More stories

  • Brazilian government organizes US visit to speed up 5G auction

    Brazilian government officials will be meeting their US counterparts and investors as part of a plan intended to speed up the process around Brazil’s upcoming 5G auction. The US visit starts today (7) and will end on Friday (11). The delegation is led by Brazil’s Ministry of Communications and includes representatives from the Ministry of Foreign Affairs, the Ministry of Defense, the Special Secretariat for Strategic Affairs and the National Congress, as well as senators Ciro Nogueira and Flávio Bolsonaro, president Jair Bolsonaro’s son. Other participants in the US meetings are representatives from the Brazilian Intelligence Agency, as well as ministers and technical staff from the Federal Court of Auditors, which is currently analyzing the notice for the auction of the 5G spectrum, expected to take place in July.

    The aim of the visit, according to the Ministry of Communications, is to “learn more about regulatory approaches to private communications networks and their implementation, as well as sharing experiences around cybersecurity”. During the meetings in Washington and New York, the ministers will visit the US Department of Defense, the Office of the Director of National Intelligence and the Federal Communications Commission. According to Communications minister Fabio Faria, the meetings in the US are “a great solution” to expedite the 5G auction, since the Federal Court of Auditors will have the opportunity to have its questions about the fifth-generation spectrum answered, especially regarding the implementation of the government’s private network.

    Another goal of the visit is to “promote the dialog with potential investors in the Brazilian telecommunications market”, the Ministry noted. The Brazilian government officials have meetings set up with Motorola, Qualcomm, IBM and AT&T, with investment funds and banks, and with consulting firm Eurasia. This week’s US visit follows a previous tour led by the Ministry of Communications to some of the leading countries in the 5G space. During that visit, which took place in February, government officials travelled to Sweden, Finland, Japan and China. At the time, the Brazilian delegation visited companies such as Nokia and Ericsson in their home countries, and new meetings with these two companies will take place during the US visit.

  • Facebook ramps up privacy efforts with end-to-end encrypted audio, video calling trials in Secret Conversations

    Facebook is now testing out new privacy and encryption features for Messenger’s Secret Conversations. 

    The tests, due to start over the course of this week, will include trials of end-to-end encrypted audio and video calling. At present, Secret Conversations only supports messages, pictures, video clips, voice recordings and stickers being sent with end-to-end encryption, a protocol intended to prevent anyone other than the participants, including the platform provider, from reading content. Secret Conversations does not support encrypted group messages, payments, or audio/video calling; however, the social media giant has now begun testing extended encryption options for a potential rollout in the future.

    Test group participants will see a phone icon at the top of the Secret Conversations window that can be selected to make a call. The option will be presented in a layout similar to that of typical Messenger windows. Facebook told ZDNet that the features will “give people more choice and controls” and that development in these areas is an “important step toward making Messenger a more secure and private experience.” The tests are expected to last several months. Potential rollouts may follow depending on the success of the trials.

    In addition, the company is trying out a new timer feature. Secret Conversations already permits users to set a timer for their messages to expire, but the bolt-on will allow participants to turn off disappearing messages entirely — or set a default timer for content to vanish at one-minute, 15-minute, or 24-hour intervals. The company has previously announced its plans to make chats across the platform encrypted by default, but such a rollout is likely years away. In the meantime, the trials with Secret Conversations could pave the way forward in default encryption development. “While we expect to make more progress on default end-to-end encryption for Messenger and Instagram Direct this year, it’s a long-term project and we won’t be fully end-to-end encrypted until sometime in 2022 at the earliest,” the company said.

  • This phishing email is pushing password-stealing malware to Windows PCs

    A phishing campaign is delivering a new variant of one of the oldest forms of remote access trojan (RAT) malware in an effort to steal usernames, passwords and other sensitive information. It also aims to steal cryptocurrency from the victim.

    Agent Tesla first emerged in 2014 and it remains a common form of malware today. The malware is focused on stealing sensitive information from compromised Windows machines with the aid of a keylogger, which sends what the victim is typing to the attacker – allowing them to see usernames, passwords, and more.

    Now researchers at Fortinet have detailed a new Agent Tesla campaign that distributes an updated version of the malware via phishing emails. The malicious messages are designed to look like business email – for example, one asks the user to open a Microsoft Excel attachment titled “Order Requirements and Specs”. The document contains a macro which, if run, starts a process that downloads and executes Agent Tesla on the machine. This is done across a number of stages, including downloading PowerShell files, running VBScript and creating a scheduled task, all to help mask the installation of the malware and allow the attacker to secretly monitor activity on the machine. This version of Agent Tesla pings the operator every 20 minutes, sending them any new input detected.

    In addition to this, the attack also hijacks any bitcoin wallet on the victim’s device. By monitoring activity on the machine, using abused PowerShell code, the attacker can watch for a valid bitcoin address. If one is spotted, the code replaces the bitcoin address with one owned by the attacker, allowing them to steal cryptocurrency transfers.

    Despite being around since 2014, Agent Tesla remains popular with cyber criminals because it remains effective and is relatively cheap: a license can cost as little as $15 on underground forums. In addition to the low cost, the authors of Agent Tesla offer 24/7 technical support, allowing it to serve as an entry point for less sophisticated cyber criminals – while still being potentially damaging to any person or organisation that falls victim to the malware. Many of the attacks continue to be distributed by phishing emails – which means that, if the right precautions are taken, falling victim can be avoided. Cybersecurity researchers recommend using antivirus software to detect suspicious activity, and users should be careful about opening attachments in unexpected emails from unknown sources.

  • GitHub: Here's how we're changing our rules around malware and software vulnerability research

    Microsoft-owned GitHub has updated its policies on sharing malware and exploits on the site to better support security researchers sharing so-called “dual-use” software – or software that can be used for security research but which might be used to attack networks. It admits the language it previously used was “overly broad”. 

    “We explicitly permit dual-use security technologies and content related to research into vulnerabilities, malware, and exploits,” says Michael Hanley, chief security officer of GitHub, in a blogpost. Dual-use technologies include tools like the Metasploit framework and Mimikatz, which are used by defenders, ransomware attackers and state-sponsored threat actors alike to compromise networks and move laterally within them once compromised. “While many of these tools can be abused, we do not intend or want to adjudicate intent or solve the question of abuse of dual-use projects that are hosted on GitHub,” the company said in its pull request regarding exploit and malware policies. “Many of the projects cited in this ongoing discussion, such as mimikatz, metasploit, and others are all incredibly valuable tools and the goal is to further protect from what we felt was overly broad language in our existing [Acceptable Use Policies] that could be viewed as hostile toward these projects as-written.”

    GitHub has also clarified when it may disrupt ongoing attacks that are using GitHub as a content delivery network (CDN) to distribute exploits or malware. GitHub acknowledged its language around the term “harm” was too broad. “We do not allow use of GitHub in direct support of unlawful attacks that cause technical harm, which we’ve further defined as overconsumption of resources, physical damage, downtime, denial of service, or data loss,” notes Hanley. It also updated sections of the policy that ask researchers working on dual-use projects to provide a point of contact, but this is not mandatory.

    The policy update follows a review that GitHub initiated in April after it took down code from researcher Nguyen Jang in March. Jang had posted proof-of-concept (PoC) exploit code targeting two of four zero-day vulnerabilities – dubbed ProxyLogon – affecting on-premise Exchange servers. Microsoft released patches for the bugs on March 2, but warned that the Chinese state-sponsored group Hafnium had been exploiting the flaws before the patches were released. Microsoft also warned that the bugs could be quickly exploited by other threat actors before customers applied patches. On March 9, Jang shared his proof-of-concept exploit on GitHub, as reported by The Record. While only a PoC for two of the Exchange flaws, the code could be tweaked with little effort to exploit vulnerable Exchange email servers and gain remote code execution, according to experts. And at that point, many organizations still hadn’t patched affected Exchange servers. Per Motherboard, GitHub took Jang’s PoC down a few hours after he posted it because of the potential damage it could cause, but acknowledged that PoC exploit code could be helpful to the security community for research purposes.

    GitHub came under fire from security researchers because it looked like it was making an exception for PoC exploit code affecting parent Microsoft’s software while allowing researchers to share PoC code for non-Microsoft products on the site, as Google security researcher Tavis Ormandy pointed out on Twitter. The other policy option is to ban sharing PoC exploit code, but Ormandy argued this would be a bad outcome for defenders. “I’m saying that security pros benefit from openly sharing research and access to tools, and they make us safer. We could say “no sharing”, so there is only black market access to exploits. I don’t think that’s a win,” wrote Ormandy.

  • Deloitte acquires cloud security orchestration provider CloudQuest

    Tax and auditing giant Deloitte announced Monday that it’s acquiring cloud security posture management (CSPM) provider CloudQuest to expand its portfolio of cloud security orchestration, automation and response (SOAR) services. Financial terms of the deal were not disclosed.

    The deal marks Deloitte’s second security-related acquisition this year as the company aims to bolster its existing cybersecurity offerings that aid clients in threat management and intelligence. Deloitte said CloudQuest’s technology is designed to help businesses manage security workflows, reduce risk and improve data security. With the addition of CloudQuest’s business, Deloitte’s Cyber Cloud offering will gain more capabilities for monitoring, preventing and remediating security threats, the company said.

    “Our acquisition of CloudQuest represents our profound commitment to transforming alongside our clients, competing vigorously in the market, and aggressively building out tech-enabled approaches that position Deloitte cyber as an unquestionable business enabler,” said Deborah Golden, principal and Cyber and Strategic Risk leader for Deloitte Risk and Financial Advisory, Deloitte & Touche LLP.

    Deloitte stands as one of the largest private companies in the US, selling tax, auditing, consulting, and cybersecurity advisory services to major governments and large Fortune 500 multinationals.


  • Ransomware warning: There's been another spike in attacks on schools and universities

    The number of ransomware attacks targeting schools, colleges and universities is on the rise again, warns the UK’s National Cyber Security Centre (NCSC). The latest alert follows a spate of high-profile ransomware attacks around the world during the past month, including incidents encrypting the networks of Colonial Pipeline, Ireland’s health service and meat supplier JBS.

    The NCSC has previously warned about ransomware attacks targeting the education sector, but late May and early June have seen another increase in incidents – at a critical time of year for coursework, exams and other assignments. The NCSC has previously detailed how ransomware incidents affecting education have led to the loss of student coursework and school financial records, as well as data relating to COVID-19 testing. “It is important that senior leaders understand the nature of the threat and the potential for ransomware to cause considerable damage to their institutions in terms of lost data and access to critical services,” said the NCSC alert. Some of the most common methods cyber criminals use to gain access to university networks and lay the groundwork for ransomware attacks involve targeting remote desktop protocol (RDP) and virtual private networks (VPNs).

    By exploiting weak passwords, a lack of multi-factor authentication or unpatched vulnerabilities in RDP and VPNs, cyber criminals can stealthily compromise networks. Their presence is often only discovered once they’ve unleashed the ransomware attack and encrypted systems and services.

    To help prevent ransomware attacks in the first place, the NCSC recommends that organisations have effective vulnerability management and patching procedures, so they can rapidly update networks and software with the relevant security patches when new vulnerabilities emerge. The NCSC also suggests that RDP and other cloud services are secured using multi-factor authentication and that mechanisms are introduced to help detect and prevent phishing attacks. It’s also recommended that organisations in the education sector – and beyond – have plans to enable effective recovery, so that if the worst happens and the network is encrypted with ransomware, it’s possible to restore it without giving in to the ransom demands of cyber criminals. This can be achieved by having up-to-date and tested offline backups, because according to the NCSC, “offline backups are the most effective way to recover from a ransomware attack”.

  • Siloscape: this new malware targets Windows containers to access Kubernetes clusters

    A new strain of malware designed to compromise Windows containers in order to reach Kubernetes clusters has been revealed by researchers.

    The malware, dubbed Siloscape, is considered unusual because malware designed to target containers generally focuses on Linux, the more popular operating system for managing cloud applications and environments. According to Palo Alto Networks’ Unit 42, Siloscape, first discovered in March this year, is so named because its overall aim is to escape Windows containers via a server silo. In a blog post on Monday, the cybersecurity researchers said Siloscape uses the Tor proxy and an .onion domain to connect to its command-and-control (C2) server, which threat actors use to manage their malware, exfiltrate data and send commands.

    The malware, labeled as CloudMalware.exe, targets Windows containers — those using Server rather than Hyper-V isolation — and gains initial access by exploiting known vulnerabilities that have not been patched in servers, web pages, or databases. Siloscape will then attempt to achieve remote code execution (RCE) on the underlying node of a container by using various Windows container escape techniques, such as impersonating CExecSvc.exe, a container image service, to obtain the SeTcbPrivilege privilege. “Siloscape mimics CExecSvc.exe privileges by impersonating its main thread and then calls NtSetInformationSymbolicLink on a newly created symbolic link to break out of the container,” Unit 42 says. “More specifically, it links its local containerized X drive to the host’s C drive.”

    If the malware is able to escape, it will then try to create malicious containers, steal data from applications running in compromised clusters, or load cryptocurrency miners that leverage the system’s resources to covertly mine cryptocurrency and earn its operators profit for as long as the activity goes undetected. The malware’s developers have ensured that heavy obfuscation is in place — to the point where functions and module names are only deobfuscated at runtime — in order to conceal it and make reverse-engineering more difficult. In addition, the malware uses a pair of keys to decrypt the C2 server’s password — keys that are suspected to be generated for each unique attack. “The hardcoded key makes each binary a little bit different than the rest, which is why I couldn’t find its hash anywhere,” the research states. “It also makes it impossible to detect Siloscape by hash alone.”

    Unit 42 managed to obtain access to the C2 and identified a total of 23 active victims, as well as 313 victims in total, likely secured in campaigns over the past year. However, it was mere minutes before the researchers’ presence was noted; they were kicked out of the server and the service was rendered inactive — at least, at that .onion address. Microsoft recommends that Hyper-V containers are deployed if containerization is used as a security boundary, rather than relying on standard Windows containers. Unit 42 added that Kubernetes clusters should be configured properly and should not allow node privileges alone to be enough to create new deployments.


  • Patch now: Attackers are hunting for this critical VMware vCentre flaw

    The US Cybersecurity and Infrastructure Security Agency has warned companies running VMware vCenter Server and VMware Cloud Foundation software to update as soon as possible because attackers are scanning the internet for vulnerable servers. VMware released a patch for two critical remote code execution flaws on May 25. The two bugs, tracked as CVE-2021-21985 and CVE-2021-21986, have a severity rating of 9.8 out of 10. The bugs affect VMware vCenter Server (vCenter Server) and VMware Cloud Foundation (Cloud Foundation). CISA has now warned that it is “aware of the likelihood that cyber threat actors are attempting to exploit CVE-2021-21985”. It said organisations should apply the necessary updates as soon as possible, even if out-of-cycle work is required.

    As ZDNet reported last month, CVE-2021-21985 affects the vSphere HTML5 client and allows an attacker with network access to port 443 to execute commands freely on the underlying operating system that hosts vCenter Server and take control of it. “Although patches were made on May 25, 2021, unpatched systems remain an attractive target and attackers can exploit this vulnerability to take control of an unpatched system,” CISA warned. Via Ars Technica, Troy Mursch, a security researcher for Bad Packets, has been tracking mass scanning for the bugs on internet-exposed VMware vCenter servers. On Saturday, Mursch reported he had seen exploit activity using a proof of concept exploit targeting VMware vCenter servers harboring CVE-2021-21985. Bad Packets runs a honeypot that contains servers with the bug.

    CVE-2021-21985 exploit activity detected from 119.28.15.199 (🇭🇰) based on this PoC (https://t.co/qhBbHdOaK4) targeting our VMware vCenter honeypot. Query our API for “source_ip_address=119.28.15.199″ for full payload and other relevant indicators. #threatintel — Bad Packets (@bad_packets) June 5, 2021

    VMware urged customers to patch affected servers immediately. The virtualization software firm warned organisations that have placed their vCenter Servers on networks exposed to the internet, and thus may lack firewall protection — often the last line of defence — that they should audit these systems for compromise. “In this era of ransomware it is safest to assume that an attacker is already inside the network somewhere, on a desktop and perhaps even in control of a user account, which is why we strongly recommend declaring an emergency change and patching as soon as possible,” it previously said. CISA recommended administrators review VMware’s VMSA-2021-010 advisory, its blogpost, and its FAQ about the issue.