More stories

    RotaJakiro: A Linux backdoor that has flown under the radar for years

    A Linux backdoor recently discovered by researchers has avoided VirusTotal detection since 2018.

    Dubbed RotaJakiro, the Linux malware has been described by the Qihoo 360 Netlab team as a backdoor targeting 64-bit Linux systems. RotaJakiro was first detected on March 25 when a Netlab distributed denial-of-service (DDoS) botnet C2 command tracking system, BotMon, flagged a suspicious file. At the time of discovery, there were no malware detections on VirusTotal for the file, despite four samples having been uploaded — two in 2018, one in 2020, and another in 2021.

    Netlab researchers say the Linux malware varies its use of encryption to fly under the radar, combining ZLIB compression with AES, XOR, and key rotation during its activities, such as the obfuscation of command-and-control (C2) server communication.

    At present, the team says that it does not know the malware’s “true purpose” beyond a focus on compromising Linux systems. There are 12 functions in total, including exfiltrating and stealing data, file and plugin management — including query/download/delete — and reporting device information.

    However, the team cites a “lack of visibility” into the plugins that is preventing a more thorough examination of the malware’s overall capabilities.

    Netlab described the backdoor’s functions and encryption as follows: “At the coding level, RotaJakiro uses techniques such as dynamic AES, double-layer encrypted communication protocols to counteract the binary & network traffic analysis. At the functional level, RotaJakiro first determines whether the user is root or non-root at run time, with different execution policies for different accounts, then decrypts the relevant sensitive resources using AES & ROTATE for subsequent persistence, process guarding and single instance use, and finally establishes communication with C2 and waits for the execution of commands issued by C2.”

    In addition, RotaJakiro treats root and non-root users on compromised systems differently and changes its persistence methods depending on which account it runs under. For example, when running under a root account, a new process may be created to automatically respawn configuration files, whereas in a non-root scenario, two separate processes are created to monitor and, if necessary, restore each other.

    Netlab has also suggested links to the Torii botnet due to some coding similarities in commands and traffic management.

    At the time of writing, six out of 61 VirusTotal engines now detect the backdoor’s files as malicious. Further analysis can be found at Intezer.

    Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

    Accenture acquires French cybersecurity firm Openminded

    Accenture has announced its intention to acquire French cybersecurity firm Openminded.

    Announced on Thursday, the services and consultancy company said the purchase will expand the Accenture security arm’s presence in France and into Europe as a whole. Financial terms of the deal were not disclosed.

    Founded in 2008, Openminded provides cybersecurity services including management, consultancy, and cloud & infrastructure solutions with a focus on risk analysis, remediation, and regulatory compliance. Openminded reported a €19 million turnover during the 2020 financial year. The company has roughly 105 employees and 120 clients including Sephora, Talan, and Thales.

    Once the deal has been finalized, Openminded’s staff will join Accenture Security’s existing workforce.

    “Joining forces with Accenture is a great opportunity for our teams and our clients,” commented Hervé Rousseau, Openminded founder and CEO. “The alliance of our talent and capabilities perfectly leverages our expertise and would allow us to deliver on a global scale. Today, the fight against cyberattacks requires the implementation of the most advanced technologies, as well as the human resources to make them efficient.”

    The deal is subject to standard closing conditions.

    Earlier this month, Accenture acquired cloud analytics firm Core Compete. The vendor leverages machine learning (ML) and artificial intelligence (AI) to provide managed services, cloud data warehousing, data analysis tools, and SAS on cloud services. The latest acquisition builds upon the purchase of Businet System, Real Protect, and Wolox this year, among other companies.

    Senate committee wants further protections inserted into Australia's data-sharing scheme

    The Senate committee probing Australia’s pending data-sharing laws has asked for further protections to be inserted before legislation is passed.

    The Data Availability and Transparency Bill 2020 establishes a new data sharing scheme which will serve as a “pathway and regulatory framework” for sharing public sector data for three permitted purposes, subject to new safeguards and enforcement mechanisms. The three purposes are: improving government service delivery, informing government policy and programs, and research and development. However, the Bill also precludes data sharing for certain enforcement-related purposes, such as law enforcement investigations and operations. The Bill also does not authorise data sharing for purposes that relate to or could jeopardise national security, including the prevention or commission of terrorism and espionage. Before data is shared, the data custodian must be content that the recipient fulfils the requirements for accepting that data.

    In a report [PDF] on the Bill, the Senate Finance and Public Administration Committee said it is of the view that a “proportionate and balanced data sharing scheme with appropriate privacy and security safeguards would help bring Australia into line with international best practice for data sharing in regard to government service delivery, policy and program development, and research purposes”. However, the committee is mindful that for a data sharing scheme to be successful and trusted by the community it must be underpinned by strong and effective safeguards and protections for privacy and security.

    The committee made three recommendations to the government, with the first asking for assurances to be provided regarding appropriate ongoing oversight by security agencies of data sharing agreements and the potential security risks. “The committee considers that it is imperative that national security concerns related to access to data have been fully considered and appropriately managed, particularly given the current concerns about cybersecurity and the covert influence of foreign actors in the university and research sector,” the report says.

    The second recommendation asks that any relevant findings of the Parliamentary Joint Committee on Intelligence and Security’s current inquiry into national security risks affecting the Australian higher education and research sector are taken into account as part of the development of any additional data codes and guidance material, and that they inform continued engagement with the national security community.

    The committee also asks that consideration is given to whether amendments could be made to the Bill, or further clarification added to the explanatory memorandum, to provide additional guidance regarding privacy protections, particularly in relation to the de-identifying of personal data that may be provided under the Bill’s data-sharing scheme. “The committee notes that the intention of the Bill is to provide a high-level, principles-based framework to facilitate the sharing of government data, and that in addition to the proposed legislative privacy protections in the Bill, many other potential privacy concerns would be addressed through further protections prescribed in regulation and guidance material, and in the exercise of appropriate judgement and controls by scheme users,” it wrote. “However, despite these layers of protection, it is evident that some stakeholders believe further privacy protections should be prescribed in legislation or specifically addressed in the EM to the Bill.”

    The Bill, as well as the Data Availability and Transparency (Consequential Amendments) Bill, were both introduced to Parliament in December, after two years of consultation. Critics have labelled the data-sharing scheme as reflecting the ongoing erosion of Australian privacy law in favour of bureaucratic convenience.

    Apple patches macOS Gatekeeper bypass vulnerability exploited in the wild

    Apple has issued a slew of security fixes resolving issues including an actively exploited zero-day flaw and a separate Gatekeeper bypass vulnerability. 

    The Cupertino, Calif.-based giant’s latest security patch round, macOS Big Sur 11.3, was issued on Monday. One of the most notable fixes is for a vulnerability found by Cedric Owens. Tracked as CVE-2021-30657, the vulnerability allows attackers to bypass Gatekeeper, Apple’s built-in protection mechanism for code signing and verification.

    In a Medium blog post, Owens describes how threat actors could “easily craft” a macOS payload that is not checked by Gatekeeper. “This payload can be used in phishing and all the victim has to do is double click to open the .dmg and double-click the fake app inside of the .dmg — no pop-ups or warnings from macOS are generated,” the researcher said.

    Working with security expert Patrick Wardle, the duo then realized the root of the issue is a logic bug in the policy subsystem (syspolicyd) that permitted malicious apps to bypass Apple’s security mechanism. “Though unsigned (and unnotarized) the malware is able to run (and download & execute 2nd-stage payloads), bypassing all File Quarantine, Gatekeeper, and Notarization requirements,” Wardle noted.

    According to Wardle and Jamf researchers, the vulnerability has unfortunately been exploited in the wild as a zero-day for months. The malware in question is Shlayer, adware which has recently been re-packaged to exploit CVE-2021-30657. It is thought the vulnerability may have been exploited since January 9 this year. The vulnerability was reported on March 25 and was patched on March 30. “Kudos to Apple for quickly fixing the bug I reported to them,” Owens said on Twitter. Apple said within its security advisory that the vulnerability was patched through “improved state management.”

    A separate vulnerability of note is CVE-2021-1810, discovered in late 2020 by F-Secure researchers. This security flaw can also be used to bypass macOS Gatekeeper’s code signature and notarization checks. The company has chosen not to release the technical details of the bug until users have more time to update their software. However, the team says that a crafted, malicious .zip file — sent via phishing, for example — is all that is required to trigger the vulnerability.

    “Any software distributed as a .zip file could contain an exploit for this vulnerability,” F-Secure says. “There are a few mitigating factors though. For one, applications downloaded via Apple’s App Store are not affected by this issue. Similarly, applications delivered as macOS Installer packages (.pkg, .mpkg) contain an installer certificate which is verified independently from Gatekeeper.” There is currently no evidence of CVE-2021-1810 being exploited in the wild.

    In February, Apple issued a fix for a vulnerability in the installer for Big Sur 11.2/11.3 which could have led to severe data loss.

    Alongside security fixes for macOS, Apple also introduced data collection limitations in iOS 14.5, a feature that is proving to be controversial. The system, dubbed App Tracking Transparency (ATT), has now been rolled out following a lengthy beta. ATT requires apps to obtain explicit consent to track users across different apps and services beyond their own platforms. As a result, the move is likely a blow to organizations that offer targeted advertising, which is only made possible by creating detailed profiles of users and their online habits. Facebook has proven to be one of ATT’s most vocal critics.

    Emotet botnet harvested 4.3 million email addresses. Now the FBI is using Have I Been Pwned to alert the victims

    The FBI has handed over 4.3 million email addresses that were harvested by the Emotet botnet to the Have I Been Pwned (HIBP) service to make it easier to alert those affected. HIBP, run by Australian security researcher Troy Hunt, is a widely trusted breach alert service that underpins Mozilla’s own Firefox breach-alert notifications.

    The FBI collected the email addresses from Emotet’s servers following a takedown in January. The Emotet malware botnet was taken down by law enforcement in the US, Canada and Europe, disrupting what Europol said was the world’s most dangerous botnet, one that had been plaguing the internet since 2014. Emotet was responsible for distributing ransomware, banking trojans and other threats through phishing and malware-laden spam.

    In January, law enforcement in the Netherlands took control of Emotet’s key domains and servers, while Germany’s Bundeskriminalamt (BKA) federal police agency pushed an update to about 1.6 million computers infected with Emotet malware that this week activated a kill switch to uninstall that malware.

    Hunt says in a blog post that the FBI handed him “email credentials stored by Emotet for sending spam via victims’ mail providers” as well as “web credentials harvested from browsers that stored them to expedite subsequent logins”.

    The email addresses and credentials have been loaded into HIBP as a single “breach”, even though it is not the typical data breach for which the site collects credentials and email addresses. HIBP currently contains 11 billion ‘pwned’ accounts from a range of data breaches that have happened over the past decade, such as MySpace and LinkedIn’s 2012 breach, as well as huge credential-stuffing lists found on the internet that are used by criminals to hijack accounts with previously breached email addresses and passwords. Credential stuffing takes advantage of people using common passwords like 1234567, or reusing passwords across multiple accounts.

    Hunt has tagged this breach as “sensitive” on HIBP, which means the email addresses are not publicly searchable. “HIBP enables you to discover if your account was exposed in most of the data breaches by directly searching the system. However, certain breaches are particularly sensitive in that someone’s presence in the breach may adversely impact them if others are able to find that they were a member of the site. These breaches are classed as “sensitive” and may not be publicly searched,” the site states in its definition of “sensitive breach”. “Individuals will either need to verify control of the address via the notification service or perform a domain search to see if they’re impacted,” noted Hunt. “I’ve taken this approach to avoid anyone being targeted as a result of their inclusion in Emotet,” he added. “All impacted HIBP subscribers have been sent notifications already.”

    ZDNet has reached out to Hunt, who was not available at the time of publishing.

    For individuals or organisations that find their details in the data, Hunt suggests:

      • Keep security software such as antivirus up to date with current definitions.
      • Change your email account password, and change passwords and security questions for any accounts you may have stored in either your inbox or browser, especially those for services such as banking.
      • For administrators with affected users, refer to the YARA rules released by DFN-CERT.

    Linux kernel vulnerability exposes stack memory, causes data leaks

    An information disclosure vulnerability in the Linux kernel can be exploited to leak data and act as a springboard for further compromise. 

    Disclosed by Cisco Talos researchers on Tuesday, the bug is described as an information disclosure vulnerability “that could allow an attacker to view Kernel stack memory.” The kernel is a key component of the open source Linux operating system.

    The vulnerability, tracked as CVE-2020-28588, was found in the /proc/pid/syscall functionality of 32-bit ARM devices running the OS. According to Cisco, the issue was first found in a device running on Azure Sphere. Attackers seeking to exploit the security flaw could read the /syscall file via procfs, the virtual filesystem used for interfacing with kernel data structures. The /syscall procfs entry could be abused if attackers launch commands that output 24 bytes of uninitialized stack memory, leading to a bypass of Kernel Address Space Layout Randomization (KASLR).

    The researchers say this attack is “impossible to detect on a network remotely” as it is a legitimate Linux operating system file being read. “If utilized correctly, an attacker could leverage this information leak to successfully exploit additional unpatched Linux vulnerabilities,” Cisco added.

    Linux kernel versions 5.10-rc4, 5.4.66, and 5.9.8 are impacted, and a patch was merged on December 3 to tackle the bug. Users are urged to update their builds to later versions.

    In related news this month, the Linux Foundation has banned University of Minnesota (UMN) developers from submitting work to the Linux kernel after a pair of graduate students were caught deliberately submitting buggy patches to the project. Submitted for the purposes of a research paper, “On the Feasibility of Stealthily Introducing Vulnerabilities in Open-Source Software via Hypocrite Commits,” the incident did result in a swift apology from UMN — but forgiveness for the act, considered to have been made in ‘bad faith,’ is far from assured. The paper was due to be presented at the 42nd IEEE Symposium on Security and Privacy but has since been withdrawn.

    Microsoft mulls over tweaks to threat data, code-sharing scheme following Exchange Server debacle

    Microsoft is reportedly considering revisions to a threat and vulnerability sharing program suspected of being a key factor in widespread attacks against Exchange servers. 

    The Microsoft Active Protections Program (MAPP) is a program for security software providers and partners which gives participants early access to vulnerability and threat intelligence. MAPP, which includes 81 organizations, was intended to give other companies the chance to develop strategies and to deploy necessary protections before vulnerabilities are made public.

    “MAPP partners receive advance security vulnerability information for those vulnerabilities slated to be addressed in Microsoft’s regularly scheduled monthly security update releases,” the company says. “This information is provided as a package of documents that outline what Microsoft knows about the vulnerabilities. This includes the steps used to reproduce the vulnerability as well as the steps used to detect the issue. Periodically, Microsoft might also provide proof-of-concept or tools to further illuminate the issue and help with additional protection enhancement.”

    However, MAPP has recently come under scrutiny as the potential source of a leak of exploit code — either accidental or deliberate — later weaponized during the Microsoft Exchange Server incident. Microsoft issued emergency patches for the now-infamous four critical zero-day bugs (“ProxyLogon”) in Exchange on March 2.

    According to six people close to the matter, as reported by Bloomberg, Microsoft is considering revisions to the program that could alter how and when information concerning vulnerabilities in the vendor’s products is shared. The publication says that Microsoft fears participants may have “tipped off” threat actors after critical Exchange Server vulnerabilities were shared with partners privately in February. At least two Chinese companies are involved in the probe. At the time, reports suggested that proof-of-concept (PoC) code shared with MAPP participants contained “similarities” to exploit code later used in attacks.

    MAPP sets out different tiers for participants, which determine what information is shared and when — ranging from weeks ahead of disclosure to days. Potential revisions to the program could include shuffling participants and their level of entry, a reassessment of what Microsoft will share in the future, or potentially the inclusion of code-based ‘watermarks’ that could be used to trace data distribution — and any subsequent leaks.

    The company attributed the first wave of attacks against Exchange servers to Hafnium, a Chinese state-sponsored threat group — later joined by at least 10 other advanced persistent threat (APT) groups including LuckyMouse, Tick, and Winnti Group. It wasn’t long before an estimated 60,000 organizations were compromised, and as of March 12, roughly 82,000 internet-facing servers remained unpatched. Post-exploitation activities include the installation of backdoors and web shells, ransomware deployment, and cryptocurrency miners.

    Microsoft declined to comment.

    Shorten wants Morrison to pivot social media 'evil' remark to fighting online harms to kids

    Over the weekend at a Christian convention, Australian Prime Minister Scott Morrison declared social media could be used as a weapon by the “evil one” against young people.

    Answering questions following his address to the National Press Club (NPC) on Wednesday, former Opposition Leader Bill Shorten took the opportunity to expand on where he thinks Morrison should take such a remark. “I was interested to the reference to the ‘evil one’ in social media. What I’d like to do is take that fairly unspecified reference and — something I’ve been thinking about for a while, is that there are some evil things on the internet,” he said. “Children have too easy access to pornography in this country online … I think a lot of parents are oblivious.”

    According to Shorten, the average age that “little Australian boys” are exposed to porn online is 13. He said simply saying to parents, “Watch what your kid’s eyeballs are on the whole time” is a “tad unrealistic as we’ve created the iPad babysitter”.

    “I think that if Mr Morrison wants to perhaps materialise that general reference to evil, let’s make it harder for our Aussie kids to access pornography online — I’m not making a reflection about adults and pornography, I’m not a censor, I’m not going down that path at all, but children shouldn’t be getting their sex education from hardcore pornography — and it’s something that I know I’m going to take up and I’m sure others will,” the Shadow Minister for Government Services said. “This could be something that Mr Morrison could turn from Sunday service into seven days a week campaign.”

    Shorten pointed to work underway by the eSafety Commissioner Julie Inman Grant as helping thwart this “evil”.

    The House of Representatives Standing Committee on Social Policy and Legal Affairs closed its inquiry into age verification for online wagering and online pornography last year, tabling a report [PDF] in February 2020. Making a total of six recommendations, the committee asked the Digital Transformation Agency (DTA), in consultation with the Australian Cyber Security Centre, to develop standards for online age verification for age-restricted products and services. It said these standards should specify minimum requirements for privacy, safety, security, data handling, usability, accessibility, and auditing of age-verification providers. It further asked the DTA to extend its Digital Identity program to include an age-verification exchange for the purpose of third-party online age verification. This was despite the eSafety Commissioner saying on many occasions that there are no “out of the box technology solutions” that will solve this issue and that, in her opinion, age verification should not be seen as a panacea.

    The government is yet to provide a response to the report.