More stories

    Hafnium’s China Chopper: a ‘slick’ and tiny web shell for creating server backdoors

    Researchers have provided insight into China Chopper, a web shell used by the state-sponsored Hafnium hacking group.

    Hafnium is a group of cyberattackers originating from China. The collective recently came into the spotlight due to Microsoft linking them to recent attacks exploiting four zero-day vulnerabilities — CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065 — in Microsoft Exchange Server.
    Microsoft says that Hafnium tends to strike targets in the United States, focusing on industries including defense, research, law, and higher education. While believed to be based in China, the group uses leased virtual private servers (VPS) in the US.
    Due to the renewed interest in Hafnium, on Monday, Trustwave published an analysis of one of the group’s tools, China Chopper, which is a web shell widely used for post-exploitation activities. 
    The web shell has been detected in Exchange Server-related attacks alongside DearCry ransomware deployment.
    China Chopper is not new and has been in the wild for at least a decade. The tiny web shell, coming in at only four kilobytes, contains two key components: a web shell command-and-control (C2) client binary and a text-based web shell payload, which is the server component.
    “The text-based payload is so simple and short that an attacker could type it by hand right on the target server — no file transfer needed,” the team notes.

    FireEye calls the tool a “slick little web shell that does not get enough exposure and credit for its stealth.”
    There are different variants of China Chopper in the wild that are written in different languages — such as ASP, ASPX, PHP, JSP, and CFM — but they all have similar functions. The Active Server Page Extended (ASPX) variety, once dropped on a server that has already been compromised (via an exploit, for example), is typically no more than one line of code.
    Red Canary notes that the .aspx web shell names are generally made up of eight random characters. 
    Upon examination of a China Chopper sample, Trustwave describes how, when an HTTP POST request is made, the script calls the “eval” function to execute the string held in a POST request variable.
    “The POST request variable is named ‘secret,’ meaning any JScript contained in the ‘secret’ variable will be executed on the server,” the researchers say. “JScript is implemented as an active scripting engine allowing the language to use ActiveX objects on the client it is running on. This can be and is abused by attackers to achieve reverse shells, file management, process execution, and much more.”
    A client component of China Chopper is usually hosted on an attacker’s system to facilitate communication, which can be used for tasks such as running a virtual terminal to launch commands based on cmd.exe, downloading files, and executing other malicious scripts.
    The researchers also noted the corresponding .NET DLLs that the ASP.NET runtime generates for China Chopper on compromised servers.
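    As an added defensive example (not code from Trustwave, Red Canary or the original article), the following Python script turns two of the indicators described above into triage checks: it parses IIS W3C log lines for POST requests to .aspx files whose names are eight random characters, and it tests whether a page source is a tiny payload that calls eval() on request input. Every log line, IP address and page source below is constructed for the example.

```python
import re
from typing import Dict, List

# Constructed IIS W3C log excerpt (not real data). The #Fields line declares
# the column layout, so the parser does not assume a fixed IIS configuration.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2021-03-08 10:01:12 10.0.0.5 GET /owa/auth/logon.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2021-03-08 10:02:44 10.0.0.5 POST /owa/auth/xk3r9qwe.aspx - 443 - 198.51.100.7 python-requests/2.25 200
2021-03-08 10:03:01 10.0.0.5 POST /ecp/default.aspx - 443 - 203.0.113.9 Mozilla/5.0 302
2021-03-08 10:04:55 10.0.0.5 POST /aspnet_client/AB12cd34.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
"""

# Red Canary's observation: the dropped .aspx shell names are eight random characters.
EIGHT_RANDOM_ASPX = re.compile(r"^[A-Za-z0-9]{8}\.aspx$")

# Trustwave's description: a one-line payload that calls eval() on a POST request
# variable. The pattern keys on the call shape, not on the variable name "secret".
EVAL_ON_REQUEST = re.compile(r"eval\s*\(\s*Request\b", re.IGNORECASE)


def parse_iis_log(text: str) -> List[Dict[str, str]]:
    """Turn W3C log text into {field: value} rows using its #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            rows.append(dict(zip(fields, values)))
    return rows


def find_suspicious_posts(text: str) -> List[Dict[str, str]]:
    """Flag POST requests to .aspx files named with exactly eight random characters.

    This is a triage heuristic: a legitimate eight-character page name matches too,
    so every hit should be compared with the server's known content inventory.
    """
    hits: List[Dict[str, str]] = []
    for row in parse_iis_log(text):
        stem = row.get("cs-uri-stem", "")
        basename = stem.rsplit("/", 1)[-1]
        if row.get("cs-method") == "POST" and EIGHT_RANDOM_ASPX.match(basename):
            hits.append({
                "time": row.get("date", "") + " " + row.get("time", ""),
                "client": row.get("c-ip", ""),
                "path": stem,
            })
    return hits


def looks_like_chopper_payload(source: str, max_bytes: int = 4096) -> bool:
    """True if a page source is tiny (the article cites ~4 KB) and evals request input."""
    if len(source.encode("utf-8", "replace")) > max_bytes:
        return False
    return EVAL_ON_REQUEST.search(source) is not None


# Constructed page sources for the content check (not taken from a real sample).
SUSPECT_PAGE = '<% eval(Request.Item["secret"]); %>'
BENIGN_PAGE = '<% Response.Write(Server.HtmlEncode(Request["q"])); %>'

if __name__ == "__main__":
    for hit in find_suspicious_posts(SAMPLE_IIS_LOG):
        print("review:", hit)
    print("suspect page flagged:", looks_like_chopper_payload(SUSPECT_PAGE))
    print("benign page flagged:", looks_like_chopper_payload(BENIGN_PAGE))
```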
    TEMP.Periscope/Leviathan, APT41/Double Dragon, and Bronze Union, among other advanced persistent threat (APT) groups, have been connected to the use of this popular web shell in the past.
    Red Canary has also identified a cluster of Microsoft Exchange Server attacks building from the use of this backdoor. Dubbed “Sapphire Pigeon,” multiple web shells are being dropped on compromised servers at different times — and in some cases, days before post-exploit activities begin. 
    At least 10 APTs are thought to be exploiting the critical Exchange Server vulnerabilities, and at least 82,000 servers remain unpatched, according to Microsoft.
    Last week, Check Point Research said the rate of attacks leveraging the vulnerabilities was doubling every two to three hours. 

    Google: This Spectre proof-of-concept shows how dangerous these attacks can be

    Google has released a proof of concept (PoC) code to demonstrate the practicality of Spectre side-channel attacks against a browser’s JavaScript engine to leak information from its memory. 
    Google in 2018 detailed two variants of Spectre, one of which – dubbed variant 1 (CVE-2017-5753) – concerned JavaScript exploitation against browsers. Spectre abuses speculative execution, a performance feature of modern CPUs, to leak secrets such as passwords from one site to another, malicious site.
    Web developers can visit Google’s new page – at https://leaky.page – to see a demo of Spectre in JavaScript, a video demo on YouTube and a detailed write-up of the PoC on GitHub.
    Google released the PoC for developers of web applications to understand why it’s important to deploy application-level mitigations. At a high level, as detailed in a Google document on W3C, a developer’s “data must not unexpectedly enter an attacker’s process”.      
    While the PoC demonstrates the JavaScript Spectre attack against Chrome 88’s V8 JavaScript engine on an Intel Core i7-6500U ‘Skylake’ CPU on Linux, Google notes it can easily be tweaked for other CPUs, browser versions and operating systems. It was even successful on Apple’s M1 Arm CPU with minor modifications. The attack can leak data at a rate of 1kB per second. 
    The chief components of the PoC are a Spectre version 1 “gadget” or code that triggers attacker-controlled transient execution; and a side-channel or “a way to observe side effects of the transient execution”. 

    “The web platform relies on the origin as a fundamental security boundary, and browsers do a pretty good job at preventing explicit leakage of data from one origin to another,” explained Google’s Mike West. 
    “Attacks like Spectre, however, show that we still have work to do to mitigate implicit data leakage. The side-channels exploited through these attacks prove that attackers can read any data which enters a process hosting that attackers’ code. These attacks are quite practical today, and pose a real risk to users.”

    While Google and other browser vendors have developed mitigations for Spectre, such as Site Isolation, they don’t prevent exploitation of Spectre, explain Stephen Röttger and Artur Janc, Google information security engineers. 
    “Rather, [these mitigations] protect sensitive data from being present in parts of the memory from which they can be read by the attacker,” they note in a blogpost.  
    “While operating system and web browser developers have implemented important built-in protections where possible (including Site Isolation with out-of-process iframes and Cross-Origin Read Blocking in Google Chrome, or Project Fission in Firefox), the design of existing web APIs still makes it possible for data to inadvertently flow into an attacker’s process,” they explain. 
    Google has also released a new prototype Chrome extension called Spectroscope that scans an application to find resources that may require enabling additional defenses.  
    Röttger and Janc note that the Variant 1 gadget can be mitigated at a software level. However, the V8 team has found that mitigating Spectre Variant 4, or Speculative Store Bypass (SSB), is “simply infeasible in software”.

    Microsoft investigates potential ties between partner security firm, Exchange Server attack code leak

    Microsoft is reportedly investigating a potential partner leak that could have exacerbated the current wave of attacks against Microsoft Exchange servers. 

    The Redmond giant is examining whether potentially “sensitive information” required to conduct the attacks was obtained through “private disclosures it made with some of its security partners,” according to the Wall Street Journal. 
    On March 2, Microsoft issued emergency patches to tackle four zero-day vulnerabilities in Microsoft Exchange Server which were being actively exploited in the wild. 
    The critical bugs were disclosed privately in January, and since then, exploit usage has gained traction to the point researchers estimate that tens of thousands of businesses worldwide have been impacted.
    The suspected state-sponsored Chinese hacking group Hafnium was originally attributed to exploitation of the zero-days. Now, however, proof-of-concept (PoC) code has been released and more advanced persistent threat (APT) groups are attempting to capitalize on the situation. Ransomware, too, is now being deployed in some attacks. 
    That PoC code is also reportedly the subject of Microsoft’s latest investigation. Microsoft is examining whether concept attack code it sent privately to partners in the Microsoft Active Protections Program (MAPP) was leaked, whether deliberately or accidentally.
    PoC attack code was sent to antivirus and other cybersecurity firms on February 23, prior to patch release, to give partner companies information in advance. However, it appears that some of the tools used in connected attacks, starting a week later, have “similarities” to the private PoC, according to the publication. 

    Approximately 80 organizations participate in the MAPP program.
    In a blog post dated March 12, Microsoft said that protecting vulnerable Exchange servers is now a “critical” issue and this is why the company recently released patches to also fix out-of-support versions of Exchange. 
    However, applying patches alone isn’t enough, as patching will not eradicate existing infections. As a result, Microsoft also recommends investigating Exchange servers for signs of compromise.
    Microsoft is now working with RiskIQ to track the number of servers that are internet-facing, unpatched, and still vulnerable to attack. As of March 12, approximately 82,000 servers had yet to be updated.
    “Microsoft is deeply committed to supporting our customers against these attacks, to innovating on our security approach, and to partnering closely with governments and the security industry to help keep our customers and communities secure,” the company commented.
    The Biden Administration has warned organizations that they have “hours, not days” to patch their systems. Private sector players have been invited to participate in a task force dedicated to investigating the situation. 
    Update 12.32 pm GMT: A Microsoft spokesperson told ZDNet:
    “We are looking at what might have caused the spike of malicious activity and have not yet drawn any conclusions. We have seen no indications of a leak from Microsoft related to this attack.”

    Sky Global CEO indicted over encrypted chat drug trafficking, calls allegations an 'outrage'

    The indicted chief executive of the Sky Global encrypted chat service has claimed that accusations of his participation in criminal activity are an attempt to erode “the fundamental right to privacy.”

    On Friday, the US Department of Justice (DoJ) revealed an indictment, filed in the Southern District of California, against Sky Global’s CEO, Jean-Francois Eap, as well as a former distributor of Sky Global devices, Thomas Herdman. 
    US prosecutors claim the pair “knowingly and intentionally participated” in a criminal ring that distributed narcotics by facilitating the “sale and service of encrypted communications devices.”
    The international distribution of heroin, cocaine, and methamphetamine is specifically mentioned in the complaint. 
    The indictment, returned by a federal grand jury, accuses the pair of conspiracy to violate the federal Racketeer Influenced and Corrupt Organizations Act (RICO), and warrants have now been issued for their arrest. 
    Canada-based Sky Global is a provider of custom handsets and the developer of Sky ECC, a subscription-based end-to-end encrypted messaging application. 
    Last week, Europol announced that law enforcement had broken the encryption of the network and had used client communication records to initiate a criminal takedown on March 9, leading to a “large number of arrests” as well as the seizure of cash and drugs.

    Sky Global, in turn, denied these claims, instead blaming a “disgruntled” former reseller of Sky devices and a scheme to distribute a fake — and, therefore, insecure — version of the Sky ECC app via skyecc.eu.
    According to the US indictment, “Sky Global’s devices are specifically designed to prevent law enforcement from actively monitoring the communications between members of transnational criminal organizations involved in drug trafficking and money laundering,” and the vendor “guarantees that messages stored on its devices can and will be remotely deleted by the company if the device is seized by law enforcement or otherwise compromised.”
    The DoJ alleges that Sky Global has made hundreds of millions of dollars in profit by “facilitating” criminal activity. 
    Suzanne Turner, FBI Special Agent in Charge of the San Diego Field Office, said that the indictment is “another major strike against transnational crime.”
    Eap and Herdman, both said to be in Vancouver, Canada, face a maximum penalty of life in prison if arrested and found guilty. 
    In response, Eap published a statement on Sunday, claiming that he only found out about the US indictment through media reports. The CEO has branded the allegations as false, adding that the situation highlights the “erosion of the right to privacy.”
    “Sky Global’s technology works for the good of all. It was not created to prevent the police from monitoring criminal organizations; it exists to prevent anyone from monitoring and spying on the global community,” Eap commented. “The indictment against me personally in the US is an example of the police and the government trying to vilify anyone who takes a stance against unwarranted surveillance.”
    Furthermore, Eap says that he and his company are being “targeted” because they “build tools to protect the fundamental right to privacy.”
    Over the coming days, the executive intends to put his efforts toward clearing his name of the allegations. 
    “We do not condone illegal or unethical behavior by our partners or customers,” Eap says. “To brand anyone who values privacy and freedom of speech as a criminal is an outrage.”

    US federal judge issues injunction to temporarily remove Xiaomi ban

    A US federal court has temporarily blocked the Department of Defense from placing restrictions on the ability for domestic companies to invest in Xiaomi.
    The presiding judge, District Judge Rudolph Contreras, issued an initial injunction over the weekend to temporarily stop Xiaomi from being added to the Communist Chinese military companies (CCMC) list.
    Companies placed on the CCMC list are subject to a Donald Trump executive order that came into force in November last year. The executive order prohibits US persons from trading and investing in any of the listed companies and bans trading in any new companies once the US has placed the CCMC label on them.
    The injunction was handed out as the judge found that Xiaomi was likely to suffer “irreparable harm” in the absence of the relief.
    In making his decision, Contreras explained that the factors of Xiaomi’s stock price dropping by 9.5% since the CCMC designation, various banks including Morgan Stanley, JP Morgan Chase, and Goldman Sachs suspending trading of Xiaomi shares, and the company losing contracts around the world, when viewed together, indicated the company had already suffered “irreparable harm” as a result of the designation.
    Contreras added that Defense’s memorandum, which is what led to Xiaomi being added to the CCMC list, was made on “shaky ground”.
    “[The memorandum] does not explicitly identify the agency’s source of authority that governs the CCMC designation process, and when the memo does invoke the relevant statutory language, the excerpted language is quoted incorrectly. These errors do not inspire confidence in the fastidiousness of the agency’s decision-making process,” he said.

    Xiaomi was placed onto the CCMC list in mid-January after Defense accused the company of “appearing to be [a] civilian entity” in order to procure advanced technologies in support of the modernisation goals of the Chinese military. 
    Referring to these national security concerns, Contreras said he was “somewhat skeptical that weighty national security interests are actually implicated here”.
    “Taken together, the Court concludes that Defendants have not made the case that the national security interests at stake here are compelling,” he wrote.
    Since the new year, US entities, such as the New York Stock Exchange, have struggled to handle the consequences and interpretation of the CCMC list. Across the month of January, the exchange said it would delist a trio of Chinese telcos, before changing its mind, and then it reverted to its original decision.
    Other Chinese companies currently on the list include Huawei, Hikvision, Inspur, Panda Electronics, and Semiconductor Manufacturing International Corporation.
    In a statement, Xiaomi said it was pleased with the outcome, but would continue its legal fight with the Department of Defense until Xiaomi was officially taken off the CCMC list.
    “We believe that the inclusion of Xiaomi in the list of Chinese military-related enterprises is an arbitrary and arbitrary decision, and the judge also agreed with it. We will continue to ask the court to finally rule that the decree is invalid for Xiaomi,” it said.

    Senate committee recommends 'rushed' Online Safety Bill be passed

    Australia’s new Online Safety Bill was introduced to Parliament on February 24, eight business days after consultation on the draft legislation closed and before the submissions to the consultation were published. It was handed to a Senate committee on February 25 and after holding one public hearing, the committee has handed down its report.
    Despite testimony from tech companies and civil liberties groups, the Environment and Communications Legislation Committee has made a total of two recommendations.
    One of the recommendations simply states: “The committee recommends that the Bills be passed”.
    The Online Safety Bill 2021 contains six key priority areas: A cyberbullying scheme to remove material that is harmful to children; an adult cyber abuse scheme to remove material that seriously harms adults; an image-based abuse scheme to remove intimate images that have been shared without consent; basic online safety expectations for the eSafety Commissioner to hold services accountable; an online content scheme for the removal of “harmful” material through take-down powers; and an abhorrent violent material blocking scheme to block websites hosting abhorrent violent material. 
    The Online Safety (Transitional Provisions and Consequential Amendments) Bill 2021, meanwhile, repeals the Enhancing Online Safety Act 2015 upon commencement of the new Online Safety Act.
    370 submissions were made to the draft consultation; at the time of publishing, 135 of the submissions made to the committee were public.
    To give a few examples: Google, Twitter, and Twitch all raised concerns that the definitions contained within the Bill were too broad; Electronic Frontiers Australia (EFA) joined the tech giants in considering the powers given to the eSafety Commissioner as overreaching; and the Australian Digital Rights Watch highlighted the many negative impacts on the country’s adult industry.

    Setting these concerns aside, the committee’s other recommendation was that the government consider amending the Bill’s explanatory memorandum to clarify the requirement for an industry code to be registered within six months. It explained that this would be “for best endeavours and that the Commissioner has the discretion to work with industry over whatever timeframe is deemed necessary to achieve an effective outcome”.
    Labor’s notes on the Bill include pointing to ZDNet’s article, which highlights that key operational elements of the Bill are yet to be worked through.  
    “Labor Senators consider that finding the balance between free speech and protections against certain kinds of speech is a complex endeavour and we are concerned that this Bill represents a significant increase in the eSafety Commissioner’s discretion to remove material without commensurate requirements for due process, appeals, or transparency over and above Senate estimates, annual reporting and AAT appeals,” they add, even though no committee recommendations actually reflect their concerns.
    The opposition does, however, want the government to consider further amendments to clarify the Bill in terms of its scope and to “strengthen due process, appeals, oversight and transparency requirements given the important free speech and digital rights considerations it engages”.
    The Australian Greens, meanwhile, raised concerns with the Bill being rammed through the Parliament through a truncated inquiry process without consideration by either the Senate Standing Committee for the Scrutiny of Bills, or the Parliamentary Joint Committee on Human Rights.
    As a result, the Greens recommend the Bill be withdrawn and redrafted to take account of concerns such as the use of the National Classification Code, which is currently under review; potential for elements of the Bill to be used against lawful online content and content creators; inadequate rights of appeal and remedy for businesses and individuals whose content is wrongly blocked or removed; inadequate transparency and accountability regarding discretionary decisions made by a single, unelected officer; powers covering restricted access/encryption services; and potential significant and detrimental effects on sex workers.
    A second and final recommendation by the Greens has called for the introduction of a constitutionally or legislatively enshrined Charter of Rights, which includes privacy and digital rights consistent with the European Union’s General Data Protection Regulation.

    Welcome to the era of the mega-hack

    We’re now living in the era of the mega-hack. More than ever, software flaws are being seized on by sophisticated hackers who take these bugs – and use them to create attacks that compromise the computer systems of thousands of organisations, all at once.
    Newly discovered vulnerabilities in Microsoft’s Exchange Server provide a good example of this evolution. The flaws were seized on by (likely China-backed) hackers as a way to attack networks, with tens of thousands of systems apparently compromised in a widespread attack. At least 10 other groups are thought to be attempting to use the same exploits, and now cyber criminals are piggy-backing on the original attack in an attempt to deliver ransomware too.
    Bugs exist wherever there is software, despite attempts to eradicate them. What we’re seeing now is a growing ability and desire among hackers to turn these bugs into attacks. Increasingly, the same software applications and tools are being used by companies around the world. Some may not even be aware of the software code they are relying on, such is the interconnected world of tech products. And even if they do know the software they are using, too many companies fail to update it even when warned about vulnerabilities by software vendors.
    Hacking groups have different motivations: state-backed hackers want to gain access to as many systems as possible before deciding which have strategic value (either a source of intelligence or as a stepping-stone to compromising other systems); cyber criminals want to break in where they can to either steal data or deliver money-making ransomware. Either way, threat actors are now sophisticated enough to respond to weaknesses quicker than ever before. That’s bad for everyone.
    A software flaw doesn’t affect just one company, but can put thousands or even tens of thousands at risk as hacking groups seize on a new bug and race to exploit it, breaking into as many systems as possible before a fix is found and applied. Some companies used to think they were too small to be targeted, but will sadly discover that crooks will attack – and potentially destroy — their business, just on the off-chance that a ransom will be paid. Others will find that cutting costs by not patching software flaws is a false economy, to say the least.
    So what can be done? Projects that aim to fix bugs in everything — starting with programming languages and the basic code (often open source) that underpins software applications — are a start. Encouraging secure code as a standard is a must. Companies must also understand that legacy systems may contain vulnerabilities, and that patching is not optional. Longer term, the ransomware threat must be addressed and better international rules around state-backed hacking put in place. Neither of those is going to be an easy problem to tackle.
    Right now, we need to realise that the stakes are increasing – and rapidly.
    ZDNET’S MONDAY MORNING OPENER 

    The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet’s global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.

    Okta invests in, partners with Immuta to secure cloud analytics

    Okta, well known for its cloud-based identity management technology, has partnered with automated data governance firm Immuta, both companies announced today. Okta Ventures has also made an investment in Immuta, funding product innovation and joint go-to-market initiatives. The tie-up makes clear both that cloud data lakes/warehouses are here to stay, and that securing them is an enterprise necessity.
    ZDNet spoke with Immuta CEO Matthew Carroll, and Okta Ventures director Austin Arensberg. The two provided context and color around the partnership and explained that it encompasses several touch points.
    Partnership and synergy
    These nodes of partnership include integration of Immuta with Okta’s System for Cross-domain Identity Management (SCIM), extending authorization to cloud data sources including Immuta partners Snowflake and Databricks; Dynamic Policy Creation, wherein Immuta data policies can be informed by Okta identities; implementation of attribute-based access control (ABAC) and purpose-based access control (PBAC) fine-grained security, which work at the row, column, or cell level; and auditing/reporting, where Immuta’s audit logs and reporting can be combined with Okta’s identity and authorization.
    A joint customer of the two companies makes the use case and requirements tangible: the Covid Alliance/Center for New Data, which tracks COVID-19 research and shapes public policy. Facilitating the collaboration that Center for New Data relies on requires that researchers have access to just what they’re authorized to, when combined data sets are created. Privacy rights can’t be violated, and data sovereignty must align with researchers’ geographic locations. 
    The problem is a complex one, but researchers’ access to data needs to be seamless, nevertheless. Ryan Naughton, the Center for New Data’s co-founder/co-executive director, says “the combination of Okta and Immuta allows us to confidently authenticate a diverse set of users and authorize different levels of analyses, while preserving privacy and ensuring compliance with regulations and contractual data rights.”
    Old requirements, new dimensions
    It’s clear that older, conventional on-premises data analytics platforms aren’t sufficient for workloads where data sources are varied, data volumes are large, and updates are frequent. But it’s also the case that the level of rigor and security in those older systems is absolutely still needed. Just as integrating Active Directory/LDAP and Kerberos into the open source big data sphere has been necessary, it’s now also time to integrate identity management systems like Okta’s, which allow a single identity to be used for authorization to multiple cloud services.
    In other words, building and operating cloud data lakes and warehouses requires single sign-on across clouds, applications and services. The Okta-Immuta partnership makes this possible. While the union may be less than “sexy,” it’s a big deal in terms of cloud data analytics maturity.