD reported that it had fully implemented two of the Top Four: patching operating systems and restricting administrative privileges. ANAO assessed that AGD has “substantially” implemented the requirements for patching operating systems, but that further improvements needed to be made to reach full implementation. ANAO was satisfied with AGD’s assessment that it has fully implemented the requirements for restricting administrative privileges, however.

    The Future Fund Management Agency escaped ANAO’s wrath by accurately self-assessing the two Top Four mitigation strategies for which it reported full implementation. “Future Fund has not fully implemented all of the Top Four mitigation strategies, but is internally resilient as it has effective controls in place to support its ability to detect and recover from a cybersecurity incident,” ANAO said.

    The report also showed that five of six selected entities that had self-assessed as not having fully implemented any of the Top Four mitigation strategies have established strategies and implemented activities to manage their cyber risks and to progress toward a “Managing” maturity level for PSPF Policy. The five entities have also included the implementation of the remaining four strategies that comprise the Essential Eight in their cybersecurity improvement programs.

    Austrade and the Department of Education were additionally asked by ANAO to set a timeframe to improve their respective cybersecurity maturity.

    AGD and DHA are the key regulatory entities where cybersecurity is concerned. The AGD is responsible for setting government protective security policy guidance, including for information security, through the PSPF. ASD, meanwhile, developed the Top Four mitigation strategies. ANAO said all three “could do more to improve support for the implementation of cybersecurity requirements”.

    Making five recommendations, ANAO has asked AGD to ensure the maturity levels under the PSPF maturity assessment model are fit for purpose and effectively align with the maturity levels under ASD’s Essential Eight Maturity Model. In addition, it has sought for AGD to provide additional clarity on the PSPF supporting guidance and implement measures to obtain assurance on the accuracy of entities’ PSPF self-assessments, while asking ASD to assist AGD in supporting its assurance processes. ANAO’s final recommendation was that the Australian government strengthen arrangements to hold entities to account for the implementation of mandatory cybersecurity requirements.

    Such lack of accountability has been the subject of many parliamentary inquiries, with the Joint Committee of Public Accounts and Audit, as one example, highlighting that there is no mechanism that allows the individual performance of Commonwealth entities to be probed.

    ANAO also said that in the period July 2019 to June 2020, there were 436 cybersecurity incidents reported to the Australian Cyber Security Centre by Australian government entities.

  • Australian law enforcement used encryption laws 11 times last year

    Australia’s contentious encryption laws were used 11 times between 1 July 2019 and 30 June 2020, by three of the nation’s law enforcement bodies. Revealed in the Department of Home Affairs’ latest Telecommunications (Interception And Access) Act 1979 — Annual Report 2019-20, New South Wales Police used the powers seven times, the Australian Federal Police (AFP) three times, and the Australian Criminal Intelligence Commission (ACIC) once.

    All 11 instances were Technical Assistance Requests (TARs), which are voluntary requests for the designated communications providers to use their existing capabilities to access user communications. The laws, passed in 2018, also create Technical Assistance Notices and Technical Capability Notices, which are compulsory notices to compel communications providers to use or create a new interception capability, respectively.

    NSW Police used the notices in six cases of illicit drug offences and one of robbery. Two of the AFP’s three TARs given in the period were not given for specific offences, but rather were given to be used against all serious offences as the need arose. These two TARs were then revoked prior to assistance being utilised, the report said. The Federal Police’s remaining TAR was used for cybercrime offences. The ACIC, meanwhile, used its one TAR for illicit drug offences.

    During the reported period, there were just over 310,000 authorisations for retained data, up from the 296,000 issued last year. NSW Police had the most, with just shy of 120,000 authorisations, followed by Victoria Police with around 89,000, and WA Police with almost 27,000. More than 227,000 of these authorisations involved subscriber data rather than traffic data.

    Australia’s 20 enforcement agencies made 306,995 authorisations for the disclosure of historical telecommunications data, an increase of 17,358 from the 289,637 authorisations made in the previous year. NSW Police again accounted for the most authorisations with 116,968, followed by Victoria Police with 88,526, WA Police with 26,512, and Queensland Police with 25,221. The report said of these, 306,995 were made to enforce the criminal law.

    The majority of criminal law offences for which historical telecommunications data was requested were illicit drug offences, with 78,142 requests, followed by 32,827 requests for fraud and related offences, and 24,834 requests for robbery offences. 3,028 authorisations were made by agencies for the purpose of locating a missing person, and 1,209 for the enforcement of a law imposing a pecuniary penalty or for the protection of the public revenue.

    3,677 interception warrants were issued to interception agencies, an increase of 116 from 2018-19. 737 were renewals of interception warrants and only 12 of the total requests were refused. “The majority of serious offences that were specified in interception warrants issued were serious drug and trafficking offences (2,096 times specified), followed by loss of life or personal injury offences (616 times specified) and murder (303 times specified),” the report states. NSW Police had all of its 1,613 requests issued, while WA Police had seven of its 364 requests refused.

    Information obtained under interception warrants was used in 2,685 arrests, 5,219 prosecutions, and 2,652 convictions. 1,385 stored communications warrants were issued to criminal law-enforcement agencies, an increase of 132 on the 1,253 issued the year prior. Law enforcement agencies made 542 arrests, conducted 568 proceedings, and obtained 298 convictions involving evidence obtained under stored communications warrants, the report said.

    32,856 authorisations were made by criminal law-enforcement agencies for the disclosure of prospective telecommunications data, an increase of 5,085 on the 27,771 authorisations made in 2018-19. One journalist information warrant was issued to the QLD Crime and Corruption Commission, under which one historical data authorisation was made for the enforcement of the criminal law.

    The report also revealed that the cost of compliance since 2015-16 with Australia’s data retention scheme topped AU$238 million, with 2019-20 costs coming in at a little over AU$21.2 million. Total costs recovered came in at AU$50.3 million.

    The AFP and ACIC are gearing up to be issued three new computer warrants for dealing with online crime through the pending passage of the Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020. The first of the warrants is a data disruption warrant; the second is a network activity warrant; and the third is an account takeover warrant.

    Senators have raised concerns about the “scope creep” the warrants could result in, the country’s privacy commissioner has called the powers “too wide-ranging”, while the Human Rights Law Centre and the Law Council of Australia have asked that the federal government redraft the Bill, calling its contents “particularly egregious” and “so broad”.

  • VMware acquires Mesh7 for cloud-native application security

    VMware on Thursday announced it plans to acquire Mesh7, a company that secures cloud-native applications and microservices by monitoring application behavior at the API layer. The terms of the deal were not disclosed.

    Once the acquisition is finalized, VMware plans to integrate Mesh7’s contextual API behavior security product with the VMware Tanzu Service Mesh. The integration “will enable VMware to deliver high fidelity understanding of which application components are talking to which using APIs,” Tom Gillis, VMware SVP and GM of the Networking and Security Business Unit, wrote in a blog post. “Developers and Security teams will each gain a better understanding of when, where and how applications and microservices are communicating via APIs, even across multi-cloud environments, enabling better DevSecOps.”

    The Mesh7 solution is based on Envoy, an open-source Layer 7 proxy designed for large, modern service-oriented architectures. Envoy is also a foundational component of Tanzu Service Mesh. “Early on, VMware realized Envoy would become the platform for next-generation security services,” Gillis wrote.

  • SolarWinds-linked hacking group SilverFish abuses enterprise victims for sandbox tests

    Cyberattackers involved in worldwide hacking campaigns are using the compromised systems of high-profile victims as playgrounds to test out malicious tool detection rates.

    On Thursday, Swiss cybersecurity firm Prodaft said that SilverFish, an “extremely skilled” threat group, has been responsible for intrusions at over 4,720 private and government organizations including “Fortune 500 companies, ministries, airlines, defense contractors, audit and consultancy companies, and automotive manufacturers.” Attacks are geared toward US and European entities and there is a specific focus on critical infrastructure and targets with a market value of over $100 million.

    SilverFish has been connected to the recent SolarWinds breach as “one of many” threat groups taking advantage of the situation, in which malicious SolarWinds Orion updates were pushed to customers, leading to the compromise of thousands of corporate networks.

    In December, following the disclosure of the SolarWinds breach, Prodaft received an analysis request from a client and created a fingerprint based on public Indicators of Compromise (IoCs) released by FireEye. After running IPv4 scans, the team found new detections within 12 hours and then began combing the web for command-and-control servers (C2s) used in the operation while refining fingerprint records. Prodaft says that after obtaining entry to the management C2 control panel, the company was able to verify links to existing SolarWinds security incidents and known victims by way of IP, username, command execution, country, and timestamp records.

    Victims verified by the company include a US military contractor, a top COVID-19 testing kit manufacturer, aerospace and automotive giants, multiple police networks, European airport systems, and “dozens” of banking institutions in the US and Europe.

    SilverFish is focused on network reconnaissance and data exfiltration and uses a variety of software and scripts for both initial and post-exploitation activities. These include readily available tools such as Empire, Cobalt Strike, and Mimikatz, as well as tailored rootkits, PowerShell, BAT, and HTA files. Prodaft says that SilverFish attackers tend to follow particular behavioral patterns while enumerating domains, including running commands to list domain controllers and trusted domains, as well as displaying stored credentials and admin user accounts. Scripts are then launched for post-exploit reconnaissance and data theft activities. Hacked, legitimate domains are sometimes used to reroute traffic to the C2.

    However, perhaps the most interesting tactic observed is the use of existing enterprise victims as a sandbox. “The SilverFish group has designed an unprecedented malware detection sandbox formed by actual enterprise victims which enables the adversaries to test their malicious payloads on victim servers with different enterprise AV and EDR solutions, further expanding the high success rate of the SilverFish group attacks,” the company says.

    The C2 panel also revealed some interesting hints about how SilverFish operates. Panels are set for “Active teams” and appear to account for multiple groups such as Team 301, 302, 303, and 304, with both English and Russian used to write comments on victim records. Work hours appear to stay within 8 am – 8 pm UTC, with far less activity taking place on weekends. Attacker teams seem to cycle every day or so between victims, and whenever a new target is snared, the server is assigned to a particular working group for examination.

    A ‘test run’ of the SolarWinds Orion compromise was conducted in 2019, whereas Sunburst malware was deployed to clients between March and June 2020. SilverFish-SolarWinds attacks began at the end of August 2020 and were conducted in three waves that only ended with the seizure and sinkhole of a key domain. However, the team expects other spying and data theft-related attacks to continue throughout 2021.

    SilverFish infrastructure has also revealed links to multiple IoCs previously attributed to TrickBot, EvilCorp, WastedLocker, and DarkHydrus. Prodaft cautions that “security analysts should not fully-automize their threat intelligence protocols [..] as acting strictly upon IoC intelligence from third-party resources may be one of the main reasons that prevent researchers from realizing the actual scope of large-scale APT attacks.”

    “SilverFish are still using relevant machines for lateral movement stages of their campaigns,” the company added. “Unfortunately, despite being large critical infrastructure, most of their targets are unaware of the SilverFish group’s presence on their networks.”

    As a “very sensitive matter,” Prodaft told ZDNet that victims were not contacted directly. However, the firm’s findings have been shared “with all responsible CERTs, and different law enforcement agencies; so that they can get in touch with the victims as the authorized body and share their findings.”

  • FBI: Phishing emails are spreading this sophisticated malware

    A new spear-phishing campaign is attempting to infect PCs with Trickbot, one of the most prevalent and potent forms of malware around today, a joint advisory from the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) has warned.

    Trickbot started life as a banking trojan but has become one of the most powerful tools available to cyber criminals, who are able to lease out access to infected machines in order to deliver their own malware – including ransomware. Now its authors are using a new tactic to attempt to deliver it to victims, warns the joint FBI and CISA alert – phishing emails which claim to contain proof of a traffic violation. The hope is that people are scared into opening the email to find out more.

    The malicious email contains a link which sends users to a website, hosted on a server compromised by the attackers, which tells the victim to click on a photo to see proof. When they click the photo, they actually download a JavaScript file which, when opened, connects to a command and control server which will download Trickbot onto their system.

    Trickbot creates a backdoor onto Windows machines, allowing the attackers to steal sensitive information including login credentials, while some versions of Trickbot are capable of spreading across entire networks. The modular nature of Trickbot means it’s highly customisable, with additional attacks by the malware known to include dropping further malware – such as Ryuk or Conti ransomware – or, until recently, serving as a downloader for Emotet malware. Trickbot is also able to exploit infected machines for cryptomining.

    A coalition of cybersecurity companies attempted to disrupt Trickbot in October last year, but the malware didn’t stay quiet for long, with its cyber criminal authors quickly able to resume their operations.

    “The takedown efforts in October were unlikely to permanently disrupt or disable this very capable commodity malware that has been active on the threat landscape at scale for years. It has a strong infrastructure and the ability to continue operating,” Sherrod DeGrippo, senior director of threat research and detection at Proofpoint, told ZDNet. ”To completely remove Trickbot from the landscape would be extremely difficult and likely require a coordinated international law enforcement effort like we saw with Emotet. In fact, after the actions of October 2020, we saw Trickbot campaigns resume within weeks, and it has been active continually since,” she added.

    Trickbot remains a powerful tool for cyber criminals and a clear danger for enterprises and organisations of all sizes – but there are measures recommended by CISA and the FBI which can be taken in order to help protect networks from the malware. Providing social engineering and phishing email training to employees can help them to avoid threats by being wary of certain types of messages. Organisations should also be implementing a proper cybersecurity programme with a formalised security patch management process so that attackers can’t exploit known vulnerabilities to gain a foothold on the network. It’s also recommended that multi-factor authentication is applied across the enterprise, so that malware which steals login credentials to move across the network can’t do so as easily.

  • Google Cloud: Here are the six 'best' vulnerabilities security researchers found last year

    Google has announced the winners of its $313,337 2020 Google Cloud Platform (GCP) bug bounty prize, which was split among just six security researchers. This was the second year Google has run the GCP vulnerability reward program and offered six researchers a share of $313,337, or triple the $100,000 pool it created for the 2019 program. The prizes go to researchers who’ve submitted reports on exceptional security flaws in GCP. So this isn’t a reward for a bug bounty, but an additional prize and recognition for submissions to Google’s vulnerability reward program.

    The first prize of an impressive $133,337 in the 2020 GCP program went to Ezequiel Pereira, a Uruguayan university student and security enthusiast, who found a remote code execution (RCE) flaw in the Google Cloud Deployment Manager. Google paid the $133,337 prize to Pereira on top of a $31,337 reward for the original report he submitted last year, meaning he’s landed $164,674 for this one report.

    “The bug discovered by Ezequiel allowed him to make requests to internal Google services, authenticated as a privileged service account,” writes Harshvardhan Sharma, an information security engineer at Google. It is a server-side request forgery (SSRF) attack.

    Pereira started exploring Deployment Manager API methods by enabling it on the Google Cloud Console. From there he went to the metrics page of the console and looked at the Filters section to view a list called Methods, where he found two documented API versions called “v2” and “v2beta”, and also two undocumented API versions called “alpha” and “dogfood”. The “dogfood” API piqued his interest because he knew Google uses the term “dogfooding” for its own teams using their software products internally before releasing them to the public.

    The second prize of $73,331 went to David Nechuta for another SSRF bug in Google Cloud Monitoring that could be used to leak the authentication of the service account used for the service’s uptime check feature. The prize is on top of $31,000 he received for the original report.

    The third prize of $73,331 was awarded to Dylan Ayrey and Allison Donovan for the report and write-up Fixing a Google Vulnerability. They pointed out issues in the default permissions associated with some of the service accounts used by GCP services.

    Other recipients included Bastien Chatelard for his report and write-up Escaping GKE gVisor sandboxing using metadata; Brad Geesaman for his report and write-up CVE-2020-15157 “ContainerDrip” Write-up; and Chris Moberly for the report and write-up Privilege Escalation in Google Cloud Platform’s OS Login.

  • Facebook expands support for security keys to iOS and Android

    Facebook is finally expanding its support of physical security keys to mobile devices, the company announced Thursday. Facebook has supported security keys on desktop since 2017 and will now enable iOS and Android users to log in to their account via the physical key.

    A security key is a device that generates an encrypted, one-time security code for use in two-factor authentication (2FA) systems. Modern security keys support a variety of hardware formats, such as USB-A and USB-C, Lightning for iPhone users, and even Bluetooth.

    In most cases, security codes for 2FA are sent to a user’s phone via text-based SMS message. But security keys go the route of hardware-based authentication, requiring an actual physical device that’s inserted into a device as a second form of identification. Security keys are thought to be more effective at preventing phishing attacks and data breaches than 2FA via SMS, because even if someone’s credentials are compromised, account login is impossible without that physical key.

    In addition to expanding support for security keys to mobile, Facebook said it also plans to expand its Facebook Protect program availability globally and add more groups outside of political campaigns and candidates in the coming year. The social media giant launched Facebook Protect in 2019 in the US. Facebook doesn’t manufacture its own security keys but is encouraging users to purchase them directly from vendors.

    “Since 2017, we’ve encouraged people that are at high risk of being targeted by malicious hackers: politicians, public figures, journalists and human rights defenders,” Facebook said in a blog post. “We strongly recommend that everyone considers using physical security keys to increase the security of their accounts, no matter what device they use.”