More stories

  • Accellion zero-day claims a new victim in cybersecurity company Qualys

    Qualys has revealed that a “limited” number of customers may have been impacted by a data breach connected to an Accellion zero-day vulnerability.

    The cloud security and compliance firm said on Wednesday that the security incident did not have any “operational impact,” but “unauthorized access” had been obtained to an Accellion FTA server used by the company. 
    Accellion File Transfer Appliance (FTA) is enterprise-grade software used for large file transfers. In December 2020, FireEye’s Mandiant discovered that the Clop ransomware group was exploiting previously unknown vulnerabilities in the legacy product to extort organizations, threatening to leak sensitive data stolen from vulnerable servers unless a ransom was paid. 
    Organizations across the US, Singapore, Canada, and the Netherlands were targeted. However, according to Mandiant, ransomware was not deployed in this wave of attacks. 
    Qualys is a user of Accellion FTA. The company says that the software was used “to transfer information as part of our customer support system [in] a segregated DMZ environment” but was kept separate from production environments, codebases, and Qualys Cloud. 
    A hotfix for the vulnerabilities was issued by Accellion on December 21, and Qualys says that its team applied the fix on December 22. 
    However, the server had already been exploited through the zero-day before the fix was available, and applying a patch does not evict an attacker who is already inside: on December 24, the company received an “integrity alert” indicating a potential compromise. 

    The impacted server was isolated from its network and an investigation was launched. Qualys found that some customer data contained in the server had been accessed, although the company has not revealed how many customers are involved, or what information was stored. 
    Qualys has hired Mandiant, which is also working with Accellion, to investigate. In addition, the affected servers have been taken offline and alternatives are being offered to customers. 
    “As a security company, we continue to look for ways to enhance security and provide the strongest protections for our customers,” the company says. “Qualys is strongly committed to the security of its customers and their data, and we will notify them should relevant information become available.”
    Accellion says it has worked “around the clock to develop and release patches that resolve each identified FTA vulnerability and support our customers affected by this incident.”
    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Microsoft: We're cracking down on Excel macro malware

    Macro malware has been a popular choice for hackers since the 1990s and even in recent years the technique has continued to be a simple way of delivering malware to the unwary. 
    Just last month, Ukraine accused Russian government spies of uploading documents with malicious macros to a Ukrainian government document-sharing site. And amid the first wave of the COVID-19 pandemic, Microsoft warned of emails containing Excel files with malicious macros. 

    Microsoft has been using an integration between its Antimalware Scan Interface (AMSI) and Office 365 to knock out macro malware since 2018, but its success against macro scripts written in Visual Basic for Applications (VBA) ended up pushing attackers to an older macro language called XLM, which shipped with Excel 4.0 in 1992.  
    Now Microsoft is expanding the integration of its AMSI with Office 365 to include the scanning of Excel 4.0 XLM macros at runtime, bringing AMSI in line with VBA.
    AMSI lets an application hand script content to whichever AMSI-aware antivirus is registered on a Windows machine at the moment the script is about to run, after any obfuscation has been unwound, so the antivirus can detect and block malicious scripts in Office documents. Microsoft notes that its Defender anti-malware already uses this integration to detect and block XLM-based malware and is encouraging other anti-malware providers to adopt it, too. 
    Although XLM was superseded by VBA in 1993, XLM is still used by some customers and so it remains supported in Excel.  

    “While more rudimentary than VBA, XLM is powerful enough to provide interoperability with the operating system, and many organizations and users continue to use its functionality for legitimate purposes. Cybercriminals know this, and they have been abusing XLM macros, increasingly more frequently, to call Win32 APIs and run shell commands,” explain Microsoft’s security teams. 
    The arrival of AMSI’s VBA runtime scan in 2018 “effectively removed the armor that macro-obfuscation equipped malware with, exposing malicious code to improved levels of scrutiny,” says Microsoft. 
    “Naturally, threat actors like those behind Trickbot, Zloader, and Ursnif have looked elsewhere for features to abuse and operate under the radar of security solutions, and they found a suitable alternative in XLM,” it continues. 
    If the antivirus detects a malicious XLM macro, the macro won’t execute and Excel is terminated, thus blocking the attack. 
    Runtime inspection of XLM macros is now available in Microsoft Excel and is enabled by default on the February Current Channel and Monthly Enterprise Channel for Microsoft 365 subscription users.
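    AMSI catches XLM at runtime, inside Excel; a practitioner also wants the complementary static check at the mail gateway or on a quarantined file. The following is an added example, not Microsoft’s code and not part of the article: it inspects an OOXML workbook for Excel 4.0 macro sheets (stored as xl/macrosheets/*.xml, separately from VBA’s xl/vbaProject.bin), flags the hidden-sheet-plus-Auto_Open-plus-OS-call pattern the article describes, and builds its own sample workbook in memory. The sheet names, the placeholder EXEC/CALL formulas and the verdict thresholds are all assumptions made for the example.

```python
"""Triage a workbook for Excel 4.0 (XLM) macro sheets.

Added example; this is not Microsoft's code and not AMSI.  AMSI inspects
XLM at runtime inside Excel; this script does the complementary static
check on a file at rest.  In the OOXML format an XLM macro sheet is
stored as xl/macrosheets/*.xml, separate from VBA (xl/vbaProject.bin).
The sample workbook below is constructed in memory; its sheet names and
command strings are placeholders, not a real payload.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

# XLM functions that reach outside the spreadsheet: EXEC runs a shell
# command; CALL and REGISTER invoke exported DLL functions (the Win32
# API calls the article describes); FORMULA / FORMULA.FILL write new
# formulas into cells at runtime, a common way to unpack obfuscated code.
OS_CALL_RE = re.compile(r"\b(EXEC|CALL|REGISTER|FORMULA(?:\.FILL)?)\s*\(")


def scan_workbook(data: bytes) -> dict:
    """Return the XLM-related findings for an OOXML workbook given as bytes."""
    findings = {"macrosheets": [], "hidden_sheets": [], "auto_open": None, "os_calls": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        findings["macrosheets"] = sorted(n for n in names if n.startswith("xl/macrosheets/"))
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(z.read("xl/workbook.xml"))
            # Malicious XLM sheets are usually hidden or veryHidden so the
            # victim never sees them; veryHidden cannot be unhidden from the UI.
            for sheet in wb.iterfind("m:sheets/m:sheet", NS):
                if sheet.get("state") in ("hidden", "veryHidden"):
                    findings["hidden_sheets"].append((sheet.get("name"), sheet.get("state")))
            # The built-in Auto_Open name is what makes the macro run on open.
            for dn in wb.iterfind("m:definedNames/m:definedName", NS):
                if (dn.get("name") or "").lower() in ("_xlnm.auto_open", "auto_open"):
                    findings["auto_open"] = dn.text
        for name in findings["macrosheets"]:
            sheet = ET.fromstring(z.read(name))
            for cell in sheet.iter("{%s}c" % NS["m"]):
                f = cell.find("m:f", NS)
                if f is not None and f.text and OS_CALL_RE.search(f.text):
                    findings["os_calls"].append((name, cell.get("r"), f.text))
    return findings


def verdict(findings: dict) -> str:
    """'clean' if no XLM at all, 'review' if an XLM sheet exists (legitimate
    use is still common), 'block' if it is hidden, auto-runs and calls out
    to the OS, the combination the article attributes to current lures."""
    if not findings["macrosheets"]:
        return "clean"
    if findings["os_calls"] and findings["auto_open"] and findings["hidden_sheets"]:
        return "block"
    return "review"


def build_sample_workbook(with_xlm: bool = True) -> bytes:
    """Constructed sample: a visible sheet plus, optionally, a veryHidden
    XLM sheet wired to Auto_Open.  The formulas are inert placeholders."""
    sheets = '<sheet name="Sheet1" sheetId="1" r:id="rId1"/>'
    names = ""
    if with_xlm:
        sheets += '<sheet name="Macro1" sheetId="2" state="veryHidden" r:id="rId2"/>'
        names = '<definedNames><definedName name="_xlnm.Auto_Open">Macro1!$A$1</definedName></definedNames>'
    workbook = (
        '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
        f"<sheets>{sheets}</sheets>{names}</workbook>"
    )
    macro = (
        '<xm:macrosheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main" '
        'xmlns:xm="http://schemas.microsoft.com/office/excel/2006/main"><sheetData>'
        '<row r="1"><c r="A1"><f>EXEC("cmd /c echo placeholder")</f></c></row>'
        '<row r="2"><c r="A2"><f>CALL("user32","MessageBoxA","JJCCJ",0,"placeholder","xlm",0)</f></c></row>'
        '<row r="3"><c r="A3"><f>HALT()</f></c></row>'
        "</sheetData></xm:macrosheet>"
    )
    worksheet = (
        '<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
        '<sheetData><row r="1"><c r="A1" t="str"><v>invoice</v></c></row></sheetData></worksheet>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("xl/workbook.xml", workbook)
        z.writestr("xl/worksheets/sheet1.xml", worksheet)
        if with_xlm:
            z.writestr("xl/macrosheets/sheet1.xml", macro)
    return buf.getvalue()


if __name__ == "__main__":
    for label, wb in (("clean", build_sample_workbook(False)), ("xlm", build_sample_workbook(True))):
        found = scan_workbook(wb)
        print(label, verdict(found), found)
```

    Two caveats: this only covers the OOXML container, so legacy binary .xls files, where XLM lives in BIFF records, need a BIFF-aware parser (oletools’ olevba handles that); and a verdict of “review” is deliberate, because, as the article notes, XLM is still used legitimately and a blanket block would break those users.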

  • Linux distributions: All the talent and hard work that goes into building a good one

    I regularly read the Linux Mint Blog, not only because it is useful to keep up with what is happening with the Linux Mint distribution but also because it occasionally gives very interesting insights into the development and maintenance of a Linux distribution in general, and the Linux Mint distribution(s) in particular.  
    To be honest, I was disappointed some years ago when Clem (Clement Lefebvre) discontinued his Segfault blog, because it always contained good technical information and interesting insights.

    Anyway, two recent posts to the Mint Blog are very good examples of the kind of thing I am talking about. The first, titled Update Your Computer!, is a discussion of the importance of installing updates, but in my opinion it is one of the best posts I have read in quite some time, because it is not just the usual “security updates are important/easy/safe” sermon, it also includes examples and statistics taken from the Mint distribution itself, and it examines some of the issues around running end-of-life versions that generally don’t get any updates at all.
    The Linux Mint Update utility is one of the best available in my opinion, and it is obvious that the Mint developers have put a lot of effort into it over many years, continuously improving and extending it. It not only does the basic job of downloading and installing updates, it puts a lot of effort into making the update process clear and easier to understand and manage, and monitoring various aspects of the system to try to help with effective and secure administration. I am old and stubborn, and I still tend to use CLI utilities for updates on most systems (apt on Debian and derivatives, dnf on Fedora, pacman on Arch and derivatives), but I realized quite some time ago that Mint Update did a better job overall than I could do manually.
    I strongly recommend reading this blog post, and not only for those who actually run or manage Linux Mint systems. There is a lot of food for thought – and reasons for action – in it.
    The other Mint Blog post was the regular Monthly News – February 2021. It discusses some of the upcoming improvements in the Mint Update Manager, again including not only the “what” but also the “why” behind them. It also goes into more detail about some of the most recent bug fixes, with a lot more information about the cause and effect of a few of them. For example, I mentioned the UsrMerge update in my recent post about Linux Mint 20.1; this blog post explains a rather nasty bug, related to reproducible builds, that was caused by it.

    Reading those blog posts, and thinking about the issues that they bring up and the actions they have produced, got me thinking about Linux distributions in general. Mint is based on Ubuntu (I know, don’t worry about LMDE for this discussion), which in turn is itself based on Debian GNU/Linux. 
    That means a lot of the low-level stuff, such as the package base, the repositories, and most of the integration and compilation issues, are handled by those “upstream” distributions. The Mint developers concentrate on integration of other packages from other sources that are not included in the upstream base distribution, such as non-FOSS or other third-party packages, and the Mint development team actually produces significant new portions of the distribution, such as the Cinnamon desktop, the Mint Update Manager, and XApps to name just a few. That requires a lot of human resources – just take a look at the Linux Mint Teams page, where it lists five teams responsible for various aspects of the distribution.
    While other distributions, which are derived from larger upstream distributions, such as the numerous Ubuntu derivatives, or Arch Linux derivatives, or even others derived directly from Debian, generally do a lot less original development, they are still able to concentrate their efforts on things like desktop integration, artwork and third-party package integration, while building on the solid and (hopefully) stable foundation of their upstream distribution.
    On the other hand, my last couple of posts were about “independent” Linux distributions (such as Solus and KaOS), which are not based on or derived from any other distribution. 
    They take on the responsibility of creating the entire distribution from scratch – compiling, packaging, integrating, creating and maintaining repositories and much more. There are decisions to be made about package format, software update mechanisms, desktop(s) to be supported, and on and on. That in itself requires a lot of work, and a lot of technical expertise and experience.
    So what does all of this mean to someone who is trying to decide on a Linux distribution to use, or at least to try out?  
    Well, at one end of the scale the large, established distributions such as Debian, Fedora, openSUSE and their major derivatives, such as Linux Mint, offer stability, predictability and very extensive testing before release (note that I omitted Ubuntu here, because in my opinion they lose out on predictability due to their very serious ‘not invented here’ syndrome, and their tendency over the years to unnecessarily reinvent things and go wandering off on a long tangent before suddenly deciding to scrap it and jump back onto the mainstream path after all). End-user support from these distributions is likely to be good, but rather slow-moving from the user perspective.
    At the other end of the scale, the independent distributions such as Solus, KaOS and PCLinuxOS are generally more focused on their original concept, which might be a specific desktop/development environment, or a specific target audience or application. If that focus matches your interest, then you are likely to feel much closer to the developers, rather than feeling like you are “just one of the potentially large number of users”. Because of the smaller size of the development/maintenance team, independent distributions are likely to be more “agile”, getting updates and new developments integrated and released faster, and end-user support is generally more responsive and often more personal.
    In closing, I would say that I admire a lot of the people at both ends of this scale. It takes a great deal of talent, knowledge, dedication and plain old hard work to produce a good Linux distribution. 
    Clem, in particular, has been one of my heroes for a very long time (since about release 2.something), and Adam W. since the Mandriva days. Those who have established and maintained independent distributions for years are deserving of just as much credit and appreciation, but they often don’t get it.  
    Kudos to them.

  • CISA issues emergency directive to agencies: Deal with Microsoft Exchange zero-days now

    The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive following the release of fixes for zero-day vulnerabilities in Microsoft Exchange. 

    The US agency’s Emergency Directive 21-02, “Mitigate Microsoft Exchange On-Premises Product Vulnerabilities,” was issued on March 3. 
    This week, Microsoft warned that four zero-day vulnerabilities in Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019 are being actively exploited by a suspected state-sponsored advanced persistent threat (APT) group from China called Hafnium. 
    Exchange Online is not affected by the bugs. However, Exchange Server is software used by government agencies and the enterprise alike, and so Microsoft’s warning to apply provided patches immediately should not be ignored. 
    In light of this, CISA’s directive — made through legal provisions for the agency to issue emergency orders to other US government bodies when serious cybersecurity threats are detected — demands that federal agencies tackle the vulnerabilities now. 
    CISA says that partner organizations have detected “active exploitation of vulnerabilities in Microsoft Exchange on-premise products.”
    “Successful exploitation of these vulnerabilities allows an attacker to access on-premises Exchange Servers, enabling them to gain persistent system access and control of an enterprise network,” the agency says. 

    CISA believes the vulnerabilities present an “unacceptable risk to Federal Civilian Executive Branch agencies,” and so action is now required. 
    The emergency directive has stipulated that agencies must begin triaging their network activity, system memory, logs, Windows event logs, and registry records to find any indicators of suspicious behavior. 
    If there are no indicators of compromise (IoCs), the security updates must be applied immediately to every affected on-premises Exchange server. However, if any suspicious activity is found, US departments must immediately disconnect their Microsoft Exchange on-premises servers and report their findings to CISA for further investigation, since patching alone does not remove an attacker who already has a foothold.
    “This Emergency Directive remains in effect until all agencies operating Microsoft Exchange servers have applied the available patch or the Directive is terminated through other appropriate action,” the agency added. 


  • Okta and Auth0: A $6.5 billion bet that identity will warrant its own cloud

    Okta’s $6.5 billion purchase of Auth0 is based on the idea that there will be only a handful of clouds within companies in the years ahead. Identity will be one of those clouds joining functions like collaboration, CRM, infrastructure, HR and communication.
    That vision hasn’t played out just yet, but if it does, the all-stock transaction that makes Auth0 a unit of Okta will look like a bargain. Okta estimates that its core workforce identity market is worth $30 billion and Auth0’s customer identity market is $25 billion. With more integration, signals and data, Okta with Auth0 can create new use cases.
    On a conference call, Okta CEO Todd McKinnon made the case that Auth0’s developer-first approach to identity rhymes with Twilio’s approach in communications and Stripe in payments. McKinnon said:
    We view a world where cloud adoption continues to proliferate and that 5-plus years from now, there will be just a few primary clouds that really matter inside an organization. These clouds might be for collaboration, CRM, infrastructure and ERP, for example. We firmly believe that identity will be one of these primary clouds. Identity is the connected tissue to all of the other primary clouds as it facilitates choice and flexibility while enhancing security and reducing risk in all other technologies.
    McKinnon added that Okta wants to be the standard in digital identity and Auth0 can accelerate that plan on many fronts.

    Analysts questioned the purchase a good bit on Okta’s fourth quarter earnings conference call, asking why the two companies would initially be run separately and how the deal changes the competitive picture. McKinnon said home-grown, internally built identity systems remained the biggest competitor. However, Gartner’s Magic Quadrant for access management also highlights why Okta bulked up.

    There’s little question that Okta has thrived in the enterprise as it now has more than 10,000 customers, triple the tally from 4 years ago. And those customers are spending more money with Okta amid digital transformation, remote work and zero trust projects. But future growth for Okta required the parts to build out identity as a core cloud on its own. The concept is interesting considering Microsoft is a big rival to Okta but can bundle identity with other applications including Office 365.

    So why do the deal now (other than Okta shares make a great currency after a nice run in 2020)? Here are some moving parts.
    Access management tools are likely to face “cost optimization for IT spending” in 2021, according to Gartner. By acquiring Auth0, Okta creates a larger total addressable market since identity and access management touches everything from security to user experiences and interfaces.
    Auth0 also gives Okta a way to reach developers and extend its platform. Auth0  has a free plan and then developer versions for the B2C and B2B markets.
    Okta’s customer base is largely in the US, but Auth0’s revenue is 40% international.
    Auth0 brings a specialization in customer identity and access management as well as multiple integrations.
    Okta has expanded into identity and access analytics based on usage patterns. Auth0 will bring new patterns as well as signals to analyze.
    Add it up and Okta and Auth0 make a promising pair, but like all mergers there’s what’s in the PowerPoint and then there’s the actual execution. The biggest question surrounding this deal is whether the tech ecosystem ultimately sees identity as an independent cloud.

  • Maza Russian cybercriminal forum suffers data breach

    The Maza cybercriminal forum has reportedly suffered a data breach leading to the leak of user information. 
    On March 3, Flashpoint researchers detected the breach on Maza — once known as Mazafaka — which has been online since at least 2003. 
    Maza is a closed and heavily-restricted forum for Russian-speaking threat actors. The community has been connected to carding — the trafficking of stolen financial data and payment card information — and the discussion of topics including malware, exploits, spam, money laundering, and more. 
    Once the forum was compromised, the attackers who took the forum over posted a warning message claiming “Your data has been leaked / This forum has been hacked.”
    The leaked data includes user IDs, usernames, email addresses, messenger contact details (including Skype, MSN, and AIM handles) and passwords, stored in both hashed and obfuscated form. 
    Flashpoint told ZDNet roughly 2,000 accounts were exposed.
    During discussions concerning the breach, some users say they are intending to find another forum, whereas others claim the database leaked is old or “incomplete,” according to the researchers.

    Flashpoint does not know at this time who hijacked the forum, beyond the likelihood that an online translator may have been used to post the warning message — implying it may not have been a Russian-speaker unless mistakes were deliberate in an effort at misdirection. 
    Maza was previously hacked in 2011. Reports suggested at the time that the forum was compromised by a rival group, DirectConnection, and data belonging to over 2,000 users was leaked. Shortly after, DirectConnection was attacked in its turn. 

    Aleksei Burkov, who has been tied to the alias ‘Kopa,’ is thought to have served as an admin for both forums. Burkov was sentenced to nine years behind bars by US authorities in 2020 for operating the CardPlanet carding forum.
    In January, Russian forum Verified was taken over without warning. The introduction of new domains, temporary open registration, and the silence of old moderators has raised suspicion among some users as to the intentions of the new owners. 
    Users may be justified in such concerns, especially considering law enforcement is now posting ‘friendly’ warnings on hacking forums to discourage illegal activities. 

  • Twitter and Twitch added to list of those concerned with Australia's Online Safety Bill

    Twitter and live streaming service Twitch have joined the mounting list of service providers, researchers, and civil liberties groups that take issue with Australia’s pending Online Safety Bill.
    The Bill, labelled “rushed” in various ways by many providing submissions to the committee now probing its contents, contains six key priority areas: A cyberbullying scheme to remove material that is harmful to children; an adult cyber abuse scheme to remove material that seriously harms adults; an image-based abuse scheme to remove intimate images that have been shared without consent; basic online safety expectations for the eSafety Commissioner to hold services accountable; an online content scheme for the removal of “harmful” material through take-down powers; and an abhorrent violent material blocking scheme to block websites hosting abhorrent violent material.  
    Of concern to both Twitter and Twitch is the absence of due regard to different types of business models and content types, specifically around the power given to the relevant minister to determine basic online safety expectations for social media services, relevant electronic services, and designated internet services.
    “In order to continue to foster digital growth and innovation in the Australian economy, and to ensure reasonable and fair competition, it is critically important to avoid placing requirements across the digital ecosystem that only large, mature companies can reasonably comply with,” Twitter said [PDF].
    Likewise, Twitch believes it is important to consider a sufficiently flexible approach that gives due regard to different types of business models and content types.
    “As evidenced by Australia’s own ongoing content classification review, classification is difficult and fluid,” it wrote [PDF].
    “Twitch is primarily focused on live, user-generated content, which is not submitted for classification. 

    “It is our experience that an enforcement approach based on comprehensive Community Guidelines is most effective for such diverse, interactive, and ephemeral content.”
    Twitter also took issue with the shortening of takedown times from 48 hours to 24 hours.
    It said given the vast types of content covered under the Bill, there may be frequent factors that necessitate a longer review period.
    “The shortened time frame will make it difficult to accommodate procedural checks on possible errors in reports, the removal of legitimate speech, and providing necessary user notices,” it said, commenting that if the idea is to protect the user, this should be understood by the government.
    Pointing to the comment from the eSafety Commissioner that in the administration of current content schemes, her office already experiences prompt removal from online service providers when they are issued with a report, Twitter is confused why it is necessary to further reduce and codify the turnaround time from 48 to 24 hours.
    “As currently drafted, the Bill essentially confers quasi-judicial and law enforcement powers to the eSafety Commissioner without any accompanying guidelines or guardrails around which cases would constitute grounds for the Commissioner to exercise these powers other than the very broad ‘serious harm’ definition,” Twitter noted.
    “Thus, the expansion of the eSafety Commissioner’s powers that are currently proposed under the Bill should be coupled with concomitant levels of oversight.”
    Also on the overreaching powers the eSafety Commissioner is set to get, Twitch said the Bill must be proportionate in the types of content for which notice non-compliance triggers upstream disruption.
    “The app and link deletion powers are appropriately reserved for issues relating to class 1 content. This same proportionate threshold should be replicated in the Commissioner’s power to apply for a Federal Court order, which currently applies to the entire online content scheme (including class 2),” Twitch explained.
    “The most substantial powers should be reserved for the worst content and limited to systemic non-compliance with class 1 notices.
    “Regardless of what threshold is selected, any scheme that justifies mandating the complete removal of a service on the basis of its non-compliance with notices should also take considerable steps to establish confidence that the service is demonstrating actual noncompliance, before proceeding to upstream disruption powers.”
    FACEBOOK WANTS PRIVATE MESSAGING OUT
    Consultation on the draft Bill received 370 submissions, according to Minister Paul Fletcher, but the department has only just begun making them public.
    In the first batch of submissions, hidden among the 52 marked as anonymous, Facebook provided its concern with three areas of the Bill, with one being the expansion of cyberbullying takedown schemes to private messaging.
    It said [PDF] extending the scheme to the likes of its Messenger app is a disproportionate response to bullying and harassment, given the existing protections and tools already available.
    “The eSafety Commissioner and law enforcement already have powers around the worst risks to online safety that can arise in private messages … [most services] provide tools and features to give users control over their safety in private messaging, like the ability to delete unwanted messages and block unwanted contacts,” Facebook wrote.
    “Despite the fact that existing laws allow the most serious abuses of private messaging to be addressed, the draft legislation extends regulatory oversight to private conversations between Australians. Whilst no form of bullying and harassment should be tolerated, we do not believe this type of scheme is suitable for private messaging.”
    The social media giant said human relationships can be very complex and that private messaging could involve interactions that are highly nuanced, context-dependent, and could be misinterpreted as bullying, like a group of friends sharing an in-joke, or an argument between adults currently or formerly in a romantic relationship.
    “It does not seem clear that government regulation of these types of conversations is warranted, given there are already measures to protect against when these conversations become abusive,” it said.
    “Moreover, the policy rationale of the Australian government’s cyberbullying scheme for social media does not apply in the same way to private messaging. Bullying over private messaging cannot go viral in the same way as a piece of bullying content on a public social media platform; and regulators will rarely have the full context to determine whether a private conversation genuinely constitutes bullying.”
    While Facebook’s submission to the inquiry is yet to be published, the company highlighted that what it prepared in its draft response echoed much of what it submitted at the start of the Bill’s initial consultation, as the draft was near identical to the original consultation paper.
    The Bill before Parliament remains mostly unchanged, too.

  • High severity Linux network security holes found, fixed

    Young and rising Linux security developer Alexander Popov of Russia’s Positive Technologies discovered and fixed a set of five security holes in the Linux kernel’s virtual socket (vsock) implementation. A local attacker could use these vulnerabilities (tracked together as CVE-2021-26708) to gain root access, or to crash servers in a Denial of Service (DoS) attack.

    With a Common Vulnerability Scoring System (CVSS) v3 base score of 7.0, high severity, smart Linux administrators will patch their systems as soon as possible. 
    Popov found the bugs on Red Hat’s community distribution Fedora 33 Server, but they live in the mainline kernel itself: every kernel from version 5.5 (the vsock multi-transport code was merged in November 2019) up to and including the then-current mainline release candidate 5.11-rc6 is affected. 
    These holes entered Linux when virtual socket multi-transport support was added. This networking transport facilitates communication between virtual machines (VMs) and their host, and it’s commonly used by guest agents and hypervisor services that need a communications channel that is independent of the VM’s network configuration. That is why cloud VMs, where vsock is routinely present, are squarely in scope, which these days means pretty much everyone.
    The core problem is a set of race conditions (a race condition is a bug in which the system’s behavior depends on the relative timing of events that the programmer does not control) in the vsock code built under the CONFIG_VSOCKETS and CONFIG_VIRTIO_VSOCKETS options. These are shipped as loadable kernel modules in all major Linux distributions, and what makes the problem so serious is that an ordinary, unprivileged user triggers loading of the vulnerable modules simply by creating an AF_VSOCK socket; no special configuration is needed for the vulnerable code to become reachable. 
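    Two checks follow from the description above: is the running kernel’s upstream version inside the affected window, and does an unprivileged AF_VSOCK socket() call really pull the vsock modules in on this host? The script below is an added example, not Positive Technologies’ or the kernel project’s code. The affected-range boundaries are taken from the article (5.5 up to 5.10.12, and 5.11-rc1 through 5.11-rc6, with 5.10.13 and 5.11-rc7 carrying the fix); the module names and the /proc/modules diffing are this example’s own assumptions.

```python
"""Check a Linux host against the CVE-2021-26708 window described above.

Added example, not Positive Technologies' or the kernel project's code.
Two checks: (1) compare the running kernel's version string with the
affected range the article gives (5.5 up to 5.10.12 inclusive, and
5.11-rc1 through 5.11-rc6; 5.10.13 and 5.11-rc7 carry the fix), and
(2) show that an unprivileged socket(AF_VSOCK) call is enough to pull
the vsock modules in, by diffing /proc/modules around the call.  The
version check alone is not conclusive on distribution kernels, which
backport fixes without bumping the upstream version string, so treat a
True result as a prompt to read the distribution's advisory, not as a
verdict.
"""
import os
import re
import socket
from typing import Optional, Tuple

VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")
# The core module plus the virtio transport modules; other transports
# (VMware, Hyper-V) exist but are outside this example's scope.
VSOCK_MODULES = ("vsock", "vmw_vsock_virtio_transport", "vmw_vsock_virtio_transport_common")


def parse_kernel_version(release: str) -> Tuple[int, int, int, Optional[int]]:
    """'5.10.12-arch1-1' -> (5, 10, 12, None); '5.11.0-rc6' -> (5, 11, 0, 6)."""
    m = VERSION_RE.match(release)
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch, rc = m.groups()
    return int(major), int(minor), int(patch or 0), (int(rc) if rc else None)


def in_affected_window(release: str) -> bool:
    """True if the upstream version number lies in the vulnerable range."""
    major, minor, patch, rc = parse_kernel_version(release)
    if (major, minor) < (5, 5):
        return False                        # multi-transport vsock not present yet
    if (major, minor) < (5, 10):
        return True                         # 5.5 - 5.9 contain the code; look for a distro backport
    if (major, minor) == (5, 10):
        return patch < 13                   # fixed in 5.10.13
    if (major, minor) == (5, 11):
        return rc is not None and rc <= 6   # fixed in 5.11-rc7; final 5.11 is clean
    return False


def loaded_vsock_modules() -> set:
    """Names from VSOCK_MODULES that are currently loaded (empty off Linux)."""
    try:
        with open("/proc/modules") as fh:
            loaded = {line.split()[0] for line in fh if line.strip()}
    except OSError:                         # not Linux, or /proc unavailable
        return set()
    return loaded & set(VSOCK_MODULES)


def probe_vsock_autoload() -> Tuple[bool, list]:
    """Create (and immediately close) an AF_VSOCK socket as the current
    user and report which vsock modules that single call caused to load."""
    before = loaded_vsock_modules()
    try:
        sock = socket.socket(socket.AF_VSOCK, socket.SOCK_STREAM)  # no privileges needed
        sock.close()
        created = True
    except (AttributeError, OSError):       # AF_VSOCK unavailable or autoload blocked
        created = False
    return created, sorted(loaded_vsock_modules() - before)


if __name__ == "__main__":
    release = os.uname().release if hasattr(os, "uname") else "unknown"
    try:
        flag = in_affected_window(release)
    except ValueError:
        flag = None
    print(f"kernel {release}: upstream version in affected window: {flag}")
    created, pulled_in = probe_vsock_autoload()
    print(f"AF_VSOCK socket created: {created}; modules autoloaded by that call: {pulled_in}")
    print(f"vsock modules currently loaded: {sorted(loaded_vsock_modules())}")
```

    If the socket is created and the module list grows, the host has exactly the property the article warns about: the vulnerable code becomes reachable on demand by any local account. On a patched kernel the autoload still happens; the difference is only that the loaded code carries the fix, which is why the version and advisory check has to accompany the probe.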
    Popov said, “I successfully developed a prototype exploit for local privilege escalation on Fedora 33 Server, bypassing x86_64 platform protections such as SMEP and SMAP. This research will lead to new ideas on how to improve Linux kernel security.”
    In the meantime, Popov also prepared the patch and revealed the vulnerabilities to the Linux kernel security team. Greg Kroah-Hartman, the stable Linux kernel chief maintainer, accepted the patches into Linux 5.10.13 on February 3. Since then the patch has been merged into mainline kernel version 5.11-rc7 and backported into affected stable trees.

    The patch has also already been incorporated into such popular Linux distributions as Red Hat Enterprise Linux (RHEL) 8, Debian, Ubuntu, and SUSE.
    This is far from the first time Popov discovered and fixed Linux kernel vulnerabilities. Previously, he’s found and repaired CVE-2019-18683 and CVE-2017-2636. Keep up the good work, Popov! 