More stories

  •

    Microsoft, FireEye confirm SolarWinds supply chain attack

    Hackers believed to be operating on behalf of a foreign government have breached software provider SolarWinds and then deployed a malware-laced update for its Orion software to infect the networks of multiple US companies and government networks, US security firm FireEye said today.


    FireEye’s report comes after Reuters, the Washington Post, and Wall Street Journal reported on Sunday intrusions at the US Treasury Department and the US Department of Commerce’s National Telecommunications and Information Administration (NTIA).
    The SolarWinds supply chain attack is also how hackers gained access to FireEye’s own network, which the company disclosed earlier this week.
    The Washington Post cited sources claiming that multiple other government agencies were also impacted.
    Reuters reported that the incident was considered so serious that it led to a rare meeting of the US National Security Council at the White House, a day earlier, on Saturday.
    Sources speaking with the Washington Post linked the intrusion to APT29, a codename used by the cyber-security industry to describe hackers associated with the Russian Foreign Intelligence Service (SVR).
    FireEye wouldn’t confirm the APT29 attribution and gave the group a neutral codename of UNC2452, although several sources in the cyber-security community told ZDNet the APT29 attribution, done by the US government, is most likely correct, based on current evidence.

    In security alerts sent to its customers in private on Sunday, Microsoft also confirmed the SolarWinds compromise and provided countermeasures to customers that may have been affected.
    Hackers deployed SUNBURST malware via Orion update
    SolarWinds published a press release late on Sunday admitting to the breach of Orion, a software platform for centralized monitoring and management, usually employed in large networks to keep track of all IT resources, such as servers, workstations, mobiles, and IoT devices.
    The software firm said that Orion update versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, have been tainted with malware.
    FireEye named this malware SUNBURST and published a technical report earlier today, along with detection rules on GitHub.
    Microsoft named the malware Solorigate and added detection rules to its Defender antivirus.
    The number of victims was not disclosed.
    Despite initial reports on Sunday, the hacking campaign doesn’t appear to have been targeted at the US specifically.
    “The campaign is widespread, affecting public and private organizations around the world,” FireEye said.
    “The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals,” FireEye added.
    SolarWinds said it plans to release a new update (2020.2.1 HF 2) on Tuesday, December 15, that “replaces the compromised component and provides several additional security enhancements.”
    The US Cybersecurity and Infrastructure Agency (CISA) has also issued an emergency directive with instructions on how government agencies can detect and analyze systems compromised with the SUNBURST malware.
    Update 23:45 ET to add the information about the Microsoft and CISA security alerts.

  •

    PgMiner botnet attacks weakly secured PostgreSQL databases

    Security researchers have discovered this week a botnet operation that targets PostgreSQL databases to install a cryptocurrency miner.

    Codenamed by researchers as PgMiner, the botnet is just the latest in a long list of recent cybercrime operations that target web-tech for monetary profits.
    According to researchers at Palo Alto Networks’ Unit 42, the botnet operates by performing brute-force attacks against internet-accessible PostgreSQL databases.
    The attacks follow a simple pattern.
    The botnet randomly picks a public network range (e.g., 18.xxx.xxx.xxx) and then iterates through all IP addresses part of that range, searching for systems that have the PostgreSQL port (port 5432) exposed online.
    If PgMiner finds an active PostgreSQL system, the botnet moves from the scanning phase to its brute-force phase, where it shuffles through a long list of passwords in an attempt to guess the credentials for “postgres,” the default PostgreSQL account.
    If PostgreSQL database owners have forgotten to disable this user or to change its password, the hackers log into the database and use the PostgreSQL COPY ... FROM PROGRAM feature, which runs a shell command on the database host, to escalate their access from the database application to the underlying server and take over the entire OS.

    Once they have a more solid hold on the infected system, the PgMiner crew deploys a coin-mining application and attempts to mine as much Monero cryptocurrency as possible before being detected.
    According to Unit 42, at the time of their report, the botnet only had the ability to deploy miners on Linux MIPS, ARM, and x64 platforms.
    Other notable features of the PgMiner botnet include the fact that its operators have been controlling infected bots via a command and control (C2) server hosted on the Tor network and that the botnet’s codebase appears to resemble the SystemdMiner botnet.
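The two PgMiner steps described above leave distinct traces in PostgreSQL’s own server log: a burst of failed password logins for the “postgres” role from one address, followed by a COPY ... FROM PROGRAM statement. The detector below is an added example, not code from Unit 42 or the article; it assumes a server logging with `log_line_prefix = '%m [%p] %h '` and `log_statement = 'all'`, and the log lines it parses are constructed samples.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample PostgreSQL server log (not real data). Assumed format:
# log_line_prefix = '%m [%p] %h ' with log_statement = 'all'.
SAMPLE_LOG = """\
2020-12-14 03:12:01.001 UTC [4711] 18.0.0.5 FATAL:  password authentication failed for user "postgres"
2020-12-14 03:12:02.010 UTC [4712] 18.0.0.5 FATAL:  password authentication failed for user "postgres"
2020-12-14 03:12:03.020 UTC [4713] 18.0.0.5 FATAL:  password authentication failed for user "postgres"
2020-12-14 03:12:04.030 UTC [4714] 18.0.0.5 FATAL:  password authentication failed for user "postgres"
2020-12-14 03:12:05.040 UTC [4715] 18.0.0.5 FATAL:  password authentication failed for user "postgres"
2020-12-14 03:12:06.050 UTC [4716] 10.0.0.9 FATAL:  password authentication failed for user "app"
2020-12-14 03:12:07.060 UTC [4717] 10.0.0.9 LOG:  statement: COPY t FROM '/var/lib/postgresql/data.csv'
2020-12-14 03:12:09.200 UTC [4718] 18.0.0.5 LOG:  statement: COPY tmp FROM PROGRAM 'id'
"""

# Timestamp, zone, backend pid and client host, as produced by the assumed prefix.
PREFIX = r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d+) \S+ \[\d+\] (?P<host>\S+) "
FAILED_AUTH = re.compile(
    PREFIX + r'FATAL:\s+password authentication failed for user "(?P<user>[^"]+)"')
# COPY ... FROM PROGRAM and COPY ... TO PROGRAM both execute a command on the host.
COPY_PROGRAM = re.compile(
    PREFIX + r"LOG:\s+statement:\s+(?P<stmt>.*\bCOPY\b.*\b(?:FROM|TO)\s+PROGRAM\b.*)",
    re.IGNORECASE)


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alert dicts: one 'brute_force' per host that reaches `threshold`
    failed logins inside `window`, and one 'copy_program' per COPY statement
    that invokes PROGRAM, flagged if that host was already seen brute-forcing."""
    recent = defaultdict(deque)   # host -> timestamps of failures inside the window
    flagged = set()               # hosts already reported for brute force
    alerts = []
    for line in lines:
        m = FAILED_AUTH.match(line)
        if m:
            ts = parse_ts(m["ts"])
            q = recent[m["host"]]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and m["host"] not in flagged:
                flagged.add(m["host"])
                alerts.append({"type": "brute_force", "host": m["host"],
                               "user": m["user"], "attempts": len(q), "at": m["ts"]})
            continue
        m = COPY_PROGRAM.match(line)
        if m:
            alerts.append({"type": "copy_program", "host": m["host"],
                           "statement": m["stmt"].strip(),
                           "preceded_by_brute_force": m["host"] in flagged,
                           "at": m["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

A plain COPY from a file (the 10.0.0.9 line) is deliberately not flagged; only the PROGRAM form executes commands.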

    PgMiner marks the second time a coin-miner operation targets PostgreSQL databases, with similar attacks seen in 2018, carried out by the StickyDB botnet.
    Other database technologies that have also been targeted by crypto-mining botnets in the past include MySQL, MSSQL, Redis, and OrientDB.

  •

    Former Cisco engineer sentenced to prison for deleting 16k Webex accounts

    A former Cisco engineer was sentenced this week to 24 months in prison for accessing Cisco’s network without authorization after he left the company and then destroying servers that hosted infrastructure for the Cisco Webex Teams service.

    Sudhish Kasaba Ramesh, 31, of San Jose, was formally charged earlier this year in July and pleaded guilty a month later in August.
    According to court documents, Ramesh worked for Cisco between July 2016 and April 2018, when he resigned and joined another company.
    However, for reasons not mentioned in the indictment, five months later, in September 2018, Ramesh accessed Cisco’s cloud infrastructure hosted on Amazon’s Web Services.
    Investigators said Ramesh then proceeded to run a script that deleted 456 virtual machines that were supporting Cisco’s video conferencing software WebEx Teams, actions that resulted in the temporary deletion of more than 16,000 Webex accounts.
    It took Cisco two weeks to recover the accounts and rebuild its systems, costing the company more than $2.4 million, with $1,400,000 in employee time and $1,000,000 in customer refunds.
    The tech giant’s management brought the case to law enforcement as soon as it realized the Webex Teams outage was the result of intentional sabotage and not a server issue.

    Although Ramesh apologized for his actions, the former Cisco engineer never explained what drove him to delete Cisco’s servers.
    Besides serving the next two years in prison, Ramesh was also ordered to pay a $15,000 fine.
    Ramesh was also fired from his job at his current employer, personal styling service Stitch Fix, and is scheduled to begin his prison sentence next year, on February 10.
    Cisco said that the incident didn’t expose any of its customers’ data, and the company restored service to all affected parties.

  •

    Zero-day in WordPress SMTP plugin abused to reset admin account passwords

    Hackers are resetting passwords for admin accounts on WordPress sites using a zero-day vulnerability in a popular WordPress plugin installed on more than 500,000 sites.
    The zero-day was used in attacks over the past weeks and was patched on Monday.
    It impacts Easy WP SMTP, a plugin that lets site owners configure the SMTP settings for their website’s outgoing emails.
    According to the team at Ninja Technologies Network (NinTechNet), Easy WP SMTP 1.4.2 and older versions of the plugin contain a feature that creates debug logs for all emails sent by the site, which it then stores in its installation folder.
    “The plugin’s folder doesn’t have any index.html file, hence, on servers that have directory listing enabled, hackers can find and view the log,” said NinTechNet’s Jerome Bruandet. 

    Bruandet says that on sites running vulnerable versions of this plugin, hackers have been carrying out automated attacks to identify the admin account and then initiate a password reset.
    Since a password reset involves sending an email with the password reset link to the admin account, this email is also recorded in the Easy WP SMTP debug log.

    All attackers have to do is access the debug log after the password reset, grab the reset link, and take over the site’s admin account.

    “This vulnerability is currently exploited, make sure to update as soon as possible to the latest version,” Bruandet warned earlier this week on Monday.
    The plugin’s developers have fixed this issue by moving the plugin’s debug log into the WordPress logs folder, where it’s better protected. The version where this bug was fixed is Easy WP SMTP 1.4.4, according to the plugin’s changelog.
    This marks the second zero-day discovered in this very popular plugin. A first zero-day was discovered being abused in the wild in March 2019, when hackers used an Easy WP SMTP vulnerability to enable user registration and then created backdoor admin accounts.
    The good news is that compared to March 2019, today, the WordPress CMS has received a built-in auto-update function for themes and plugins.
    Added in August 2020, with the release of WordPress 5.5, if enabled, this feature will allow plugins to always run on the latest version by updating themselves, instead of waiting for an admin’s button press.
    However, it is currently unclear how many WordPress sites have this feature enabled and how many of the 500,000+ WordPress sites are currently running the latest (patched) Easy WP SMTP version.
    According to WordPress.org stats, the number isn’t that high, meaning that many sites remain vulnerable to attacks.
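The leak described above needs two conditions on the web server: directory listing is on, and files the plugin writes into its own folder are served to anyone. Both can be closed at the web server independently of the plugin update. The nginx fragment below is an added hardening example, not configuration from the plugin or the article; the log file name is not given in the article, so the rule denies every `.log` file under the plugins directory (an assumption) rather than one specific path.

```nginx
# Weak settings that make the debug log reachable: listings enabled and
# no restriction on files inside plugin folders.
#   autoindex on;
#   location /wp-content/plugins/ { }

# Corrected settings (added example, not from the plugin or article):
server {
    autoindex off;                       # no directory listings anywhere

    # Plugin-written logs must never be served to the web. The exact
    # filename is an assumption; the pattern covers any .log under plugins/.
    location ~* ^/wp-content/plugins/.*\.log$ {
        deny all;
        return 404;
    }

    # The rest of the WordPress site is served as usual.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
}
```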


  •

    This new ransomware is growing in strength and could become a major threat warn researchers

    Ransomware which demands millions of dollars from victims and is being updated with new features could become another serious threat to businesses.
    MountLocker ransomware first emerged in July and encrypts the networks of victims with the attackers demanding bitcoin in exchange for the decryption key. Like other forms of ransomware, the criminal hackers behind it threaten to leak stolen information from the victim organisation if the bitcoin ransom isn’t paid.
    Cybersecurity researchers at BlackBerry have been analysing MountLocker and say that those behind it are “clearly just warming up” – and this family of ransomware could become a major threat going forward.
    Researchers note that MountLocker takes advantage of an affiliate scheme in order to find victims, likely negotiating with hackers who’ve already compromised a network with malware in order to make the deployment of the ransomware as easy and widespread as possible – and providing a means for both parties to illicitly make money from the network compromise.
    “Affiliates are often separate organised crime groups, who go looking for easy – and not so easy – entry into networks,” Tom Bonner, distinguished threat researcher at Blackberry told ZDNet.
    “Once they have established a foothold they will begin negotiations with ransomware operators, usually via dark web channels, in order to obtain a ransomware to monetize the access to the victim’s environment,” he added.

    While it’s possible for hackers to breach the network using malware, it’s common for outsiders to gain access by guessing weak, commonly used or default passwords and then escalating their privileges from there.
    In this case, the MountLocker crew spread across the network with publicly available tools and deployed the ransomware in as little as 24 hours. Once the command to execute the ransomware is initiated, victims find themselves locked out of their network and facing a seven-figure ransom demand.
    Analysis of campaigns found that an updated version of MountLocker designed to make it even more efficient at encrypting files emerged last month, as well as updating the ability to evade detection by security software.
    While MountLocker still appears to be in a relatively early stage of development, it’s already proved effective by claiming victims around the world and it’s likely to become more prolific as it evolves.
    “Since its inception, the MountLocker group have been seen to both expand and improve their services and malware. While their current capabilities are not particularly advanced, we expect this group to continue developing and growing in prominence over the short term,” says the research paper.
    Like all forms of ransomware, MountLocker takes advantage of common security weaknesses in order to spread, so some of the best ways to protect against falling victim to it are to ensure that default passwords aren’t used, that two-factor authentication is applied, and that networks are updated with the latest security patches to counter known vulnerabilities.
    It’s also useful for organisations to have a plan in place, so that if they do fall victim to a ransomware attack, they’re able to react accordingly.
    “With the highly targeted and increasingly sophisticated nature of these attacks, it is highly advisable to have disaster recovery plans in place like secure backups and test to backups frequently,” said Bonner.

  •

    Update now: Researchers warn of security vulnerabilities in these widely used point-of-sale terminals

    Security vulnerabilities in Point-of-sale (PoS) terminals produced by two of the biggest manufacturers of these devices in the world could have allowed cyber criminals to steal credit card details, clone terminals and commit other forms of financial fraud at the cost of both buyers and retailers.
    The vulnerabilities in Verifone and Ingenico products – which are used in millions of stores around the world – have been detailed by independent researcher Aleksei Stennikov and Timur Yunusov, head of offensive security research at Cyber R&D Lab, during a presentation at Black Hat Europe 2020.
    After being disclosed to the vendors, the vulnerabilities can now be fixed by applying security patches – although it cannot be certain that retailers and others involved in the distribution and use of the PoS terminals have applied the updates.
    One of the key vulnerabilities in both brands of device is the use of default passwords, which could provide attackers with access to a service menu and the ability to manipulate or change the code on the machines in order to run malicious commands.
    Researchers say these security issues have existed for at least 10 years while some have even existed in one form or another for up to 20 years – although the latter are mostly in legacy elements of the device which are no longer used.
    Attackers could gain access to the devices to manipulate them in one of two ways. Either they’re able to physically gain access to the PoS terminal, or they’re able to remotely gain access via the internet and then execute arbitrary code, buffer overflows and other common techniques which can provide attackers with an escalation of privileges and the ability to control the device – and see and steal the data that goes through it.

    Remote access is possible if an attacker gains access to the network via phishing or another attack and then moves freely around the network to the PoS terminal.
    Ultimately, the PoS machine is a computer and if it’s connected to the network and the internet, then attackers can attempt to gain access to and manipulate it like any other insecure machine.
    The way the PoS terminal communicates with the rest of the network means attackers could access unencrypted card data, including Track2 and PIN information, providing all the information required to steal and clone payment cards.
    In order to protect against attacks exploiting PoS vulnerabilities, it’s recommended that retailers using the devices ensure they’re patched and up to date and they should avoid using default passwords where possible.
    It’s also recommended that if possible, PoS devices are on a different network to other devices, so if an attacker does gain access to the network via a Windows system, it’s not as simple for them to pivot to the PoS devices.
    Both PoS device manufacturers have confirmed they were informed of the vulnerabilities and that a patch has been released to prevent attackers exploiting them. Neither firm is aware of any instances of the vulnerabilities being exploited in the wild.
    “Ingenico has not been made aware of any fraudulent access to payments data resulting from these vulnerabilities, already fully corrected. Every day, Ingenico works hard to implement, on a continuing basis, the highest standards of latest security technologies in order to protect its customers and end users and is closely monitoring the situation to avoid reoccurrence of this issue,” an Ingenico spokesperson told ZDNet. 
    “We are aware of the issues raised potentially affecting a subset of our legacy payment devices. To date we are not aware of these vulnerabilities being exploited in the market,” a Verifone spokesperson told ZDNet.
    “The security firm has validated that our latest patches and software updates, which are available to all customers, remedy these vulnerabilities. Customers are currently in different phases of implementing these patches or software updates”.

  •

    Cisco 9.9/10-severity bug: Patch these dangerous Jabber flaws for Windows, macOS

    Cisco has rolled out patches for several critical flaws affecting the Jabber clients for Windows, MacOS, and the mobile apps for iOS and Android. 
    The flaws are bad, with the worst having a severity rating of 9.9 out of a possible 10. What’s worse, the flaws were meant to have been fixed three months ago in updates for Jabber, shortly after researchers released proof-of-concept exploit code for the wormable bugs, which can be exploited via an instant message. 


    Jabber is Cisco’s widely-used enterprise chat and instant-messaging platform, which it acquired in 2008. The app is based on the Chromium Embedded Framework (CEF), which allows developers to embed a natively sandboxed Chromium-based web browser in their applications.  
    Cisco says the bugs allow an attacker to “execute arbitrary programs on the underlying operating system with elevated privileges or gain access to sensitive information”. Customers have no other option but to install the latest updates to prevent attacks. 
    Norwegian security outfit Watchcom found earlier this year that Jabber was vulnerable to cross-site scripting (XSS) through XHTML-IM messages. Jabber did not properly sanitize incoming HTML messages and instead passed them through a faulty XSS filter.
    Cisco notes that the new message-handling vulnerabilities can be exploited if an attacker can send Extensible Messaging and Presence Protocol (XMPP) messages to end-user systems running Cisco Jabber. 

    “Attackers may require access to the same XMPP domain or another method of access to be able to send messages to clients,” Cisco notes in an advisory. 
    The three incompletely fixed bugs are tracked as CVE-2020-26085, CVE-2020-27127, and CVE-2020-27132. 
    Watchcom reported four vulnerabilities to Cisco earlier this year, and they were disclosed by the networking giant in September. But three of them were not properly fixed in updates at the time, according to Watchcom. 
    Watchcom probed the patches after a client requested an audit to check that the bugs had been sufficiently mitigated in Cisco’s existing patches. It found the bugs were not mitigated. 
    Two of the three improperly patched bugs can be used to gain remote code execution. One of them can also be used to gain NT LAN Manager (NTLM) password hashes from users. 
    “Two of the vulnerabilities are caused by the ability to inject custom HTML tags into XMPP messages,” explains Watchcom’s penetration tester, Olav Sortland Thoresen. 
    “The patch released in September only patched the specific injection points that Watchcom had identified. The underlying issue was not addressed. We were therefore able to find new injection points that could be used to exploit the vulnerabilities.
    “Since some of the vulnerabilities are wormable, organizations should consider disabling communication with external organizations through Cisco Jabber until all employees have installed the update,” he added. 
    Cisco also found two additional bugs in Jabber during internal testing. They are tracked as CVE-2020-27133 and CVE-2020-27134. 
    CVE-2020-27134 is a vulnerability in the application protocol handling features of Jabber for Windows, which has a severity rating of eight out of 10. 
    CVE-2020-27133 has a severity rating of 8.8 out of 10 and affects Jabber for Windows and Jabber for macOS. It may allow an authenticated, remote attacker to gain access to sensitive information.

  •

    Mastercard, Visa cut card payment ties with Pornhub over child abuse, illegal content allegations

    Mastercard and Visa have distanced themselves from Pornhub by revoking card payment services following accusations that the website is hosting illegal content. 

    Pornhub is one of the world’s largest pornography video platforms. In 2019, the company said it recorded 42 billion visits or an average of 115 million visits per day. Pornhub generates income through premium subscriptions and ad impressions. 
    A New York Times report, published on December 4, accused Pornhub of monetizing “child rapes, revenge pornography, spycam videos of women showering, racist and misogynist content, and footage of women being asphyxiated in plastic bags,” and said the platform was “infested” with sexual abuse content. 
    Furthermore, the report claimed that Pornhub is not in control of content uploaded to the platform that involves minors.
    “Because it’s impossible to be sure whether a youth in a video is 14 or 18, neither Pornhub nor anyone else has a clear idea of how much content is illegal,” the report says. 
    When contacted by the NYT, Pornhub dismissed claims that the company allowed child-related video content on the platform as “irresponsible and flagrantly untrue.”
    “Pornhub is unequivocally committed to combating child sexual abuse material, and has instituted a comprehensive, industry-leading trust and safety policy to identify and eradicate illegal material from our community,” Pornhub added. 

    This week, Pornhub implemented changes to user video uploads. Effective immediately, the company said only “verified uploaders” from content partners and people within the Model Program would be able to upload content; download facilities have been revoked for free users, and Pornhub has promised to expand content moderation. 
    It is worth noting that Google, Twitter, and Facebook are also constantly working to remove child abuse and illegal sexual content from search results and their respective platforms. 
    However, these assurances have not been enough for payment service providers that have previously worked with Pornhub. As reported by The Guardian, both Mastercard and Visa are now reviewing their links with the website. 
    Mastercard conducted its own investigation into the allegations. According to Nicholas Kristof, the NYT investigator, the financial services giant said on Thursday:

    “Today, the use of our cards at Pornhub is being terminated. Our investigation over the past several days has confirmed violations of our standards prohibiting unlawful content […] we continue to investigate potential illegal content on other websites.”

    Visa is in the middle of its own investigation into Pornhub and has decided to temporarily suspend card activity. 
    “Given the allegations of illegal activity, Visa is suspending Pornhub’s acceptance privileges pending the completion of our ongoing investigation,” the company said in a statement. “We are instructing the financial institutions who serve MindGeek to suspend processing of payments through the Visa network.”
    Pornhub is owned by MindGeek, an umbrella parent company that maintains over 100 websites and brands aside from Pornhub, including RedTube and Youporn. The decision to suspend card payments will likely hit the conglomerate hard, and may also affect legal workers in the sex industry who generate an income from paid members on these platforms. 
    After reaching out to MindGeek, ZDNet was referred to Pornhub’s statement:

    “These actions are exceptionally disappointing, as they come just two days after Pornhub instituted the most far-reaching safeguards in user-generated platform history. Unverified users are now banned from uploading content — a policy no other platform has put in place, including Facebook, which reported 84 million instances of child sexual abuse material over the last three years. In comparison, the Internet Watch Foundation reported 118 incidents on Pornhub over the last three years.
    This news is crushing for the hundreds of thousands of models who rely on our platform for their livelihoods.”
