    Microsoft says it took down 94% of TrickBot's command and control servers

    Image: CSIS
    Last week, a coalition of cyber-security firms led by Microsoft orchestrated a global takedown against TrickBot, one of today’s largest malware botnets and cybercrime operations.

    Even though Microsoft brought down TrickBot infrastructure in the first few days, the botnet survived, and TrickBot operators brought new command and control (C&C) servers online in the hope of continuing their cybercrime spree.
    But as several sources in the cyber-security industry told ZDNet last week, everyone expected TrickBot to fight back, and Microsoft promised to continue cracking down against the group in the weeks to come.
    In an update posted today on its takedown efforts, Microsoft confirmed a second wave of takedown actions against TrickBot.
    94% of TrickBot servers taken down in a week
    The OS maker said it has slowly chipped away at TrickBot infrastructure over the past week and has taken down 94% of the botnet’s C&C servers, including the original servers and new ones brought online after the first takedown.
    “From the time we began our operation until October 18, we have taken down 120 of the 128 servers we identified as Trickbot infrastructure around the world,” said Tom Burt, CVP of Customer Security and Trust at Microsoft.
    Burt says Microsoft brought down 62 of the original 69 TrickBot C&C servers and 58 of the 59 servers TrickBot tried to bring online after last week’s takedown.
    The seven servers that could not be brought down last week were described as Internet of Things (IoT) devices.
    The reason these systems couldn’t be taken down right away was that they weren’t located inside web hosting companies and data centers, and the device owners couldn’t be reached via an “abuse email.”
    Additional coordination was needed with local internet service providers, but Microsoft says “these [devices] are in the process of being disabled.”
    Burt credited Microsoft’s swift response to the second wave of TrickBot server infrastructure to the company’s lawyers, who moved in quickly and requested new court orders to have these new servers taken down within days.
    Down, but not out
    The TrickBot botnet is still alive, but it has once again been brought to its knees. A few command and control servers remain online, allowing the TrickBot operators to keep control of their horde of infected devices.
    According to cyber-security firm Intel 471, these last few TrickBot C&C remnants are located in Brazil, Colombia, Indonesia, and Kyrgyzstan.
    How long TrickBot will survive is unclear, but Burt said Microsoft plans to hunt down TrickBot infrastructure at least until the US Presidential Elections, to be held on November 3.
    Burt said Microsoft is trying to prevent TrickBot from renting access to infected computers to ransomware gangs, something the TrickBot botnet is known to have done in the past.
    Microsoft fears that a badly timed ransomware attack might end up causing downtime for election systems, either directly, by encrypting election-related infrastructure, or indirectly, by impacting election-related supply chains.
    Such fears have been played down by most cyber-security experts, as ransomware gangs have a multitude of distribution methods at their disposal, and taking down TrickBot won’t necessarily mean that the elections are safe from ransomware attacks. Still, nobody’s mad at Microsoft for crippling a botnet that has given many system administrators nightmares for the past two years.
    Nonetheless, from afar, the takedown attempt doesn’t seem to have worried TrickBot operators too much, as they spent the last week trying to make new victims with the help of a partner malware botnet (Emotet).

    Had a feeling this would happen. Emotet often drops TrickBot, and a few months ago TrickBot was dropping Emotet. As a result they are able to recover some old bots, as well as infect new systems via Emotet. https://t.co/ijB87gqKJ1
    — MalwareTech (@MalwareTechBlog) October 14, 2020

    NSA publishes list of top vulnerabilities currently targeted by Chinese hackers

    Image: ZDNet, Tanguy Keryhuel, Martin Vorel
    The US National Security Agency has published today an in-depth report detailing the top 25 vulnerabilities that are currently being consistently scanned, targeted, and exploited by Chinese state-sponsored hacking groups.

    All 25 security bugs are well known and have patches available from their vendors, ready to be installed.
    Exploits for many vulnerabilities are also publicly available. Some have been exploited by more than just Chinese hackers, being also incorporated into the arsenal of ransomware gangs, low-level malware groups, and nation-state actors from other countries (i.e., Russia and Iran).
    “Most of the vulnerabilities listed below can be exploited to gain initial access to victim networks using products that are directly accessible from the Internet and act as gateways to internal networks,” the NSA said today.
    The US cyber-security agency urges organizations in the US public and private sector to patch systems for the vulnerabilities listed below.
    These include:
    1) CVE-2019-11510 – On Pulse Secure VPN servers, an unauthenticated remote attacker can send a specially crafted URI to exploit an arbitrary file read vulnerability. This may lead to exposure of keys or passwords.
    2) CVE-2020-5902 – On F5 BIG-IP proxies and load balancers, the Traffic Management User Interface (TMUI) —also referred to as the Configuration utility— is vulnerable to a Remote Code Execution (RCE) vulnerability that can allow remote attackers to take over the entire BIG-IP device.
    3) CVE-2019-19781 – Citrix Application Delivery Controller (ADC) and Gateway systems are vulnerable to a directory traversal bug, which can lead to remote code execution without the attacker having to possess valid credentials for the device. The directory traversal and code execution issues can be chained to take over Citrix systems.
    4+5+6) CVE-2020-8193, CVE-2020-8195, CVE-2020-8196 – Another set of Citrix ADC and Gateway bugs, which also impact SDWAN WAN-OP systems. The three bugs allow unauthenticated access to certain URL endpoints and information disclosure to low-privileged users.
    7) CVE-2019-0708 (aka BlueKeep) – A remote code execution vulnerability exists within Remote Desktop Services on Windows operating systems.
    8) CVE-2020-15505 – A remote code execution vulnerability in the MobileIron mobile device management (MDM) software that allows remote attackers to execute arbitrary code and take over remote company servers.
    9) CVE-2020-1350 (aka SIGRed) – A remote code execution vulnerability exists in Windows Domain Name System servers when they fail to properly handle requests.
    10) CVE-2020-1472 (aka Netlogon) – An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller using the Netlogon Remote Protocol (MS-NRPC).
    11) CVE-2019-1040 – A tampering vulnerability exists in Microsoft Windows when a man-in-the-middle attacker is able to successfully bypass the NTLM MIC (Message Integrity Check) protection.
    12) CVE-2018-6789 – Sending a handcrafted message to an Exim mail transfer agent may cause a buffer overflow. This can be used to execute code remotely and take over email servers.
    13) CVE-2020-0688 – A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory.
    14) CVE-2018-4939 – Certain Adobe ColdFusion versions have an exploitable Deserialization of Untrusted Data vulnerability. Successful exploitation could lead to arbitrary code execution.
    15) CVE-2015-4852 – The WLS Security component in Oracle WebLogic Server allows remote attackers to execute arbitrary commands via a crafted serialized Java object.
    16) CVE-2020-2555 – A vulnerability exists in the Oracle Coherence product of Oracle Fusion Middleware. This easily exploitable vulnerability allows an unauthenticated attacker with network access via T3 to compromise Oracle Coherence systems.
    17) CVE-2019-3396 – The Widget Connector macro in Atlassian Confluence Server allows remote attackers to achieve path traversal and remote code execution on a Confluence Server or Data Center instance via server-side template injection.
    18) CVE-2019-11580 – Attackers who can send requests to an Atlassian Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution.
    19) CVE-2020-10189 – Zoho ManageEngine Desktop Central allows remote code execution because of deserialization of untrusted data.
    20) CVE-2019-18935 – Progress Telerik UI for ASP.NET AJAX contains a .NET deserialization vulnerability. Exploitation can result in remote code execution.
    21) CVE-2020-0601 (aka CurveBall) – A spoofing vulnerability exists in the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. An attacker could exploit the vulnerability by using a spoofed code-signing certificate to sign a malicious executable, making it appear that the file was from a trusted, legitimate source.
    22) CVE-2019-0803 – An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory.
    23) CVE-2017-6327 – The Symantec Messaging Gateway can encounter a remote code execution issue.
    24) CVE-2020-3118 – A vulnerability in the Cisco Discovery Protocol implementation for Cisco IOS XR Software could allow an unauthenticated, adjacent attacker to execute arbitrary code or cause a reload of an affected device.
    25) CVE-2020-8515 – DrayTek Vigor devices allow remote code execution as root (without authentication) via shell metacharacters.

    Ransomware variants continue to evolve as crooks chase bigger paydays

    The number of ransomware attacks which threaten to leak stolen data if the victim doesn’t pay a ransom to get their encrypted files and servers back is growing – and this is being reflected in the changing nature of the cyber criminal market.
    Analysis by cybersecurity researchers at Digital Shadows found that over the last three months – between July and September – 80 percent of ransomware attacks combined with data dumps were associated with four families of ransomware – Maze, Sodinokibi, Conti and Netwalker.
    The period from April to June saw just three ransomware families account for 80 percent of alerts – DoppelPaymer, Maze and Sodinokibi.
    The way DoppelPaymer has dropped off, and how Conti and NetWalker have suddenly emerged as some of the most prolific threats, shows how the ransomware space continues to evolve, partly because of how successful it has already become for the crooks behind it.
    Maze was the first major family of ransomware to add threats of data breaches to their ransom demands and other ransomware operators have taken note – and stolen the additional extortion tactic.
    “There is an inherent competitive nature that has befallen the ransomware landscape. The saturated ransomware market pushes ransomware developers to cut through the noise and gain the best ransomware title,” Alec Alvarado, cyber threat intelligence analyst at Digital Shadows told ZDNet.
    “This title drives more affiliates to carry out their work and, thus, more successful attacks to reach their goal: to make as much money as possible”.
    Indeed, DoppelPaymer’s activity has dropped over the last few months – although it still remains active – enabling Conti and NetWalker to grab a larger slice of the pie.
    The evolution of NetWalker in itself provides a good summary of how ransomware has been changing. The ransomware first emerged in April 2019 when it began operating a ransomware-as-a-service model for cyber criminals who had to be vetted before being given access to the tools.
    Then in March 2020 the operations of NetWalker shifted from the mass-distribution of ransomware to a more clinical approach which targeted specific large organisations. So notorious did the cybercrime group become that the FBI issued a warning on NetWalker ransomware and the Covid-19 themed phishing emails it used to gain a foothold in networks.
    NetWalker’s potency has seen it rise up the ranks to become one of the most effective forms of ransomware – with the hackers making off with an average of around $175,000 in bitcoin following each successful campaign.
    But despite the continued success of ransomware, a few relatively simple cybersecurity measures can prevent an organisation from becoming yet another victim of this kind of attack.
    “Phishing is still a favored tactic of ransomware groups, so the common phishing mitigations apply here. Employee awareness and dedicated training around phishing that encapsulates exercises using simulated phishing emails help organizations reduce this threat,” said Alvarado.
    Organisations should also ensure that security patches are regularly applied across the network so that cyber criminals can’t exploit known vulnerabilities. In addition to this, regularly making backups of corporate data is helpful because, in the event of a ransomware attack, it’s possible to restore the network relatively swiftly without giving in to ransom demands.

    Google removes two Chrome ad blockers caught collecting user data

    Google has removed two ad blocker extensions from the official Chrome Web Store over the weekend after the two were caught collecting user data last week.

    The two extensions were named Nano Adblocker and Nano Defender, and had more than 50,000 and 200,000 installs, respectively, at the time they were taken down.
    The two had been around for more than a year, but the malicious code was not included with the original versions.
    The data collection code was added at the start of this month, in October 2020, after the original author sold the two extensions to “a team of Turkish developers.”
    After the sale, several users, including Raymond Hill, the author of the uBlock Origin ad blocker, came forward to point out that the two extensions were modified to include malicious code.
    “The extension is now designed to lookup[sic] specific information from your outgoing network requests according to an externally configurable heuristics and send it to https://def.dev-nano.com,” Hill said.
    After further analysis, this malicious code was found to collect information about users, such as:
    User IP address
    Country
    OS details
    Website URLs
    Timestamps for web requests
    HTTP methods (POST, GET, HEAD, etc.)
    Size of HTTP responses
    HTTP status codes
    Time spent on each web page
    Other URLs clicked on a web page
    In addition, the two Turkish developers also never modified the two extensions’ author fields, leaving the original author’s name in place, in what appeared to be an attempt to hide the sale and the culprit behind the malicious code.
    After being called out on GitHub, the two Turkish developers created a privacy policy page where they attempted to disclose the data collection behavior in a misguided attempt to legitimize the malicious code.
    However, this only made things easier for Google’s staff, as any type of extensive data collection is forbidden, per Chrome Web Store rules.
    The two extensions were taken down over the weekend and disabled in users’ Chrome browsers.
    The Firefox versions of Nano Adblocker and Nano Defender never contained the malicious code, as they were not part of the sale and were managed by a different developer.

    Two in five employees are not sure what a mobile phishing attack is

    The COVID-19 pandemic has clearly changed the way people work and accelerated the already growing remote work trend. This has also created new security challenges for IT departments, as employees increasingly use their own personal devices to access corporate data and services.
    The “Everywhere Enterprise” – in which employees, IT infrastructures, and customers are everywhere – has led to employees not prioritizing security in their new world of work.
    Mountain View, CA-based mobile security platform MobileIron has looked at the impact that lockdown has had on employees’ working habits. It polled 1,200 workers across the US, UK, France, Germany, Belgium, Netherlands, Australia, and New Zealand.
    The COVID-19 lockdown may have signalled the end for office working as we know it, as businesses shift towards the new way of working.
    The study showed that over four out of five (82%) of global participants agree they do not want to return to the office full-time, ever. This is despite one in three (30%) employees claiming that being isolated from their team was the biggest hindrance to productivity during lockdown.
    The current distributed remote work environment has also triggered a new threat landscape, with malicious actors increasingly targeting mobile devices with phishing attacks.
    These attacks range from basic to sophisticated and are likely to succeed, with many employees unaware of how to identify and avoid a phishing attack. Over two in five (43%) of employees are not even sure what a phishing attack is.
    Two in three (66%) agree their employers have the right solutions and technologies in place to allow them to work from home, and 72% of employees agree that their mobile device has been important to ensuring their productivity during lockdown.
    There are four types of people who are adapting to the working from home environment:
    Hybrid workers split time equally between working at home and going into the office for face-to-face meetings. Although they like working from home, being isolated from teammates is the biggest hindrance to productivity.
    They depend on a laptop and mobile device, along with secure access to email, CRM applications and video collaboration tools, to stay productive. They believe that IT security ensures productivity and enhances usability of devices, however, they are only somewhat aware of phishing attacks.
    Mobile workers work constantly on the go using a range of mobile devices, such as tablets and phones, and rely on public Wi-Fi networks, remote collaboration tools, and cloud suites for work. They view unreliable technology as the biggest hindrance to productivity because of that reliance on mobile devices.
    They view IT security as a hindrance to productivity as it slows down the ability to get tasks done. They also believe that IT security compromises personal privacy. They are the most likely to click on a malicious link due to a heavy reliance on mobile devices.
    Desktop workers find being away from teammates and working from home a hindrance to productivity and can’t wait to get back to the office. They prefer to work on a desktop computer from a fixed location than on mobile devices.
    They rely heavily on productivity suites to communicate with colleagues in and out of the office, and view IT security as a low priority for the IT department to deal with. They are only somewhat aware of phishing attacks.
    Frontline workers work from fixed and specific locations, such as hospitals or retail shops. They rely on purpose-built devices and applications, such as medical or courier devices and applications, and are not as dependent on personal mobile devices for productivity as others.
    They realize that IT security is essential to enabling productivity, and can not afford to have any device or application down time, given the specialist nature of their work.
    Brian Foster, SVP Product Management at MobileIron, said: “Hackers know that people are using their loosely secured mobile devices more than ever before to access corporate data, and are increasingly targeting them with phishing attacks.
    Every company needs to implement a mobile-centric security strategy that prioritizes user experience and enables employees to maintain maximum productivity on any device, anywhere, without compromising personal privacy.”
    Mobile devices now play a more critical role than ever before in ensuring productivity, so securing mobile devices, apps, and users should be every CIO’s top priority. 
    If only they had the time to focus on security instead of trying to keep their business going.

    Seven mobile browsers vulnerable to address bar spoofing attacks

    Image: Rapid7, ZDNet
    An “address bar spoofing” vulnerability refers to a bug in a web browser that allows a malicious website to modify its real URL and show a fake one instead — usually one for a legitimate site.
    Address bar spoofing vulnerabilities have been around since the early days of the web, but they have never been so dangerous as they are today.
    While on desktop browsers there are various signs and security features that could be used to detect when malicious code alters the address bar to display a bogus URL, this is not possible on mobile browsers where screen size is at a premium, and many of the security features found in desktop browsers are missing.
    With the address bar being the last and only line of defense on mobile browsers, address bar spoofing vulnerabilities are many times more dangerous on smartphones and other mobile devices.
    Ten address bar spoofing bugs found in seven mobile browsers
    In a report published today by cyber-security firm Rapid7, the company said it worked with Pakistani security researcher Rafay Baloch to disclose ten new address bar spoofing vulnerabilities across seven mobile browser apps.
    Impacted browsers include big names like Apple Safari, Opera Touch, and Opera Mini, but also niche apps like Bolt, RITS, UC Browser, and Yandex Browser.
    The issues were discovered earlier this year and reported to browser makers in August. The big vendors patched the issues right away, while the smaller vendors didn’t even bother replying to the researchers, leaving their browsers vulnerable to attacks.

    Image: Rapid7
    “Exploitation all comes down to ‘JavaScript shenanigans’,” said Rapid7’s Research Director, Tod Beardsley.
    The Rapid7 exec says that by messing with the timing between when the page loads and when the browser gets a chance to refresh the address bar URL, a malicious site could force the browser to show the wrong address.
    A finer breakdown of the technical “shenanigans” of each bug is available here, as detailed by Baloch.
    Exploiting any of these bugs requires (1) an outdated browser and (2) an attacker capable of luring users on malicious sites.
    Beardsley believes that attacks are easy to mount and recommends that users update their browsers as soon as possible or move to browsers that are not affected by these bugs.

    Git's move away from SHA-1: Version 2.29 brings experimental SHA-256 support

    The latest version of Linus Torvalds’ Git version-control system brings experimental support for the SHA-256 cryptographic hash, moving it away from its reliance on the less safe SHA-1. 
    Google and other researchers in 2017 showed that the SHAttered SHA-1 collision attack made it cheaper than previously thought to cause a SHA-1 collision. A collision occurs when two different files, in that case two PDFs with different content, are represented by the same SHA-1 hash value.

    The researchers highlighted that Git “strongly relies on SHA-1” for checking the integrity of file objects and commits. They argued SHA-1 was a tampering risk because it was possible to create “two Git repositories with the same head commit hash and different contents, say, a benign source code and a backdoored one”.
    Torvalds at the time said the SHA-1 collision attack did not mean the “sky is falling for Git”.  
    “Git doesn’t actually just hash the data, it does prepend a type/length field to it”, wrote Torvalds. This made Git harder to attack than a PDF.
    However, since then researchers from France and Singapore discovered the SHA-1 ‘chosen-prefix collision attack’, a cheaper version of the SHA-1 collision attack conducted by Google two years earlier.
    GitHub, which uses Git, also put collision-detection mitigations in place at the time. Ever since SHAttered arrived, the Git project has been hardening its SHA-1 implementation and gradually enabling support for the safer SHA-256.
    With experimental SHA-256 in Git 2.29, developers can now write a repository’s objects using a SHA-256 hash of its contents rather than SHA-1. 
    “Git (and providers that use it, like GitHub) checks each object it hashes to see if there is evidence that that object is part of a colliding pair,” explained GitHub’s Taylor Blau.  
    “This prevents GitHub from accepting both the benign and malicious halves of the pair, since the mathematical tricks required to generate a collision in any reasonable amount of time can be detected and rejected by Git.”
    He points out that nevertheless any weaknesses in a cryptographic hash are a bad sign. 
    “Even though Git has implemented detections that prevent the known attacks from being carried out, there’s no guarantee that new attacks won’t be found and used in the future. So the Git project has been preparing a transition plan to begin using a new object format with no known attacks: SHA-256.”
    With Git 2.29, Git can operate in full SHA-1 or full SHA-256 mode, but this means there is currently no interoperability between repositories using the different object formats, SHA-1 or SHA-256.
    Interoperability will be enabled in future by way of a translation table, allowing SHA-256 repositories to interact with SHA-1 clients. Neither GitHub nor its rivals currently support hosting SHA-256-enabled repositories.
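    As an added illustration, not Git’s own source, the object-ID computation the article refers to: Git hashes a “&lt;type&gt; &lt;size&gt;\0” header followed by the content (the “type/length field” Torvalds mentions), and the SHA-256 object format swaps only the hash function, so the same blob gets a 40-hex-digit ID in one format and a 64-hex-digit ID in the other, which is why a translation table is needed for interoperability. Function names and the translation-table sketch are assumptions for this example.

```python
import hashlib

OBJECT_TYPES = ("blob", "tree", "commit", "tag")
# Hex-digest lengths of the two object formats Git 2.29 can operate in.
FORMAT_BY_LENGTH = {40: "sha1", 64: "sha256"}


def git_object_id(content: bytes, obj_type: str = "blob", algo: str = "sha1") -> str:
    """Return the Git object ID of `content`: hash("<type> <size>\\0" + content)."""
    if obj_type not in OBJECT_TYPES:
        raise ValueError(f"unknown object type: {obj_type}")
    if algo not in FORMAT_BY_LENGTH.values():
        raise ValueError(f"unsupported object format: {algo}")
    header = f"{obj_type} {len(content)}\0".encode()  # the type/length prefix
    return hashlib.new(algo, header + content).hexdigest()


def raw_hash(content: bytes, algo: str = "sha1") -> str:
    """Hash of the bare content, as sha1sum/sha256sum would compute it."""
    return hashlib.new(algo, content).hexdigest()


def object_format_of(oid: str) -> str:
    """Infer the object format from an ID's length; mixed-format IDs are rejected."""
    try:
        return FORMAT_BY_LENGTH[len(oid)]
    except KeyError:
        raise ValueError(f"not a SHA-1 or SHA-256 object ID: {oid!r}") from None


def build_translation_table(blobs: list) -> dict:
    """Sketch of the sha256 -> sha1 mapping a translation table would hold.

    Assumption for this example: a repository that knows the content of every
    object can compute both IDs and map one format onto the other.
    """
    return {git_object_id(b, algo="sha256"): git_object_id(b, algo="sha1") for b in blobs}


def compare_formats(content: bytes) -> dict:
    """The same blob under both Git object formats, plus the raw file hash."""
    return {
        "sha1_object_id": git_object_id(content, algo="sha1"),
        "sha256_object_id": git_object_id(content, algo="sha256"),
        "raw_sha1": raw_hash(content, "sha1"),
    }


if __name__ == "__main__":
    # Constructed sample: the content `echo hello > file` would produce.
    sample = b"hello\n"
    for name, value in compare_formats(sample).items():
        print(f"{name}: {value}")
    table = build_translation_table([b"", sample])
    for sha256_id, sha1_id in table.items():
        print(f"{sha256_id} -> {sha1_id}")
```

The SHA-1 object IDs match what `git hash-object` prints for the same content; the raw SHA-1 of the file differs because of the header, which is the point Torvalds made.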

    Ransomware gang donates part of ransom demands to charity organizations

    Image: ZDNet
    A ransomware gang has donated a part of the ransom demands it extorted from victims to charity organizations.
    Current recipients include Children International, a non-profit for sponsoring children in extreme poverty, and The Water Project, a non-profit aiming to provide access to clean and reliable water across sub-Saharan Africa.
    Each organization received 0.88 bitcoin (~$10,000) last week, according to transactions on the Bitcoin blockchain [1, 2].
    The sender was a ransomware group going by the name of Darkside.
    Active since August 2020, the Darkside group is a classic “big game hunter,” meaning it specifically goes after large corporate networks, encrypts their data, and asks huge ransom demands in the realm of millions of US dollars.
    If victims don’t pay, the Darkside group leaks their data online, on a portal they are operating on the dark web.
    “As we said in the first press release – we are targeting only large profitable corporations,” the Darkside group wrote in a page on their dark web portal, published on Monday.
    “We think it’s fair that some of the money they’ve paid will go to charity. No matter how bad you think our work is, we are pleased to know that we helped change someone’s life,” the group also added, before posting proof of their two donations.

    Image: ZDNet
    This “press release,” as the group calls it, comes after a similar one published online in August, where the group promised not to encrypt files belonging to hospitals, schools, universities, non-profits, and the government sector.
    Whether they kept their promise is currently impossible to tell. Other ransomware gangs also promised not to attack the healthcare sector at the start of the COVID-19 pandemic, but eventually went back on their word.
    Further, the Darkside group isn’t the first cybercrime gang to donate money to charities and non-profits.
    In 2016, a hacker group going by the name of Phineas Fisher claimed they hacked a bank and donated the money to the Rojava autonomous Syrian province.
    In 2018, the GandCrab ransomware gang released free decryption keys for victims located in war-torn Syria.
    The GandCrab gang also added an exemption into their code that would not encrypt files for victims located in this country. Ironically, this unconventional exemption for Syrian victims is what helped security researchers tie the group to the REvil ransomware when the GandCrab group shut down and attempted to start a new operation under a new name (REvil, or Sodinokibi).