Information Technology

Microsoft’s war against private exploit and offensive security sellers continues with a strike against Sourgum. 

On July 15, the Microsoft Threat Intelligence Center (MSTIC) said that the Redmond giant has been quietly tackling the threat posed to Windows operating systems by the organization, dubbed a “private-sector offensive actor” (PSOA).  A tip provided by human rights outfit Citizen Lab led Microsoft to the PSOA, dubbed Sourgum, a company said to sell cyberweapons including the DevilsTongue malware. “The weapons disabled were being used in precision attacks targeting more than 100 victims around the world including politicians, human rights activists, journalists, academics, embassy workers, and political dissidents,” Microsoft says.  Approximately half of DevilsTongue victims are located in Palestine, but a handful has also been traced back to countries including Israel, Iran, Spain/Catalonia, and the United Kingdom. According to the Citizen Lab, Sourgum is based in Israel and counts government agencies across the globe among its customers.  With the assistance of Citizen Lab, Microsoft has examined the unique malware family developed by Sourgum and has now pushed protections against it in Windows security products. This includes patching previously unknown vulnerabilities, CVE-2021-31979 and CVE-2021-33771. 

These two vulnerabilities were listed as actively exploited in Microsoft’s latest security update, known as Patch Tuesday, which is issued on a monthly basis. They are both described as Windows Kernel privilege escalation security flaws.  Microsoft says that the exploits are “key” elements of wider attack chains used by Sourgum to target Windows PCs and browsers in order to deliver DevilsTongue. Browser exploits appear to be used in one of the initial attack stages, where they are served through malicious URLs and sent via messaging services including WhatsApp.  The modular malware is described as “complex” with “novel capabilities.” While analysis is ongoing, Microsoft says that DevilsTongue’s main functionality is stored in encrypted .DLL files, only decrypted when loaded into memory, and both configuration and tasking data are separate from the main payload.  DevilsTongue can be used in both user and kernel modes and is capable of .DLL hijacking, COM hijacking, shellcode deployment, file collection, registry tampering, cookie theft, and the extraction of credentials from browsers. A feature of note is a module dedicated to decrypting and extracting conversations taking place over Signal. The malicious code also contains sophisticated obfuscation and persistence mechanisms.  “With these hacking packages, usually the government agencies choose the targets and run the actual operations themselves,” Microsoft says. “The tools, tactics, and procedures used by these companies only add to the complexity, scale, and sophistication of attacks. We take these threats seriously and have moved swiftly alongside our partners to build in the latest protections for our customers.” Detection data has also been shared with the wider security community.  “We’re providing this guidance with the expectation that Sourgum will likely change the characteristics we identify for detection in their next iteration of the malware,” the company added. “Given the actor’s level of sophistication, however, we believe that outcome would likely occur irrespective of our public guidance.” In related news this week, Microsoft disclosed a third vulnerability impacting the Windows Print Spooler service, joining the duo of security flaws known as PrintNightmare. Tracked as CVE-2021-34481, the bug can be exploited to obtain system-level privileges locally. Previous and related coverage Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0 More

Image: Getty Images
The threat of ransomware dominates the cyber news right now, and rightly so. But this week Rachael Falk, chief executive officer of Australia’s Cyber Security Cooperative Research Centre, made a very good point. Ransomware is “totally foreseeable and preventable because it’s a known problem”, Falk told a panel discussion at the Australian Strategy Policy Institute (ASPI) on Tuesday. “It’s known that ransomware is out there. And it’s known that, invariably, the cyber criminals get into organisations through stealing credentials that they get on the dark web [or a user] clicking on a link and a vulnerability,” she said. “We’re not talking about some sort of nation-state really funky sort of zero day that’s happening. This is going on the world over, so it’s entirely foreseeable.” There are “four or five steps you could take that could significantly mitigate this risk,” Falk said. These are patching, multi-factor authentication, and all the stuff in the Australian Signals Directorate’s Essential Eight baseline mitigation strategies. The latest Essential Eight Maturity Model even comes with detailed checklists for Windows-based networks. “Companies are on notice that this is a risk for them,” Falk said. “There’s a known problem often, and a known fix, but people haven’t done it.”

So given this laziness, given that cyber wake-up calls have been ignored since the 1970s, and given that organisations continue to willfully fail to follow the advice they’re given, your correspondent has a question. Has the time come to let Darwinism loose? Should we let all these lazy organisations get hacked, and just let God sort them out? “I love that approach,” Falk said. “It is glacial-like movement, and I think the only change now that might accelerate it is legislation, which obviously government is potentially seeking to introduce at the moment,” she said, referring to proposed changes to critical infrastructure laws. Maybe we’ll only start paying attention when there’s more 5G, more device-to-device communication, and more personal dependence on the network. “I kind of wonder, though, in a macabre kind of way, will the test be when people just can’t use their phones for half an hour,” Falk said. “That’s when you’ll get people going, oh, we just have to have law about this because we can’t cope with [no] iPhones, internet, fridge, streaming, Netflix, you name it.” OK, we’re joking. Probably. In cybersecurity as in public health, blaming the victim is counterproductive. And in many cases it’s the customers and citizens who’d really suffer from ransomware and other cyber attacks that take out an organisation. “It could really, really impact life, and be a threat and risk to life. So I think people have to start thinking about this as not some sort of a joke,” Falk said. “The fact that we joke about, oh, the internet being down for 30 minutes, it could be the matter of a medical procedure is stopped and someone dies halfway through.” In Germany last year, for example, a patient died following a ransomware attack on a hospital in Duesseldorf, which caused her to be re-routed to a hospital more than 30 kilometres away. A police investigation found that she probably would have died anyway, but next time we may not be so lucky. ASPI’s ransomware policy recommendations Fortunately, a global consensus on how to tackle ransomware does seem to be emerging. Just one example is a new report from ASPI’s International Cyber Policy Centre, Exfiltrate, encrypt, extort: The global rise of ransomware and Australia’s policy options, of which Falk is co-author. On the vexed question of whether organisations should pay a ransom or not, the report recommends that paying them should not be criminalised. Instead, there should be a “mandatory reporting regime … without fear of legal repercussions”. This would be a major step in transparency. Out of all the major ransomware incidents in Australia — Toll Holdings, BlueScope Steel, Lion Dairy and Drinks, legal document-management services firm Law in Order, Nine Entertainment, Eastern Health in Victoria, Uniting Care Qld, and JBS Foods — only JBS has admitted to paying a ransom of $11 million. Such a scheme has already been proposed by Labor in its Ransomware Payments Bill 2021 introduced onto parliament last month as part of its national ransomware strategy. The ASPI report recommends expanding the role of the ASD’s Australian Cyber Security Centre (ACSC) to include the real-time distribution of publicly available alerts. ACSC should also publish a list of ransomware threat actors and aliases, giving details of their modus operandi and key target sectors, along with suggested mitigation methods. The ASD is already known to be using its classified capabilities to warn of impending ransomware attacks. The report also recommends tackling the “low-hanging fruit” of incentivisation and education. This includes incentives such as tax breaks for cyber investment, grants, or subsidy programs; a “concerted nationwide public ransomware education campaign, led by the ACSC, across all media”; and a “business-focused multi-media public education campaign”, also led by the ACSC. “[This campaign should] educate organisations of all sizes and their people about basic cybersecurity and cyber hygiene. It should focus on the key areas of patching, multifactor authentication, legacy technology, and human error.” Finally, the report recommends creating a “dedicated cross-departmental ransomware taskforce”, including state and territory representatives, to share threat intelligence and develop policy proposals. Your correspondent finds none of these recommendations unreasonable, though there are perhaps questions about whether ACSC is currently well-equipped to run an effective and engaging major public information campaign. Nevertheless, given how slowly Australian organisations have adapted to cyber risks over the last couple of decades, maybe we need a little less carrot and a bit more stick. Related Coverage More

After a pair of PrintNightmare vulnerabilities, the last thing the Windows Print Spooler needed was a third vulnerability, and yet it exists. Microsoft has announced CVE-2021-34481 allows for local privilege escalation to the level of SYSTEM. “An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said. “An attacker must have the ability to execute code on a victim system to exploit this vulnerability. “The workaround for this vulnerability is stopping and disabling the Print Spooler service.” Microsoft rates the exploitability of the vulnerability as “more likely”. “Microsoft analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability. Moreover, Microsoft is aware of past instances of this type of vulnerability being exploited. This would make it an attractive target for attackers, and therefore more likely that exploits could be created,” Microsoft’s exploitability index explained.

Microsoft said it was creating a patch, and that the vulnerability was not introduced in its July 13 set of updates. The company has been scrambling to properly patch its Print Spooler service recently. Initially, a critical bug that allowed for remote code execution was announced and labelled as CVE-2021-1675. Exploits were publicly available after Microsoft’s patches failed to fix the issue completely and security researchers that had already published their code, said they deleted it, but it was already branched on GitHub. Microsoft then dropped CVE-2021-34527 later in the week, which had much the same description of running code as SYSTEM as CVE-2021-34481. Unlike the new vulnerability, this one can be run remotely. Related Coverage More

Organisations should provide a proper channel through which anyone can report vulnerabilities in their systems. This will ensure potential security holes can be identified and plugged before they are exploited. Establishing a vulnerability disclosure policy (VDP) also would provide assurance to anyone, such as security researchers, acting in good faith that they would not face prosecution in reporting the vulnerability, said Kevin Gallerin, Asia-Pacific managing director of bug bounty platform, YesWeHack. In fact, creating such policies was more important than running bug bounty programmes, Gallerin said in a video interview with ZDNet. He noted that more companies today were embracing the need for a VDP, detailing a “safe and clear framework” through which information about security vulnerabilities could be submitted and how these should be handled within the organisation. 

Without a proper policy in place, security researchers might be less inclined to report a vulnerability or, when they did so, might not receive a response since the organisation’s employees lacked guidance on what they needed to do.”The information [then] gets lost and forgotten until the vulnerability eventually gets exploited,” Gallerin said, adding that a proper VDP would provide a structured channel to report security issues and mitigate the affected organisation’s risks by reducing their time to remediation. “We’re a strong advocate for this.”YesWeHack’s service offerings include helping enterprises establish their VDP, integrating vulnerability management with their internal workflows, as well as review and recommend changes to their existing VDP. The vendor was seeing growing demand for both its bug bounty and VDP services in this region, including China, Indonesia, and Australia, Gallerin said.  

Headquartered in France, the vendor has an office in Singapore and currently is running bug bounty programmes for Southeast Asian e-commerce operator, Lazada, and Chinese telecoms equipment manufacturer, ZTE. Some 30% of its customer base are in this region, of which half are in Singapore. Gallerin told ZDNet that YesWeHack was targeting for Asia-Pacific to account for half of its global clientele, adding that the bug bounty platform currently works with some 10,000 security researchers in this region. It has a global network of more than 25,000 security researchers. Its triage team comprises full-time employees in Singapore and France, who divide their time between triaging–to assess submissions in bug bounty programmes–and supporting research and development projects for internal deployment as well as tools for the hunter community.It previously ran a private bug bounty programme for Lazada, which saw $150,000 in bounties handed out to bug hunters, he said, but declined to say how many vulnerabilities were identified. The e-commerce operator had started out with smaller, private bug hunting exercises before gradually scaling up and launching its public bug bounty programme last month with YesWeHack, Gallerin said.He noted that most companies in Asia, compared to their US or European counterparts, were less comfortable discussing potential vulnerabilities in their systems and preferred to run private bug bounty programmes. They did, however, realise there likely were security holes their own teams had overlooked and saw bug bounty programmes as a way to identify, and plug, potential vulnerabilities, he said. The main objective here was to prevent potential data breaches, he added, which was a common concern amongst Asian companies, especially as businesses today increasingly were collecting and managing large volumes of personal customer data. According to Gallerin, YesWeHack’s hacker community had been able to find at least one critical vulnerability–which enabled full access to user data or infrastructure–in most bug bounty programmes it ran. RELATED COVERAGE More

Multiple civil rights groups banded together this week to end the use of facial recognition tools by large retailers. According to advocacy group Fight For the Future, companies like Apple, Macy’s, Albertsons, Lowes and Ace Hardware use facial recognition software in their stores to identify shoplifters. The group created a scorecard of retailers that they update based on whether the company is currently using facial recognition, will in the future or never will.  Stores like Walmart, Kroger, Home Depot, Target, Costco, CVS, Dollar Tree and Verizon have all committed to never using facial recognition in their stores in statements to Fight For the Future. Walgreens, McDonald’s, 7-Eleven, Best Buy, Publix, Aldi, Dollar General, Kohl’s, Starbucks, Shoprite and Ross are just a few of the companies that Fight For the Future believes may use facial recognition software in the future.But it isn’t just major retailers deploying facial recognition software. Backlash to private use of facial recognition culminated on Wednesday when Livonia skating rink in Michigan was accused of banning a Black teenager after its facial recognition software mistakenly implicated her in a brawl. Lamya Robinson told Fox2 that after her mom dropped her off at the skating rink last Saturday, security guards refused to let her inside, claiming her face had been scanned and the system indicated she was banned after starting a fight in March.”I was so confused because I’ve never been there,” Lamya told the local news outlet. “I was like, that is not me. who is that?” 

Lamya’s mother Juliea Robinson called it “basically racial profiling.””You’re just saying every young Black, brown girl with glasses fits the profile and that’s not right,” Robinson added. The skating rink refused to back down in a statement to the local news outlet, claiming their software had a “97 percent match.” “This is what we looked at, not the thumbnail photos Ms. Robinson took a picture of. If there was a mistake, we apologize for that,” the statement said. Caitlin Seeley George, campaign director at Fight for the Future, told ZDNet that Lamya’s situation was “exactly why we think facial recognition should be banned in public places.” “This girl should not have been singled out, excluded from hanging out with her friends, and kicked out of a public place. It’s also not hard to imagine what could have happened if police were called to the scene and how they might have acted on this false information,” Seeley George said. “We’ve seen time and again how this technology is being used in ways that discriminate against Black and brown people, and it needs to stop. Local lawmakers in Portland enacted an ordinance that bans use of facial recognition in places of public accommodation like restaurants, retail stores, and yes, skating rinks. We’re calling for Congress to enact such a ban at the federal level as well.”The situation occurred after Robert Williams, another Black Michigan resident arrested based on a mistake by facial recognition software, testified in Congress this week. Williams came forward in June 2020 as one of the first people to confirm having been arrested based on faulty facial recognition software in use by police. He filed a lawsuit against the Detroit Police Department with the ACLU after he was arrested on the front yard of his home as his children watched, all based on a facial recognition match that implicated him in a robbery. After 16 hours in holding, he was shown the photo that led to the match and held it up to his face, causing one officer to say “the computer must have gotten it wrong.” Police put a security camera photo into their database and Williams’ driver’s license was listed as a match. “Detroiters know what it feels like to be watched, to be followed around by surveillance cameras using facial recognition,” said Tawana Petty, national organizing director at Data for Black Lives. 

“In Detroit, we suffer under Project Green Light, a mass surveillance program that utilizes more than 2000 flashing green surveillance cameras at over 700 businesses, including medical facilities, public housing and eating establishments,” Petty added, noting that the cameras using facial recognition are monitored at real-time crime centers, police precincts and on officers’ mobile devices 24/7. She said in a statement that it is difficult to explain the psychological toll it takes on a community to know that every move is being monitored “by a racially-biased algorithm with the power to yank your freedom away from you.” “We must ban facial recognition from stores and get this invasive technology out of every aspect of our lives,” Petty said. EFF senior staff attorney Adam Schwartz told ZDNet that facial recognition use is growing among retailers and that the racial implications of stores having databases of “potential” shoplifters was particularly fraught considering the privacy implications. But he disagreed with Fight For The Future’s stance, explaining that instead of banning its use among private organizations, there should be opt-in consent requirements that would stop stores from randomly scanning every face that walks in. He noted the need for innovation and some positive instances of facial recognition being used across society, including the iPhone feature that allows you to open your phone with your face. Ahmer Inam, chief AI officer at Pactera EDGE, said much of the backlash toward retail use of facial recognition is because companies have not been transparent about how they’re using it. “Using a mindful AI approach, a powerful tool like facial recognition can yield tremendous benefits for the consumer — as well as the retailer. But values such as privacy, transparency, and ethical-use have to be top-of-mind during the build. It’s something we’ve seen work effectively for our facial recognition and other AI projects,” Inam said. “The biggest challenge facial recognition ‘faces’ right now is model bias that results in false positives. For retailer’s, it isn’t just about building a facial recognition-based system — but to what purpose and intention.” Inam listed multiple examples of facial recognition being used to improve the retail experience like that of CaliBurger, which rolled out kiosks that use facial recognition to connect orders to customers. But Seeley George said companies are adopting facial recognition in the name of “convenience” and “personalization,” while ignoring how they abuse peoples’ rights and put them in danger. “The stores that are using or are considering using facial recognition should pay attention to this call from dozens of leading civil rights and racial justice organizations who represent millions of people,” Seeley George said.”Retailers should commit to not using facial recognition in their stores so we can champion their decision, or be prepared for an onslaught of opposition.” More

The State Department announced a $10 million reward for any information about hackers working for foreign governments. 

The measure is aimed squarely at those participating in “malicious cyber activities against US critical infrastructure in violation of the Computer Fraud and Abuse Act.” Officials said in a release that this included ransomware attacks targeting “critical infrastructure.” In addition to ransomware, the notice mentions a number of other cyber violations and notes that it applies to government computers as well as “those used in or affecting interstate or foreign commerce or communication.”Ransomware groups have made millions over the last two years attacking pipelines, manufacturers, hospitals, schools and local governments. While attacks on Colonial Pipeline and major meat processor JBS drew the biggest headlines, hundreds of healthcare institutions, universities and grade schools have suffered from damaging attacks. The DHS estimated that about $350 million in ransom was paid to cybercriminals in 2020.The reward program is run through the Diplomatic Security Service and has organized a “Dark Web (Tor-based) tips-reporting channel to protect the safety and security of potential sources.””The RFJ program also is working with interagency partners to enable the rapid processing of information as well as the possible relocation of and payment of rewards to sources. Reward payments may include payments in cryptocurrency,” the State Department said. “More information about this reward offer is located on the Rewards for Justice website at www.rewardsforjustice.net.”

POLITICO reported on Wednesday that the reward was part of a larger rollout of actions the Biden Administration was taking to address ransomware attacks. A multi-agency ransomware task force has been created that will lead both “defensive and offensive measures” against ransomware groups. The White House is also giving the task force the leading role in pushing government agencies and “critical infrastructure companies” to improve their defenses and shore up cybersecurity gaps. The task force will give Biden’s team weekly updates on the effort to beef up the government’s cybersecurity, according to Politico. US Senators met with deputy national security advisor Anne Neuberger on Wednesday afternoon where she explained the White House efforts to address ransomware attacks. CISA executive assistant director for cybersecurity Eric Goldstein was also on the call alongside officials from the FBI, DOJ and Treasury Department. The leaders of the Senate Judiciary also announced this week that they planned to hold a hearing on July 27 about ransomware. An anonymous source told Politico that cybersecurity officials asked for the authority to make some cybersecurity measures mandatory for certain infrastructure organizations. Adam Flatley, director of threat intelligence at cybersecurity company [redacted], worked on the Ransomware Task Force and contributed to a comprehensive guide for battling ransomware in April. He lauded the stopransomware.gov site and said offering a central location with free resources to help prevent, prepare for, report, and respond to ransomware attacks would be helpful for the most vulnerable organizations.”This is especially true for those organizations who have budget constraints that force them to go it alone, which is the case for so many good, hard working folks,” he added. Some experts questioned whether the reward would be an effective mechanism for tips about cyberattackers.Austin Berglas, who previously served as assistant special agent in charge at the FBI’s New York Office Cyber Branch, said there was potential for the reporting mechanism to turn “into a public payphone.””The difficulty is the amount of resources that will be necessary to separate the ‘signal’ from the ‘noise’ and identify the legitimate tips. Other considerations include attribution to, and information provided by the tipster. If there was an arrest made and follow on prosecution (based on an anonymous lead), investigators will have to be able to provide evidence of the crimes alleged by the anonymous party,” Berglas explained.  

ZDNet Recommends

“This may or may not be possible without the cooperation of the anonymous lead source. Also, OFAC has to be considered when making anonymous payments — how is due diligence going to be performed prior to making a payment to a foreign national?”Berglas also noted that rival malicious hacking groups may view this scheme as a way to make money and reduce the amount of competition in the market. He added that the measures could do little to address the elephant in the room — the fact that many ransomware groups are provided safe harbor in Russia. “There are numerous existing cases where warrants are obtained and red notices are disseminated for criminals residing in these countries,” Berglas said. Many cybersecurity experts also took notice of the specific language of the State Department’s notice, focusing in on the phrase “while acting at the direction or under the control of a foreign government.””It appears to be an attempt to short-cut the process of detailed attribution that is necessary to implicate a foreign government in collusion or cooperation with organized crime,” said Mike Hamilton, former DHS vice-chair for the State, Local, Tribal, Territorial Government Coordinating Council.”If the US government can incentivize someone to provide evidence of such, paying out $10M is probably a good deal considering the resources we bring to bear with the intelligence community for the same outcome.” More

Facebook said it has disrupted a network of hackers tied to Iran who were attempting to distribute malware via malicious links shared under fake personas. The social network’s cyber espionage investigations team has taken action against the group, disabled their accounts and notified the roughly 200 users who were targeted. 

The hackers — believed to be part of the Tortoiseshell group — were targeting military personnel and people who worked in the aerospace and defense industries in the United States, often spending months on social engineering efforts with the goal of directing targets to attacker-controlled domains where their devices could be infected with espionage enabling malware.On Facebook, roughly 200 accounts associated with the hacking campaign were blocked and taken down.”This activity had the hallmarks of a well-resourced and persistent operation, while relying on relatively strong operational security measures to hide who’s behind it,” Facebook said in a blog post. “Our platform was one of the elements of the much broader cross-platform cyber espionage operation, and its activity on Facebook manifested primarily in social engineering and driving people off-platform (e.g. email, messaging and collaboration services and websites), rather than directly sharing of the malware itself.”Facebook said the highly focused campaign marked a departure from Tortoiseshell’s usual attack pattern. The group, estimated to have been active since 2018, is known for focusing primarily on the information technology industry, not aerospace and defense.  Moreover, Facebook said the campaign also used several distinct malware families, and that at least of a portion of their malware was custom developed by Mahak Rayan Afraz (MRA), an IT company in Tehran with ties to the Islamic Revolutionary Guard Corps (IRGC). Some current and former MRA executives have links to companies sanctioned by the US government, Facebook said.”We saw [Tortoiseshell] pivot in 2020 to the new focus on aerospace and defense in the US,” said Mike Dvilyanski, head of cyber espionage investigations for Facebook. “We have no insights as to the level of seniority in companies that the targets had. This relates to our overall investigation in malware analysis but we are confident that part of the malware was developed by the MRA.”RELATED: More

There’s never been a greater need for cybersecurity experts. Recent studies show that big companies experience significant security issues every 12 hours. If you’re interested in a security-related career in the tech industry, this $69 Infosec4TC Platinum Membership: Lifetime Access deal could be your path forward. The membership gives you access to over 90 courses that you can take at your own pace, and they are all security-related. Even better, the membership will give you access to any new courses that are offered in the future.

In addition to the courses, the membership includes free access to the student portal, all certification training bundles, future updates, private social media groups, frequently updated extra course materials, and the most recent exam questions. The courses include Hacking using Python From A to Z, The Complete Ethical Hacker Course, and multiple courses for becoming a Certified Information Systems Security Professional- CISSP 2021, including CISSP® Exam Preparation Training Course.There are also classes for certification as an Information Security Manager, as well as an Information Systems Auditor. Plus, the membership includes a free career consulting and planning session. Infosec4TC is familiar with the essentials, requirements, and concerns of businesses today. They will work with you to make sure you reach the career title you want. The company has the highest passing rate for certification, so they make great mentors.Not only can you get the skills you need today for a career in cybersecurity, but you can rest assured that you will be able to keep those skills up-to-date for as long as you’re working. And there’s no doubt that the training works because Infosec4TC is rated 4.4 out of 5 stars on Trustpilot. Don’t pass up this chance to get a lifetime of self-paced training, get the Infosec4TC Platinum Membership: Lifetime Access today, while it is available for only $69.

ZDNet Recommends More