More stories

  • in

    Adobe releases another out-of-band patch, squashing critical bugs across creative software

    Adobe has released a second out-of-band security update to patch critical vulnerabilities across numerous software products. 

    The patch, released outside of the tech giant’s typical monthly security cycle, impacts Adobe Illustrator, Dreamweaver, Marketo, Animate, After Effects, Photoshop, Premiere Pro, Media Encoder, InDesign, and the Creative Cloud desktop application on Windows and macOS machines. 
    Published on October 20, the first app tackled is Illustrator, which received a fix for seven critical vulnerabilities. The memory corruption and out of bounds read/write issues, when exploited, can lead to arbitrary code execution. 
    Adobe Dreamweaver was subject to an “important” uncontrolled search path element security flaw which could be exploited for the purpose of privilege escalation, and another “important” issue impacting the Marketo Sales Insight Salesforce package, a cross-site scripting (XSS) bug, could have been weaponized to deploy malicious JavaScript in a browser session. 
    Adobe’s next batch of fixes focused on Animate, in which four critical vulnerabilities — out-of-bounds read, stack-based buffer overflow, and double-free problems — all resulting in arbitrary code execution were resolved.
    After Effects, too, contained critical issues that have since been patched. A single out-of-bounds read and an uncontrolled search path problem leading to the execution of malicious code are now patched. 
    Critical uncontrolled search path problems were also found and fixed in Photoshop, Premiere Pro, Media Encoder, and Creative Cloud installer for desktop.
    Finally, a single, critical memory corruption bug has been patched in InDesign that could also be abused to execute arbitrary code. 
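Several of the advisories above share one bug class, an uncontrolled search path element: the application loads a library by bare file name and walks an ordered list of directories, so a directory that is consulted before the one holding the legitimate copy, and that a lower-privileged user can write to, lets that user plant a same-named file and have it loaded by the higher-privileged process. The following is an added example, not Adobe's code and not a reproduction of any of the patched flaws; it audits a search order for that condition. The directory layout, the library name `helper.dll`, and the "writable by group or world" test are assumptions made for the illustration.

```python
"""
Added example (not Adobe's code). Models an uncontrolled search path element:
a loader walks `search_path` in order looking for `lib_name`; any directory
consulted before the real copy that an unprivileged user can write to is a
place where a planted file would shadow the legitimate library.
"""
import os
import stat
import tempfile
from typing import Callable, List


def writable_by_others(directory: str) -> bool:
    """Conservative proxy for 'an unprivileged local user can drop a file
    here': the directory grants write permission to group or world.
    (Assumption: POSIX mode bits; on Windows an ACL check would replace this.)"""
    mode = os.stat(directory).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_hijack_points(search_path: List[str], lib_name: str,
                       writable: Callable[[str], bool] = writable_by_others) -> List[str]:
    """Return every directory that (a) is searched before the legitimate copy
    of lib_name would be found and (b) is writable by others. Missing
    directories are skipped, as a loader would skip them."""
    hijackable: List[str] = []
    for directory in search_path:
        if not os.path.isdir(directory):
            continue
        if os.path.isfile(os.path.join(directory, lib_name)):
            return hijackable        # real copy found; later entries are never consulted
        if writable(directory):
            hijackable.append(directory)
    return hijackable                # never found: every writable entry is a hijack point


def demo() -> List[str]:
    """Constructed layout (an assumption, not a real install): a world-writable
    directory sits earlier in the search order than the directory that
    actually holds helper.dll."""
    root = tempfile.mkdtemp()
    loose = os.path.join(root, "loose")
    system = os.path.join(root, "system")
    os.mkdir(loose)
    os.chmod(loose, 0o777)           # anyone may write here
    os.mkdir(system)
    os.chmod(system, 0o755)          # only the owner may write here
    with open(os.path.join(system, "helper.dll"), "wb") as fh:
        fh.write(b"legitimate library bytes")
    return find_hijack_points([loose, system], "helper.dll")


if __name__ == "__main__":
    for d in demo():
        print("hijackable search-path entry:", d)
```

The fix on the application side is the same one the advisories imply: load libraries by absolute path or restrict the search order to directories only an administrator can write, so that no entry preceding the legitimate copy is user-writable.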
    Adobe thanked researchers working with the Trend Micro Zero Day Initiative and from Fortinet’s FortiGuard Labs, Qihoo 360 CERT, Root Fix, and Decathlon, among others, for their disclosures.
    Last week, Adobe released a separate set of out-of-band security fixes impacting the Magento platform. On October 15, Adobe said the patch resolved nine vulnerabilities, eight of which are critical — including a bug that could be abused to tamper with Magento customer lists.
    More

  • in

    MobileIron enterprise MDM servers under attack from DDoS gangs, nation-states

    Image: Orange Tsai
    A month after details were published about three severe vulnerabilities in a type of server used to manage fleets of mobile devices, multiple threat actors are now exploiting these bugs to take over crucial enterprise servers and even orchestrate intrusions inside company networks.
    The targets of these attacks are MDM servers from software maker MobileIron.
    MDM stands for Mobile Device Management. MDM systems are used inside enterprises to allow companies to manage employees’ mobile devices, by allowing system administrators to deploy certificates, apps, access-control lists, and wipe stolen phones from a central server.
    In order to enforce these features, MDM servers need to be online all the time and reachable over the internet, so remote employees’ phones can report back to the company and get the latest updates.
    Three major bugs discovered in MobileIron MDMs
    Earlier this summer, a security researcher named Orange Tsai discovered three major vulnerabilities in MobileIron’s MDM solutions, which he reported to the vendor, and which the company patched in July.

    Tsai initially withheld in-depth details about the three bugs to give companies time to update their systems.
    However, many did not. Tsai eventually published a detailed write-up about the three bugs in September, after he used one of them to hack into Facebook’s MDM server and pivot into the company’s internal network as part of Facebook’s bug bounty program.
    Exploitation begins after PoC is published on GitHub
    But Tsai’s blog post also had some unintended consequences. Other security researchers used the details in his blog to create public proof-of-concept (PoC) exploits for CVE-2020-15505, the most dangerous of the three bugs that Tsai discovered over the summer.
    This PoC exploit was later released on GitHub and made available to other security researchers and penetration testers, but also to attackers.
    And just like all the times before when someone released a PoC for a dangerous bug on GitHub, attacks followed within days.
    The first wave took place at the start of October and was detected by RiskIQ researchers.
    Not that much is known about these attacks, as RiskIQ never went into details, but a report from BlackArrow, published on October 13, breaks down a threat actor’s attempts to hack into MobileIron MDM systems and install the Kaiten DDoS malware.
    But if companies thought that getting their MDM server infected with DDoS malware was the worst thing that could happen, they thought wrong.
    Today, the US National Security Agency (NSA) listed the MobileIron CVE-2020-15505 as one of the top 25 vulnerabilities exploited by Chinese state-sponsored hackers in recent months.
    The NSA said Chinese threat actors have been using the MobileIron bug, along with many others, to gain an initial foothold on internet-connected systems, and then pivot to internal networks.
    Companies urged to patch
    With MobileIron boasting that more than 20,000 companies use its MDM solutions, including many Fortune 500 companies, this vulnerability is shaping up to be one of the most dangerous security flaws disclosed this year.
    With such a huge install base, MobileIron MDM servers are likely to remain under attack for the foreseeable future.
    But at this point in time, patching is only half of the job. Companies must also perform security audits of their MobileIron MDM servers, their mobile devices, and internal networks.
    This is because CVE-2020-15505 can be considered a gateway bug. Once exploited, intruders can use this bug to take over the entire MDM server and then deploy malware on mobile devices connected to the MDM server or access the company’s internal network, to which the MDM server is likely to be connected. More

  • in

    Adobe previews content attribution tool in Photoshop to fight deep fakes

    Adobe has begun testing a method to securely watermark digital assets such as photos in its applications to ensure proper attribution of digital media, it said in a blog post Tuesday afternoon.
    The watermarking function is part of a broader industry effort to use authentication of authorship as a means to combat deep fakes and other misleading materials on the Internet.
    Adobe’s Photoshop image editing tool, and its Behance marketplace for digital media, have gained a feature to add authorship data, via a palette of meta-data that can be turned on and off, according to an essay posted Tuesday by Will Allen, the Adobe executive in charge of the software.
    “The tool is built using an early version of the open standard that will provide a secure layer of tamper-evident attribution data to photos, including the author’s name, location and edit history,” wrote Allen. 
    In a YouTube video, a walk-through is shown of what’s called the Content Credentials panel, a palette that pops up in the Adobe UI just like brushes and other palettes. 
    The Credentials panel lets a user turn on or off the meta-data on the image. The meta-data contains information such as the author of the image. As the image is manipulated in Photoshop, the Credentials panel keeps track of the actions and adds those changes to the meta-data of the image.
    The Credentials panel is working off of a proposed open standard for credentials that is being promoted by the Content Authenticity Initiative, a group formed a year ago by Adobe at its MAX user conference, in conjunction with The New York Times and Twitter. The CAI is promoting the adoption of meta-data across software platforms as a universal, secure means of recording authorship data.
    A white paper posted by CAI describes various workflows. In the case of image data, a photojournalist would use a CAI-compliant device to capture the photo, and the device would automatically attach the authorship meta-data to the photo file, which would then be imported into Photoshop and other CAI-compliant software tools.  More
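The property Allen describes, tamper-evident attribution data that also carries an edit history, is the interesting part: the meta-data is only useful if re-attributing the image, hiding an edit step, or moving the credentials onto different pixels is detectable. The following added example is not Adobe's or the CAI's code and does not implement their standard; it sketches the property as a hash chain in which each edit entry is bound to the entry before it and to the resulting image bytes. Its assumptions: a single symmetric key with HMAC-SHA256 stands in for the signing a real attestation format would do, and the "images" are byte strings constructed here.

```python
"""
Added example (not Adobe's or the CAI's code). Tamper-evident attribution as
a MAC chain: an origin entry binds author, location and the original pixels;
each edit entry is MACed together with the previous entry's MAC, so any
removal, reordering or rewrite upstream breaks every entry downstream.
Assumption: HMAC with a shared key stands in for a real signature scheme.
"""
import hashlib
import hmac
import json
from typing import Dict, List


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _mac(key: bytes, *fields: str) -> str:
    return hmac.new(key, "|".join(fields).encode(), hashlib.sha256).hexdigest()


def create_credentials(key: bytes, author: str, location: str, image: bytes) -> Dict:
    """Origin entry: who captured what, where, bound to the original pixels."""
    original = _sha256(image)
    return {
        "author": author,
        "location": location,
        "original_hash": original,
        "origin_sig": _mac(key, "origin", author, location, original),
        "edits": [],
    }


def record_edit(key: bytes, cred: Dict, action: str, image_after: bytes) -> None:
    """Append one edit; its MAC covers the previous link in the chain."""
    prev = cred["edits"][-1]["sig"] if cred["edits"] else cred["origin_sig"]
    result = _sha256(image_after)
    cred["edits"].append({"action": action, "result_hash": result,
                          "sig": _mac(key, prev, action, result)})


def verify(key: bytes, cred: Dict, image: bytes) -> bool:
    """True only if every entry is intact and the chain ends at `image`."""
    expected = _mac(key, "origin", cred["author"], cred["location"], cred["original_hash"])
    if not hmac.compare_digest(expected, cred["origin_sig"]):
        return False
    link, final = cred["origin_sig"], cred["original_hash"]
    for entry in cred["edits"]:
        expected = _mac(key, link, entry["action"], entry["result_hash"])
        if not hmac.compare_digest(expected, entry["sig"]):
            return False
        link, final = entry["sig"], entry["result_hash"]
    return final == _sha256(image)       # credentials must match these pixels


def demo() -> List[bool]:
    """Honest history verifies; three kinds of tampering do not."""
    key = b"demo-signing-key"                         # assumption: shared key
    photo = b"RAW PIXELS v0"                          # constructed 'image'
    cred = create_credentials(key, "A. Photographer", "Lisbon", photo)
    cropped = b"RAW PIXELS v0 cropped"
    record_edit(key, cred, "crop", cropped)
    graded = b"RAW PIXELS v0 cropped graded"
    record_edit(key, cred, "color-grade", graded)

    honest = verify(key, cred, graded)                # True
    forged = json.loads(json.dumps(cred))
    forged["author"] = "Someone Else"                 # re-attribution
    reattributed = verify(key, forged, graded)        # False
    stripped = json.loads(json.dumps(cred))
    del stripped["edits"][0]                          # hide the crop step
    hidden_edit = verify(key, stripped, graded)       # False
    moved = verify(key, cred, b"different pixels")    # credentials on other pixels: False
    return [honest, reattributed, hidden_edit, moved]


if __name__ == "__main__":
    print(demo())
```

Two details carry the security argument: `compare_digest` avoids leaking MAC bytes through timing, and the final check against the image hash ties the manifest to the pixels it travels with, so valid credentials cannot simply be copied onto an unrelated file.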

  • in

    Google releases Chrome security update to patch actively exploited zero-day

    Google has released Chrome version 86.0.4240.111 earlier today to deploy security fixes, including a patch for an actively exploited zero-day vulnerability.
    The zero-day is tracked as CVE-2020-15999 and is a heap buffer overflow in the FreeType font rendering library that is bundled with standard Chrome distributions.
    In-the-wild attacks leveraging this FreeType bug were discovered by security researchers from Project Zero, one of Google’s internal security teams.
    According to Project Zero team lead Ben Hawkes, a threat actor was spotted abusing this FreeType bug to mount attacks against Chrome users.
    Hawkes now urged other app vendors who use the same FreeType library to update their software as well, in case the threat actor decides to shift attacks against other apps.
    A patch for this bug has been included in FreeType 2.10.4, released earlier today.
    Chrome users can update to v86.0.4240.111 via the browser’s built-in update function (see Chrome menu, Help option, and About Google Chrome section).

    The finer details about CVE-2020-15999 active exploitation attempts have not been made public. Google usually sits on technical details for months to give users enough time to update and keep even the smallest clues from falling into attackers’ hands.
    However, since the patch for this zero-day is visible in the source code of FreeType, an open source project, it’s expected that threat actors will be able to reverse-engineer the zero-day and come up with their own exploits within days or weeks.
    CVE-2020-15999 is the third Chrome zero-day exploited in the wild in the past twelve months. The first two were CVE-2019-13720 (October 2019) and CVE-2020-6418 (February 2020). More

  • in

    Microsoft says it took down 94% of TrickBot's command and control servers

    Image: CSIS
    Last week, a coalition of cyber-security firms led by Microsoft orchestrated a global takedown against TrickBot, one of today’s largest malware botnets and cybercrime operations.

    Although Microsoft brought down TrickBot infrastructure in the first few days, the botnet survived, and TrickBot operators brought new command and control (C&C) servers online in the hopes of continuing their cybercrime spree.
    But as several sources in the cyber-security industry told ZDNet last week, everyone expected TrickBot to fight back, and Microsoft promised to continue cracking down against the group in the weeks to come.
    In an update posted today on its takedown efforts, Microsoft confirmed a second wave of takedown actions against TrickBot.
    94% of TrickBot servers taken down in a week
    The OS maker said it has slowly chipped away at TrickBot infrastructure over the past week and has taken down 94% of the botnet’s C&C servers, including the original servers and new ones brought online after the first takedown.
    “From the time we began our operation until October 18, we have taken down 120 of the 128 servers we identified as Trickbot infrastructure around the world,” said Tom Burt, CVP of Customer Security and Trust at Microsoft.
    Burt says Microsoft brought down 62 of the original 69 TrickBot C&C servers and 58 of the 59 servers TrickBot tried to bring online after last week’s takedown.
    The seven servers that could not be brought down last week were described as Internet of Things (IoT) devices.
    The reason these systems couldn’t be taken down right away was that they weren’t located inside web hosting companies and data centers, and the device owners couldn’t be reached via an “abuse email.”
    Additional coordination was needed with local internet service providers, but Microsoft says “these [devices] are in the process of being disabled.”
    Burt credited Microsoft’s swift response to the second wave of TrickBot server infrastructure to the company’s lawyers, who moved in quickly and requested new court orders to have these new servers taken down within days.
    Down, but not out
    Currently, the TrickBot botnet is still alive, but it has once again been brought to its knees. Nonetheless, a few command and control servers are still online, allowing the TrickBot operators to keep control of their horde of infected devices.
    According to cyber-security firm Intel 471, these last few TrickBot C&C remnants are located in Brazil, Colombia, Indonesia, and Kyrgyzstan.
    How long TrickBot will survive is unclear, but Burt said Microsoft plans to hunt down TrickBot infrastructure at least until the US Presidential Elections, to be held on November 3.
    Burt said Microsoft is trying to prevent TrickBot from renting access to infected computers to ransomware gangs, something the TrickBot botnet is known to have done in the past.
    Microsoft fears that a badly timed ransomware attack might end up causing downtimes to election systems — either by directly encrypting election-related infrastructure; or indirectly, by impacting election-related supply chains.
    Such fears have been played down by most cyber-security experts, as ransomware gangs have a multitude of distribution methods at their disposal, and taking down TrickBot won’t necessarily mean that the elections are safe from ransomware attacks — but nobody’s mad at Microsoft for crippling a botnet that has given many system administrators nightmares for the past two years.
    Nonetheless, from afar, the takedown attempt doesn’t seem to have worried TrickBot operators too much, as they spent the last week trying to make new victims with the help of a partner malware botnet (Emotet).

    Had a feeling this would happen. Emotet often drops TrickBot, and a few months ago TrickBot was dropping Emotet. As a result they are able to recover some old bots, as well as infect new systems via Emotet. https://t.co/ijB87gqKJ1
    — MalwareTech (@MalwareTechBlog) October 14, 2020 More

  • in

    NSA publishes list of top vulnerabilities currently targeted by Chinese hackers

    Image: ZDNet, Tanguy Keryhuel, Martin Vorel
    The US National Security Agency has published today an in-depth report detailing the top 25 vulnerabilities that are currently being consistently scanned, targeted, and exploited by Chinese state-sponsored hacking groups.

    All 25 security bugs are well known and have patches available from their vendors, ready to be installed.
    Exploits for many of the vulnerabilities are also publicly available. Some have been exploited by more than just Chinese hackers, having also been incorporated into the arsenals of ransomware gangs, low-level malware groups, and nation-state actors from other countries (e.g., Russia and Iran).
    “Most of the vulnerabilities listed below can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks,” the NSA said today.
    The US cyber-security agency urges organizations in the US public and private sector to patch systems for the vulnerabilities listed below.
    These include:
    1) CVE-2019-11510 – On Pulse Secure VPN servers, an unauthenticated remote attacker can send a specially crafted URI to exploit an arbitrary file read vulnerability. This may lead to exposure of keys or passwords.
    2) CVE-2020-5902 – On F5 BIG-IP proxies and load balancer, the Traffic Management User Interface (TMUI) —also referred to as the Configuration utility— is vulnerable to a Remote Code Execution (RCE) vulnerability that can allow remote attackers to take over the entire BIG-IP device.
    3) CVE-2019-19781 – Citrix Application Delivery Controller (ADC) and Gateway systems are vulnerable to a directory traversal bug, which can be chained into remote code execution without the attacker having to possess valid credentials for the device, allowing full takeover of the Citrix system.
    4+5+6) CVE-2020-8193, CVE-2020-8195, CVE-2020-8196 – Another set of Citrix ADC and Gateway bugs, which also impact SD-WAN WANOP systems. The three bugs allow unauthenticated access to certain URL endpoints and information disclosure to low-privileged users.
    7) CVE-2019-0708 (aka BlueKeep) – A remote code execution vulnerability exists within Remote Desktop Services on Windows operating systems.
    8) CVE-2020-15505 – A remote code execution vulnerability in the MobileIron mobile device management (MDM) software that allows remote attackers to execute arbitrary code and take over remote company servers.
    9) CVE-2020-1350 (aka SIGRed) – A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests.
    10) CVE-2020-1472 (aka Zerologon) – An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC).
    11) CVE-2019-1040 – A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection.
    12) CVE-2018-6789 – Sending a handcrafted message to an Exim mail transfer agent may cause a buffer overflow. This can be used to execute code remotely and take over email servers.
    13) CVE-2020-0688 – A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory.
    14) CVE-2018-4939 – Certain Adobe ColdFusion versions have an exploitable Deserialization of Untrusted Data vulnerability. Successful exploitation could lead to arbitrary code execution.
    15) CVE-2015-4852 – The WLS Security component in Oracle WebLogic Server allows remote attackers to execute arbitrary commands via a crafted serialized Java object.
    16) CVE-2020-2555 – A vulnerability exists in the Oracle Coherence product of Oracle Fusion Middleware. This easily exploitable vulnerability allows an unauthenticated attacker with network access via T3 to compromise Oracle Coherence systems.
    17) CVE-2019-3396 – The Widget Connector macro in Atlassian Confluence Server allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
    18) CVE-2019-11580 – Attackers who can send requests to an Atlassian Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution.
    19) CVE-2020-10189 – Zoho ManageEngine Desktop Central allows remote code execution because of deserialization of untrusted data.
    20) CVE-2019-18935 – Progress Telerik UI for ASP.NET AJAX contains a .NET deserialization vulnerability. Exploitation can result in remote code execution.
    21) CVE-2020-0601 (aka CurveBall) – A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear that the file was from a trusted, legitimate source.
    22) CVE-2019-0803 – An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory.
    23) CVE-2017-6327 – The Symantec Messaging Gateway can encounter a remote code execution issue.
    24) CVE-2020-3118 – A vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload of an affected device.
    25) CVE-2020-8515 – DrayTek Vigor devices allow remote code execution as root (without authentication) via shell metacharacters. More
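Several entries in the list (the Pulse Secure arbitrary file read, the Citrix ADC directory traversal, the F5 TMUI bug) are reached through request paths that still contain a parent-directory segment when they arrive at the server, which is something a browser never sends because it resolves `..` before a request leaves. That makes a surviving `..` segment in an access log a cheap, high-signal detection for the "gateway" products the NSA is talking about. The following added example is not from the NSA report or any vendor; it normalises request paths from web-server access logs (percent-decoding, repeated to peel double encoding, and the Java-style `;` path-parameter trick) and flags any line where a `..` segment survives. The log lines are constructed: the attack paths follow the shape of the publicly documented indicators for those three bugs, and the IPs, timestamps and sizes are made up.

```python
"""
Added example (not from the NSA report or any vendor). Flags access-log
requests whose path still contains a parent-directory segment after
normalisation. SAMPLE_LOG is constructed for this example.
"""
import re
from collections import Counter
from typing import Dict, List, Optional
from urllib.parse import unquote

# Common/combined log format: ip ident user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SAMPLE_LOG = """\
10.0.0.5 - - [20/Oct/2020:10:01:02 +0000] "GET /dana-na/auth/url_default/welcome.cgi HTTP/1.1" 200 5120
203.0.113.9 - - [20/Oct/2020:10:01:07 +0000] "GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/ HTTP/1.1" 200 1830
198.51.100.4 - - [20/Oct/2020:10:02:11 +0000] "GET /vpn/../vpns/cfg/smb.conf HTTP/1.1" 200 83
198.51.100.4 - - [20/Oct/2020:10:02:12 +0000] "POST /vpn/../vpns/portal/scripts/newbm.pl HTTP/1.1" 200 0
192.0.2.7 - - [20/Oct/2020:10:03:00 +0000] "GET /tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/etc/passwd HTTP/1.1" 200 1302
10.0.0.8 - - [20/Oct/2020:10:03:30 +0000] "GET /images/%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 404 0
10.0.0.10 - - [20/Oct/2020:10:03:45 +0000] "GET /files/%252e%252e/%252e%252e/etc/shadow HTTP/1.1" 404 0
10.0.0.9 - - [20/Oct/2020:10:04:00 +0000] "GET /static/app.js HTTP/1.1" 200 9000
"""


def normalise_path(target: str) -> str:
    """Strip the query, peel up to three layers of percent-encoding, unify
    slashes, and drop ';param' from each segment (servlet containers route
    '..;' exactly as '..')."""
    path = target.split("?", 1)[0]
    for _ in range(3):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    path = path.replace("\\", "/")
    return "/".join(seg.split(";", 1)[0] for seg in path.split("/"))


def flag_traversal(line: str) -> Optional[Dict[str, str]]:
    """Return a hit record if the request path keeps a '..' segment, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    norm = normalise_path(m["target"])
    if ".." not in norm.split("/"):
        return None
    raw = m["target"].split("?", 1)[0]
    evasion = ("none" if ".." in raw.split("/") else
               "path-parameter" if "..;" in raw else "percent-encoding")
    return {"ip": m["ip"], "method": m["method"], "status": m["status"],
            "path": norm, "evasion": evasion}


def scan(log_text: str) -> List[Dict[str, str]]:
    return [hit for hit in map(flag_traversal, log_text.splitlines()) if hit]


def hits_per_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    return dict(Counter(h["ip"] for h in hits))


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for h in found:
        print(f'{h["ip"]:15} {h["method"]:4} {h["status"]} {h["evasion"]:16} {h["path"]}')
    print(hits_per_source(found))
```

A 200 status on a flagged line is the one to escalate: a traversal that the device answered successfully, as in the Citrix and F5 sample lines, is evidence of a working exploit rather than a scan, which is why the record keeps the status alongside the normalised path.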

  • in

    Ransomware variants continue to evolve as crooks chase bigger paydays

    The number of ransomware attacks which threaten to leak stolen data if the victim doesn’t pay a ransom to get their encrypted files and servers back is growing – and this is being reflected in the changing nature of the cyber criminal market.
    Analysis by cybersecurity researchers at Digital Shadows found that over the last three months – between July and September – 80 percent of ransomware attacks combined with data dumps were associated with four families of ransomware – Maze, Sodinokibi, Conti and Netwalker.
    The period from April to June saw just three ransomware families account for 80 percent of alerts – DoppelPaymer, Maze and Sodinokibi.
    The way DoppelPaymer has dropped off and how Conti and NetWalker have suddenly emerged as some of the most prolific threats shows how the ransomware space continues to evolve, partly because of how successful it has already become for the crooks behind it.
    Maze was the first major family of ransomware to add threats of data breaches to their ransom demands, and other ransomware operators have taken note – and adopted the additional extortion tactic.
    “There is an inherent competitive nature that has befallen the ransomware landscape. The saturated ransomware market pushes ransomware developers to cut through the noise and gain the best ransomware title,” Alec Alvarado, cyber threat intelligence analyst at Digital Shadows told ZDNet.
    “This title drives more affiliates to carry out their work and, thus, more successful attacks to reach their goal: to make as much money as possible”.
    Indeed, DoppelPaymer’s activity has dropped over the last few months – although it still remains active – enabling Conti and NetWalker to grab a larger slice of the pie.
    The evolution of NetWalker in itself provides a good summary of how ransomware has been changing. The ransomware first emerged in April 2019 when it began operating a ransomware-as-a-service model for cyber criminals who had to be vetted before being given access to the tools.
    Then in March 2020 the operations of NetWalker shifted from the mass-distribution of ransomware to a more clinical approach which targeted specific large organisations. So notorious did the cyber crime group become, the FBI issued a warning on NetWalker ransomware and the Covid-19 themed phishing emails it used to gain a foothold in networks.
    NetWalker’s potency has seen it rise up the ranks to become one of the most effective forms of ransomware – with the hackers making off with an average of around $175,000 in bitcoin following each successful campaign.
    But despite the continued success of ransomware, a few relatively simple cybersecurity measures can prevent an organisation from becoming yet another victim of this kind of attack.
    “Phishing is still a favored tactic of ransomware groups, so the common phishing mitigations apply here. Employee awareness and dedicated training around phishing that encapsulates exercises using simulated phishing emails help organizations reduce this threat,” said Alvarado.
    Organisations should also ensure that security patches are regularly applied across the network so that cyber criminals can’t exploit known vulnerabilities. In addition to this, regularly making backups of corporate data is helpful because in the event of a ransomware attack, it’s possible to relatively swiftly restore the network without giving in to ransom demands.
    More

  • in

    Google removes two Chrome ad blockers caught collecting user data

    Google has removed two ad blocker extensions from the official Chrome Web Store over the weekend after the two were caught collecting user data last week.

    The two extensions were named Nano Adblocker and Nano Defender, and they had more than 50,000 and 200,000 installs, respectively, at the time they were taken down.
    The two had been around for more than a year, but the malicious code was not included with the original versions.
    The data collection code was added at the start of this month, in October 2020, after the original author sold the two extensions to “a team of Turkish developers.”
    After the sale, several users, including Raymond Hill, the author of the uBlock Origin ad blocker, came forward to point out that the two extensions were modified to include malicious code.
    “The extension is now designed to lookup[sic] specific information from your outgoing network requests according to an externally configurable heuristics and send it to https://def.dev-nano.com,” Hill said.
    After further analysis, this malicious code was found to collect information about users, such as:
    User IP address
    Country
    OS details
    Website URLs
    Timestamps for web requests
    HTTP methods (POST, GET, HEAD, etc.)
    Size of HTTP responses
    HTTP status codes
    Time spent on each web page
    Other URLs clicked on a web page
    In addition, the two Turkish developers also never modified the two extensions’ author fields, leaving the original author’s name in place, in what appeared to be an attempt to hide the sale and the culprit behind the malicious code.
    After being called out on GitHub, the two Turkish developers created a privacy policy page where they attempted to disclose the data collection behavior in a misguided attempt to legitimize the malicious code.
    However, this only made things easier for Google’s staff, as any type of extensive data collection is forbidden, per Chrome Web Store rules.
    The two extensions were taken down over the weekend and disabled in users’ Chrome browsers.
    The Firefox versions of Nano Adblocker and Nano Defender never contained the malicious code, as they were not part of the sale and were managed by a different developer. More