More stories

  • Rapid7 acquires open-source project Velociraptor

    Cybersecurity firm Rapid7 said it has signed a deal to acquire Velociraptor, makers of an open-source framework used for endpoint monitoring, digital forensics, and incident response. The financial terms of the deal were not disclosed.

    Rapid7 said the Velociraptor technology is designed to help SecOps teams hunt for new threats quicker through community-driven technology, allowing incidents and detections to be easily shared across the broader security industry.

    “The Velociraptor standalone offering allows incident response teams to rapidly collect and examine artifacts from across a network, and deliver forensic detail following a security incident,” Rapid7 wrote in a blog post. “In the event of an incident, an investigator controls the Velociraptor agents to hunt for malicious activity, run targeted collections, perform file analysis, or pull large data samples. The Velociraptor Query Language (VQL) allows investigators to develop custom hunts to meet specific investigation needs.”

    Rapid7 said it does not plan to make Velociraptor a commercial offering; however, the company does plan to integrate the technology into its detection and response portfolio, including the Rapid7 Insight platform.

    Rapid7’s purchase of Velociraptor comes on the heels of its acquisitions of Alcide in January and DivvyCloud in April 2020. The company said both acquisitions are meant to bolster its ability to provide customers with a cloud-native security platform for managing risk and compliance.

  • White House: Here's what we've learned from tackling the SolarWinds and Microsoft Exchange server cyber incidents

    Lessons learned from responses to the SolarWinds and Microsoft Exchange cyber incidents will be used to coordinate action against future cybersecurity and hacking incidents, the White House has said.

    Both incidents required the United States to react to cyber attacks by nation-state hacking operations affecting thousands of organisations across the country – Russian intelligence compromised SolarWinds in a supply chain attack, while Chinese operatives targeted Microsoft Exchange. The campaigns aren’t related, but both gained access to a large number of networks, with attackers remaining under the radar for a significant period of time before they were discovered.

    The US administration convened two Unified Coordination Groups (UCGs) to drive the government response to the SolarWinds and Microsoft Exchange incidents. Both are now being stood down because security patches are being applied more widely to prevent the attacks and the number of victims has fallen. But the way they operated and what was learned will be used to guide responses to future cyber incidents.

    Lessons learned include ‘integrating private sector partners at the executive and tactical levels’ and involving private sector organisations in the response in order to help deliver fixes smoothly, like Microsoft’s one-click tool to simplify and accelerate victims’ patching and clean-up efforts, as well as sharing relevant information between firms.

    “This type of partnership sets precedent for future engagements on significant cyber incidents,” said Anne Neuberger, deputy national security advisor for cyber and emerging technology.

    The partnerships also enabled the FBI and Department of Justice to identify the scale of the incidents and determine which organisations were affected, gain a better understanding of who was being targeted and determine the best response. The White House also pointed to the methodology created by CISA to track trends in patching and exposed Exchange servers that enabled the UCG to quantify the scope of the incident.

    It’s hoped that by learning the lessons of what happened with SolarWinds and Microsoft Exchange, the White House can improve how it responds to significant cybersecurity incidents.

    “While this will not be the last major incident, the SolarWinds and Microsoft Exchange UCGs highlight the priority and focus the administration places on cybersecurity, and at improving incident response for both the U.S. government and the private sector,” said Neuberger.

  • Instagram debuts new tool to stop abusive message salvos made through new accounts

    Instagram’s appeal lies in the ability to share images; indeed, some users known as “influencers” have been able to build businesses purely on these types of posts — but the popular platform, and its users, are not exempt from abuse. 

    In the same way as Facebook — which acquired Instagram in 2012 — users are able to communicate privately through direct messages (DMs), rather than just comment on public posts. For most users, this is nothing more than a useful feature to stay in contact with friends and fans. For others, however, it is an additional conduit for abuse and harassment.

    If you have an account set to private, you may receive message requests for review. Existing contacts can be blocked from messaging you if conversations turn sour or if they are abusive. However, this doesn’t stop someone from signing up for a new account and reaching out again and again — a problem Instagram hopes to tackle with new measures preventing users from seeing abusive DMs in the first place. Users can already block an individual’s account, but soon they will also be able to pre-emptively select a further block that will try to catch any new accounts the same abusive person creates in the future.

    “This is in addition to our harassment policies, which already prohibit people from repeatedly contacting someone who doesn’t want to hear from them,” Instagram says. “We also don’t allow recidivism, which means if someone’s account is disabled for breaking our rules, we would remove any new accounts they create whenever we become aware of it.”

    Another new feature is a filter to cover message requests containing “racist, sexist, homophobic, or any other kind of abuse.” Just seeing these types of messages can be upsetting, and while preventing it completely is likely impossible, Instagram’s tool could limit the amount of abuse we see in our inboxes. Offensive words, phrases, and emojis can automatically be covered when they are detected in DM requests.

    “Because DMs are private conversations, we don’t proactively look for hate speech or bullying the same way we do elsewhere on Instagram,” the firm says. “[The tool] will work in a similar way to the comment filters we already offer, which allow you to hide offensive comments and choose what terms you don’t want people to use in comments under your posts.”

    The feature will sit under Privacy settings as “Hidden Words.” When it is turned on, ‘offensive’ terms in incoming DM requests are filtered, and you will need to proactively open the hidden requests folder to view the message and tap the content to uncover it. Instagram is keen to emphasize that using the tool won’t send message content back to the firm’s servers, nor share the content directly with Instagram unless users report the account holder.

    Lists of offensive terms are being created with the help of anti-discrimination and anti-bullying organizations. Users will also be able to create their own custom lists if they so choose. Instagram’s tools will be rolled out in the coming weeks to a handful of countries before expanding over the next few months to additional areas.

    The company is also refining its algorithms for detecting abusive comments. If users choose to disallow ‘offensive’ words in comments made on their content, Instagram is also starting to hide common misspellings of these words.

    “We know there’s still more we can do, and we’re committed to continuing our fight against bullying and online abuse,” Instagram says.

    Earlier this month, Facebook’s VP of Integrity, Guy Rosen, said that users of both Facebook and Instagram are now able to appeal content left up — including posts, status updates, photos, videos, comments, and shares — through the Oversight Board. The idea behind the board is to maintain a balance between free speech and rights, and it is made up of individuals ranging from activists to lawyers. Facebook will have to uphold or reverse content decisions based on the board’s reviews, and the group will also make recommendations to both Facebook and Instagram concerning content policies.

  • Zero-day vulnerabilities in SonicWall email security are being actively exploited

    SonicWall is urging customers to apply patches to resolve three zero-day vulnerabilities in its email security solution that are being actively exploited in the wild. 

    In a security alert on Tuesday, the US company said fixes have been published to resolve three critical issues impacting “hosted and on-premises email security products.” SonicWall ES is a solution designed to protect email traffic and communication, such as by preventing phishing emails and business email compromise (BEC) attempts. At least one case of active exploitation against the appliance has been recorded.

    “It is imperative that organizations using SonicWall Email Security (ES) hardware appliances, virtual appliances or software installation on Microsoft Windows Server immediately upgrade to the respective SonicWall Email Security version listed,” SonicWall says.

    The vulnerabilities are tracked as CVE-2021-20021, CVE-2021-20022, and CVE-2021-20023, impacting SonicWall ES/Hosted Email Security (HES) versions 10.0.1 and above:

    • CVE-2021-20021: CVSS 9.4, “Unauthorized administrative account creation”: crafted HTTP requests sent to a remote host can allow the unauthorized creation of administrator accounts due to an improperly secured API endpoint.
    • CVE-2021-20022: CVSS 6.7, “Post-authentication arbitrary file upload”: authenticated attackers can upload arbitrary files to a remote host due to an issue in the “branding” functionality.
    • CVE-2021-20023: CVSS 6.7, “Post-authentication arbitrary file read”: authenticated attackers can also read arbitrary files on a remote host, also caused by the “branding” feature.

    FireEye’s Mandiant team discovered and disclosed the bugs to the SonicWall Product Security Incident Response Team (PSIRT) through an investigation of post-exploitation web shell activity on a client’s system that pointed to SonicWall ES as the original source of compromise.

    According to Mandiant researchers Josh Fleischer, Chris DiGiamo, and Alex Pennino, the vulnerabilities have been chained to obtain administrative access and execute code on vulnerable ES products, including installing a backdoor, exposing files, and moving laterally through the network. The team added that this case shows “intimate knowledge of the SonicWall application.”

    CVE-2021-20021 and CVE-2021-20022 were reported privately on March 26, acknowledged on March 21, and a hotfix was applied on April 9. CVE-2021-20023 was reported on April 7, leading to a patch becoming available on April 19.

    SonicWall is urging customers to update their Email Security builds to version 10.0.9.6173 (Windows) or 10.0.9.6177 (Hardware/ESXi Virtual Appliance), which contain hotfixes for the vulnerabilities. Clients signed up for SonicWall Hosted Email Security (HES) products do not need to take further action, as patches have been automatically applied in version 10.0.9.6173.

    However, the vendor says the critical vulnerabilities also impact SonicWall ES versions 7.0.0-9.2.2, which are end-of-life, legacy products not entitled to security updates. For users of these versions, SonicWall also urges an immediate upgrade. SonicWall has provided a step-by-step guide for applying security upgrades.

  • Easy-to-guess default device passwords are a step closer to being banned

    Easy-to-guess default passwords will be banned and smart device manufacturers will be required to tell customers how long their new product will receive security updates under plans to protect Internet of Things (IoT) devices and their users from cyberattacks.

    Laws will also require manufacturers of smart devices including phones, doorbells, cameras, speakers, TVs and more to provide a public point of contact to make it simpler for security vulnerabilities in the products to be reported – and fixed with software updates.


    Households and businesses are increasingly connecting IoT products to their networks – but while they’re being deployed with the aim of providing benefits, insecure IoT devices can be exploited by cyber criminals. That can lead to malicious hackers using insecure smart devices as a stepping stone onto corporate or personal networks and using that access as a means of conducting cyberattacks, as well as potentially invading the privacy of users.

    In an effort to protect smart devices, the UK government’s Department for Digital, Culture, Media and Sport (DCMS) has announced that the need for IoT devices to be Secure by Design will become law. DCMS had previously proposed the idea, but now it has moved another step towards actually becoming legislation – and smartphones will be included in the plans.

    Under the planned new laws, customers must be informed at the point of sale how long a smart device will receive security software updates, a move designed to encourage people to buy devices that are going to receive security patches for a long time – making them more resilient to cyber threats that exploit new vulnerabilities.

    This will also apply to smartphones, which are now going to be included in any legislation designed to boost the defences of connected devices. The addition of smartphones follows a government call for views on smart device security in which respondents suggested the amount of personal information on smartphones, and the way they’re so widely used, means they should be included in smart device safety legislation.

    Manufacturers will also be banned from using default passwords such as ‘password’ or ‘admin’ in an effort to protect users from opportunistic cyberattacks that take advantage of common or weak passwords to gain control of devices. The proposed legislation builds on a previously published code of practice for IoT device manufacturers – although now the suggestions would be required, not just recommended.

    “Consumers are increasingly reliant on connected products at work and at home. The COVID-19 pandemic has only accelerated this trend and while manufacturers of these devices are improving security practices gradually, it is not yet good enough,” said Ian Levy, technical director at the National Cyber Security Centre (NCSC). “To protect consumers and build trust across the sector, it is vital that manufacturers take responsibility and pay attention to these proposals now,” he added.

    The NCSC has previously provided advice for consumers on how to keep their IoT devices secure. There’s currently no indication of when the proposals will be made law, but the government says the legislation will be introduced “as soon as parliamentary time allows” and businesses will be given time to adjust to the laws once they’re introduced. There are also no details as yet about how the legislation will be enforced, or what measures will be taken against smart device manufacturers or retailers that aren’t compliant.

  • Codecov breach impacted ‘hundreds’ of customer networks: report

    DevOps tool provider Codecov’s security breach has impacted “hundreds” of clients according to new information surrounding the incident. 

    US investigators examining the case told Reuters on Tuesday that the attackers responsible for the hack managed to exploit not only Codecov software, but also potentially used the organization as a springboard to compromise a huge number of customer networks.

    Based in San Francisco, Codecov offers code coverage and software testing tools. The aim is to allow users to deploy “healthier” code during the DevOps cycle, but on or around January 31, 2021, an unknown attacker was able to exploit an error in Codecov’s Docker image creation process to tamper with the Codecov Bash Uploader script. This has led to the potential export of information stored in users’ continuous integration (CI) environments.

    Speaking on condition of anonymity to the news agency, one of the investigators said attackers used automation to collect credentials as well as “raid additional resources,” which may have included data hosted on the networks of other software development vendors, including IBM. An IBM spokesperson told Reuters that, as of now, there does not seem to be any “modifications of code involving clients” or the company itself.

    Codecov has over 29,000 enterprise clients. The organization also works extensively with the open source community and startups.

    The initial compromise and backdoor in the Bash Uploader script were discovered on April 1, impacting Codecov’s full set of “Bash Uploaders” including the Codecov-actions uploader for GitHub, the Codecov CircleCI Orb, and the Codecov Bitrise Step. It is possible that the supply chain attack, made possible by compromising a resource used by other organizations, may have resulted in the theft of credentials, tokens, and keys running through client CIs, as well as “services, datastores, and application code that could be accessed with these credentials,” according to Codecov. In addition, URLs of origin repositories using the Bash Uploaders may have been exposed.

    Codecov said the issue has since been fixed and impacted customers were notified via email addresses on file on April 15. It is recommended that users roll their credentials if they have not already done so. Codecov is also rotating internal credentials and has pulled in a third-party cyberforensics firm to conduct an audit. A new monitoring system is also being created to prevent such “unintended changes” from happening in the future.

    “Codecov maintains a variety of information security policies, procedures, practices, and controls,” commented Jerrod Engelberg, Codecov CEO. “We continually monitor our network and systems for unusual activity, but Codecov, like any other company, is not immune to this type of event.”

    Due to the potential ramifications of this attack, the FBI is also involved. The ongoing federal investigation has led to suggestions the Codecov situation could be likened to SolarWinds, in which the software vendor’s network was compromised in order to deploy a malicious software update to clients in a separate supply chain attack. Last week, the FBI, NSA, CISA, and UK government formally blamed cyberattackers working for Russian intelligence for the SolarWinds incident.

    ZDNet has reached out to Codecov and we will update when we hear back.

  • Hackers are actively targeting flaws in these VPN devices. Here's what you need to do

    Cybersecurity firm FireEye and the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) have issued a warning over attackers exploiting a newly discovered flaw in Pulse Connect Secure VPN products. FireEye reported it has been investigating multiple incidents in which the devices were compromised using a bug tracked as CVE-2021-22893 that was discovered in April. It’s an extremely serious bug with a severity score of 10 out of a possible 10, and the malware being deployed is designed to bypass two-factor authentication.

    The vulnerability includes an authentication bypass that can “allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway,” according to Pulse Secure’s advisory.

    FireEye’s incident response unit Mandiant says it is tracking 12 malware families linked to attacks on Pulse Secure VPN appliances that use this bug in combination with older bugs affecting the software. FireEye has attributed the activity to a group it labels UNC2630, a suspected China state-sponsored hacking group that has allegedly targeted the US defense industry and European organizations. US-based IT asset management firm Ivanti has released the Pulse Connect Secure Integrity Tool and other mitigations for the bug that’s under attack.

    CISA said the attacks on this VPN product began in June 2020: other bugs the attackers have used include CVE-2019-11510, CVE-2020-8260, and CVE-2020-8243, which allow them to install web shells to gain persistence on the device. As ZDNet reported last August, attackers have been scanning the internet for Pulse Secure VPN servers with these flaws since June because the VPNs are used by staff to remotely access internal apps.

    “The threat actor is using this access to place web shells on the Pulse Connect Secure appliance for further access and persistence. The known web shells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching,” CISA warned in its alert. According to FireEye, the threat actor was snatching credentials from Pulse Secure VPN login processes, allowing them to use legitimate credentials to move within a compromised network.

    Carnegie Mellon University’s US CERT Coordination Center has also issued an alert over the attacks and, until a patch is released, it recommends disabling the Windows File Share Browser and Pulse Secure Collaboration features on Pulse Connect Secure (PCS) gateway instances. “An unspecified vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable Pulse Connect Secure gateway system. Products affected by this vulnerability are PCS version 9.0R3 and higher,” it noted.

    FireEye is tracking two groups using these vulnerabilities and a variety of web shells that share common traits. It has tagged the other group UNC2717, but says it cannot verifiably confirm that the two groups’ activities are connected.

    “Due to a lack of context and forensic evidence at this time, Mandiant cannot associate all the code families described in this report to UNC2630 or UNC2717,” said FireEye. “We also note the possibility that one or more related groups is responsible for the development and dissemination of these different tools across loosely connected [Advanced Persistent Threat] actors. It is likely that additional groups beyond UNC2630 and UNC2717 have adopted one or more of these tools.”

  • New Australian cyber package includes AU$37.5m Indo-Pacific investment

    The Australian government has launched a new strategy aimed at uplifting the cybersecurity capabilities of the nation and its international neighbours, pledging an additional AU$37.5 million in funding alongside a handful of greater Indo-Pacific initiatives.

    Australia’s International Cyber and Critical Technology Engagement Strategy, according to Minister for Foreign Affairs Marise Payne, sets out the goals for a “safe, secure, and prosperous Australia, Indo-Pacific, and world, enabled by cyberspace and critical technology”. It is hoped the strategy [PDF] will strengthen national security, protect Australia’s democracy and sovereignty, promote economic growth, and pursue international peace and stability.

    The strategy supersedes the 2017 International Cyber Engagement Strategy and is centred on three main pillars — values, security, and prosperity — to guide Australia’s international cyber and critical technology engagement.

    The first goal is for technology to be used to “uphold and protect liberal democratic values”, the strategy outlined. To achieve this goal, the strategy said Australia will advocate for cyberspace and critical technologies to uphold and protect democratic principles and processes; promote and protect human rights online and in the design, development, and use of critical technologies; support the ethical design, development, and use of critical technologies consistent with international law, including human rights; and advocate for diversity, gender equality, and women’s empowerment in the design, development and use of cyberspace and critical technology.

    Under the values banner, the strategy pointed to a handful of initiatives that Australia is a part of, including the global partnership on AI and the AI ethics framework that was released in November 2019 to help guide businesses and governments seeking to design, develop, deploy, and operate AI in Australia, as well as the women in international security and cyberspace fellowship that was launched in February 2020 alongside Canada, the Netherlands, New Zealand, and the United Kingdom.

    Security, the strategy stated, has the goal of “secure, resilient, and trusted technology.” The Australian government is hopeful that shaping the development and use of critical technology, including cyberspace, will help support international peace and stability. To achieve this, it will aim to build international resilience to digital disinformation and misinformation and their effects; build a strong and resilient cybersecurity capability for Australia, the Indo-Pacific, and the world; strengthen cooperation for enhanced prevention, detection, investigation, and prosecution of cybercrime; and enable a safe and inclusive online environment.

    As part of the strategy, expanding on its “security” pillar, Australia will co-sponsor a proposal to establish a new United Nations program of action for responsible state behaviour in cyberspace. Also under security, the strategy said the government will continue to attribute malicious cyber activities to states, calling it “one tool in Australia’s toolkit”. The government has publicly attributed activity on eight occasions.

    Further, the government’s existing Cyber Cooperation Program will be renamed the Cyber and Critical Tech Cooperation Program and will receive an additional AU$20.5 million to “strengthen cyber and critical technology resilience in Southeast Asia”. The program, which previously received AU$34 million in official development assistance funding from 2016-2023, was touted as playing an important role in supporting Australia’s international cyber engagement, championing an “open, free, and secure internet that protects national security and promotes international stability while driving global economic growth and sustainable development.”

    The government will also contribute a further AU$17 million to support neighbours in the Pacific to strengthen their cyber capabilities and resilience, including for fighting cybercrime, improving online safety, and countering disinformation and misinformation.

    The “security” chapter of the strategy also pointed to existing initiatives, including those underway by the eSafety Commissioner; a handful of technology-related legislation, such as the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018; work on combating misinformation; and the lacklustre Cyber Security Strategy launched in August.

    Lastly, under “prosperity”, the strategy stated Australia’s goal would be to use technology to foster sustainable economic growth and development. It aims to do this through supporting a connected and prosperous Indo-Pacific comprised of independent sovereign states enabled by secure and economically viable critical technology; advocating for open, resilient, diverse, and competitive international technology markets and supply chains; strengthening Australian research, industry, and innovation through international cooperation; shaping international critical technology standards that foster interoperability, innovation, transparency, diverse markets, and security-by-design; promoting the multi-stakeholder model of internet governance; and maximising economic growth by shaping an enabling environment for digital trade.

    Additionally, Australia will support a partnership with Standards Australia in Southeast Asia, a partnership with the University of Technology, Sydney in Southeast Asia, and a partnership with Trustwave in Fiji, Samoa, Solomon Islands, Tonga, and Vanuatu.

    “Cyberspace and critical technology is a top foreign policy priority,” Australia’s Ambassador for Cyber Affairs and Critical Technology Dr Tobias Feakin said. “The strategy sets out our goal for a safe, secure, and prosperous Australia, Indo-Pacific, and world enabled by cyberspace and critical technology. It provides a framework to guide Australia’s international engagement.”