More stories


    Google warns: These four Android flaws are now under attack

    Three weeks after Google released the May 2021 Android security update, the Google Project Zero team has revealed that four of the vulnerabilities it patched were already under attack. “There are indications that CVE-2021-1905, CVE-2021-1906, CVE-2021-28663 and CVE-2021-28664 may be under limited, targeted exploitation,” Google said in a note added to its May 2021 bulletin, which was published on May 1. Google Project Zero security researcher Maddie Stone flagged in a tweet that these were zero-day, or previously unknown, flaws. The four flaws affect Qualcomm’s GPU (CVE-2021-1905, CVE-2021-1906) and the Arm Mali GPU (CVE-2021-28663, CVE-2021-28664).

    “Android has updated the May security with notes that 4 vulns were exploited in-the-wild. Qualcomm GPU: CVE-2021-1905, CVE-2021-1906. ARM Mali GPU: CVE-2021-28663, CVE-2021-28664. https://t.co/mT8vE2Us74” — Maddie Stone (@maddiestone), May 19, 2021

    As Project Zero notes in its “0day ‘in the wild’” spreadsheet, the two Arm bugs are a flaw that lets an attacker write to read-only memory in the Mali GPU and a use-after-free memory flaw in the GPU. The two Qualcomm bugs are an improper error handling flaw and a use-after-free flaw in its GPU. Google copped flak from security reporter Dan Goodin for saying the bugs “may be under limited, targeted exploitation”, a phrase he called “vague to the point of being meaningless”.

    Shane Huntley from Google’s Threat Analysis Group (TAG), who in November revealed three zero-day flaws in Apple’s iOS, defended Google’s phrasing, highlighting that Google doesn’t always have the information at hand to say whether a vulnerability is under attack. TAG also discovered and disclosed the zero-day flaws in Apple’s WebKit browser that prompted Apple to issue the emergency iOS 14.4.2 update in March. Apple even updated older iOS devices to version 12.5.2 to address those issues.


    “I understand the frustration sometimes that people aren’t always getting the IOCs and details they want but I can maybe shed a little more light here,” he wrote, referring to indicators of compromise (IOCs).

    “Firstly not all ‘In The Wild’ reports mean that we know exactly the target set. ‘In The Wild’ could mean that the exploit was discovered on the black market or a hacker forum or reported to us from a source that wished to remain anonymous. In those cases the IOCs or targeting isn’t available or known.

    “We strongly believe that there’s a difference between exploits found ourselves or reported through coordinated disclosure and ones we know to be in the hands of attackers. Flagging the latter helps with prioritization.

    “We are working to provide more information where possible on what we observe but it is a trade off and sometimes either don’t have the details or can’t reveal all the info that some people want. We still think there’s value releasing what we can.”

    Qualcomm says in its advisory that CVE-2021-1905 was reported to it on 17 November 2020 and rates it as a high-severity flaw. CVE-2021-1906 is a medium-severity flaw reported to it on 7 December 2020. The flaws affect an enormous number of Qualcomm chipsets but require local access to be exploited, according to the chip maker.

    Samsung only yesterday started rolling out the May 2021 Android security patch to its flagship Galaxy S21 phones, as Sammobile reports. Samsung’s hugely popular A-series smartphones have not received the update yet.
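The practical question a reader of this story has is whether a given handset actually carries the May 2021 fixes. The Android bulletin publishes two patch-level strings each month: the 01 level covers the framework issues, and the 05 level must include every issue in the bulletin, which is where the Qualcomm and Arm component fixes are listed. The added example below (not from the article, Google, Qualcomm or Arm) reads the `ro.build.version.security_patch` property, which an Android build reports as a YYYY-MM-DD string, and compares it against the 2021-05-05 level, treating a missing or malformed value as unpatched rather than guessing. The `adb` call and the sample property values are assumptions constructed for the demonstration.

```python
"""Check an Android device's reported security patch level against the
May 2021 bulletin that fixed the four GPU zero-days (added example)."""
from datetime import date
import re
import subprocess
from typing import Optional, Tuple

# The bulletin carries two patch-level strings. 2021-05-01 covers the
# framework issues; 2021-05-05 must include every issue in the bulletin,
# which is where the Qualcomm and Arm component fixes sit.
MAY_2021_FULL_LEVEL = date(2021, 5, 5)

_PATCH_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def parse_patch_level(raw: str) -> Optional[date]:
    """Parse a ro.build.version.security_patch value (YYYY-MM-DD).

    Returns None for an empty, malformed or impossible date rather than
    guessing, so callers treat it as 'unknown, assume unpatched'.
    """
    m = _PATCH_RE.match(raw.strip())
    if not m:
        return None
    try:
        return date(*(int(g) for g in m.groups()))
    except ValueError:  # e.g. month 13 or day 32
        return None


def covers_bulletin(raw: str, required: date = MAY_2021_FULL_LEVEL) -> Tuple[bool, str]:
    """Return (patched?, reason) for a raw patch-level string."""
    level = parse_patch_level(raw)
    if level is None:
        return False, "patch level missing or unparsable; treat as unpatched"
    if level >= required:
        return True, f"patch level {level} covers the {required} level"
    return False, f"patch level {level} predates {required}; vendor GPU fixes may be absent"


def device_patch_level(serial: Optional[str] = None) -> str:
    """Read the property from a USB-attached device via adb.

    Assumed invocation; not used by the offline demo below.
    """
    cmd = ["adb"] + (["-s", serial] if serial else []) + [
        "shell", "getprop", "ro.build.version.security_patch"]
    return subprocess.check_output(cmd, text=True)


if __name__ == "__main__":
    # Constructed sample values standing in for getprop output from four devices.
    for sample in ["2021-05-05", "2021-05-01\n", "2021-04-01", ""]:
        ok, why = covers_bulletin(sample)
        print(f"{sample.strip() or '<empty>':12} {'OK ' if ok else 'FIX'} {why}")
```

A device reporting 2021-05-01 is deliberately flagged: it has the framework fixes but the bulletin does not require it to carry the Qualcomm or Arm component patches, so the GPU bugs named in this story may still be open. The check only reflects what the OEM build claims; it cannot confirm that a particular GPU driver binary was actually rebuilt.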


    Singapore orders Facebook, Twitter to post correction notice on COVID variant falsehoods

    Singapore has instructed Facebook and Twitter to carry correction notices on posts claiming there is a local strain of the COVID-19 virus. The order, however, applies only to the platforms’ users in the country. The Ministry of Health said Thursday that the directive had also been given to SPH Magazines, specifically its HardwareZone user forum. It requires the online platforms to carry a correction notice to “all end-users in Singapore” who accessed Facebook, Twitter, and HardwareZone.com, the ministry said. It referred to false statements circulating online suggesting that a new variant of COVID-19 had originated in Singapore and was at risk of spreading to India.

    “There is no new ‘Singapore’ variant of COVID-19. Neither is there evidence of any COVID-19 variant that is ‘extremely dangerous for kids’,” the Health Ministry said. “The strain that is prevalent in many of the COVID-19 cases detected in Singapore in recent weeks is the B.1.617.2 variant, which originated from India. The existence and spread of the B.1.617.2 variant within India predates the detection of the variant in Singapore, and this has been publicly known and reported by various media sources from as early as May 5, 2021.”

    The correction notice order was issued by the Protection from Online Falsehoods and Manipulation Act (POFMA) Office, which is tasked with overseeing the Act.

    The move came days after Delhi Chief Minister Arvind Kejriwal said on Twitter that a Singapore variant of the virus was particularly harmful to children and could trigger a third wave of infections in India. He also urged his government to cancel flights from Singapore.

    In response, Singapore’s Ministry of Foreign Affairs said Wednesday that it “regrets the unfounded assertions” and was “disappointed” that a prominent political figure failed to ascertain facts before making such claims. The ministry added that it had met with the High Commission of India to express its concerns.

    For its part, India’s Foreign Minister Subrahmanyam Jaishankar rebuked Kejriwal, who is from the country’s largest opposition party, Aam Aadmi. Jaishankar said on Twitter: “Irresponsible comments from those who should know better can damage longstanding partnerships. So, let me clarify — Delhi CM does not speak for India.” He added that both countries had been partners in combating COVID-19 and that India was “grateful” for Singapore’s role as a logistics hub and supplier of the medical oxygen India needed during its second wave.

    India on Wednesday reported a daily record of 4,529 deaths from COVID-19, exceeding the previous global record of 4,475 deaths recorded in the US on January 12. Singapore is currently seeing a second wave of infections, with 34 community cases recorded on Wednesday, the 24th consecutive day on which such infections had been detected. In total, 31 people have died of the virus in the city-state.

    POFMA was passed in May 2019, following a brief public debate, and took effect in October 2019 with details on how appeals against directives could be made. The bill was passed amid strong criticism that it gave the government far-reaching powers over online communication and would be used to stifle free speech and quell political opponents.

    Non-compliance with a POFMA directive is an offence under the Act. Offenders could face up to three or five years’ imprisonment, a SG$30,000 or SG$50,000 fine, or both. If bots or inauthentic accounts are used to amplify falsehoods, the potential penalties are doubled. Offending internet intermediaries, meanwhile, could face fines of up to SG$1 million, plus a SG$100,000 fine for each day they continue to breach the Act after conviction.


    Domain Group says phishing attack targeted site users

    Australian digital real estate business Domain Group has confirmed its platform was the victim of a phishing attack.

    “We have identified a scam that used a phishing attack to gain access to Domain’s administrative systems to engage with people who have made rental property enquiries,” the company’s CEO Jason Pellegrino said in a statement to ZDNet. “We understand the scammers then contacted some of these people by email to suggest that they pay a ‘deposit’ to secure a rental property on a website nominated by the scammer.”

    Domain said that while the attack is a serious matter, its investigation so far showed only a small number of people may have engaged with the scam. “Clearly people are becoming more aware of how to spot suspicious online behaviour and taking protective measures not to engage in such activity,” Pellegrino added. “Unfortunately, since Covid, scams like these have been on the rise. It is disappointing for us to find out that after such a challenging past twelve months for many of us, some see this as an opportunity to take advantage of others.”

    The CEO said that since becoming aware of the scam, Domain has implemented several additional security controls and “elevated” its level of monitoring even further.

    “We continue to implement further ways to identify and prevent phishing and have engaged external security consultants to provide further expertise in the management and prevention of online scams,” he said.

    Domain Group is approximately 65% owned by Nine Entertainment Co as a result of the Fairfax-Nine merger. Nine earlier this year had its services disrupted by a cyber attack that forced it off air. Domain said the latest incident was not related to the one experienced by Nine.

    Over the ditch, New Zealand’s Waikato District Health Board has been working to get its systems back online after it experienced a full outage of its information services on Tuesday. Stuff is reporting that the incident was ransomware and that the head of Waikato DHB said “no ransom will be paid” to cyber criminals.

    In an update posted Wednesday afternoon, Waikato DHB said it was making “good progress” on restoring the infected systems and on the remediation process. “We are currently working with other government departments to investigate the cause, but are working on the theory that the initial incursion was via an email attachment. A forensic investigation is ongoing,” it said.

    Services across its Waikato, Thames, Te Kūiti, Tokoroa, and Taumarunui hospitals have been impacted this week. At Waikato Hospital, some elective surgeries have been deferred and the number of outpatient clinics has been reduced. Of the 102 elective surgeries planned for inpatients at Waikato Hospital on Wednesday, 73 were still going ahead; on Tuesday, six elective surgeries were cancelled and 95 were still performed. Elective surgeries at Thames Hospital have been postponed and all outpatient activity at Waikato DHB’s rural hospitals has been deferred.


    AFP using a squad of good boys to detect devices such as USBs and SIM cards

    Image: AFP Technology Detection Dog Georgia finding a phone hidden in a vacuum cleaner.

    The Australian Federal Police (AFP) this week revealed that some of its canine squad have been trained to sniff out devices, such as USBs and SIM cards, at crime scenes or during the execution of search warrants.

    In a Facebook post showing a video of one dog, Georgia, finding a phone hidden in a vacuum cleaner, the AFP said that since 2019 its three technology detection dogs have located more than 120 devices in support of investigations ranging from child protection to counter-terrorism operations. It said that over the next three years at least 12 more labradors will be trained and deployed across the country.

    “A single USB can hold hundreds of thousands of child exploitation images, or documents of crucial evidence for a police investigation,” an AFP spokesperson told ZDNet. “However, with the Technology Detection Dogs, we are able to detect their presence, even when concealed.”

    The AFP said the government is boosting funding by AU$35.4 million over four years to combat child sexual abuse and exploitation, which includes AU$5.7 million to expand the team of technology detection dogs. “The increased funding for the tech dogs capability will greatly enhance the ability of the AFP to collect vital digital evidence, bringing to justice not only online child sex offenders, but also violent extremists and those involved in organised crime,” the spokesperson said.

    According to the AFP, initial training of the dog squad takes at least three months of intensive work, followed by ongoing dedicated work between the handler and the dog once they are teamed.

    “These dogs are the very top tier among detection dogs, requiring specific traits such as a high drive, a high level of intelligence, endurance, and the ability to learn how to detect these devices in repetitive learning,” the spokesperson said. “The other critical element to this capability is, of course, the handler selection to pair with the dogs. This is a highly technical capability and requires an experienced handler to work with the dogs and use them effectively.”

    Each dog can expect to work for around six years in the field before enjoying a well-deserved retirement with its handler or a volunteer family.



    Palo Alto Networks unveils new innovations for Zero Trust architecture

    Palo Alto Networks announced a slate of new features on Wednesday designed to help customers introduce Zero Trust across their network security stack.

    Anand Oswal, a senior vice president at Palo Alto Networks, said in a statement that the company was trying to simplify the adoption of complete Zero Trust Network Security by adding SaaS Security, Advanced URL Filtering, DNS Security, a Cloud Identity Engine, and new ML-Powered Firewalls.

    “The productivity of a hybrid workforce lies in the ability for users to move freely on and off the campus network and still securely access any applications or data from any device in any location. Enabling this seamless experience securely is one of the many promises of a Zero Trust architecture,” Oswal said.

    The company statement explained that the new tools introduce Cloud Access Security Broker functionality, which enables secure access to SaaS applications, as well as a Cloud Identity Engine that authenticates and authorizes the network’s users. URL Filtering, beefed-up DNS Security, an ML-powered firewall and more round out the list of tools being incorporated across an organization’s hardware, software and cloud.

    Several customers shared their experience with the products, including representatives from Caesars Entertainment Corporation, Takeda Pharmaceutical North America, CDW and World Wide Technology. Bobby Wilkins, vice president of cybersecurity at Caesars, said the company was using the SaaS Security solution to protect data across all of its corporate SaaS applications, and CDW vice president Tom Cahill added that the ML-driven firewall would help the company innovate in its cybersecurity offerings.


    More than 290 enterprises hit by 6 ransomware groups in 2021

    Every week there is a new organization facing a ransomware attack, but a new report from eSentire’s security research team and Dark Web researcher Mike Mayes says the incidents that make the news are only a small slice of the true number of victims.

    The eSentire Ransomware Report says that in 2021 alone, six ransomware groups compromised 292 organizations between January 1 and the end of April. The report estimates that the groups brought in at least $45 million from these attacks and details multiple incidents that were never reported. The eSentire team and Mayes focused exclusively on the Ryuk/Conti, Sodin/REvil, CLOP, and DoppelPaymer ransomware groups, as well as two emerging but notable gangs, DarkSide and Avaddon. Each gang focuses on particular industries and regions of the world, according to the report.

    The Ryuk/Conti gang has attacked 352 organizations since 2018 and 63 this year, focusing mostly on manufacturing, construction and transportation companies. Dozens of its victims have never been publicized, but the most notable organizations attacked include the Broward County School District and French cup company CEE Schisler, neither of which paid the exorbitant ransoms, the report said. In addition to manufacturing, the group made waves in 2020 for attacking the IT systems of small governments across the United States, such as Jackson County, Georgia; Riviera Beach, Florida; and LaPorte County, Indiana. All three local governments paid the ransoms, which ranged from $130,000 to nearly $600,000. The group also spent much of 2020 attacking local hospitals.

    Like the Ryuk/Conti gang, the people behind the Sodin/REvil ransomware focus on healthcare organizations while also devoting effort to attacking laptop manufacturers. Of their 161 victims, 52 were hit in 2021, and they made international news with attacks on Acer and Quanta, two of the world’s biggest technology manufacturers. Quanta, which produces Apple’s notebooks, was hit with a $50 million ransom demand. The company refused, and the Sodin/REvil gang leaked detailed designs of an Apple product in response. The gang threatened to leak more documents but pulled the photos and any other reference to the attack by May, according to the report, which noted that Apple has not spoken about the intrusion since.

    The DoppelPaymer/BitPaymer gang has made a name for itself by targeting government institutions and schools. The FBI released a notice in December specifically about the ransomware, noting that it was being used to attack critical infrastructure such as hospitals and emergency services. The report adds that most of the group’s 59 victims this year have not been publicly identified, other than the Illinois attorney general’s office, which was attacked on April 29.

    The Clop gang has focused its efforts on abusing the widely covered vulnerability in Accellion’s file transfer system. The eSentire team and Mayes explain that the group used the vulnerability profusely, hitting the University of California, US bank Flagstar, global law firm Jones Day, Canadian jet manufacturer Bombardier, Stanford University, Dutch oil giant Royal Shell, the University of Colorado, the University of Miami, gas station company RaceTrac and many more. The report notes that the Clop gang became infamous for allegedly combing through an organization’s files and contacting customers or partners to demand that they pressure the victim into paying a ransom.

    The DarkSide gang has been in the news of late for its attack on Colonial Pipeline, which set off a political firestorm in the United States and a run on gas stations in certain towns along the East Coast. The group is one of the newest of the leading ransomware groups, emerging in late 2020, according to the report, but it has wasted little time, racking up 59 victims since November and 37 this year. The report notes that DarkSide is one of the few groups operating as a ransomware-as-a-service operation, offloading responsibility onto affiliates who attack targets and split the ransoms. eSentire said its research indicated that the people behind DarkSide were unaware of the Colonial attack before it happened and only found out from the news. The group made waves last week when it allegedly shut down all of its operations due to increased law enforcement scrutiny. The ransomware has been implicated in multiple attacks on energy producers, including one of Brazil’s largest electric utility companies, Companhia Paranaense de Energia, which it hit in February.

    The final group studied is the Avaddon gang, which was in the news this week for its attack on major European insurance company AXA. The attack was notable because AXA provides dozens of companies with cyber insurance and had pledged to stop reimbursing its customers in France for paid ransoms. In addition to AXA, the group has attacked 46 organizations this year and, like DarkSide, operates as a ransomware-as-a-service operation. The report explains that the gang is notable for including a countdown clock on its Dark Web site and for the added threat of a DDoS attack if the ransom is not paid. Its victims include healthcare organizations such as Capital Medical Center in Olympia, Washington and Bridgeway Senior Healthcare in New Jersey.

    The eSentire team and Mayes added that the vast number of unreported attacks indicates that these gangs are “wreaking havoc against many more entities than the public realizes.”

    “Another sobering realization is that no single industry is immune from this ransomware scourge,” the report said. “These debilitating attacks are happening across all regions and all sectors, and it is imperative that all companies and private-sector organizations implement security protections to mitigate the damages stemming from a ransomware attack.”