More stories


    This years-old Microsoft Office vulnerability is still popular with hackers, so patch now

    A years-old security vulnerability in Microsoft Office is still the flaw most frequently exploited by cyber criminals as a means of delivering malware to victims. Analysis of cyberattacks between October and December 2020 by cybersecurity researchers at HP shows that one exploit accounts for almost three-quarters of all campaigns that attempt to take advantage of known vulnerabilities.


    The exploit is CVE-2017-11882, a memory corruption vulnerability in Microsoft Office’s Equation Editor (EQNEDT32.EXE), which was first disclosed and patched in November 2017. When exploited successfully it allows attackers to execute arbitrary code on a vulnerable machine as soon as the victim opens the malicious document, usually sent via a phishing email, giving them an avenue for dropping malware.

    But despite a security update having been available for over three years, it is still the exploit most frequently used by cyber criminals to deliver malware via malicious Microsoft Office documents.

    “The enduring popularity of Equation Editor exploits such as CVE-2017-11882 may be due to home users and businesses not updating to newer, patched versions of Office. We commonly see this vulnerability being exploited by attackers who distribute easily-obtainable [remote access trojans],” Alex Holland, senior malware analyst at HP Inc, told ZDNet.

    The use of CVE-2017-11882 has dropped compared to the previous quarter, when it accounted for 87% of exploits used, but another vulnerability is gaining popularity, more than doubling in use in just the space of a few months.

    CVE-2017-0199 is a remote code execution vulnerability in Microsoft Office’s handling of embedded OLE objects, which first came to light in 2017. It allows attackers to download and execute remote content, such as an HTA file or a PowerShell script, on the victim’s machine, providing them with additional access. Analysis of attacks by HP found that 22% of campaigns attempting to take advantage of unpatched vulnerabilities used CVE-2017-0199 during the final three months of 2020, something that could have been prevented if security teams had patched against it when the update was released in 2017.

    Email remains the key method cyber criminals use to distribute malicious attachments in order to deliver malware, but there has been a slight change in the exact method of delivery.

    Before the final quarter of 2020, malicious documents accounted for just over half of the files used to distribute exploits, but that dropped to just under a third. Meanwhile, the use of Excel spreadsheets as a means of distributing exploits doubled in that period, rising from one in ten instances detected to almost one in five.

    “Excel appeals to attackers because it supports a legacy macro technology called Excel 4.0 or XLM. These older macros have proven more difficult to detect than their Visual Basic for Application counterparts because security tools struggle to parse them,” said Holland.

    But no matter the type of file that cyber attackers are attempting to use to distribute malware, there’s a simple thing organisations can do to protect themselves from falling victim: apply the relevant security patches, especially if the updates have been available for many years already.
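    Both delivery mechanisms above, an embedded Equation Editor object in a Word file and an Excel 4.0 (XLM) macro sheet in a workbook, leave recognisable traces in the OOXML container that a triage script can pick up without rendering the document. The following is an added example written for this page, not HP's tooling or a tool named in the article. It assumes the standard OOXML layout (macro sheets under `xl/macrosheets/`, sheet state and defined names in `xl/workbook.xml`, `<o:OLEObject ProgID="Equation.3">` for Equation Editor 3.0 objects in `word/document.xml`); the three sample files are constructed in memory and contain only the parts the scanner reads.

```python
"""Triage an OOXML (Office 2007+) file for two delivery mechanisms discussed
above: embedded Equation Editor objects (the CVE-2017-11882 vector) and
Excel 4.0 / XLM macro sheets.  Added example, not HP's tooling; the sample
files below are constructed in memory rather than taken from real malware."""
import io
import re
import zipfile

# Matched on raw XML text rather than with a parser: Office tolerates parts
# that a strict XML parser rejects, and triage should not abort on them.
TAG_RE = re.compile(r"<(?:sheet|definedName|o:OLEObject)\b[^>]*>")
ATTR_RE = re.compile(r'([\w:]+)="([^"]*)"')

# Defined names Excel runs automatically (stored as "_xlnm.Auto_Open" etc.).
AUTO_EXEC = ("auto_open", "auto_close", "auto_activate", "auto_deactivate")


def _attrs(tag: str) -> dict:
    return dict(ATTR_RE.findall(tag))


def scan_ooxml(data: bytes) -> dict:
    """Return the indicators found in one .docx/.docm/.xlsx/.xlsm container."""
    found = {"macrosheets": [], "hidden_sheets": [], "auto_exec_names": [],
             "ole_progids": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        # XLM macro sheets live under xl/macrosheets/ in the OOXML layout.
        found["macrosheets"] = [n for n in names if n.startswith("xl/macrosheets/")]
        for part in names:
            if not (part.endswith(".xml") or part.endswith(".rels")):
                continue
            text = zf.read(part).decode("utf-8", "replace")
            for tag in TAG_RE.findall(text):
                a = _attrs(tag)
                if tag.startswith("<sheet"):
                    # "hidden" can be undone from the Excel UI; "veryHidden"
                    # only through VBA or the object model.
                    if a.get("state") in ("hidden", "veryHidden"):
                        found["hidden_sheets"].append((a.get("name"), a["state"]))
                elif tag.startswith("<definedName"):
                    name = a.get("name", "")
                    if name.lower().rsplit(".", 1)[-1] in AUTO_EXEC:
                        found["auto_exec_names"].append(name)
                elif a.get("ProgID"):
                    # <o:OLEObject ProgID="Equation.3" .../> marks an embedded
                    # Equation Editor 3.0 object in a Word document.
                    found["ole_progids"].append(a["ProgID"])
    return found


def verdict(found: dict) -> list:
    """Reasons to treat the file as suspicious; an empty list means none seen."""
    reasons = []
    if found["macrosheets"]:
        reasons.append("Excel 4.0 macro sheet(s): " + ", ".join(found["macrosheets"]))
    if found["auto_exec_names"]:
        reasons.append("auto-executing name(s): " + ", ".join(found["auto_exec_names"]))
    if found["macrosheets"] and found["hidden_sheets"]:
        hidden = ", ".join(f"{n} ({s})" for n, s in found["hidden_sheets"])
        reasons.append("macro workbook hides sheet(s): " + hidden)
    if any(p.startswith("Equation") for p in found["ole_progids"]):
        reasons.append("embedded Equation Editor object (CVE-2017-11882 vector)")
    return reasons


def build_sample(parts: dict) -> bytes:
    """Assemble a minimal OOXML zip from {part name: body} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in parts.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: an XLM-bearing workbook, a Word file with an Equation
# Editor object, and a benign workbook.  Only the parts the scanner reads are
# included; Office itself would also need [Content_Types].xml and .rels parts.
XLM_SAMPLE = build_sample({
    "xl/workbook.xml":
        '<workbook><sheets>'
        '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
        '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
        '</sheets><definedNames>'
        '<definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName>'
        '</definedNames></workbook>',
    "xl/worksheets/sheet1.xml": "<worksheet><sheetData/></worksheet>",
    "xl/macrosheets/sheet1.xml": "<xm:macrosheet><sheetData/></xm:macrosheet>",
})
EQN_SAMPLE = build_sample({
    "word/document.xml":
        '<w:document><w:body><w:p><w:r><w:object>'
        '<o:OLEObject Type="Embed" ProgID="Equation.3" r:id="rId5"/>'
        '</w:object></w:r></w:p></w:body></w:document>',
    "word/embeddings/oleObject1.bin": b"\x00" * 16,
})
CLEAN_SAMPLE = build_sample({
    "xl/workbook.xml": '<workbook><sheets><sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
                       '</sheets></workbook>',
    "xl/worksheets/sheet1.xml": "<worksheet><sheetData/></worksheet>",
})

if __name__ == "__main__":
    for label, blob in (("xlm", XLM_SAMPLE), ("equation", EQN_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(label, verdict(scan_ooxml(blob)) or ["no indicators"])
```

    Two caveats for real use: legacy binary formats (.xls, .doc, RTF) are not zip containers and need an OLE/BIFF-aware parser such as oletools' olevba, which does understand XLM; and a hit here is a reason to detonate or block, not proof of exploitation, since Equation objects and macro sheets also occur in legitimate documents.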


    SEC charges US trader for allegedly abusing Twitter to pump cannabis penny stock prices

    The US Securities and Exchange Commission (SEC) has charged a Californian trader for allegedly using Twitter to hype up stocks before dumping them for a profit. 

    The charges, unsealed on Monday and filed in federal court in the Central District of California on March 2, accuse Andrew Fassari of fraud through the spread of “false and misleading” information.
    The SEC has also obtained an emergency asset freeze and other emergency relief. 
    According to the SEC, Fassari, posting under the Twitter handle @OCMillionaire, used the platform to spread allegedly false tips relating to the stock of a company, Arcis Resources Corporation (ARCS). 
    The Twitter handle is followed by roughly 13,000 users and was active as of March 8, 2021. 
    SEC’s complaint says that on December 9, Fassari began purchasing over 41 million shares in the Nevada company before touting the stock on Twitter. 
    Among the claims, documented in over 120 messages referencing $ARCS, was the expansion of operations, a CEO that had “big plans” for the company, exciting news was on its way, and the idea that investment could be a “life-changer.”

    The US regulator alleges that while the share price rocketed by over 4000%, Fassari then sold his stake and secured profits of over $929,000.
    On December 19, Fassari posted a screenshot to Twitter claiming that he had sold for a massive loss. The message read:

    “$ARCS / Sold for a huge loss. I don’t care what anyone says about me. I back up what I say. I take my losses like a man. I don’t blame anyone for this. Everyone received the emails and saw their Twitter. This was either [a] calculated pump or a CEO who did things in the wrong order.”

    However, some Twitter followers have questioned the authenticity of the trading screenshot.
    On March 2, the SEC issued a temporary trading ban on ARCS securities.
    “We allege that Fassari profited by using social media to deceive investors,” commented Melissa Hodgman, Acting Director of SEC’s Division of Enforcement. “The SEC is committed to protecting investors by proactively monitoring suspicious trading activity tied to social media, and by charging those who use social media to violate the federal securities laws.”
    The regulator is seeking a permanent injunction, disgorgement, prejudgement interest, and a civil penalty under charges of violating the antifraud provisions of federal securities law. 
    Speaking to Reuters, a lawyer acting on Fassari’s behalf said, “it appears Mr. Fassari has been hit with fallout from the GameStop, Robinhood, Reddit controversy.”
    Around the time when GameStop (GME) shares skyrocketed and some retail investors jumped on so-called ‘meme’ stocks, SEC issued an advisory warning of the risks associated with stock trades pumped on social media. 
    SEC acknowledged that many may jump on stock options discussed across social media platforms, news aggregators, research websites, and forums, but cautioned that “following the crowd may lead to significant investment losses.”
    In March, SEC charged a number of individuals allegedly involved in an Airborne Wireless Network pump-and-dump stock scheme. The agency claims that the publicly-traded firm’s controlling parties were concealed and cash was spent on hyping the stock, only for major holders to dump their stakes — defrauding other investors out of $45 million. 
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0


    Microsoft releases one-click mitigation tool for Exchange Server hacks

    Microsoft has released a one-click mitigation tool as a stop-gap for IT admins who still need to apply security patches to protect their Exchange servers. 

    Released on Monday, the tool is designed to mitigate the threat posed by four actively-exploited vulnerabilities that have collectively caused havoc for organizations worldwide. 
    Microsoft released emergency fixes for the critical vulnerabilities on March 2. However, the company estimates that at least 82,000 internet-facing servers are still unpatched and vulnerable to attack. 
    The company previously released a script on GitHub that administrators could run in order to see if their servers contained indicators of compromise (IOCs) linked to the vulnerabilities. In addition, Microsoft released security updates for out-of-support versions of Exchange Server.
    However, after working with clients and partners, Microsoft says there is a need for “a simple, easy to use, automated solution that would meet the needs of customers using both current and out-of-support versions of on-premises Exchange Server.”
    The Microsoft Exchange On-Premises Mitigation Tool has been designed to help customers that might not have security or IT staff on hand to help and has been tested across Exchange Server 2013, 2016, and 2019. 

    It is important to note the tool is not an alternative to patching but should be considered a means to mitigate the risk of exploit until the update has been applied — which should be completed as quickly as possible.  
    The tool can be run on existing Exchange servers and includes Microsoft Safety Scanner as well as a URL rewrite mitigation for CVE-2021-26855, the server-side request forgery flaw that opens the exploit chain; chained with the other three bugs it leads to remote code execution (RCE). 
    “This tool is not a replacement for the Exchange security update but is the fastest and easiest way to mitigate the highest risks to internet-connected, on-premises Exchange Servers prior to patching,” Microsoft says. 
    In related news this week, Microsoft reportedly began investigating the potential leak of Proof-of-Concept (PoC) attack code supplied privately to cybersecurity partners and vendors ahead of the zero-day public patch release. The company says that no conclusions have yet been drawn over attack spikes related to the vulnerabilities. 


    Labor accuses Services Australia of breaching privacy as Cashless Debit Card hits the NT

    Services Australia on Friday sent an email to over 600 Northern Territory businesses, informing them of the introduction of the divisive Cashless Debit Card (CDC) scheme in the territory from Wednesday.
    The email, however, was sent with recipient email addresses exposed.
    “This email was sent as a Carbon Copy (CC) rather than a Blind Carbon Copy (BCC) as intended. We apologise to these businesses for this human error,” a Services Australia spokesperson told ZDNet.
    “The issue was identified quickly and soon after the emails were recalled, with unread copies deleted as a result. A new email was then correctly re-issued with all recipients BCC’d.”
    Senator for the Northern Territory Malarndirri McCarthy called the incident a breach of privacy. The Services Australia spokesperson said the email was generic in nature and included no personal information.
    “We take our role of protecting the personal information of Australians extremely seriously. We do not send personal details to bulk email addresses. The topic of this stakeholder correspondence was only general information,” they continued.
    “We are presently reviewing the situation and we’ll take appropriate steps to prevent this happening again. This will include feedback and training for staff and liaison with the Office of the Australian Information Commissioner as may be required.”

    The CDC will start rolling out from Wednesday in the NT and Cape York. There are currently over 23,000 Territorians on the Basics Card, and for them the transition to the more bank-card-like solution is voluntary. In Cape York, the CDC will replace the Basics Card.
    The CDC aims to govern how those in receipt of welfare spend their money, with the idea being to both prevent the sale of alcohol, cigarettes, and some gift cards, and block the funds from being used on activities such as gambling.
    Participants of the CDC have 80% of their funds placed on card, which is managed by Indue, with the remaining 20% to be paid into a bank account.
    The Bill that allows trials of the card to go on for another two years across Bundaberg and Hervey Bay, the East Kimberley, Ceduna, and Goldfields regions and have it enter the Northern Territory and Cape York, affecting mostly Indigenous Australians, passed the Senate in December.
    McCarthy, alongside her fellow Labor Party members, believes there is no evidence that compulsory, broad-based income management actually works.
    Similarly, Greens Senator Rachel Siewert previously called the CDC a “discriminatory, racist, punitive approach to income support”.
    “It’s not good enough that there’s been a data breach and it’s not good enough if there’s not been any information provided to people in the Territory,” McCarthy said on Monday.
    “We have over 23,000 Territorians who are on the Basics Card and they will need to know what the Cashless Debit Card means. And there are other Territorians who could very well be on the Cashless Debit Card before the end of the year.”


    Microsoft, AMD partner on confidential computing features powered by AMD Epyc 7003 processors

    Microsoft has been providing confidential computing capabilities in Azure for several years. The main benefit is keeping data encrypted while it is in use, which is especially important to customers in the finance, government, health care and communications verticals. To date, most, if not all, of Microsoft’s confidential computing work has centred on Intel hardware. But that’s about to change.

    On March 15, Microsoft announced it would be extending its confidential computing options in partnership with AMD, the same day AMD took the wraps off its newest Epyc chip.

    Microsoft announced today it would become the first major cloud provider to offer confidential virtual machines on the newly announced AMD Epyc 7003 series processors. Key to that work is the security feature called Secure Encrypted Virtualization-Secure Nested Paging (SEV-SNP), which protects VMs by creating a hardware-enforced trusted execution environment and which will be “substantially enhanced” in the third-generation AMD Epyc processor, Microsoft’s blog post says.

    In other AMD Epyc news today, Microsoft also announced availability plans for AMD Epyc 7003-powered Azure virtual machines, which will be optimised for high-performance-computing (HPC) workloads.


    Old Linux storage bugs, new security patches

    One of the good things about Linux is that it supports so much old hardware. With just a bit of work, there’s almost no computing hardware that can’t run Linux. That’s the good news. The bad news is that sometimes ancient security holes can be found within old code. That’s the case with the iSCSI transport code (scsi_transport_iscsi and libiscsi) in the Linux kernel’s Small Computer System Interface (SCSI) subsystem.

    A trio of security holes, CVE-2021-27365, CVE-2021-27363 and CVE-2021-27364, was found by researchers at security company GRIMM in an almost forgotten corner of the mainline Linux kernel. Two of them carry Common Vulnerability Scoring System (CVSS) scores above 7, which is high. While you may not have had a SCSI or iSCSI drive in ages, these bugs have sat in the kernel for some 15 years. One of them can be used in a Local Privilege Escalation (LPE) attack. In other words, a normal user could use it to become the root user.
    Don’t let the word “local” fool you. As Adam Nichols, Principal of Software Security at GRIMM, said: “These issues make the impact of any remotely exploitable vulnerability more severe. Enterprises running publicly facing servers would be at the most risk.”
    True, the vulnerable iSCSI code isn’t loaded by default on most desktop distros. But it’s a different story on Linux servers. If your server needs RDMA (Remote Direct Memory Access), a high-throughput, low-latency networking technology, it will typically have the rdma-core package installed, and on such systems the kernel modules that carry the vulnerable iSCSI transport code can be loaded on demand, even at the request of an unprivileged user. 
    Whoops!
    Exploiting the holes isn’t easy, but GRIMM has released a proof-of-concept exploit showing how to exploit two of the vulnerabilities. Now that the way has been shown, you can count on attackers giving it a try. 
    In particular, CentOS 8, Red Hat Enterprise Linux (RHEL) 8 and Fedora systems, where unprivileged users can trigger loading of the required modules if the rdma-core package is installed, are vulnerable. SUSE Linux Enterprise Server (SLES) can also be attacked, as can Ubuntu 18.04 and earlier. And, of course, if you’re actually using iSCSI storage the code is already loaded and you can be attacked.

    Fortunately, these bugs have already been patched upstream and in the affected distributions. So, unless you like taking chances with your Linux servers, I’d advise you to patch as soon as possible; on servers that don’t need iSCSI, preventing the modules from loading in the meantime closes the unprivileged-autoload path.
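    The practical question for an admin reading the above is whether the vulnerable code is loaded on a given server, and if not, whether the on-demand loading path the article describes is blocked. The following is an added example written for this page, not GRIMM’s tooling. It assumes the standard `/proc/modules` row format and the `install <module> /bin/false` idiom in `/etc/modprobe.d`; the inputs in the test data are constructed. It does not tell you whether the running kernel is patched, which still needs your distribution’s advisory or a kernel upgrade.

```python
"""Check a host's exposure to the iSCSI transport bugs above
(CVE-2021-27363/27364/27365): is the affected code loaded, and if not, is its
on-demand loading blocked?  Added example, not GRIMM's tooling; the sample
inputs in the test data are constructed.  It does not tell you whether the
kernel is patched: that still needs the distribution's advisory or an upgrade."""
import glob
import re

# scsi_transport_iscsi and libiscsi carry the vulnerable code; ib_iser is the
# RDMA-side iSCSI initiator that pulls them in on rdma-core systems.
ISCSI_MODULES = ("scsi_transport_iscsi", "libiscsi", "ib_iser")

# Only an "install <module> /bin/false" (or /bin/true) line defeats the kernel's
# request_module() path; a plain "blacklist" line only suppresses alias-based
# autoloading, so it is deliberately not counted as a mitigation here.
INSTALL_BLOCK_RE = re.compile(r"^\s*install\s+(\S+)\s+(?:/usr)?/bin/(?:false|true)\s*$")


def loaded_modules(proc_modules_text: str) -> set:
    """/proc/modules rows look like '<name> <size> <refcnt> <users> <state> <addr>'."""
    return {line.split()[0] for line in proc_modules_text.splitlines() if line.strip()}


def blocked_modules(modprobe_conf_text: str) -> set:
    """Modules whose loading is blocked by an 'install ... /bin/false' line."""
    blocked = set()
    for line in modprobe_conf_text.splitlines():
        m = INSTALL_BLOCK_RE.match(line)
        if m:
            blocked.add(m.group(1).replace("-", "_"))  # modprobe treats - and _ alike
    return blocked


def assess(proc_modules_text: str, modprobe_conf_text: str) -> dict:
    """Classify the host from the two text inputs (pure function, easy to test)."""
    loaded = sorted(set(ISCSI_MODULES) & loaded_modules(proc_modules_text))
    blocked = sorted(set(ISCSI_MODULES) & blocked_modules(modprobe_conf_text))
    if loaded:
        status = "vulnerable_code_loaded"
    elif "scsi_transport_iscsi" in blocked:
        # libiscsi and ib_iser depend on scsi_transport_iscsi, so blocking it
        # is enough to stop the whole stack from loading.
        status = "autoload_blocked"
    else:
        status = "autoload_possible"  # the rdma-core case the article describes
    return {"loaded": loaded, "blocked": blocked, "status": status}


def assess_host() -> dict:
    """Read the live /proc/modules and every /etc/modprobe.d/*.conf."""
    with open("/proc/modules") as f:
        proc_modules = f.read()
    conf = ""
    for path in sorted(glob.glob("/etc/modprobe.d/*.conf")):
        with open(path) as f:
            conf += f.read() + "\n"
    return assess(proc_modules, conf)


if __name__ == "__main__":
    print(assess_host())
```

    A result of `autoload_possible` on a server with rdma-core installed is the exposure the article warns about; `vulnerable_code_loaded` on an iSCSI host means only the kernel update helps, since the storage stack cannot be unloaded.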


    Microsoft Exchange Server zero-day attacks: Malicious software found on 2,300 machines in the UK

    Any organisations which have yet to apply the critical updates to secure zero-day vulnerabilities in Microsoft Exchange Server are being urged to do so immediately to prevent what’s described as an ‘increasing range’ of hacking groups attempting to exploit unpatched networks.


    An alert from the UK’s National Cyber Security Centre (NCSC) warns that all organisations using affected versions of Microsoft Exchange Server should apply the latest updates as a matter of urgency, in order to protect their networks from cyber attacks including ransomware.
    The NCSC says it believes that over 3,000 Microsoft Exchange email servers used by organisations in the UK haven’t had the critical security patches applied, so remain at risk from cyber attackers looking to take advantage of the vulnerabilities. 
    If organisations can’t install the updates, the NCSC recommends blocking untrusted connections to the Exchange server’s port 443 and configuring Exchange so that it can only be reached remotely via a VPN.
    It’s also recommended that all organisations which are using an affected version of Microsoft Exchange should proactively search their systems for signs of compromise, in case attackers have been able to exploit the vulnerabilities before the updates were installed.
    That’s because installing the update after being compromised will not automatically remove access for any cyber attackers who have already gained it. NCSC officials said they’ve helped detect and remove malware related to the attack from more than 2,300 machines at businesses in the UK. 

    “We are working closely with industry and international partners to understand the scale and impact of UK exposure, but it is vital that all organisations take immediate steps to protect their networks,” said Paul Chichester, director for operations at the NCSC.
    “Whilst this work is ongoing, the most important action is to install the latest Microsoft updates,” he added.
    Microsoft first became aware of the Exchange vulnerabilities in January and issued patches to tackle them on March 2, with organisations told to apply them as soon as possible.
    It’s thought that tens of thousands of organisations around the world have had their email servers compromised by the cyber attacks targeting Microsoft Exchange, potentially putting large amounts of sensitive information into the hands of hackers.
    Cybersecurity researchers at Microsoft have attributed the campaign to a state-sponsored advanced persistent threat (APT) hacking group working out of China, dubbed Hafnium.
    Since the emergence of the vulnerabilities, a number of state-sponsored and cyber criminal hacking groups have also rushed to target Microsoft Exchange servers in order to gain access before patches are applied.
    Cyber criminals have even distributed a new form of ransomware – known as DearCry – designed specifically to target vulnerable Exchange servers, something which could cause a major problem for organisations which haven’t applied the latest Exchange security updates.
    “Organisations should also be alive to the threat of ransomware and familiarise themselves with our guidance. Any incidents affecting UK organisations should be reported to the NCSC,” said Chichester.
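    The NCSC advice above, and the IOC script mentioned in the earlier Exchange story, both come down to the same hunt: the CVE-2021-26855 SSRF leaves a distinctive signature in Exchange’s HttpProxy logs, where the AnchorMailbox field matches `ServerInfo~*/*` or the BackEndCookie field matches `Server~*/*~*` (the wildcards Microsoft published in its detection guidance). The following is an added example written for this page, not Microsoft’s script. It assumes the logs’ `#Fields:` header convention and the column names from that guidance; the log excerpt is constructed, with documentation-range IPs.

```python
"""Hunt Exchange HttpProxy logs for the CVE-2021-26855 (ProxyLogon SSRF)
indicators Microsoft published alongside its IOC script.  Added example, not
Microsoft's script; the log excerpt below is constructed for illustration."""
import csv
import fnmatch

# Wildcards from Microsoft's guidance.  fnmatchcase gives the same *, ? and []
# semantics as the PowerShell -like operator the guidance was written for.
SUSPICIOUS = {
    "AnchorMailbox": ("ServerInfo~*/*",),
    "BackEndCookie": ("Server~*/*~*",),
}


def parse_httpproxy_log(text: str) -> list:
    """Parse the CSV body of an HttpProxy log.  These logs begin with
    '#'-prefixed metadata lines, one of which ('#Fields:') names the columns;
    a bare CSV header line is accepted as well (assumption for this example)."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = [c.strip() for c in line[len("#Fields:"):].split(",")]
            continue
        values = next(csv.reader([line]))
        if fields is None:
            fields = values
            continue
        rows.append(dict(zip(fields, values)))
    return rows


def find_proxylogon_hits(rows: list) -> list:
    """Rows whose AnchorMailbox or BackEndCookie matches a pattern, reduced to
    the fields an analyst pivots on (time, source IP, URL, what matched)."""
    hits = []
    for row in rows:
        for column, patterns in SUSPICIOUS.items():
            value = row.get(column, "")
            if any(fnmatch.fnmatchcase(value, p) for p in patterns):
                hits.append({
                    "DateTime": row.get("DateTime", ""),
                    "ClientIpAddress": row.get("ClientIpAddress", ""),
                    "UrlStem": row.get("UrlStem", ""),
                    "matched_column": column,
                    "value": value,
                })
                break
    return hits


# Constructed excerpt: two rows shaped like exploitation attempts (one via each
# field) and one ordinary OWA request keyed by a user SID.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Fields: DateTime,RequestId,ClientIpAddress,UrlStem,AnchorMailbox,BackEndCookie,HttpStatus
2021-03-03T10:12:01.000Z,1,203.0.113.5,/owa/auth/x.js,ServerInfo~a]@exchange.example.test:444/autodiscover/autodiscover.xml,,200
2021-03-03T10:12:09.000Z,2,198.51.100.7,/ecp/y.js,,Server~exchange.example.test/ecp/DDI/DDIService.svc~1942062522,200
2021-03-03T10:13:00.000Z,3,192.0.2.10,/owa/,Sid~S-1-5-21-1-2-3-1105,,200
"""

if __name__ == "__main__":
    for hit in find_proxylogon_hits(parse_httpproxy_log(SAMPLE_LOG)):
        print(hit)
```

    On a real server the logs live under the Exchange install directory in `Logging\HttpProxy` (one sub-folder per protocol, such as Autodiscover, Ecp and Owa); concatenate each file’s text into `parse_httpproxy_log`. A hit means an attacker reached the back end before the patch, so, as the NCSC says, patching alone is not enough: treat it as an incident and look for the web shells and account changes that typically follow.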


    Google fails to quash Incognito mode user tracking, privacy lawsuit

    Google has failed to have a proposed class-action lawsuit quashed that alleges the company violated user privacy by collecting data in Incognito browser modes. 

    The lawsuit, originally filed in June 2020, claims that Google tracks and collects consumer browsing history, among other activities, even when Chrome’s Incognito or other privacy-based browser sessions are in use. 
    Filed in the US District Court for the Northern District of California, the class-action complaint alleges that when an individual visits a web page that loads Google services, such as plug-ins, Google Analytics and Google Ad Manager, data is collected no matter the browser mode. 
    The lawsuit says that Google is “intercepting, tracking, and collecting communications” and harvesting the data of users without obtaining consent, as noted by sister site CNET.
    In total, the class-action lawsuit is seeking $5 billion from Google and parent company Alphabet. 
    While Google sought to have the lawsuit shut down, presiding US District Judge Lucy Koh dismissed the request on Friday, saying that the tech giant “did not notify users that Google engages in the alleged data collection while the user is in private browsing mode” in her ruling, as reported by Bloomberg.  
    In a statement, a Google spokesperson said the company “strongly dispute[s] these claims” and will “defend ourselves vigorously against them.”

    “As we clearly state each time you open a new Incognito tab, websites might be able to collect information about your browsing activity during your session,” the spokesperson added, referring to the notice Chrome displays whenever a new Incognito window is opened.

    In October, Google became the target of an antitrust lawsuit filed by the US Department of Justice (DoJ). The US agency claims that Google holds an “illegal” monopoly over online search services and advertising, and further accused the firm of “exclusionary practices that are harmful to competition.”