More stories

    Four security vendors disclose SolarWinds-related incidents

    As most experts predicted last month, the fallout from the SolarWinds supply chain attack keeps growing as companies finish auditing their internal networks and DNS logs.
    This week, four more cyber-security vendors, Mimecast, Palo Alto Networks, Qualys, and Fidelis, added their names to the list of companies that installed trojanized versions of the SolarWinds Orion app.
    Mimecast hack linked to SolarWinds software
    The most important of this week’s announcements came from Mimecast, a vendor of email security products.
    Two weeks ago, the company disclosed a major security breach in which hackers broke into its network and abused a digital certificate that one of its security products uses to connect to Microsoft 365, giving them access to the Microsoft 365 accounts of some Mimecast customers.
    In an update on its blog today, Mimecast said it linked this incident to a trojanized SolarWinds Orion app installed on its network.
    The company has now confirmed that the SolarWinds hackers are the ones who abused its certificate to go after Mimecast’s customers.
    Palo Alto Networks discloses Sep & Oct 2020 incidents
    Another major security vendor that came forward to disclose a SolarWinds-related incident was Palo Alto Networks, a vendor of cyber-security software and network equipment.

    Speaking to Forbes investigative reporter Thomas Brewster this week, Palo Alto Networks said it detected two security incidents in September and October 2020 that were linked to SolarWinds software.
    “Our Security Operation Center […] immediately isolated the server, initiated an investigation and verified our infrastructure was secure,” Palo Alto Networks told Forbes on Monday.
    However, the company said it treated the two as isolated incidents and did not recognize them as part of a broader supply chain attack, which came to light only months later when fellow security vendor FireEye discovered its own breach.
    Palo Alto Networks said the investigation into the September and October SolarWinds-linked intrusions didn’t yield much and concluded that “the attempted attack was unsuccessful and no data was compromised.”
    Qualys: It was only a test system
    But the Forbes report also cited the findings of Erik Hjelmvik, founder of network security company Netresec, who on Monday published a report identifying 23 more victim networks, by domain name, that the SolarWinds hackers had singled out for second-stage payloads.
    Two of the 23 were “corp.qualys.com,” suggesting that cybersecurity auditing giant Qualys had been targeted by the attackers.
    However, in a statement to Forbes, Qualys said the exposure was smaller than it looks: its engineers had installed a trojanized version of the SolarWinds Orion app in a lab environment for testing purposes, separate from its primary network.
    A subsequent investigation found no evidence of further malicious activity or data exfiltration, Qualys said.
    However, some security researchers are not buying the statement. Their point is that the malware’s beacon carried the “corp.qualys.com” domain name, which implies the trojanized host was joined to Qualys’s corporate domain rather than sitting in an isolated lab environment, as the company claims.
    Fidelis also discloses second-stage targeting
    The fourth and latest major disclosure came today from Fidelis Cybersecurity in the form of a blog post from the company’s CISO, Chris Kubic.
    The Fidelis exec said they, too, had installed a trojanized version of the SolarWinds Orion app in May 2020 as part of a “software evaluation.”
    “The software installation was traced to a machine configured as a test system, isolated from our core network, and infrequently powered on,” Kubic said.
    Fidelis said that despite efforts from the attacker to escalate their access inside the Fidelis internal network, the company believes that the test system was “sufficiently isolated and powered up too infrequently for the attacker to take it to the next stage of the attack.”
    This week’s disclosures bring the total number of cyber-security vendors targeted by the SolarWinds hackers to eight. Previous disclosures came from FireEye (initial intrusion which uncovered the entire SolarWinds supply chain attack in the first place), Microsoft (intruders accessed some of the company’s source code), CrowdStrike (failed intrusion), and Malwarebytes (attackers accessed some of the company’s email accounts).


    Firefox 85 removes Flash and adds protection against supercookies

    Mozilla today released Firefox 85 to the stable channel. The new version removes support for the Adobe Flash Player plugin and also strengthens privacy by adding broader defenses against “supercookies.”

    The removal of the Flash plugin comes after Mozilla announced its intention to drop Flash in July 2017 as part of a coordinated industry-wide Flash deprecation and End-of-Life plan, together with Adobe, Apple, Google, Microsoft, and Facebook.
    The EOL date was set to Dec. 31, 2020, a date after which Adobe agreed to stop providing updates for the software.
    Firefox now joins Chrome and Edge, both of which removed support for Flash earlier this month with the release of Chrome 88 and Edge 88.
    Network partitioning and supercookies protection
    But even if Firefox 85 is the first version that ships without the much-maligned Flash plugin, the bigger feature in this release is “network partitioning.”
    First reported by ZDNet last month, network partitioning keys the Firefox HTTP cache (and other network state) by the top-level site the user is visiting rather than by URL alone, so a third-party resource embedded on two different sites is cached separately for each and cannot be used to recognise the user across them.
    In a blog post today, Mozilla said the change largely neutralizes cache-based supercookies in Firefox going forward.

    “Supercookies can be used in place of ordinary cookies to store user identifiers, but they are much more difficult to delete and block,” Mozilla said today.
    “Over the years, trackers have been found storing user identifiers as supercookies in increasingly obscure parts of the browser, including in Flash storage, ETags, and HSTS flags.
    “The changes we’re making in Firefox 85 greatly reduce the effectiveness of cache-based supercookies by eliminating a tracker’s ability to use them across websites,” the browser maker said.
    Mozilla had expected a noticeable performance cost from splitting the cache, but its internal metrics show the impact was small.
    “Our metrics show a very modest impact on page load time: between a 0.09% and 0.75% increase at the 80th percentile and below, and a maximum increase of 1.32% at the 85th percentile,” Mozilla said.
    The browser maker viewed this performance impact as acceptable for improving overall user privacy.
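    As an added illustration (not Mozilla’s code), the model below shows why keying the cache by top-level site matters. A tracker embeds a pixel on several sites and stores an identifier in the ETag it returns; the browser’s cache is keyed either by URL alone or by (top-level site, URL). The site names and the tracker host are constructed.

```python
"""Cache-based supercookie versus per-site cache partitioning.

Added model, not Mozilla's code. A third-party tracker stores an identifier
in an ETag; a browser caches the tracker's pixel either by URL alone or by
(top-level site, URL) as network partitioning does. Site names are constructed.
"""
import secrets

TRACKER_PIXEL = "https://tracker.example/pixel.gif"  # constructed tracker host


class TrackerServer:
    """Abuses conditional requests: the ETag it hands out is the identifier."""

    def __init__(self):
        self.seen = {}  # etag -> top-level sites it was presented from

    def handle(self, top_level_site, if_none_match=None):
        if if_none_match in self.seen:
            # The browser echoed an ETag we minted: same client, possibly a new site.
            self.seen[if_none_match].append(top_level_site)
            return 304, if_none_match
        etag = f'"{secrets.token_hex(8)}"'
        self.seen[etag] = [top_level_site]
        return 200, etag

    def largest_profile(self):
        """Most distinct top-level sites the tracker tied to one identifier."""
        return max(len(set(sites)) for sites in self.seen.values())


class Browser:
    def __init__(self, partitioned):
        self.partitioned = partitioned
        self.cache = {}  # cache key -> stored ETag

    def _key(self, top_level_site, url):
        # Partitioned: the same URL has one cache entry per top-level site.
        return (top_level_site, url) if self.partitioned else url

    def fetch_subresource(self, top_level_site, url, server):
        key = self._key(top_level_site, url)
        status, etag = server.handle(top_level_site, self.cache.get(key))
        self.cache[key] = etag
        return status


def linked_sites(partitioned, sites=("news.example", "shop.example", "forum.example")):
    """Visit each site twice (each embeds the tracker pixel) and report how many
    distinct sites the tracker could tie to a single identifier."""
    server, browser = TrackerServer(), Browser(partitioned)
    for site in sites:
        browser.fetch_subresource(site, TRACKER_PIXEL, server)
        browser.fetch_subresource(site, TRACKER_PIXEL, server)  # second page load
    return server.largest_profile()


if __name__ == "__main__":
    print("sites linked without partitioning:", linked_sites(partitioned=False))
    print("sites linked with partitioning:   ", linked_sites(partitioned=True))
```

    Without partitioning the same ETag is echoed back from every site, so the tracker ties all three visits to one identifier; with partitioning each site gets its own cache entry and its own ETag, and the tracker sees three unrelated visitors. Clearing cookies does not touch this identifier, only clearing the cache does, which is why Mozilla groups it with supercookies.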
    Other changes
    Firefox 85 ships other changes too. The first concerns how bookmarks are saved.
    Starting with this version, Firefox now remembers where users saved their last bookmark and saves all other bookmarks to the same location. 
    Furthermore, Firefox has also added a bookmarks folder to the bookmarks toolbar. This last feature caused some problems last week, when some Firefox users saw it in their browsers, but without an easy way of disabling it. With Firefox 85, removing that folder from the bookmarks toolbar is possible via a right-click menu option.
    In addition, Firefox 85 ships with a button to remove all saved logins at once, which is useful when wiping a Firefox installation before handing it to another user.
    Other changes are detailed in the Firefox 85 release notes, and the security fixes in Mozilla’s security advisory for this release.

    South African government releases its own browser just to re-enable Flash support

    The South African Revenue Service has released this week its own custom web browser for the sole purpose of re-enabling Adobe Flash Player support, rather than port its existing website from using Flash to HTML-based web forms.
    Flash Player reached its official end of life (EOL) on December 31, 2020, when Adobe officially stopped supporting the software.
    To stop the player from being used past that date, to the detriment of users and their security, Adobe also built a time-bomb into Flash Player that blocks Flash content from running as of January 12, 2021.
    The kill switch worked as Adobe intended: organizations could no longer keep running the software, and many were forced to update systems and remove it.
    As SARS tweeted on January 12, the agency was hit by that mechanism: from that day on it could not receive tax filings through its web portal, whose upload forms were built as Flash widgets.

    SARS is aware of certain forms not loading correctly due to Adobe Flash. We are currently working on resolving the matter and will advise once the problem has been resolved. We sincerely apologise for the current inconvenience.
    — SA Revenue Service (@sarstax) January 12, 2021

    But despite a three-and-a-half-year head start, SARS chose not to port its Flash widgets to plain HTML and JavaScript forms, a job most web developers would describe as routine.
    Instead, the South African government agency decided to take one of the most mind-blowing decisions in the history of bad IT decisions and release its own web browser.

    Chrome, Firefox, Edge: Hey, we no longer support Adobe Flash Player due to security reasons.SARS: mxm okay, we’ll build our own browser ke! 🤡
    — Monsieur Elon Masakhane (@VendaVendor) January 26, 2021

    Released on Monday on the agency’s official website, the new SARS eFiling Browser is a stripped-down version of the Chromium browser that has two features.
    The first is to re-enable Flash support. The second is to let users access the SARS eFiling website.
    As Chris Peterson, a software engineer at Mozilla, pointed out, the SARS browser only lets users access the official SARS website, which somewhat reduces the risk of users getting their systems infected via Flash exploits while navigating the web.
    But as others have pointed out, this does nothing for users on other platforms: the browser is Windows-only, so macOS, Linux, and mobile users are still unable to file taxes.

    Do tell me about the Linux, iOS, Android and MacOS versions of this browser
    — Stephan Eggermont (@StOnSoftware) January 26, 2021

    Asked why it chose a narrow fix in the form of a custom browser rather than porting the forms on its website, SARS did not return a request for comment.
    But in spite of its unexpected response to the Flash EOL, SARS is only an outlier in the grand scheme of things, as most companies have already moved operations away from Adobe Flash.
    Sure, there are a few exceptions here and there that can grab headlines due to poor decisions, but most companies have known long in advance that this day was coming and have taken steps to avoid any downtime.
    Another of these outlier cases that made headlines over the past week was the case of the local train station in the Chinese city of Dalian. Initial reports claimed that the rail station had to stop all rail traffic after its internal systems, built around Flash, stopped working.
    This turned out to be false, and later reports from Chinese media clarified that railway traffic never stopped in Dalian because of the Flash EOL. However, the reports also admitted that there’s some truth in the original report and that, indeed, some internal traffic statistics system had stopped working at the rail station on January 12, when Adobe blocked Flash content from working.
    That system was eventually upgraded to a Flash Player version that Adobe offers inside China only, which does not contain the January 12 time-bomb mechanism, allowing the system to continue working beyond the Flash EOL.

    Cybercriminals use deceased staff accounts to spread Nemty ransomware

    Cybercriminals will often use brute-force attacks, phishing emails, and existing data dumps to break into corporate networks but there is one area that is often ignored to a company’s detriment: ghost accounts. 

    When a staff member leaves, whether for a new job, a change of circumstances, illness, or in unfortunate cases death, their accounts are not always removed from corporate networks. 
    This oversight is one that cybercriminals are now taking advantage of, and in a recent case, actively exploited in order to spread ransomware. 
    In a case study documented by Sophos’ cyberforensics group Rapid Response on Tuesday, an organization reached out after being infected by Nemty ransomware. 
    According to Sophos, the ransomware — also known as Nefilim — impacted over 100 systems, encrypting valuable files and demanding payment in return for a decryption key. 
    First detected in 2019, Nemty was sold as Ransomware-as-a-Service (RaaS) on underground forums. In 2020, the developers took Nemty private, reserving the code’s future development for select partners. 
    During an investigation into the source of the infection, Sophos narrowed down the original network intrusion to a high-level administrator account. Over the course of a month, the threat actors quietly explored the company’s resources, obtaining domain admin account credentials and exfiltrating hundreds of gigabytes’ worth of data. 

    Once the cyberattackers had finished their reconnaissance and taken everything of value, Nemty was deployed.
    “Ransomware is the final payload in a longer attack,” noted Peter Mackenzie, Rapid Response manager. “It is the attacker telling you they already have control of your network and have finished the bulk of the attack. Identifying you are under a ransomware attack is easy, identifying the attacker was on your network a week earlier is what counts.”
    The cybersecurity team asked who the high-privilege administrator account belonged to. The victim company said it belonged to a former member of staff who had died approximately three months before the intrusion. 
    Instead of revoking access and closing down the ‘ghost’ account, the firm chose to keep it active and open “because there were services that it was used for.”
    Sophos recommends that any account kept alive after its owner no longer needs it should at least have interactive logons disabled, and that if it is genuinely needed only to run services, it should be replaced by a dedicated service account. 
    In addition, the team says that zero-trust measures should be implemented companywide to reduce potential attack surfaces.
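    The two rules above (disable accounts whose owner has left; replace admin accounts that exist only to run services) reduce to a join between the directory and the HR system of record. The script below is an added example, not Sophos’s tooling; its directory export and HR roster are constructed, and the field names are assumptions standing in for whatever an AD export and the HR feed actually provide.

```python
"""Audit for orphaned and stale privileged directory accounts.

Added example, not Sophos's tooling. DIRECTORY stands in for an AD export
(e.g. from Get-ADUser) and HR_ROSTER for the HR system of record; both are
constructed here and the field names are assumptions.
"""
from datetime import datetime, timedelta, timezone

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators",
                     "Account Operators", "Backup Operators"}
INACTIVE_AFTER = timedelta(days=90)

# Constructed directory export. last_logon is ISO 8601; None means never.
DIRECTORY = [
    {"sam": "jdoe", "enabled": True, "last_logon": "2021-01-26T08:12:00+00:00",
     "groups": ["Domain Users"]},
    # The ghost account: owner separated, still enabled and privileged. Its last
    # logon is recent because someone else is using it (the attacker, in the
    # Sophos case), so a stale-logon rule alone would never flag it.
    {"sam": "rsmith", "enabled": True, "last_logon": "2021-01-22T23:41:00+00:00",
     "groups": ["Domain Admins", "Domain Users"]},
    # Privileged, employed, but unused for months: disable until needed.
    {"sam": "tkim", "enabled": True, "last_logon": "2020-09-15T10:00:00+00:00",
     "groups": ["Domain Admins", "Domain Users"]},
    # Service account with no HR record, i.e. no named owner.
    {"sam": "svc_backup", "enabled": True, "last_logon": "2021-01-27T02:00:00+00:00",
     "groups": ["Backup Operators"]},
    {"sam": "mlee", "enabled": False, "last_logon": "2019-05-01T09:00:00+00:00",
     "groups": ["Domain Admins"]},
]
# Constructed HR roster: who is still employed. Accounts absent from it have
# no recorded owner.
HR_ROSTER = {"jdoe": "active", "rsmith": "separated", "tkim": "active", "mlee": "separated"}
SAMPLE_NOW = datetime(2021, 1, 27, tzinfo=timezone.utc)


def audit(directory, hr_roster, now):
    """Return sorted (account, reason) pairs for enabled accounts that should be
    disabled, replaced by a service account, or assigned a named owner."""
    findings = []
    for acct in directory:
        if not acct["enabled"]:
            continue  # already disabled: nothing to do
        sam = acct["sam"]
        status = hr_roster.get(sam)
        if status == "separated":
            findings.append((sam, "hr_separated"))
        elif status is None:
            findings.append((sam, "no_hr_owner"))
        privileged = bool(PRIVILEGED_GROUPS & set(acct["groups"]))
        last = acct["last_logon"]
        last_dt = datetime.fromisoformat(last) if last else None
        if privileged and (last_dt is None or now - last_dt > INACTIVE_AFTER):
            findings.append((sam, "privileged_inactive"))
    return sorted(findings)


def sample_findings():
    """Run the audit over the constructed data at a fixed reference time."""
    return audit(DIRECTORY, HR_ROSTER, SAMPLE_NOW)


if __name__ == "__main__":
    for sam, reason in sample_findings():
        print(f"{sam:12} {reason}")
```

    The ghost account in the Sophos case would not be caught by a stale-logon rule, because the attacker was logging in with it; only the HR join catches it. Accounts that appear in the directory but not in HR are the “it was used for services” case, and the fix there is a dedicated service account with a named owner (on Windows, a group managed service account), not a former employee’s admin credential.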
    In another case noted by Sophos, a new user account was covertly created on a corporate network and added to a domain admin group in Active Directory, and this account was used to delete roughly 150 virtual servers and deploy Microsoft BitLocker to encrypt existing server backups, piling on the pressure for payment. 
    Update 16.03 GMT: Added detail for additional clarity concerning the two case studies.

    Veritas and Fortinet launch new security tools, automation features

    Veritas Technologies and Fortinet are rolling out new products: Veritas to secure and back up multi-cloud deployments, Fortinet to automate threat detection, investigation, and response. 

    Veritas Technologies is launching Veritas NetBackup 9, which is designed to secure edge, data center, and cloud deployments.
    The company said NetBackup 9 includes Flex Scale, a scale-out deployment option suited to multi-cloud environments. The architecture brings a cloud-like experience to on-premises data centers, with the ability to add nodes as needed.
    Veritas is also adding new deployment modes to NetBackup, including cloud, appliance, build-your-own-server, and containerized options, and a hyper-converged offering.
    NetBackup 9 new features include:
    Policy automation to manage deployment, provisioning, scaling, load balancing, recovery, and cloud integration.
    Auto-discovery of workloads as well more integrations via API.
    OpenStack-based enterprise data protection via native OpenStack APIs.
    Doug Matthews, vice president of Enterprise Data Protection and Compliance at Veritas Technologies, said that less than 10% of the customer base overall is using OpenStack technologies, but the company’s largest customers are. “Multicloud is more ubiquitous in the enterprise, specifically large enterprises,” said Matthews.  

    Fortinet rolled out a new extended detection and response (XDR) offering that aims to use artificial intelligence to improve cyber attack responses. FortiXDR is cloud-native and expands on Fortinet’s security fabric, services, and automation tools.
    According to Fortinet, FortiXDR is designed to cut through the security data clutter. The argument is that security teams are struggling with multiple vendors and information overflow. FortiXDR’s AI engine is continually trained and informed by FortiGuard Labs research.
    Features of FortiXDR include:
    Contextual responses and filtering reduce the number of alerts across products by 77% on average.
    Automation for complex tasks to save time and minimize human error.
    Automation of incident investigation.

    Google: North Korean hackers have targeted security researchers via social media

    Google said today that a North Korean government hacking group has targeted members of the cyber-security community engaging in vulnerability research.

    The attacks have been spotted by the Google Threat Analysis Group (TAG), a Google security team specialized in hunting advanced persistent threat (APT) groups.
    In a report published earlier today, Google said North Korean hackers used multiple profiles on various social networks, such as Twitter, LinkedIn, Telegram, Discord, and Keybase, to reach out to security researchers using fake personas.
    Email was also used in some instances, Google said.
    “After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project,” said Adam Weidemann, a security researcher with Google TAG.
    The Visual Studio project contained malicious code that installed malware on the targeted researcher’s operating system. The malware acted as a backdoor, contacting a remote command and control server and waiting for commands.
    New mysterious browser attack also discovered
    But Weidemann said the attackers didn’t always send malicious files to their targets. In other cases, they asked security researchers to visit a blog they hosted at blog[.]br0vvnn[.]io (do not access).

    Google said the blog hosted malicious code that infected the security researcher’s computer after accessing the site.
    “A malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server,” Weidemann said.
    Google TAG added that victims who accessed the site were running “fully patched and up-to-date Windows 10 and Chrome browser versions” and were still infected.
    Details about the browser-based attacks are still scant, but some security researchers believe the North Korean group most likely used a combination of Chrome and Windows 10 zero-day vulnerabilities to deploy their malicious code.
    As a result, the Google TAG team is currently asking the cyber-security community to share more details about the attacks, if any security researchers believe they were infected.
    The Google TAG report includes a list of links for the fake social media profiles that the North Korean actor used to lure and trick members of the infosec community.
    Security researchers are advised to review their browsing histories and see if they interacted with any of these profiles or if they accessed the malicious blog.br0vvnn.io domain.

    Anyone who did should treat their system as potentially compromised and investigate it.
    The motive for targeting security researchers is clear: stealing exploits for vulnerabilities those researchers discovered would give the North Korean group attack capabilities at little or no development cost.
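    One way to do the history review described above, as an added example that is not from the TAG report: query the browser’s history database for any host that equals or falls under an indicator domain. The block uses the relevant columns of Firefox’s moz_places table and constructed rows; only blog.br0vvnn.io is taken from the report, the other hosts are made up to exercise the matching rule.

```python
"""Search Firefox-style browsing history for contact with indicator domains.

Added example, not from Google TAG. It uses the subset of Firefox's moz_places
schema that matters here (url, title, last_visit_date in microseconds since the
Unix epoch), fills an in-memory copy with constructed rows, and matches parsed
hostnames against the indicator list. Against a real profile, copy
places.sqlite out of the profile directory first (Firefox keeps it locked) and
open the copy with sqlite3.connect().
"""
import sqlite3
from datetime import datetime, timezone
from urllib.parse import urlsplit

# The blog domain named in the TAG report; add the rest of TAG's list here.
INDICATOR_DOMAINS = {"blog.br0vvnn.io"}

# Constructed rows: (url, title, last_visit_date in microseconds since epoch).
SAMPLE_ROWS = [
    ("https://twitter.com/home", "Twitter", 1611597600000000),
    ("https://blog.br0vvnn.io/", "blog", 1611252000000000),
    # constructed subdomain, to exercise the subdomain rule
    ("https://cdn.blog.br0vvnn.io/pixel.gif", None, 1611252060000000),
    # constructed look-alike that must NOT match
    ("https://blog.br0vvnn.io.example.net/", "lookalike", 1611338400000000),
    ("https://example.org/never-visited", "x", None),
]


def host_matches(host, indicators):
    """True when host equals an indicator domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in indicators)


def find_contacts(conn, indicators=INDICATOR_DOMAINS):
    """Return sorted (url, visited_at) for visited rows whose host matches."""
    rows = conn.execute(
        "SELECT url, last_visit_date FROM moz_places WHERE last_visit_date IS NOT NULL"
    ).fetchall()
    hits = []
    for url, last_visit_us in rows:
        host = urlsplit(url).hostname or ""
        if host_matches(host, indicators):
            visited = datetime.fromtimestamp(last_visit_us / 1_000_000, tz=timezone.utc)
            hits.append((url, visited))
    return sorted(hits)


def sample_history():
    """In-memory database with the moz_places columns used above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, "
                 "title TEXT, last_visit_date INTEGER)")
    conn.executemany(
        "INSERT INTO moz_places (url, title, last_visit_date) VALUES (?, ?, ?)",
        SAMPLE_ROWS)
    return conn


if __name__ == "__main__":
    for url, when in find_contacts(sample_history()):
        print(when.isoformat(), url)
```

    Matching on the parsed hostname rather than with a substring search avoids false positives from look-alike names and still catches subdomains. Chrome keeps history in a file named History whose urls table stores last_visit_time in microseconds since 1601-01-01 UTC, so the epoch conversion differs there (subtract 11644473600 seconds). On a shared network, DNS and proxy logs are the better record, since an infected researcher may already have cleared their browser history.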
    In the meantime, several security researchers have already disclosed on social media that they received messages from the attackers’ accounts, although, none have admitted to having systems compromised.

    WARNING! I can confirm this is true and I got hit by @z0x55g who sent me a Windows kernel PoC trigger. The vulnerability was real and complex to trigger. Fortunately I only ran it in VM.. in the end the VMDK I was using was actually corrupted and non-bootable, so it self-imploded https://t.co/dvdCWsZyne
    — Richard Johnson (@richinseattle) January 26, 2021

    Dutch COVID-19 patient data sold on the criminal underground

    Dutch police arrested two people on Friday for allegedly selling data from the Dutch health ministry’s COVID-19 systems on the criminal underground.

    The arrests came after an investigation by RTL Nieuws reporter Daniel Verlaan who discovered ads for Dutch citizen data online, advertised on instant messaging apps like Telegram, Snapchat, and Wickr.
    The ads consisted of photos of computer screens listing data of one or more Dutch citizens.
    The reporter said he tracked down the screengrabs to two IT systems used by the Dutch Municipal Health Service (GGD) — namely CoronIT, which contains details about Dutch citizens who took a COVID-19 test, and HPzone Light, one of the GGD’s contact-tracing systems.
    Verlaan said the data had been sold online for months for prices ranging from €30 to €50 per person.
    Buyers would receive details such as home addresses, emails, telephone numbers, dates of birth, and a person’s BSN (burgerservicenummer, the Dutch citizen service number, used much like a social security number).
    Two men arrested in Amsterdam within a day
    In a press release today, Dutch police said they started an investigation last week when they learned of the ads and arrested two suspects within 24 hours of the complaint.

    Both men were arrested in Amsterdam on Friday, and were identified as a 21-year-old man from the city of Heiloo and a 23-year-old man from the city of Alblasserdam. Their homes were also searched, and their computers seized, police said.
    According to Verlaan, the two suspects worked in GGD call centers, where they had access to official Dutch government COVID-19 systems and databases.
    The names of the two suspects, who are scheduled to appear in court tomorrow, were not released, in accordance with Dutch law.
    “Because people are working from home, they can easily take photos of their screens. This is one of the issues when your administrative staff is working from home,” Victor Gevers, Chair of the Dutch Institute for Vulnerability Disclosure, told ZDNet in an interview today.
    “We have seen this before in the Netherlands with influencers and VIPs.
    “The BSN number (Dutch social security number) is important because this makes financial fraud easier for criminals,” Gevers added.
    “But also for blackmailing purposes. Especially when they know where you live.”


    That cute robot cop can instantly work out who you are

    They don’t have a gun. They just have personality.


    They roll around shopping malls and parking lots, like futuristic Blarts, offering you a sense of modern reassurance.
    Originally, Knightscope’s robot cops were the source of neighborhood humor. They’d fall in fountains and then proclaim they weren’t dead.
    Yet we should have worried, perhaps, that these were Trojan ponies, ready to trot into our lives and recount our movements to the powers-that-be.
    I’ve been shivering, you see, after reading of the Electronic Frontier Foundation’s concerns.
    Sample: “The next time you’re at a protest and are relieved to see a robot rather than a baton-wielding officer, know that that robot may be using the IP address of your phone to identify your participation,” says the EFF.
    I tend not to be seen at protests, other than in this column, but I can imagine one or two enthusiastic marchers will mutter: “What the EFF?”

    The EFF says that the Huntington Park, Calif., police department has been boasting to its mayor and city council that the wireless technology in these robots’ bowels is “capable of identifying smartphones within its range down to the MAC and IP addresses.”
    The company has a section on its site touting “Cellular Device Detection of Persons of Interest.”
    It reads, in part: “When a device emitting a Wi-Fi signal passes within a nearly 500ft radius of a robot, actionable intelligence is captured from that device including information such as: Where, when, distance between the robot and device, the duration the device was in the area, and how many other times it was detected on site recently.”
    One shouldn’t be surprised, of course. A couple of years ago, Knightscope boasted that some of its robots had facial recognition capabilities.
    The company then explained: “While facial recognition is largely seen as a tool to protect against known threats, it is also capable of greeting VIPs with a personal message and notifying our clients of VIP arrivals on site.”
    I fear facial recognition is largely seen as a surveillance tool employed by too many governments for quite nasty reasons, too often against innocent people. It can be seen as frighteningly inaccurate, too.
    The EFF worries that the efficacy of these robots is all in the programming. It’s already accepted that facial recognition and AI have a troubling racial bias. “If robots are designed to think people wearing hoods are suspicious, they may target youth of color,” says the EFF’s policy analyst Matthew Guariglia.
    I twice asked Knightscope if it recognized an issue with any potential privacy concerns and will update, should its PR — or AI — respond.
    I regularly get updates from Knightscope, as the company markets its latest achievements.
    “New contracts in new places,” shouted one from last year. A water district, a storage facility, and an apartment complex in Las Vegas have all signed up.
    Perhaps you’ll find such moves understandable, if not pacifying, as hiring good security humans isn’t always easy.


    Then there was the announcement that Knightscope is the sole provider of Autonomous Security Robots on the NCPA platform. That would be the National Cooperative Purchasing Alliance. It’s a government thing.
    Hark at Knightscope’s enthusiasm: “Contracts are available for use to over 90,000 agencies nationwide in both the public and nonprofit sectors including: K-12, Higher Education, City, County, State, Healthcare, Church/Religious and all Non-profit organizations.”
    A security robot at your kid’s school? A security robot that could instantly know — and, let’s dream a little of the future — and transmit who your kid is and what they’re doing? A security robot at your church — let’s dream a little more of a bright future — that might (accidentally) overhear your confessions?
    Those are, of course, merely my happy hopes but this was always going to be a fraught enterprise.
    Why, last week I received the latest of Knightscope’s promotional emails. This one boasted: “Suffice it to say that 2020 will go down as one of the most challenging years for generations to come. And in spite of the pandemic and political turmoil, Knightscope has continued to fight tooth and nail for the safety of our country.”
    All hail, the friendly robot militia.
    Which only made me remember another excited message Knightscope sent me just before Christmas. This one pointed to a fine article, headlined: “Will Robotics Specialist Knightscope be the Next Palantir?”
    A sample Bloomberg headline: “Palantir Knows Everything About You.”