More stories

  • Security updates released for Adobe Reader after vulnerability ‘exploited in the wild’

    Adobe has released a security update to address a vulnerability affecting both Windows and Mac versions of Acrobat DC, Acrobat Reader DC, Acrobat 2020, Acrobat Reader 2020, Acrobat 2017 and Acrobat Reader 2017. In a security bulletin, the company acknowledged that it has received reports of the vulnerability being “exploited in the wild in limited attacks targeting Adobe Reader users on Windows.” The flaw, labeled CVE-2021-28550, could lead to arbitrary code execution if successfully exploited.

    Cybersecurity experts, like nVisium director of infrastructure Shawn Smith, said code execution is a serious threat that can potentially cost hundreds of labor hours to manually verify that every instance of some software has been updated. Sean Nikkel, senior cyber threat intel analyst at Digital Shadows, said the use of malicious PDF files has been a staple of various nation-state actors, as well as criminal actors, for years because of the ubiquity of Adobe products in use in the private and public sectors. He called Adobe the “Microsoft of a lot of office productivity software” and added that attackers historically have used phishing emails with PDF attachments to entice users to download and open files, generally under the pretense of it being a critical document for review, such as a financial document, news article, or a shipping label. “In some other instances, a would-be attacker could create a malicious website that is also hosting weaponized PDF files,” Nikkel said.

    “Generally, PDF documents, which frequently are opened either via browser or a reader such as Adobe Acrobat or Reader, can contain malicious JavaScript or allow some other system interaction that allows code execution or other vectors of attack to occur, sometimes without the user knowing.” Nikkel explained that some researchers are reporting massive increases in attacks with weaponized documents and theorizing that the increase resulted from widespread remote work over the past year.

  • Microsoft brings Threat and Vulnerability Management capability to Linux

    Microsoft is enabling IT pros to keep tabs on the security of their Linux devices using the company’s Defender for Endpoint product (formerly known as Microsoft Defender Advanced Threat Protection). The Threat and Vulnerability Management (TVM) capabilities already available for Windows and Windows Server are now also in public preview for macOS and Linux as of today, May 11. Microsoft plans to bring TVM to Android and iOS devices later this summer, officials said today.

    TVM allows users to review recently discovered vulnerabilities within applications and potential misconfigurations across Linux and remediate any affected managed and unmanaged devices. Users currently can discover, prioritize and remediate more than 30 known unsecure configurations in macOS and Linux with this capability. Initially, Microsoft is supporting RHEL, CentOS and Ubuntu Linux, with Oracle Linux, SUSE and Debian being added shortly, according to a Microsoft security blog post. The ability to assess secure configurations in threat and vulnerability management is a component of Microsoft Secure Score for Devices. It will also be part of the overall Microsoft Secure Score once generally available.

    In other Patch Tuesday news, Microsoft rolled out version 21H1 of the Windows Holographic OS today. This is the version of Windows 10 that runs on HoloLens devices, not 21H1 for regular PCs. (Windows 10 21H1 has yet to start rolling out to mainstream users and remains in preview.) Windows Holographic 21H1 (build 20346.1002) features the new Chromium-based Edge; more granular controls in the Settings app; support for “Swipe to Type” in the holographic keyboard; a new Power menu; the ability to display multiple user accounts on the sign-in screen; and more.

    Today is also the last day that several versions of Windows 10 will get security updates. Windows 10 version 1803 for Enterprise and Education, version 1809 for Enterprise and Education and version 1909 Home/Pro all reach end of service today. Users should upgrade to a newer version of Windows 10 to continue receiving security updates.

  • Apple service provider Jamf buys zero-trust software vendor Wandera for $400 million

    Apple enterprise support services provider Jamf this afternoon said it will acquire nine-year-old startup Wandera of San Francisco, a provider of cloud-based software for “zero trust” security, in what it said would “close the gap” between what consumers and what enterprises want. Minneapolis-based Jamf will pay $350 million up-front, plus an additional $50 million to be paid in two installments later this year, for a total consideration of $400 million, which will be financed with cash and debt, said Jamf.

    Simultaneously, Jamf reported Q1 revenue and profit that topped Wall Street’s expectations, and an outlook that was higher as well. Jamf shares declined by 2% in late trading, to $30.80.

    The acquisition of Wandera “will provide our customers a single source platform that handles deployment, Application Lifecycle Management, policies, filtering, and security capabilities across all Apple devices,” said Jamf CEO Dean Hager in prepared remarks, “while delivering Zero Trust Network Access for all mobile workers.”

    Addressing Q1 results, Hager remarked that the company had seen “strong momentum and balanced growth across our business in the first quarter as current trends in mobile work, education technology and digital health continued to strengthen our value proposition to customers as well as our business results.”

    Added Hager, “The year is off to a great start, and with the strategic acquisition of Wandera, we will enhance our leadership position in security with a uniquely comprehensive platform, including advanced security solutions like zero trust network access. We are excited to round out our offering to provide customers an Apple-first enterprise solution that connects, manages and protects all Apple devices, data and users.”

    Revenue in the three months ended in December rose 37%, year over year, to $81.2 million, yielding a net profit of 8 cents a share, excluding some costs. Analysts had been modeling $76.7 million and 5 cents per share. Jamf said its annualized recurring revenue rose 37% as well, to $308 million. Subscription revenue in the quarter rose to $74.9 million, it said. For the current quarter, the company sees revenue of $82 million to $84 million, above consensus for $79 million. For the full year, the company sees revenue in a range of $335 million to $341 million, versus consensus of $333.8 million.

  • Porting Linux's eBPF to Windows 10 and Windows Server

    Can you run eBPF on Windows? Sure, if you’re using Windows Subsystem for Linux 2.0. Of course, there you’re running it on the Linux kernel on Windows 10. But running eBPF on Windows natively? Nah. That will change soon, however. Microsoft has started an open-source project to make eBPF work on Windows 10 and Windows Server 2016 and later.

    This is the ebpf-for-windows project. With it, Windows developers can use eBPF toolchains and application programming interfaces (APIs) on top of existing versions of Windows. This won’t be easy. Still, by building on the work of others, it should be possible. This project takes several existing eBPF open-source projects and adds the “glue” to make them run on Windows. Why would you want to do this? Linux developers already know the answer to that, but Windows programmers probably don’t. Here’s the story.

    First, it all started with a firewall program: the decades-old Berkeley Packet Filter (BPF). This was designed for capturing and filtering network packets on a register-based virtual machine (VM). That was useful. But, as the years went by, Alexei Starovoitov, Linux kernel developer and Facebook software engineer, realized that updating BPF for modern processors into extended BPF (eBPF), capable of running user-supplied programs inside the kernel, would make it far more powerful. It was introduced in the 3.15 Linux kernel and programmers quickly started using it for all kinds of programs. Today, eBPF remains very useful for network filtering, analysis, and management, but it has far more jobs. eBPF is also used for system call filtering and process context tracing. In short, it’s become a Swiss-army knife for program tracing, system profiling, and collecting and aggregating low-level custom metrics. At a higher level, this means eBPF has become the foundation of security programs, such as Cilium, Falco, and Tracee; Kubernetes observability programs like Hubble and Pixie; and, of course, toolchains such as Clang.

    In Windows, here’s how it’s going to work: Existing eBPF toolchains will generate eBPF bytecode from source code in various languages. This bytecode can then be used by any application or manually through the Windows netsh command-line tool. This will be done using a shared library that exposes Libbpf APIs. This is still a work in progress.

    The library will then send the eBPF bytecode to the PREVAIL static verifier. This, in turn, is hosted in a user-mode protected process, which is a Windows security environment that allows a kernel component to trust a user-mode daemon signed by a trusted key. If the bytecode passes all the verifier’s safety checks, it can be loaded either into the uBPF interpreter running in a Windows kernel-mode execution context or compiled by the uBPF just-in-time (JIT) compiler, with the resulting native code loaded into the kernel-mode execution context. The uBPF step is based on an Apache-licensed library for executing eBPF programs.

    Then, the eBPF programs running in the kernel-mode execution context will be attached to hooks that handle events and call helper APIs. These are exposed via the eBPF shim. This shim wraps public Windows kernel APIs, which is what enables eBPF to be used on Windows. So far, two hooks (XDP and socket bind) have been added. Other hooks, and not just network ones, will be added.

    This is in no way an eBPF fork. It’s just adding a Windows-specific hosting environment for eBPF. The name of the game is to enable Windows developers to use eBPF programs, which will be source code compatible across Windows and Linux. Some of this will be done by using the Libbpf APIs. Of course, some eBPF code is very specific to Linux, for example if it uses Linux internal data structures. But many other APIs and hooks will work across platforms. eBPF, as advanced Linux programmers know, gives Linux developers a great deal of power. Now, this take on eBPF will share the wealth with Windows developers.

  • New Android malware targeting banks in Italy, Spain, Germany, Belgium, and the Netherlands

    A new Android trojan has been identified by security researchers, who said on Monday that once it is successfully installed on the victim’s device, those behind it can obtain a live stream of the device screen and also interact with it via its Accessibility Services.

    The malware, dubbed “TeaBot” by security researchers with Cleafy, has been used to hijack users’ credentials and SMS messages to facilitate fraudulent activities against banks in Spain, Germany, Italy, Belgium, and the Netherlands. Cleafy’s Threat Intelligence and Incident Response team first discovered the banking trojan in January and found that it enabled fraud against more than 60 banks across Europe. By March 29, Cleafy analysts found the trojan being used against Italian banks, and by May, banks in Belgium and the Netherlands were also dealing with it. Research shows that TeaBot is still under development but initially focused only on Spanish banks before moving on to banks in Germany and Italy. The malware currently supports six different languages: Spanish, English, Italian, German, French, and Dutch. The app was initially named TeaTV before repeatedly switching titles to “VLC MediaPlayer,” “Mobdro,” “DHL,” “UPS,” and “bpost.”

    “When the malicious app has been downloaded on the device, it tries to be installed as an ‘Android Service,’ which is an application component that can perform long-running operations in the background. This feature is abused by TeaBot to silently hide from the user, once installed, preventing also detection and ensuring its persistence,” the Cleafy report said. Once TeaBot is installed, it will request Android permissions to observe your actions, retrieve window content, and perform arbitrary gestures. When the permissions are granted, the app will remove its icon from the device, according to Cleafy’s study.

    Saumitra Das, CTO of cybersecurity firm Blue Hexagon, said TeaBot represents a shift in mobile malware from being a sideline issue to being a mainstream problem, just like malware on traditional endpoints. “Threat actors realize the true potential of mobile devices and the threat they can pose to the end-user,” Das said. “It is important to remember that even though the apps are not on Google Play, the phishing/social engineering tactics used by the actors behind Teabot/Flubot are as good as any threat family on the PC side; that within a short time frame, they can manage to get a huge infection base. These threats should not be underestimated.”

  • Microsoft's May 2021 Patch Tuesday: 55 flaws fixed, four critical

    Microsoft’s May Patch Tuesday dump included patches for 55 CVEs, with four rated critical. There were also three zero-day bugs, but none have been exploited. Products impacted include Internet Explorer, .NET Core and Visual Studio, Windows 10 and Office, to name a few. The fixed zero-day bugs include:

    CVE-2021-31204 .NET and Visual Studio Elevation of Privilege Vulnerability
    CVE-2021-31207 Microsoft Exchange Server Security Feature Bypass Vulnerability
    CVE-2021-31200 Common Utilities Remote Code Execution Vulnerability

    Zero Day Initiative flagged CVE-2021-31166 as one of the more interesting bugs. ZDI said:

    CVE-2021-31166 – HTTP Protocol Stack Remote Code Execution Vulnerability: “This patch corrects a bug that could allow an unauthenticated attacker to remotely execute code as kernel. An attacker would simply need to send a specially crafted packet to an affected server. That makes this bug wormable, with even Microsoft calling that out in their write-up. Before you pass this aside, Windows 10 can also be configured as a web server, so it is impacted as well. Definitely put this on the top of your test-and-deploy list.”

    There’s also a Hyper-V Remote Code Execution Vulnerability flagged by ZDI with a CVSS rating of 9.9.

  • Ransomware: Don't pay up, it just shows cyber criminals that attacks work, warns Home Secretary

    For victims of ransomware attacks, paying the ransom doesn’t guarantee that their network will be restored, and handing money to criminals only encourages more criminals to try their luck infecting more companies with the file-encrypting malware.

    The impact of ransomware attacks continues to rise as cyber criminals encrypt networks while also blackmailing victims with the prospect of stolen data being published, in order to generate as much money as possible from extortion.

    But speaking at the National Cyber Security Centre’s (NCSC) CYBERUK 2021 virtual conference, Home Secretary Priti Patel warned ransomware victims that the government doesn’t support victims of ransomware attacks paying the ransom. Not only does paying the ransom prove to cyber criminals that their campaigns work, but there’s no guarantee that cyber criminals can be trusted not to come back again in future, or to not just publish the stolen data anyway.

    “Government has a strong position against paying ransoms to criminals, including when targeted by ransomware,” said Patel. “Paying a ransom in response to ransomware does not guarantee a successful outcome, will not protect networks from future attacks, nor will it prevent the possibility of future data leaks. In fact, paying a ransom is likely to encourage criminality to continue to use this approach.”

    Patel referred to the Colonial Pipeline ransomware attack as an example of just how disruptive ransomware attacks can be, as “cyber criminals have been increasingly focused on companies and organisations, taking the time to research their target so they can maximise their chance of releasing higher sums of money through extortion,” she said.

    The Home Secretary urged organisations to take heed of high-profile ransomware attacks and learn the necessary cybersecurity lessons in order to avoid becoming another victim of malware extortion campaigns. “Understand the consequence of an incident and how it will affect your organisation in the future – this is not just about the loss of data, there can be real disruption and significant impacts,” said Patel. “Ransomware, like other cyber crime types, has no boundaries. The challenge of investigating and identifying those responsible is one we share with our international partners,” she added.

    Last month, the director of UK intelligence agency GCHQ, Jeremy Fleming, spoke about the increasing danger posed by ransomware, warning that ransomware attacks are growing at an “alarming rate”.

  • This one change could protect your systems from attack. So why don't more companies do it?

    If there’s one thing an organisation should do to protect its network from cyber attacks, it’s turn on automatic updates for security patches, so that cyber criminals and other malicious hackers can’t exploit vulnerabilities which have already been fixed.

    The advice comes from the UK’s National Cyber Security Centre – the cyber arm of GCHQ – which recommends applying security patches as soon as they’re available as one of the simplest things an organisation can do to prevent intruders entering their networks.

    “Patching is now so much easier and so much less risky than it was when we first started doing this stuff. If there’s one thing that anyone out there wants to take away, turn on automatic updates, please – even if you’re an enterprise, turn on automatic updates,” said Dr Ian Levy, technical director of the NCSC, speaking at the cybersecurity agency’s CYBERUK 2021 virtual event. “The sort of things we’ve seen over the last six to nine months like the big vulnerabilities and the big incidents, a lot of them come down to people not patching properly. And I know it’s really boring but it is really important.”

    Levy detailed how the NCSC contacted organisations after the recent vulnerabilities in Microsoft Exchange Server came to light to encourage them to patch their systems – yet some of these still took weeks to apply the updates, all the while potentially leaving themselves open to cyber criminals and other hostile hacking groups actively looking to exploit the flaws. “People were taking weeks and weeks to patch, even though there was all the noise in the news, even though we were individually contacting them to say ‘hey, you’ve got a vulnerable Exchange server, please patch’,” he explained.

    When vulnerabilities are made public, cyber attackers will actively look for networks which have yet to apply the patches. But information security teams can beat criminal hackers to the punch by examining their own networks for potential vulnerabilities, such as unsecured internet-facing Remote Desktop Protocol (RDP) ports. “Think about how people select victims – look across your external facing stuff and you can see exactly what they can see,” Levy said. “As soon as RDP pops up, run back home and turn it off because it shouldn’t be connected to the internet any more.”

    But Levy also warned that some organisations don’t help themselves at all when it comes to applying security updates, noting that the NCSC is aware of over 1,000 endpoints in the UK which are still vulnerable to BlueKeep, a critical vulnerability in Microsoft’s RDP implementation which allows attackers to remotely execute malicious code on machines. It was detailed and patched two years ago, but the organisations which haven’t applied the update are still at risk from a vulnerability popular with cyber threat groups. “That’s not okay, that’s not been patched; we know that’s one of the favourite ways of various threat groups to get in – external facing unpatched vulnerabilities, you kind of deserve what you get if you’re on that space these days!,” said Levy.

    However, the vast majority of organisations are taking advice on board and learning from major incidents like the SolarWinds supply chain hack or the Microsoft Exchange server attacks – and one of the key things organisations need to do to secure their infrastructure from cyber threats is to provide their information security teams with the resources needed to do things like apply the patches.

    “This can be done, there are organisations, companies, sectors that do this effectively. This isn’t a technical problem any more, it’s an investment problem, it’s a skills problem, it’s making sure you use the right capabilities in the right way and make the right investment choices,” said Paul Chichester, director of operations at the NCSC. “This is not something that’s impossible to fix. Even the highest-end nation state, you can defend against those capabilities and the technology and capabilities are out there,” he added.

    The NCSC also hopes that the publicity around these high-profile cyber events is reaching the boardroom and that directors are taking notice and asking questions about how they can ensure they’re not the next organisation in the news for being breached. “My sense is the benefit of having SolarWinds as a shorthand for a much wider set of activity is there is a bit more conversation in the boardroom, there’s been a lot of coverage on this incident,” said Lindy Cameron, CEO of the NCSC. “My hope is CEOs are asking questions of their CISO and actually demanding to know there’s a system in place to make sure they can patch on a regular basis,” she added.