More stories

  • One-click account takeover vulnerabilities in Atlassian domains patched

    Vulnerabilities that could allow XSS, CSRF, and one-click account takeovers in Atlassian subdomains have been patched. 

    On Thursday, Check Point Research (CPR) said that the bugs were found in the software solutions provider’s online domains, which are used by thousands of enterprise clients worldwide. The Australian vendor provides tools including Jira, a project management system, and Confluence, a document collaboration platform for remote teams.

    The vulnerabilities in question were found in a number of Atlassian-maintained websites, rather than in on-prem or cloud-based Atlassian products. Subdomains under atlassian.com, including partners, developer, support, Jira, Confluence, and training.atlassian.com, were vulnerable to account takeover.

    CPR explained that exploit code using the vulnerabilities in the subdomains could be delivered through a victim clicking on a malicious link. A payload would then be sent on behalf of the victim and the user’s session would be stolen.

    The vulnerable domain issues included a poorly configured Content Security Policy (CSP), parameters vulnerable to XSS, a bypass of the SameSite and HttpOnly cookie mechanisms, and a weak spot that allowed cookie fixation: the ability for attackers to force users to authenticate with session cookies already known to the attacker.

    The researchers say that it was possible to take over accounts accessible through these subdomains via cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks. The vulnerable domains also allowed threat actors to compromise sessions between the client and web server once a user had logged into their account.

    “With just one click, an attacker could have used the flaws to take over accounts and control some of Atlassian’s applications, including Jira and Confluence,” the researchers said.

    The ramifications of these attacks included account hijacking, data theft, actions being performed on behalf of a user, and access to Jira tickets. Atlassian was informed of the team’s findings on January 8, prior to public disclosure. A fix for the impacted domains was deployed on May 18.

    Atlassian told ZDNet: “Based on our investigation, the vulnerabilities outlined impact a limited set of Atlassian-owned web applications as well as a third-party training platform. Atlassian has shipped patches to address these issues and none of these vulnerabilities affected Atlassian Cloud (like Jira or Confluence Cloud) or on-premise products (like Jira Server or Confluence Server).”

    CPR performed the research into Atlassian because of the ongoing issues surrounding supply chain attacks, in which threat actors target a centralized resource used by other companies. If this element can be compromised, as in the case of Codecov, where update code due to be pushed out to clients was tampered with, then a wider pool of potential victims can be reached with little effort.

    SolarWinds, too, is a prime example of how devastating a supply chain attack can be. Approximately 18,000 SolarWinds clients received a malicious SolarWinds Orion software update that planted a backdoor in their systems; however, the attackers cherry-picked a handful of victims for further compromise, including Microsoft, FireEye, and a number of federal agencies.
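The header weaknesses CPR lists (session cookies without HttpOnly, Secure or SameSite, and a CSP that still lets injected inline scripts run) are easy to check for on any response, and cookie fixation is defeated server-side by minting a fresh session id at login rather than promoting the one the client arrived with. The following is an added example, not Check Point’s or Atlassian’s code; the sample headers and the session store are constructed for illustration.

```python
# Added example (not Check Point's or Atlassian's code): a defender-side audit
# of the two response headers behind the issues listed above, plus the
# server-side step that defeats cookie fixation. Sample headers are constructed.
import secrets
from typing import Dict, List, Optional

# Constructed sample headers: a weak set and a hardened set.
WEAK_HEADERS = {
    "Set-Cookie": "JSESSIONID=abc123; Path=/",
    "Content-Security-Policy": "default-src * 'unsafe-inline'; script-src * 'unsafe-inline'",
}
HARDENED_HEADERS = {
    "Set-Cookie": "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'",
}


def audit_cookie(set_cookie: str) -> List[str]:
    """Findings for one Set-Cookie value; attribute names are case-insensitive."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:          # [0] is the name=value pair
        name, _, value = part.strip().partition("=")
        attrs[name.lower()] = value.lower()
    findings = []
    if "httponly" not in attrs:
        findings.append("no HttpOnly: script injected via XSS can read the session cookie")
    if "secure" not in attrs:
        findings.append("no Secure: cookie is also sent over plain HTTP")
    if attrs.get("samesite") not in ("lax", "strict"):
        findings.append("SameSite missing or None: cookie rides along on cross-site (CSRF) requests")
    return findings


def audit_csp(policy: str) -> List[str]:
    """Findings for the script-loading part of a Content-Security-Policy value."""
    directives: Dict[str, List[str]] = {}
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    # script-src falls back to default-src when absent, as browsers do.
    script = directives.get("script-src", directives.get("default-src", []))
    findings = []
    if not script:
        findings.append("no script-src/default-src: CSP does not restrict scripts at all")
    # Browsers ignore 'unsafe-inline' once a nonce or hash is present in the directive.
    has_nonce_or_hash = any(s.startswith("'nonce-") or s.startswith("'sha") for s in script)
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        findings.append("'unsafe-inline' without a nonce or hash: reflected XSS payloads execute")
    if "*" in script:
        findings.append("wildcard script source: any origin may serve scripts")
    return findings


def audit(headers: Dict[str, str]) -> List[str]:
    """All findings for one response's Set-Cookie and CSP headers."""
    return audit_cookie(headers.get("Set-Cookie", "")) + audit_csp(
        headers.get("Content-Security-Policy", "")
    )


class SessionStore:
    """Minimal server-side store (constructed) showing the cookie-fixation defence."""

    def __init__(self) -> None:
        self.sessions: Dict[str, str] = {}

    def login(self, presented_sid: Optional[str], user: str) -> str:
        # The id the client arrived with may have been planted by an attacker
        # (fixation), so it is dropped and never bound to the authenticated user.
        if presented_sid is not None:
            self.sessions.pop(presented_sid, None)
        new_sid = secrets.token_urlsafe(32)
        self.sessions[new_sid] = user
        return new_sid


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit(hdrs) or ["no findings"])
```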

  • Ransomware: Now gangs are using virtual machines to disguise their attacks

    Cyber criminals are increasingly using virtual machines to compromise networks with ransomware.

    By using virtual machines as part of the process, ransomware attackers can conduct their activity with additional subtlety, because running the payload inside a virtual environment reduces the chances of the activity being discovered until it’s too late and the ransomware has encrypted files on the host machine.

    During a recent investigation into an attempted ransomware attack, cybersecurity researchers at Symantec found the ransomware operators had been using VirtualBox, a legitimate open-source virtual machine package, to run instances of Windows 7 to aid the installation of ransomware.

    “The motivation behind the tactic is stealth. In order to avoid raising suspicions or triggering antivirus software, the ransomware payload will ‘hide’ within a VM while encrypting files on the host computer,” Symantec said.

    While a virtual machine runs separately from the machine it’s hosted on, it can have access to the host machine’s files and directories via shared folders, which cyber criminals can exploit to let the payload hosted in the virtual machine encrypt files on the computer itself.

    While researchers haven’t been able to fully identify the ransomware discovered running in a virtual machine, clues as to how the malware operated provided strong indications that it was Conti, a notorious form of ransomware used by cyber criminals in a number of high-profile campaigns, including the ransomware attack against Ireland’s HSE health service.

    However, this wasn’t the only activity detected: researchers found evidence that an attacker had attempted to run Mount Locker ransomware on the host computer. Researchers suggest that the attacker attempted to run Conti via the virtual machine but, when that didn’t work, switched to Mount Locker instead.

    This isn’t the first time ransomware gangs have been spotted using virtual machines to deploy ransomware, but researchers warn that the tactic could make attacks much more difficult to detect.

    “Groups will often mimic others’ tactics if they think they’ve been successful. There may be a belief that some security solutions cannot reliably and consistently detect the ransomware sample executing from inside a virtual machine (VM),” said Dick O’Brien, principal in the Symantec Threat Hunter Team.

    While cyber criminals could target devices that already have virtual machine environments, in this case it appears that they actively downloaded the tools that enable them to run. One way of countering this is to monitor and control what software is installed on machines, so that potentially malicious, yet legitimate, tools can’t be downloaded without approval.

    “Use software inventory and restriction tools that enable them to control what licensed software may be installed. In addition, organizations already using VM software can use enterprise versions of the software that restrict creation of new unauthorized VMs,” said O’Brien.
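The inventory-and-restriction control O’Brien describes, and the shared-folder path the VM technique depends on, can both be checked from data a fleet already collects. Below is an added example, not Symantec’s code: it flags hypervisor installs that the policy does not approve for a host, and VirtualBox commands that map a host directory into a guest. The host names, approval policy, inventory rows and process events are all constructed.

```python
# Added example (not Symantec's code): the inventory-and-restriction control
# described above, applied to constructed data. Flags hypervisors installed
# where policy does not allow them, and VBoxManage calls that expose a host
# directory (the route a payload inside the VM uses to reach host files).
import re
import shlex
from typing import Dict, List, Set, Tuple

HYPERVISORS = {"VirtualBox", "VMware Workstation", "QEMU", "Hyper-V"}

# Constructed approval policy: which hypervisors each host may run.
APPROVED: Dict[str, Set[str]] = {"ws-dev-01": {"VirtualBox"}, "ws-fin-07": set()}

# Constructed software-inventory rows: (host, installed product).
INVENTORY: List[Tuple[str, str]] = [
    ("ws-dev-01", "VirtualBox"),
    ("ws-fin-07", "Microsoft Office"),
    ("ws-fin-07", "VirtualBox"),
]

# Constructed process-creation events: (host, command line).
EVENTS: List[Tuple[str, str]] = [
    ("ws-fin-07", 'VBoxManage.exe createvm --name win7 --register'),
    ("ws-fin-07", 'VBoxManage.exe sharedfolder add "win7" --name share --hostpath "C:\\" --automount'),
    ("ws-dev-01", 'VBoxManage.exe startvm "dev-vm" --type headless'),
    ("ws-dev-01", 'VBoxManage.exe sharedfolder add "dev-vm" --name src --hostpath "D:\\projects\\share"'),
]

DRIVE_ROOT = re.compile(r"^[A-Za-z]:$")


def unapproved_hypervisors(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Hypervisor installs that the policy does not allow on that host."""
    return [
        (host, product)
        for host, product in inventory
        if product in HYPERVISORS and product not in APPROVED.get(host, set())
    ]


def shared_folder_adds(events: List[Tuple[str, str]]) -> List[Dict[str, object]]:
    """VBoxManage 'sharedfolder add' invocations and the host path each exposes.

    A drive root gives the guest everything on that volume, which is the reach a
    ransomware payload needs to encrypt the host's files from inside the VM.
    """
    hits = []
    for host, cmdline in events:
        # posix=False keeps Windows backslashes literal; quotes are stripped after.
        argv = [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]
        if len(argv) < 3 or argv[1].lower() != "sharedfolder" or argv[2].lower() != "add":
            continue
        hostpath = argv[argv.index("--hostpath") + 1] if "--hostpath" in argv else ""
        hits.append({
            "host": host,
            "hostpath": hostpath,
            "drive_root": bool(DRIVE_ROOT.match(hostpath.rstrip("\\/"))),
            "approved_host": "VirtualBox" in APPROVED.get(host, set()),
        })
    return hits


def review() -> List[str]:
    """Human-readable findings from both checks."""
    findings = [f"{h}: {p} installed but not approved" for h, p in unapproved_hypervisors(INVENTORY)]
    for hit in shared_folder_adds(EVENTS):
        scope = "entire drive" if hit["drive_root"] else "directory"
        status = "approved host" if hit["approved_host"] else "UNAPPROVED host"
        findings.append(f"{hit['host']}: VM given {scope} access to {hit['hostpath']} ({status})")
    return findings


if __name__ == "__main__":
    for line in review():
        print(line)
```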

  • Australian law enforcement found to have issues with data destruction

    The Commonwealth Ombudsman’s Report to the Minister for Home Affairs on agencies’ compliance with the Surveillance Devices Act 2004, for the period 1 July to 31 December 2020 appeared this week, with three of the four law enforcement agencies inspected having issues with destroying data.

    The report [PDF] looked at the Australian Federal Police (AFP), the South Australian Police, the Australian Criminal Intelligence Commission (ACIC), and the Australian Commission for Law Enforcement Integrity (ACLEI). Only the ACLEI law enforcement watchdog passed with flying colours.

    For ACIC, the Ombudsman found three instances where protected information was not destroyed as soon as practicable. It added that each time this occurred, there was a “significant delay” between the authorisation and destruction of data.

    “We identified one instance where protected information was not destroyed within five years,” the report said.

    “The ACIC disclosed seven additional instances it did not destroy protected information within five years.”

    The report also found issues with the records that agencies keep to detail actions taken under a warrant or tracking device authorisation, which are meant to show that agencies are acting lawfully.

    “The computer access warrant action sheets we inspected did not provide sufficient information for us to understand what actions were taken under the warrant, or to confirm that the correct devices were accessed,” the report said.

    “As a result, we could not verify that the computers the ACIC targeted were those it was authorised to access under the warrant.”


    For the AFP, the Ombudsman found four instances where it did not destroy information after authorisation for more than a month, and one instance where it took over five months.

    “Further, the AFP did not destroy protected information or certify it for retention within five years,” the report states.

    “In three instances the AFP did not destroy the records until more than five years after the warrant was issued and could not provide files to demonstrate the protected information was certified for retention within five years.

    “In the remaining instance, the AFP certified the protected information for destruction within five years but did not complete the destruction until after the five year period.”

    The inspection found instances where the AFP reported destroying data, but the Ombudsman found the warrant had not been executed or no information had been obtained from it. The AFP also had issues with its action sheets.

    The report found the AFP was still conducting surveillance in foreign jurisdictions without lawful approval.

    “While the AFP disclosed this instance of non-compliance, it did not quarantine the associated data until prompted to do so during our inspection,” the report said.

    “We suggested the AFP quarantine any unlawfully obtained data as soon as it identifies it.”

    “We identified that, while the surveillance device was first used extraterritorially on 17 December 2019, the AFP did not send written correspondence to the Attorney-General until 19 May 2020.”

    The report said the AFP quarantined the data it had retrieved only after the Ombudsman’s inspection.

    The AFP also disclosed two instances where data was collected outside of a warrant. It also disclosed two instances where it failed to inform its overseeing minister of a warrant or authorisation ceasing, with the Ombudsman later finding another two instances.

    With the South Australian Police, the Ombudsman found there was no process to destroy records.

    “SA Police informed us it does not have staff delegated to perform the functions of the chief officer under s 46(1)(b) of the Act,” the report said.

    “SA Police advised it requested internal legal advice about its delegations more than 12 months prior to our inspection and had been told not to proceed with any destructions until that advice was given.”

    The SA force said it was gaining the relevant delegation and would start destruction as soon as the instrument was ratified.


  • Antivirus pioneer John McAfee reportedly found dead in prison

    John McAfee, the developer and programmer behind one of the first commercial antivirus tools, was found dead in a prison cell in Barcelona, according to Spanish newspaper El Pais.

    Government officials told the newspaper that the 75-year-old was being held in Brians 2 prison in Sant Esteve de Sesrovires when guards found him dead and were unable to resuscitate him. El Diario confirmed the announcement.

    “The judicial procession has traveled to the prison and is investigating the causes of death. Everything indicates that it could be a death by suicide,” the statement said, according to El Diario. While the initial notice from the regional Catalan government did not name McAfee, a source within the Catalan government confirmed it was him to the Associated Press.

    The controversial technologist was awaiting extradition to the US after the Department of Justice indicted him in March on a litany of charges related to tax evasion and fraud. He was facing nearly 30 years in prison. He was arrested by Spanish National Police at El Prat airport in October as he tried to flee to Turkey.

    Today, the Spanish National Court approved an extradition request for McAfee, according to AFP. “The court agrees to grant the extradition of John David McAfee as requested by the American judicial authorities for the crimes referred to in the tax offense indictments for years 2016 to 2018,” the ruling said, according to AFP.

    McAfee founded and ran software company McAfee Associates from 1987 to 1994, creating McAfee’s first commercial antivirus software. He resigned from the company and went on to found dozens of other enterprises. He repeatedly caused controversy through statements made on his Twitter account.

    The Department of Justice said McAfee had not paid taxes on millions of dollars made through a cryptocurrency scheme and had defrauded investors in the enterprise. Manhattan US Attorney Audrey Strauss said McAfee used his Twitter account to publish messages touting various cryptocurrencies “through false and misleading statements to conceal their true, self-interested motives.”

    “McAfee, Watson, and other members of McAfee’s cryptocurrency team allegedly raked in more than $13 million from investors they victimized with their fraudulent schemes,” Strauss said in March.

    In his last message on Twitter, from June 16, McAfee continued to deny the charges. “The US believes I have hidden crypto. I wish I did but it has dissolved through the many hands of Team McAfee (your belief is not required), and my remaining assets are all seized. My friends evaporated through fear of association. I have nothing. Yet, I regret nothing,” he wrote.

  • ChaChi: a new GoLang Trojan used in attacks against US schools

    A new Trojan written in the Go programming language has pivoted from attacks against government agencies to US schools.

    The research team from BlackBerry Threat Research and Intelligence said on Wednesday that the malware, dubbed ChaChi, is also being used as a key component in launching ransomware attacks.

    ChaChi is written in GoLang (Go), a programming language that is now being widely adopted by threat actors in a shift away from C and C++ because of its versatility and the ease of cross-platform code compilation. According to Intezer, there has been roughly a 2,000% increase in Go-based malware samples over the past few years.

    “As this is such a new phenomenon, many core tools to the analysis process are still catching up,” BlackBerry noted. “This can make Go a more challenging language to analyze.”

    ChaChi was spotted in the first half of 2020, and the original variant of the Remote Access Trojan (RAT) has been linked to cyberattacks against French local government authorities, listed by CERT France in an Indicators of Compromise (IoC) report (PDF); but now a far more sophisticated variant has appeared. The latest samples available have been connected to attacks launched against large US schools and education organizations.

    In comparison to the first variant of ChaChi, which had poor obfuscation and low-level capabilities, the malware is now able to perform typical RAT activities, including backdoor creation and data exfiltration, as well as credential dumping via the Windows Local Security Authority Subsystem Service (LSASS), network enumeration, DNS tunneling, SOCKS proxy functionality, service creation, and lateral movement across networks. The malware also makes use of a publicly accessible GoLang tool, gobfuscate, for obfuscation purposes.

    ChaChi takes its name from Chashell and Chisel, two off-the-shelf tools used by the malware during attacks and modified for these purposes. Chashell provides a reverse shell over DNS, whereas Chisel is a port-forwarding tool.

    BlackBerry researchers believe the Trojan is the work of PYSA/Mespinoza, a threat group that has been around since 2018. This group is known for launching ransomware campaigns and using the extension .PYSA, standing for “Protect Your System Amigo,” on encrypted victim files. The FBI has previously warned of an increase in PYSA attacks against both UK and US schools.

    Generally, the team says that PYSA focuses on “big game hunting”: picking lucrative targets with big wallets able to pay vast amounts when a ransom is demanded. These attacks are targeted and are often controlled by a human operator rather than left to automated tools.

    “This is a notable change in operation from earlier notable ransomware campaigns such as NotPetya or WannaCry,” the researchers say. “These actors are utilizing advanced knowledge of enterprise networking and security misconfigurations to achieve lateral movement and gain access to the victim’s environments.”

  • IT leaders say cybersecurity funding being wasted on remote work support: survey

    IT leaders are taking issue with the amount of cybersecurity money their organizations are spending to support remote work, according to a new survey from JumpCloud.

    On Wednesday, the company released the findings of its 2021 State of the SME IT Admin Report, which featured the responses of 401 IT decision-makers at small and medium-sized enterprises, collected in April. Those surveyed include managers, directors, vice presidents, and executives.

    More than 60% of respondents said their enterprise was paying “for more tooling than they need” to manage user identities, while another 56% said too much was being spent on enabling remote work. Respondents were more split on their top concerns, with 39% referencing software vulnerabilities, 37% expressing concern about reused usernames and passwords, and 36% mentioning unsecured networks. Another 29% said device theft was also a concern.
    Nearly one-fourth of all respondents said their organization was adopting a Zero Trust security approach, and 33% said they were in the process of incorporating it. MFA is also popular among respondents, with 53% saying they require MFA across everything.

    Much of the study focused on employees who are now using both personal and work devices while also accessing company resources from devices outside the corporate security perimeter. Rajat Bhargava, CEO of JumpCloud, attributed the responses to the situation IT administrators faced during COVID-19.

    “Remote work put enormous pressure on admins and organizations, and now that the work landscape has changed permanently, the top priority for SMEs is to address those challenges,” Bhargava said. “IT professionals’ 2021 priorities of layered security for more secure work-from-anywhere, making remote work easier, and more efficient device management underscore the need for a more consolidated, platform-based approach to IT that reduces complexities and cost.”

    According to more than 50% of survey respondents, IT budgets will be devoted overwhelmingly to supporting remote management, security, and cloud services. More than 73% of respondents said remote work allowed employees to develop bad security practices, and managing remote workers has become one of the biggest challenges for IT administrators. Two-thirds of all IT managers reported feeling “overwhelmed” with managing remote workers.

    “IT admins turn to MSPs in droves: 84% of respondents said they have already or plan to engage an MSP. 34% engaged an MSP to manage the IT stack completely; 30% engaged an MSP to support internal IT teams/individuals, and 21% said they are exploring what an MSP can do to support IT better,” the company explained.

    “Most common reasons to use MSPs are: for security (51%); employee hardware (46%); and cloud services (46%). Nearly 75% say their IT budgets increased in the past year, while only 38% saw their own salaries increase. In fact, 26% say they’re being paid less. Despite all they’ve gone through, a clear majority report they’re actually happier in their work (58.6%). Only 17% say they’re less happy.”

  • MITRE ATT&CK unveils Workbench sharing tool and NSA-backed D3FEND

    The MITRE Corporation announced the release of a new tool that will help cybersecurity users add their own knowledge and experiences to ATT&CK. Jon Baker, the director of research for the Center for Threat-Informed Defense, wrote a blog post about the tool, named ATT&CK Workbench, explaining that it was built because sophisticated users of MITRE ATT&CK have “struggled to integrate their organization’s local knowledge of adversaries and their tactics, techniques, and procedures with the public ATT&CK knowledge base.”

    Richard Struse, director of the Center for Threat-Informed Defense for MITRE Engenuity, told ZDNet the idea for this project came from conversations with organizations that use ATT&CK as a way to organize their security posture.

    “Some of them were struggling with managing two different views: the ‘official’ MITRE ATT&CK knowledge base based on publicly-reported adversary behavior and their own internal knowledge of adversaries and their TTPs,” Struse said. “We saw that a lot of time and effort was being spent trying to manually integrate these two and we felt that a solution that gave people a ‘single pane of bits’ that they could use to manage their threat-intel would have a significant positive impact on the security community. Our members concurred and this led to the creation of this R&D project.”

    Struse added that having a modern, API-driven platform to organize and manage all adversary TTP-related threat intelligence will make it that much easier for organizations to fully integrate ATT&CK into their processes. “ATT&CK Workbench has the potential to fundamentally improve and accelerate the use of ATT&CK by security practitioners around the world,” Struse said.

    The effort was sponsored by Microsoft, Verizon, JPMorgan Chase, AttackIQ, and HCA Healthcare, originally starting as a research project. Baker said Workbench was an easy-to-use open-source tool that allows organizations to manage and extend their own local version of ATT&CK and keep it synchronized with the ATT&CK knowledge base.

    “Workbench allows users to explore, create, annotate, and share extensions of the ATT&CK knowledge base. Organizations or individuals can initialize their own instances of the application to serve as the centerpiece to a customized variant of the ATT&CK knowledge base, attaching other tools and interfaces as desired,” Baker wrote. “Through the Workbench this local knowledge base can be extended with new or updated techniques, tactics, mitigations, groups, and software. Additionally, Workbench provides means for a user to share their extensions with the greater ATT&CK community facilitating a greater level of collaboration within the community than is possible with current tools.”

    If an organization uses ATT&CK for security operations, actively tracks threats against ATT&CK or plans security investments based on ATT&CK, then the Workbench tool is suggested, Baker added. The center was able to add a note-taking capability to the Workbench platform which allows users to put annotations in their copy of ATT&CK related to matrices, techniques, tactics, mitigations, groups, and software.

    Baker explained that data created within Workbench can be incorporated into existing ATT&CK data: new groups or software can be connected to existing techniques through procedure examples, or new sub-techniques can be created under existing ATT&CK techniques. Through Workbench, users will also be able to publish their work and share it with others who may be in a similar situation. Other users can then subscribe to certain collections of notes in ATT&CK data.
    Baker said the center is planning to continue adding to the platform throughout 2021 and was eager to see how users responded to the tool.

    In addition to Workbench, MITRE announced a new NSA-funded project called D3FEND. In a statement, the NSA said D3FEND is “a framework for cybersecurity professionals to tailor defenses against specific cyber threats is now available through MITRE.” The NSA worked with MITRE to harden the defenses of the National Security Systems, the Department of Defense, and the Defense Industrial Base.

    “The D3FEND technical knowledge base of defensive countermeasures for common offensive techniques is complementary to MITRE’s ATT&CK, a knowledge base of cyber adversary behavior,” the NSA said in a statement. “D3FEND establishes terminology of computer network defensive techniques and illuminates previously-unspecified relationships between defensive and offensive methods. This framework illustrates the complex interplay between computer network architectures, threats, and cyber countermeasures.”

    MITRE added that it released D3FEND as a complement to the ATT&CK framework and said it provides a model of different ways organizations can combat offensive techniques. The creation of D3FEND, according to the NSA, will help “drive more effective design, deployment, and defense of networked systems writ large.”

    “Frameworks such as ATT&CK and D3FEND provide mission-agnostic tools for industry and government to conduct analyses and communicate findings,” the NSA statement said. “Whether categorizing adversary behavior or detailing how defensive capabilities mitigate threats, frameworks provide common descriptions that empower information sharing and operational collaboration for an ever-evolving cyber landscape.”

  • Microsoft warns: Now attackers are using a call centre to trick you into downloading ransomware

    Microsoft’s cybersecurity researchers are now on the hunt for BazarCall, a criminal group that’s using call centers to infect PCs with BazarLoader, a malware loader that’s been used to distribute ransomware. BazarCall (or Bazacall) actors have been active since January and were notable because they used call center operators to guide victims into installing BazarLoader on a Windows PC.

    Palo Alto Networks’ Brad Duncan recently detailed the group’s techniques in a blog post. As he describes, the malware provides backdoor access to an infected Windows device: “After a client is infected, criminals use this backdoor access to send follow-up malware, scan the environment and exploit other vulnerable hosts on the network,” Duncan noted.

    Usually, the attack starts with phishing emails advising the victim that a trial subscription has expired and that they will be automatically charged a monthly fee unless they call a number to cancel the trial.

    The group’s activity has now caught the attention of Microsoft’s Security Intelligence team. Microsoft’s focus is on the group’s phishing emails that target Office 365 users. The example it shows is an email purporting to be from a tech firm claiming that the victim has downloaded a demo version that will expire in 24 hours, at which point they will be charged for the software.

    We’re tracking an active BazaCall malware campaign leading to human-operated attacks and ransomware deployment. BazaCall campaigns use emails that lure recipients to call a number to cancel their supposed subscription to a certain service. pic.twitter.com/RS5wGSndhv— Microsoft Security Intelligence (@MsftSecIntel) June 22, 2021

    “When recipients call the number, a fraudulent call center operated by the attackers instructs them to visit a website and download an Excel file in order to cancel the service. The Excel file contains a malicious macro that downloads the payload,” Microsoft Security Intelligence explains.

    Microsoft’s security team has also observed the group using the Cobalt Strike penetration testing kit to steal credentials, including the Active Directory (AD) database. Cobalt Strike is frequently used for lateral movement on a network after an initial compromise. The AD theft is a big deal for the enterprise, since the database contains an organization’s identity and credential information.

    Microsoft has published a GitHub page for publicly sharing details about the BazarCall campaign as it tracks it. It’s updating details about the phishing emails, use of Cobalt Strike for lateral movement, malicious Excel macros, Excel delivery techniques, and use of Windows NT Directory Services, or NTDS, to steal AD files.