More stories


    Critical CSRF vulnerability found on Glassdoor company review platform

    Glassdoor, a website for job hunting and posting anonymous company reviews, has resolved a critical issue that could be exploited to take over accounts. 

    Bug bounty researcher “Tabahi” (ta8ahi) found the issue, described as a site-wide cross-site request forgery (CSRF) bug deserving of a 9 – 10 severity score. 
    The vulnerability impacted the Glassdoor web domain. A token, gdToken, was in use to prevent CSRF from occurring on endpoints, and at first glance, it appeared to be a secure implementation. 
    However, Tabahi’s tests resulted in a fraudulent session request passing through CSRF checks — a discovery made by accident, as the bug bounty hunter missed copying an underscore beginning a request attempt. 
    This odd discovery led Tabahi to try and reproduce the result. Generating CSRF tokens from account “A,” stripping the first character, and attempting to use it as the token for account “B” proved to be successful.
    There are two types of Glassdoor accounts: one for job seekers and one for employers — both of which use the same CSRF protection. 

    The vulnerability allowed attackers to obtain a CSRF token from the firm’s server to hijack accounts from logged-in victims. This could include establishing new administrators on employer accounts, deleting information on job seekers and employers, adding fake reviews, deleting CVs, as well as posting, applying for, and deleting job listings. 
    Glassdoor’s security team triaged the problem as a token length validation error, and exception handling issues were also present. According to Tabahi, “an exception was triggered with the forged tokens and they didn’t fail the response, and in turn, just logged it and allowed the operation to continue.”
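The failure mode described above, a malformed token raising an exception that is logged rather than failing the request, is easy to reproduce in miniature. The following is an added illustration and not Glassdoor's code: it assumes a token scheme in which the server derives each CSRF token from the session id with an HMAC (a constructed scheme chosen for the demonstration), then contrasts a fail-open validator with a fail-closed one. The `validate_fail_open` function exists only as the "before" of the fix: a token from session A with its first character removed is malformed, the decoding error is swallowed, and the request for session B goes through; `validate_fail_closed` rejects on any error and compares in constant time against the token expected for the current session.

```python
import hashlib
import hmac
import logging

# Constructed server-side secret for the demonstration; a real service loads it
# from a secret store and never hard-codes it.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"

log = logging.getLogger("csrf-demo")


def issue_token(session_id: str) -> str:
    """Mint a CSRF token bound to one session: hex HMAC-SHA256 of the session id."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _decode_token(token: str) -> bytes:
    """Parse a submitted token. Tokens must be the hex form of a 32-byte MAC;
    odd length, non-hex characters or the wrong size are all malformed."""
    raw = bytes.fromhex(token)  # raises ValueError on odd length or non-hex input
    if len(raw) != 32:
        raise ValueError(f"unexpected token length {len(raw)}")
    return raw


def validate_fail_open(session_id: str, token: str) -> bool:
    """The anti-pattern: a malformed token raises, the exception is only logged,
    and the caller is told the check passed. Shown as the 'before' of the fix."""
    try:
        expected = bytes.fromhex(issue_token(session_id))
        return hmac.compare_digest(_decode_token(token), expected)
    except ValueError as exc:
        log.warning("token validation error (request allowed through!): %s", exc)
        return True


def validate_fail_closed(session_id: str, token: str) -> bool:
    """Hardened check: any parsing or length error rejects the request, and the
    constant-time comparison is against the token derived from the *current*
    session, so a token minted for another account cannot match."""
    try:
        expected = bytes.fromhex(issue_token(session_id))
        return hmac.compare_digest(_decode_token(token), expected)
    except ValueError as exc:
        log.warning("token validation error, request rejected: %s", exc)
        return False


def demo() -> dict:
    """Exercise both validators with a token issued to session A and reused,
    minus its first character, against session B."""
    token_a = issue_token("session-A")
    forged = token_a[1:]  # one character short: malformed, as in the report
    return {
        "fail_open_accepts_forged": validate_fail_open("session-B", forged),
        "fail_closed_accepts_forged": validate_fail_closed("session-B", forged),
        "fail_closed_accepts_own": validate_fail_closed("session-A", token_a),
        "fail_closed_accepts_other_session": validate_fail_closed("session-B", token_a),
    }


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The design point is that the validator's error path is a security decision: every `except` branch in a check like this must return the failing value, and a length or format error should be treated the same as a wrong token rather than as an operational hiccup to log and move past.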
    The bug bounty hunter first reported their findings to Glassdoor via HackerOne in February. After a period of time to triage the bug, the vulnerability report was accepted as valid and a critical score was issued. Glassdoor patched the issue in the same month, but public disclosure was only made in December. 
    Tabahi was awarded a bug bounty of $3,000 for reporting the CSRF vulnerability, including both a $2,500 financial reward from Glassdoor and a $500 bonus from HackerOne.


    CISA and FBI warn of rise in ransomware attacks targeting K-12 schools

    In a joint security alert published on Thursday, the US Cybersecurity and Infrastructure Security Agency, along with the Federal Bureau of Investigation, warned about increased cyber-attacks targeting the US K-12 educational sector, often leading to ransomware attacks, the theft of data, and the disruption of distance learning services.

    “As of December 2020, the FBI, CISA, and MS-ISAC continue to receive reports from K-12 educational institutions about the disruption of distance learning efforts by cyber actors,” the alert reads.
    “Cyber actors likely view schools as targets of opportunity, and these types of attacks are expected to continue through the 2020/2021 academic year,” it added.
    Ransomware attacks
    But of all the attacks plaguing the K-12 sector (kindergarten through twelfth-grade schools), ransomware has been a particularly aggressive threat this year, CISA and the FBI said.
    “According to MS-ISAC data, the percentage of reported ransomware incidents against K-12 schools increased at the beginning of the 2020 school year,” the two agencies said.
    “In August and September, 57% of ransomware incidents reported to the MS-ISAC involved K-12 schools, compared to 28% of all reported ransomware incidents from January through July,” they said.
    The numbers are also consistent with a recent Emsisoft report where the company also noted a surge in ransomware attacks against the educational sector in Q3 2020.

    The five most active ransomware groups targeting the US K-12 this year have been Ryuk, Maze, Nefilim, AKO, and Sodinokibi/REvil, according to reports received by the two agencies.
    Making matters worse, all five are ransomware operations known to run “leak sites” where they usually dump data from victims who don’t pay, which also creates the danger of having student data published online.
    Commodity malware
    But an increase in ransomware attacks wasn’t the only problem that K-12 schools faced this school year. CISA and the FBI said that mundane commodity malware has also made its way on the networks of US K-12 organizations.
    “These malware variants are purely opportunistic as they not only affect educational institutions but other organizations as well,” the agencies said.
    Among the most common malware infections seen on K-12 networks, the ZeuS (or Zloader) trojan (Windows) and Shlayer loader (macOS) have topped the infection charts.
    Image: CISA, FBI
    The presence of this malware shouldn’t be taken lightly, as these threats can often turn into bigger intrusions at the drop of a hat and, normally, need to be addressed right away.
    DDoS attacks and video conference disruptions
    But on top of malware, which can lead to IT staff shutting down networks to deal with infections, the two agencies also warned K-12 schools to take care to protect themselves against other forms of cyber-attacks that can also cause disruptions, albeit more temporary.
    These included distributed denial of service (DDoS) attacks and live video conference disruptions (also known as Zoom bombing).
    With school IT systems now needing to work at full capacity in order to keep school resources up and running, DDoS attacks have recently been a favorite attack vector, used either to ransom schools for monetary profit or by the students themselves in order to get out of online classes.
    Both Check Point and Kaspersky have already noted earlier this year that DDoS attacks against the educational sector have increased not only in the US but worldwide, as schools have moved their operations online.
    As for video conference disruptions, this has been an issue for schools since March 2020 and has never gone away.
    “These disruptions have included verbally harassing students and teachers, displaying pornography and/or violent images, and doxing meeting attendees,” CISA and the FBI said.
    The alert published by the two agencies includes a long list of countermeasures that K-12 schools —and everyone else— can apply to prevent the most common threats they’ve seen this year.
    “A combination of basic cyber hygiene, such as patch management, verifying compliance with strong password management policies, performing regular backups of essential systems that are not accessible from the same network, and ensuring that systems are protected with security software at the endpoint and gateway can help address some of these threats,” Satnam Narang, staff research engineer at Tenable, told ZDNet.
    “Social engineering is still a viable tool in the cybercriminal’s toolkit, so regularly performing security awareness training is another weapon in the fight against these attacks.”


    Bill giving government the nod to share data enters Parliament

    Image: Asha Barbaschow/ZDNet
    The federal government is hoping to “modernise” and “streamline” its use of the data it holds as well as set guidelines on how it shares that data between agencies and with the private and research sectors.
    The data reforms presented in the Data Availability and Transparency Bill 2020 are touted by Minister for Government Services Stuart Robert as an opportunity to establish a new framework that is able to proactively assist in designing better services and policies.
    The Bill, as well as the Data Availability and Transparency (Consequential Amendments) Bill, were both introduced to Parliament on Wednesday, after two years of consultation.
    The government initially announced its intentions to introduce the Data Availability and Transparency Act (DATA) in May 2018 when it stood up the Office of the National Data Commissioner (NDC) to draft the legislation in response to the 2016 Productivity Commission Data Availability and Use report. The Australian government was hoping to introduce the Act by June 3, but due to the COVID-19 pandemic affecting its timeline, consultation on an exposure draft of the Bill did not go ahead. 
    The government in 2018 also pledged AU$65 million to “reform” the Australian data system, with the National Data Advisory Council then being established the following year to provide advice to the NDC on ethical data use, community expectations, technical best practice, and industry and international developments.
    The new Bill, in a nutshell, creates a scheme of controlled access to public sector data.
    Under the legislation, data would only be shared for three purposes: Government services delivery, informing government policy and programs, and research and development.

    In a discussion paper in September 2019, the federal government tweaked what it proposed the year prior by removing a fundamental element of privacy — consent.
    The government’s position on consent has since become more nuanced, with the Bill introduced to the House stating that any sharing of personal information is to be done with the consent of the individuals, unless it is unreasonable or impracticable.
    Attention is now on developing the “next layers of materials to support the Bill”, National Data Commissioner Deborah Anton said this week, including the regulations to be tabled once the Bill has passed Parliament.  
    The Australian Security Intelligence Organisation Amendment Bill 2020, meanwhile, passed both Houses on Wednesday. 
    It implements the government’s response to the report of the PJCIS into ASIO’s questioning and detention powers by amending the Australian Security Intelligence Organisation Act 1979 in relation to compulsory questioning powers and tracking devices.
    It also amends four Acts to make consequential amendments; and makes amendments contingent on the commencement of the Federal Circuit and Family Court of Australia (Consequential Amendments and Transitional Provisions) Act 2020.
    An advisory report was handed down by the PJCIS earlier this month, which recommended the passage of the Bill, following the removal of ASIO’s capability to use a tracking device without an internal authorisation.
    The Intelligence Oversight and Other Legislation Amendment (Integrity Measures) Bill 2020, which implements the government’s decision to extend the Inspector-General of Intelligence and Security’s (IGIS) jurisdiction to the intelligence functions of ACIC and Austrac, not just ASIO, also entered the House on Wednesday.
    The legislation mandating an Australian News Media Bargaining Code also entered the House of Representatives this week, as did the Security Legislation Amendment (Critical Infrastructure) Bill 2020, which was labelled as a significant step in the protection of critical infrastructure and essential services that Australians rely upon by Minister for Home Affairs Peter Dutton. 
    The Australian government on December 3 also put forward its Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 that would hand the Australian Federal Police and the Australian Criminal Intelligence Commission three new warrants for dealing with online crime.  


    Communications department flags idea of tying telco licences to cyber capability

    The Department of Infrastructure, Transport, Regional Development, and Communications has run up the flagpole the idea of inserting security provisions into the Telecommunications Act to require telcos to safeguard their systems as a condition of their licence to operate.
    Writing in a submission to the Parliamentary Joint Committee on Intelligence and Security (PJCIS) review of the Telecommunications Sector Security Reforms (TSSR), the department said there are no specific requirements on carriers to protect their networks from cyber intrusions.
    “The addition of an object with a specific security focus would support the measures taken by government and industry into the future,” it said.
    “It would also mean that the full force of the existing regulatory framework (including codes and standards under Part 6 of the Tel Act [Telecommunications Act], carrier licence conditions and service provider rules) could be available to support security objectives.”
    A number of options exist for how that mechanism would work under Part 6, the department said, and it could end up taking the form of licence conditions, service provider rules, or an industry code or standard.
    “If these mechanisms are used to achieve security objectives, it is appropriate that the Minister for Home Affairs have the ability to enforce these obligations, consistent with the powers that the Minister for Home Affairs already has in relation to TSSR,” the department said.
    As it currently stands under TSSR obligations, telcos need to “do their best” to protect infrastructure, but the department put forward the idea of making it more prescriptive and easier to interpret.

    “The creation of a delegated instrument (such as a determination making power), with appropriate Ministerial oversight, could offer a clearer alternative,” it said.
    “Additionally, industry and government could create and promulgate security standards using existing mechanisms in Part 6 of the Tel Act which is currently used, for example, to set out emergency call service and mobile number porting identity requirements.”
    There was also the opportunity to close gaps, the department pointed out, which included “obvious trigger events” such as a telco being acquired.
    “A change in ownership of a carrier, effectively a transfer of carrier licence, could trigger a security check subject to a risk assessment,” it wrote.
    The department also said direction powers could be extended to allow for directions to be handed to telcos without the requirement for an adverse finding to be handed to the telco in question, if the security risk lies with a supplier, and not the telco itself.
    While it is possible to create a list of carriers with telco licences, the department said no definitive list of carriage service providers (CSP) currently exists.
    “A list of a subset of CSPs delivering specific services, such as commercial telephony or broadband services, could be maintained by either regulator (CAC or ACMA) and be used to proactively enforce security, consumer protection and other obligations across the Tel Act,” the submission said.
    Earlier in the week, Optus revealed it was responsible for over half of the 66 notifications made under the TSSR regime to June 30.
    “Optus has reviewed the TSSR status of well over 150 projects and proposed changes over the last two years and submitted formal TSSR notifications for 36 of them,” it said.
    “The time for the resolution of these notifications has varied between 30 days to eight months.”
    The telco said this meant the regime was not operating as intended, because telcos were each coming up with their own notification thresholds and interpretations. Consequently, the TSSR is simultaneously at risk of under-notification and over-notification.
    The Singaporean telco further said it had experienced significant impacts due to the TSSR.
    The main result of the TSSR thus far has been the banning of Huawei from 5G deployments in Australia. It was a decision that Optus said changed its market position, investment strategy, customer outcomes, and network design and capability.


    Australian intelligence community seeking to build a top-secret cloud

    Australia’s national intelligence community (NIC) hopes to build a highly-secure private community cloud service capable of protecting data that is classified all the way to the level of top secret.
    The Office of National Intelligence (ONI), Australia’s peak intelligence agency, is leading the project, and issued a call for expressions of interest on Friday.
    “The NIC is seeking to accelerate its ability to transpose and extract relevant data from complex data sources. It sees common toolsets for data filtering and manipulation to extract relevant useful information as a force multiplier,” ONI wrote.
    “The NIC seeks greater interoperability through shared common services, common infrastructure, and standards, centralisation of services, and the ability to create collaborative environments.”
    All 10 NIC agencies will eventually use the cloud: ONI, Australian Signals Directorate (ASD), Australian Geospatial-Intelligence Organisation, Australian Secret Intelligence Service, Australian Security Intelligence Organisation (ASIO), Defence Intelligence Organisation, Australian Criminal Intelligence Commission, and the intelligence functions of the Australian Federal Police, Australian Transaction Reports and Analysis Centre (Austrac), and the Department of Home Affairs.
    The platform would also allow “trusted third-parties” to operate software-as-a-service (SaaS) services in the private community cloud.
    ONI’s leadership of the project, and indeed the project itself, stem from recommendations of the 2017 Independent Intelligence Review.

    “We recommend that data analytics and ICT connectivity, including the establishment of an intelligence community computing environment in which technical barriers to collaboration are minimised, be one of the highest priorities of a more structured approach to technological change and the funding of joint capabilities,” the review said.
    The project does not involve agencies collecting any new data. Nor does it expand their remit. All existing regulatory arrangements still apply.
    Rather, the NIC hopes that a community cloud will improve its ability to analyse data and detect threats, as well as improve collaboration and data sharing.
    “Top Secret” is the highest level in Australia’s Protective Security Policy Framework. It represents material which, if released, would have “catastrophic business impact” or cause “exceptionally grave damage to the national interest, organisations or individuals”.
    Until very recently the only major cloud vendor to handle top secret data, at least to the equivalent standards of the US government, was Amazon Web Services (AWS). AWS in 2017 went live with an AWS Secret Region targeted towards the US intelligence community, including the CIA, and other government agencies working with secret-level datasets. 
    In Australia, AWS was certified to the protected level, two classification levels down from top secret. The “protected” certification came via the ASD’s Certified Cloud Services List (CCSL), which was in June shuttered, leaving certifications gained through the CCSL process void.
    Under the ISM framework, AWS had 92 services assessed as protected. It also negotiated an Australia-wide government cloud deal in 2019.   
    While the CCSL is no longer, it is expected the Information Security Registered Assessors Program (IRAP) will support government in maintaining their assurance and risk management activities.  
    This week, Microsoft launched Azure Government Top Secret cloud to handle classified data at all levels, including top secret, for US government customers. However, Microsoft is still working with the government to achieve accreditation. 
    Under the CCSL, Microsoft was also able to store government information up to a protected level. Unlike all previous such certifications, Microsoft’s certifications were provisional, and came with what the ASD called “consumer guides”. 
    ASIO issued expressions of interest in 2019 to use Microsoft Azure internally for protected, secret, and top secret data.
    In the UK, private company UKCloud launched its potentially top secret UKCloudX service in 2018. UKCloud is already a provider of cloud services to the UK government’s G-Cloud via a contract with the government’s purchasing agency Crown Commercial Services.
    ONI is seeking to explore the market, however, and vendors with experience in delivering secure cloud environments can apply, even if they do not yet have top secret certification.
    However, the cloud must be hosted on infrastructure physically located in Australia and geographically dispersed.
    “[This is] the first stage in a multiphase procurement process by which ONI will determine which, if any, respondents will be invited to participate in the next stage of the procurement process,” ONI wrote.
    Expressions of interest close February 8, 2021.


    Facebook doxes APT32, links Vietnam's primary hacking group to local IT firm

    Image via Alex Haney
    In a surprising and unexpected announcement on Thursday, the Facebook security team revealed the real identity of APT32, one of today’s most active state-sponsored hacking groups, believed to be linked to the Vietnamese government.


    The company said it took this step after it detected APT32 using its platform to spread malware in attempts to infect users.
    “Our investigation linked this activity to CyberOne Group [archived website, archived Facebook page], an IT company in Vietnam (also known as CyberOne Security, CyberOne Technologies, Hành Tinh Company Limited, Planet and Diacauso),” said Nathaniel Gleicher, Head of Security Policy at Facebook, and Mike Dvilyanski, Cyber Threat Intelligence Manager.
    A CyberOne spokesperson could not be reached for comment over the phone, as a previously listed phone number was offline. Emails sent to the company bounced.
    APT32 used Facebook to approach targets
    According to Gleicher and Dvilyanski, APT32 operated on Facebook by creating accounts and pages for fictitious personas, usually posing as activists or business entities.
    Using romantic or other lures, the group would often share links with their targets to various domains they either hacked or operated themselves.
    The links would usually lead to phishing or malware, or would even include links to Android apps that the group had managed to upload on the official Play Store, allowing them to spy on their victims.

    Based on its insights into this campaign, Facebook said the group targeted entities such as:
    • Vietnamese human rights activists locally and abroad
    • Foreign governments, including those in Laos and Cambodia
    • Non-governmental organizations
    • News agencies
    • Businesses across information technology, hospitality, agriculture and commodities, hospitals, retail, the auto industry, and mobile services
    Facebook said that besides taking down the group’s accounts and pages, they have also blocked the group’s domains, so they can’t be re-used again under new accounts APT32 might set up in the future.
    The social network also shared YARA rules and malware signatures, so other social networks and security firms can also take action and protect their users.
    A long string of hacks
    Believed to have begun operating in 2014, the APT32 group is also often referred to as OceanLotus.
    Its past operations are a literal smorgasbord of activity, and the group has been linked to attacks on almost everything of interest to the Vietnamese state.
    This not only included the affairs of neighboring countries, but also attacks on political dissidents and activists, and even private businesses that the group might believe are of interest to the Vietnamese government.
    The best example of this targeting has been the group’s widespread attacks on automakers in 2019. In what experts have described as a persistent campaign to steal intellectual property to support Vietnam’s state-funded fledgling automotive startup VinFast, the group hit and stole data from the likes of BMW, Hyundai, Toyota Australia, Toyota Japan, and even Toyota Vietnam, all in succession, in a small time window.
    Furthermore, when the coronavirus pandemic hit the world earlier this year, APT32 also re-focused on gathering COVID-19 data, even targeting government officials in Wuhan, China, where the first cases were recorded, seeking information about the disease.
    This versatility in targeting is a staple of a mature threat actor. But this versatility also extends to its arsenal of hacking tools. Social engineering, drive-by downloads, Office bugs, custom malware, abusing open-source tools, public exploits, macOS malware — the group has used them all.
    Although often ignored in cyber-security reports because of its links to Vietnam, the group has often shown prowess in shifting tactics and hacking tools across the years, a sign that they have the resources and knowledge to adapt.
    Facebook’s dox will be controversial & disputed
    According to Facebook, this maturity comes from the fact that behind APT32 is an actual cyber-security firm, one that’s still hiring even today, according to recent job posts.
    But whether Facebook’s dox is accurate remains to be seen.
    Facebook’s actions are surprising, to say the least, and are bound to attract scrutiny not only from government officials in Vietnam and all the hacked countries but also from the cyber-security industry.
    This is because doxing nation-state groups is something that has been, until today, left to prosecutors or anonymous vigilantes only.
    Cyber-security firms usually tip-toe around attribution to any government, let alone linking groups to various intelligence agencies or local contractors.
    Besides the US Department of Justice and a group known as IntrusionTruth, nobody has dared cross this line. Well, except FireEye, which doxed some Russian malware and then got hacked by a suspected Russian group.
    But if we learned anything, it is that the DOJ is usually also reading and looking into any public doxing of nation-state groups. Three of the four IntrusionTruth doxings have eventually turned into official DOJ cases.


    Home Affairs review of TikTok was merely for staff use on its network

    The Department of Home Affairs has confirmed that a review it undertook on controversial video-sharing platform TikTok was simply a standard network evaluation.
    Addressing the Select Committee on Foreign Interference through Social Media on Friday, Home Affairs first assistant secretary Hamish Hansford said a risk assessment was undertaken on TikTok internally for departmental systems in January 2020 by the department’s cybersecurity risk area.
    “We routinely look at areas of vulnerability across our departmental protected network, as well as our systems, as well as our mobile devices, and that’s a routine function undertaken by our cybersecurity risk area sitting within our information and communication technology area of the department,” he said.
    “That conforms with some of the guidance by the Australian Signals Directorate around application whitelisting, application control, locking down systems from macros — that type of thing — so that was done in the context of departmental systems.”
    Hansford said the Home Affairs review was portrayed in a different way. He said the internal review was completely distinct from the role that his division plays in relation to cybersecurity policy advice to government.
    There was no advice provided to government on TikTok as a result of this review.

    Prime Minister Scott Morrison in August said that he had a “good look” at TikTok and there was no evidence to suggest the misuse of any person’s data.
    “We have had a look, a good look at this, and there is no evidence for us to suggest, having done that, that there is any misuse of any people’s data that has occurred, at least from an Australian perspective, in relation to these applications,” he told the Aspen Security Forum.
    “You know, there’s plenty of things that are on TikTok which are embarrassing enough in public. So that’s sort of a social media device.”
    Morrison said the same issues are present with other social media companies, such as Facebook.
    “Enormous amounts of information is being provided that goes back into systems. Now, it is true that with applications like TikTok, those data, that data, that information can be accessed at a sovereign state level. That is not the case in relation to the applications that are coming out of the United States. But I think people should understand and there’s a sort of a buyer beware process,” the prime minister added.
    “There’s nothing at this point that would suggest to us that security interests have been compromised or Australian citizens have been compromised because of what’s happening with those applications.”
    The committee was hoping to ascertain how Morrison came to this conclusion.
    While Hansford took on notice where Morrison received such advice, he said he assumed it was from the Australian Signals Directorate (ASD).
    Speaking during Senate Estimates in October, Director-General of the ASD Rachel Noble said her team was involved in providing the advice to Morrison but didn’t detail what that advice was.
    Noble did say, however, that the ASD’s role is to provide technical advice when it comes to departmental staff using TikTok on work-issued phones.
    “It’s ultimately a matter for any individual department to make its own risk judgement about whether, on balance, they wish to provide said application on their work-provided iPhone, for example. And that will be their own judgement weighed against the potential utility of the application to the proper running of their own organisation,” she said.
    “We have provided quite extensive public advice about social media apps … the nature of that advice in the broad, is that it’s important to remember that all social media apps’ business model is to monetise your personal information that you provide them but also to on-sell the nature of your activity and engagement … that is a big moneymaking business model.
    “Our advice really encourages people to consider that and proceed with great caution. Be thoughtful about what personal information you are willing to provide.”
    A question on whether TikTok receives the same scrutiny from the Australian government as Huawei was offloaded to the Australian Cyber Security Centre.


    Tech unicorn UiPath discloses data breach

    Image: UiPath
    Tech unicorn UiPath, a startup that makes robotics automation software, is currently emailing users about a security incident that exposed their personal information online.
    “On December 1, 2020, UiPath became aware of an incident that resulted in unauthorized disclosure of a file containing limited personal information about users of UiPath Academy,” the company wrote in an email sent to users today, seen by ZDNet.
    The file included details such as real names, email addresses, usernames, company name, country locations, and UiPath certification details for users who signed up for the company’s online learning platform, the UiPath Academy.
    “We are aware of only one online source where the information was made available,” UiPath said. “For important security (and other related) reasons, UiPath is unable to name the source.”

    Details provided in a FAQ page suggest the exposed file might have been an older backup. UiPath said that only users who registered on its platform before or on March 17, 2020, had their details leaked.
    UiPath said that no passwords or financial information were exposed in the recent incident and that it will be notifying all users who had their data exposed online. Only data from the UiPath Academy was exposed, and the company’s official products remained secure, it said.
    UiPath declined to say how many users were impacted after ZDNet reached out for comment earlier today.

    Founded in 2005 in Bucharest, Romania, UiPath is considered one of the biggest providers of RPA (robotics process automation), which is software (not actual robots) for automating various business operations using algorithms and artificial intelligence workers.
    With a customer base of more than 7,000 companies, UiPath has raised more than $1.2 billion in funding and is valued at $10.2 billion as of July 2020.