More stories

    Apple introduces privacy information for apps across all of its stores

    Image: Apple
    Apple has begun to publish privacy summaries in all of its app stores across iOS, iPadOS, macOS, watchOS, and tvOS, with developers now needing to answer a questionnaire as part of submitting an app or update.
    Cupertino says this requirement applies to all developers including itself. Developers are required to tell Apple whether apps collect information such as names, email address, phone numbers, home addresses, and health and fitness data.
    The information in the summary is broken down into three types: data used to track you, data linked to you, and data not linked to you.
    The first category is defined as data that is combined with data from other apps or sites for the purposes of advertising, or that is shared with data brokers; the linked category is data that is tied to a user account on the app or device.
    Users are still able to deny permissions within the app if they so choose.
    The summary is based entirely on the answers provided by the developer, with the existing app review process remaining separate.
    On the question of how developers will know what the privacy implications of the libraries they use are, Apple said it is seeing SDK makers updating their documentation in a way that provides information on privacy, but it remains the responsibility of developers to answer for the whole application.

    Apple said it may follow up with developers if the information provided is found to be incorrect or users report a discrepancy, and failure to honestly answer the questions has the potential to lead to delisting. The company added that national data regulators could treat the privacy summary as a public statement on which to regulate and base decisions upon.
    The current summary is not set in stone, with Apple saying it would evolve the requirement as time passes. The new information was first flagged in July.
    Next year, Apple will begin forcing developers to show users the new app tracking permission prompt when apps want to track users. The prompt arrived in the recent iOS 14 release.
    Cupertino also unveiled a privacy policy update on Monday, which was touted as complying with European GDPR definitions.
    “We treat any data that relates to an identified or identifiable individual or that is linked or linkable to them by Apple as ‘personal data’, no matter where the individual lives,” the policy states.
    “This means that data that directly identifies you — such as your name — is personal data, and also data that does not directly identify you, but that can reasonably be used to identify you — such as the serial number of your device — is personal data.”
    The policy says Apple does not use “algorithms or profiling” to make decisions that would significantly impact customers without a human conducting a review.
    The updated policy also applies to its partners and service providers, which includes the likes of Goldman Sachs.
    Apple said the data it collects from browser cookies is treated as “nonpersonal data”, but when combined with other personal data it holds, it falls under the personal data remit.

    SEC filings: SolarWinds says 18,000 customers were impacted by recent hack

    Image: SolarWinds, ZDNet
    IT software provider SolarWinds downplayed a recent security breach in documents filed with the US Securities and Exchange Commission on Monday.

    SolarWinds disclosed on Sunday that a nation-state hacker group breached its network and inserted malware in updates for Orion, a software application for IT inventory management and monitoring.
    Orion app versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, were tainted with malware, SolarWinds said in a security advisory.
    The trojanized Orion update allowed attackers to deploy additional and highly stealthy malware on the networks of SolarWinds customers.
    Only 18,000 of 300,000 customers affected
    But while initial news reports on Sunday suggested that all of SolarWinds’ customers were impacted, in SEC documents filed today SolarWinds said that of its 300,000 total customers, only 33,000 were using Orion, and that fewer than 18,000 are believed to have installed the malware-laced update.
    The company said it notified all its 33,000 Orion customers on Sunday, even if they didn’t install the trojanized Orion update, with information about the hack and mitigation steps they could take.

    In a security advisory on Sunday and SEC filings today, SolarWinds said it plans to release an Orion update on Tuesday that will contain code to remove any traces of the malware from customer systems.
    If customers can’t wait until Tuesday, Microsoft, FireEye, and the US Cybersecurity and Infrastructure Agency (CISA) have also published technical reports on Sunday with instructions on how to identify traces of the SolarWinds Orion-delivered malware (named SUNBURST by FireEye and Solarigate by Microsoft), remove it from systems, and detect if hackers pivoted with a second-stage attack to internal networks.
    SolarWinds Office 365 email account was also compromised
    But while details about how hackers pivoted from SolarWinds to customer networks via the tainted Orion malware have now come to light, SolarWinds has not yet said how hackers breached its own network.
    Nonetheless, in the same SEC documents, SolarWinds said that it also learned from Microsoft about a compromise of its Office 365 email and office productivity accounts.
    The company said it’s currently investigating if the attackers used access to the email accounts to steal customer data.
    SolarWinds did not specifically say that this email account compromise led to hackers gaining access to the server infrastructure supporting the Orion app’s update mechanism.
    One of the most consequential hacks in recent years
    The SolarWinds Orion platform hack is slowly turning out to be one of the most significant hacks in recent years.
    Currently, the SolarWinds security breach has been linked to hacks at US security firm FireEye, the US Treasury Department, and the US Department of Commerce’s National Telecommunications and Information Administration (NTIA).
    The hack is, however, expected to be much, much worse. Forbes reported today that SolarWinds is a major contractor for the US government, with regular customers including the likes of CISA, US Cyber Command, the Department of Defense, the Federal Bureau of Investigation, the Department of Homeland Security, Veterans Affairs, and many others.
    In addition, FireEye, which is investigating the incident as part of its own security breach, said the attackers also compromised targets all over the world, and not just in the US, including governments and private sector companies across several verticals.
    Citing industry sources, Reuters reported today that despite a broad install base for the Orion platform, the attackers appear to have focused only on a small number of high-value targets, leaving most Orion customers unaffected.
    Several IT administrators reported today that they found signs of the malware-laced Orion update on their systems, but they did not find signs of second-stage payloads, typically used by the attackers to escalate access to other systems and internal customer networks.

    That is consistent with what I’m seeing with customers. SW Orion with no IOC
    — Nicholas Zurfluh (@zurfluhn) December 14, 2020

    SolarWinds said in SEC documents today that in the first three quarters of 2020, revenue from the Orion product line brought in approximately $343 million, representing about 45% of the company’s total revenue.
    If customers end up abandoning the app, the fallout from this security breach will end up having a major impact on SolarWinds’ bottom line as well.

    Microsoft, FireEye confirm SolarWinds supply chain attack

    Hackers believed to be operating on behalf of a foreign government have breached software provider SolarWinds and then deployed a malware-laced update for its Orion software to infect the networks of multiple US companies and government networks, US security firm FireEye said today.

    FireEye’s report comes after Reuters, the Washington Post, and Wall Street Journal reported on Sunday intrusions at the US Treasury Department and the US Department of Commerce’s National Telecommunications and Information Administration (NTIA).
    The SolarWinds supply chain attack is also how hackers gained access to FireEye’s own network, which the company disclosed earlier this week.
    The Washington Post cited sources claiming that multiple other government agencies were also impacted.
    Reuters reported that the incident was considered so serious that it led to a rare meeting of the US National Security Council at the White House, a day earlier, on Saturday.
    Sources speaking with the Washington Post linked the intrusion to APT29, a codename used by the cyber-security industry to describe hackers associated with the Russian Foreign Intelligence Service (SVR).
    FireEye wouldn’t confirm the APT29 attribution and gave the group a neutral codename of UNC2452, although several sources in the cyber-security community told ZDNet the APT29 attribution, done by the US government, is most likely correct, based on current evidence.

    In security alerts sent to its customers in private on Sunday, Microsoft also confirmed the SolarWinds compromise and provided countermeasures to customers that may have been affected.
    Hackers deployed SUNBURST malware via Orion update
    SolarWinds published a press release late on Sunday admitting to the breach of Orion, a software platform for centralized monitoring and management, usually employed in large networks to keep track of all IT resources, such as servers, workstations, mobiles, and IoT devices.
    The software firm said that Orion update versions 2019.4 through 2020.2.1, released between March 2020 and June 2020, have been tainted with malware.
    FireEye named this malware SUNBURST and published a technical report earlier today, along with detection rules on GitHub.
    Microsoft named the malware Solorigate and added detection rules to its Defender antivirus.
    Image: Microsoft
    The number of victims was not disclosed.
    Despite initial reports on Sunday, the hacking campaign doesn’t appear to have targeted the US specifically.
    “The campaign is widespread, affecting public and private organizations around the world,” FireEye said.
    “The victims have included government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East. We anticipate there are additional victims in other countries and verticals,” FireEye added.
    SolarWinds said it plans to release a new update (2020.2.1 HF 2) on Tuesday, December 15, that “replaces the compromised component and provides several additional security enhancements.”
    The US Cybersecurity and Infrastructure Agency (CISA) has also issued an emergency directive with instructions on how government agencies can detect and analyze systems compromised with the SUNBURST malware.
    Update 23:45 ET to add the information about the Microsoft and CISA security alerts.

    PgMiner botnet attacks weakly secured PostgreSQL databases

    Security researchers have discovered this week a botnet operation that targets PostgreSQL databases to install a cryptocurrency miner.

    Codenamed by researchers as PgMiner, the botnet is just the latest in a long list of recent cybercrime operations that target web-tech for monetary profits.
    According to researchers at Palo Alto Networks’ Unit 42, the botnet operates by performing brute-force attacks against internet-accessible PostgreSQL databases.
    The attacks follow a simple pattern.
    The botnet randomly picks a public network range (e.g., 18.xxx.xxx.xxx) and then iterates through all IP addresses part of that range, searching for systems that have the PostgreSQL port (port 5432) exposed online.
    If PgMiner finds an active PostgreSQL system, the botnet moves from the scanning phase to its brute-force phase, where it shuffles through a long list of passwords in an attempt to guess the credentials for “postgres,” the default PostgreSQL account.
    If PostgreSQL database owners have forgotten to disable this user or to change its password, the hackers access the database and use the PostgreSQL COPY ... FROM PROGRAM feature (which runs a shell command on the database host) to escalate their access from the database application to the underlying server and take over the entire OS.
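The attack pattern above (a burst of failed logins against the default "postgres" account, followed by COPY ... FROM PROGRAM once a password is guessed) leaves a recognisable trail in the PostgreSQL server log. The following is an added example written for this page, not code from Unit 42 or ZDNet: a small detector that runs over constructed log lines. It assumes PostgreSQL's stderr log format with a log_line_prefix of '%t [%p] %r ' (timestamp, process id, remote host and port) and, for the COPY check, log_statement set to 'all'; the sample log, the IP addresses and the thresholds are all made up for illustration.

```python
"""Flag PgMiner-style brute forcing and COPY ... FROM PROGRAM use in PostgreSQL logs.

Added example (not Unit 42's or ZDNet's code). Assumes log_line_prefix = '%t [%p] %r '
and log_statement = 'all'; SAMPLE_LOG below is constructed, not a real capture.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A failed password login as PostgreSQL writes it, behind the assumed prefix.
FAILED_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ \[\d+\] (?P<host>[^(\s]+)\(\d+\) '
    r'FATAL:  password authentication failed for user "(?P<user>[^"]+)"'
)
# Any logged statement that reaches for the server-side command execution feature.
COPY_PROGRAM_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ \[\d+\] (?P<host>[^(\s]+)\(\d+\) '
    r'LOG:  statement: .*\bCOPY\b.*\bFROM\s+PROGRAM\b',
    re.IGNORECASE,
)

# Constructed sample: one source hits the default "postgres" account six times in
# six seconds, another source has a single failure on an application role, and the
# first source later issues a COPY ... FROM PROGRAM statement (a benign command here).
SAMPLE_LOG = """\
2020-12-14 10:00:01 UTC [4101] 203.0.113.7(51000) FATAL:  password authentication failed for user "postgres"
2020-12-14 10:00:02 UTC [4102] 203.0.113.7(51001) FATAL:  password authentication failed for user "postgres"
2020-12-14 10:00:03 UTC [4103] 203.0.113.7(51002) FATAL:  password authentication failed for user "postgres"
2020-12-14 10:00:04 UTC [4104] 203.0.113.7(51003) FATAL:  password authentication failed for user "postgres"
2020-12-14 10:00:05 UTC [4105] 203.0.113.7(51004) FATAL:  password authentication failed for user "postgres"
2020-12-14 10:00:06 UTC [4106] 203.0.113.7(51005) FATAL:  password authentication failed for user "postgres"
2020-12-14 10:00:09 UTC [4110] 198.51.100.20(40000) FATAL:  password authentication failed for user "app_user"
2020-12-14 10:05:00 UTC [4120] 203.0.113.7(51010) LOG:  statement: COPY scratch FROM PROGRAM 'uname -a'
"""


def parse_failed_logins(text):
    """Return (timestamp, remote host, user) for every failed password login."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["host"], m["user"]))
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Map host -> peak number of failures inside any sliding window, for hosts
    that reach the threshold. A sliding window avoids missing bursts that
    straddle a fixed minute boundary."""
    by_host = defaultdict(list)
    for ts, host, _user in events:
        by_host[host].append(ts)
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for host, stamps in by_host.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged


def find_copy_program(text):
    """Return the remote hosts that issued a COPY ... FROM PROGRAM statement."""
    return [m["host"] for m in (COPY_PROGRAM_RE.match(l) for l in text.splitlines()) if m]


def analyze(text, threshold=5, window_seconds=60):
    events = parse_failed_logins(text)
    return {
        "bruteforce": find_bruteforce(events, threshold, window_seconds),
        "default_account_targeted": sorted({h for _, h, u in events if u == "postgres"}),
        "copy_from_program": find_copy_program(text),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The two signals are worth treating separately: a brute-force burst against "postgres" from an internet-facing address is a reason to check pg_hba.conf and the account's password, while any COPY ... FROM PROGRAM from a remote client is a reason to examine the host itself, because by that point the attacker already has superuser-level access.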

    Once they have a more solid hold on the infected system, the PgMiner crew deploys a coin-mining application and attempts to mine as much Monero cryptocurrency as possible before being detected.
    According to Unit 42, at the time of their report, the botnet only had the ability to deploy miners on Linux MIPS, ARM, and x64 platforms.
    Other notable features of the PgMiner botnet include the fact that its operators have been controlling infected bots via a command and control (C2) server hosted on the Tor network and that the botnet’s codebase appears to resemble the SystemdMiner botnet.

    Image: Palo Alto Networks
    PgMiner marks the second time a coin-miner operation targets PostgreSQL databases, with similar attacks seen in 2018, carried out by the StickyDB botnet.
    Other database technologies that have also been targeted by crypto-mining botnets in the past include MySQL, MSSQL, Redis, and OrientDB.

    Former Cisco engineer sentenced to prison for deleting 16k Webex accounts

    Cisco
    A former Cisco engineer was sentenced this week to 24 months in prison for accessing Cisco’s network without authorization after he left the company and then destroying servers that hosted infrastructure for the Cisco Webex Teams service.

    Sudhish Kasaba Ramesh, 31, of San Jose, was formally charged earlier this year in July and pleaded guilty a month later in August.
    According to court documents, Ramesh worked for Cisco between July 2016 and April 2018, when he resigned and joined another company.
    However, for reasons not mentioned in the indictment, five months later, in September 2018, Ramesh accessed Cisco’s cloud infrastructure hosted on Amazon’s Web Services.
    Investigators said Ramesh then proceeded to run a script that deleted 456 virtual machines that were supporting Cisco’s video conferencing software WebEx Teams, actions that resulted in the temporary deletion of more than 16,000 Webex accounts.
    It took Cisco two weeks to recover the accounts and rebuild its systems, costing the company more than $2.4 million, with $1,400,000 in employee time and $1,000,000 in customer refunds.
    The tech giant’s management brought the case to law enforcement as soon as it realized the Webex Teams outage was the result of intentional sabotage and not a server issue.

    Although Ramesh apologized for his actions, the former Cisco engineer never explained what drove him to delete Cisco’s servers.
    Besides serving the next two years in prison, Ramesh was also ordered to pay a $15,000 fine.
    Ramesh was also fired from his job at his current employer, personal styling service Stitch Fix, and is scheduled to begin his prison sentence next year, on February 10.
    Cisco said that the incident didn’t expose any of its customers’ data, and the company restored service to all affected parties.

    Zero-day in WordPress SMTP plugin abused to reset admin account passwords

    Hackers are resetting passwords for admin accounts on WordPress sites using a zero-day vulnerability in a popular WordPress plugin installed on more than 500,000 sites.
    The zero-day was used in attacks over the past weeks and was patched on Monday.
    It impacts Easy WP SMTP, a plugin that lets site owners configure the SMTP settings for their website’s outgoing emails.
    According to the team at Ninja Technologies Network (NinTechNet), Easy WP SMTP 1.4.2 and older versions of the plugin contain a feature that creates debug logs for all emails sent by the site, which it then stores in its installation folder.
    “The plugin’s folder doesn’t have any index.html file, hence, on servers that have directory listing enabled, hackers can find and view the log,” said NinTechNet’s Jerome Bruandet. 

    Image: NinTechNet
    Bruandet says that on sites running vulnerable versions of this plugin, hackers have been carrying out automated attacks to identify the admin account and then initiate a password reset.
    Since a password reset involves sending an email with the password reset link to the admin account, this email is also recorded in the Easy WP SMTP debug log.

    All attackers have to do is access the debug log after the password reset, grab the reset link, and take over the site’s admin account.

    Image: NinTechNet
    “This vulnerability is currently exploited, make sure to update as soon as possible to the latest version,” Bruandet warned earlier this week on Monday.
    The plugin’s developers have fixed this issue by moving the plugin’s debug log into the WordPress logs folder, where it’s better protected. The version where this bug was fixed is Easy WP SMTP 1.4.4, according to the plugin’s changelog.
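The exposure described above comes down to three things that can be checked on the server itself: an Easy WP SMTP version older than the fixed 1.4.4, a debug log sitting inside the web-accessible plugin folder, and no index file in that folder to blunt directory listing. The following is an added example for this page, not NinTechNet's or the plugin authors' code: a local audit that walks a WordPress install on disk. It assumes the plugin lives under wp-content/plugins/easy-wp-smtp/ with its version in the standard "Version:" header of easy-wp-smtp.php, and that the debug log's file name contains "debug" (the article does not give the real file name, so that is a guess); the sample install it builds is constructed in a temporary directory.

```python
"""Local audit for the Easy WP SMTP debug-log exposure on a WordPress install.

Added example, not the plugin's or NinTechNet's code. Assumed layout:
wp-content/plugins/easy-wp-smtp/easy-wp-smtp.php with a 'Version:' header,
and a debug log whose name contains 'debug' (assumption) in that folder.
The fixed version, 1.4.4, is taken from the article.
"""
import re
import tempfile
from pathlib import Path

FIXED_VERSION = (1, 4, 4)
PLUGIN_DIR = Path("wp-content/plugins/easy-wp-smtp")
MAIN_FILE = "easy-wp-smtp.php"          # assumed plugin entry file
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([\d.]+)", re.MULTILINE)


def parse_version(header_text):
    """Pull the version tuple out of a WordPress plugin header block."""
    m = VERSION_RE.search(header_text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_vulnerable_version(version):
    # Treat everything below the fixed release as needing an update.
    return version is not None and version < FIXED_VERSION


def audit(wp_root):
    """Return the findings for one WordPress root directory."""
    plugin = Path(wp_root) / PLUGIN_DIR
    main_file = plugin / MAIN_FILE
    if not main_file.is_file():
        return {"installed": False, "version": None, "findings": []}
    findings = []
    version = parse_version(main_file.read_text(errors="replace"))
    if is_vulnerable_version(version):
        findings.append("plugin version %s is older than 1.4.4" % ".".join(map(str, version)))
    for p in plugin.iterdir():
        if p.is_file() and "debug" in p.name.lower():
            findings.append("debug log present in web-accessible plugin folder: " + p.name)
    if not (plugin / "index.html").exists() and not (plugin / "index.php").exists():
        findings.append("no index.html/index.php in plugin folder; directory listing would expose files")
    return {"installed": True, "version": version, "findings": findings}


def build_sample_install(root, version, with_debug_log, with_index):
    """Construct a minimal fake WordPress tree for the demonstration (not real plugin code)."""
    plugin = Path(root) / PLUGIN_DIR
    plugin.mkdir(parents=True, exist_ok=True)
    (plugin / MAIN_FILE).write_text("<?php\n/*\nPlugin Name: Easy WP SMTP\nVersion: %s\n*/\n" % version)
    if with_debug_log:
        (plugin / "debug_log.txt").write_text("constructed log entry\n")
    if with_index:
        (plugin / "index.html").write_text("")
    return root


def demo():
    """Audit a vulnerable-looking install and a patched one; returns both results."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_install(tmp, "1.4.2", with_debug_log=True, with_index=False)
        results["before"] = audit(tmp)
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_install(tmp, "1.4.4", with_debug_log=False, with_index=True)
        results["after"] = audit(tmp)
    return results


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

Run against a real document root, audit() gives a site owner the same three facts the researcher relied on, without touching the web server at all; a leftover log from a version that has since been updated still counts as a finding, because the reset emails it already captured do not go away with the patch.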
    This marks the second zero-day discovered in this very popular plugin. A first zero-day was discovered being abused in the wild in March 2019, when hackers used an Easy WP SMTP vulnerability to enable user registration and then created backdoor admin accounts.
    The good news is that, compared to March 2019, the WordPress CMS now has a built-in auto-update function for themes and plugins.
    Added in August 2020 with the release of WordPress 5.5, this feature, if enabled, allows plugins to update themselves so that they always run the latest version, instead of waiting for an admin’s button press.
    However, it is currently unclear how many WordPress sites have this feature enabled and how many of the 500,000+ WordPress sites are currently running the latest (patched) Easy WP SMTP version.
    According to WordPress.org stats, the number isn’t that high, meaning that many sites remain vulnerable to attacks.

    Image: ZDNet

    This new ransomware is growing in strength and could become a major threat, warn researchers

    Ransomware which demands millions of dollars from victims and is being updated with new features could become another serious threat to businesses.
    MountLocker ransomware first emerged in July and encrypts the networks of victims with the attackers demanding bitcoin in exchange for the decryption key. Like other forms of ransomware, the criminal hackers behind it threaten to leak stolen information from the victim organisation if the bitcoin ransom isn’t paid.
    Cybersecurity researchers at BlackBerry have been analysing MountLocker and say that those behind it are “clearly just warming up” – and this family of ransomware could become a major threat going forward.
    Researchers note that MountLocker takes advantage of an affiliate scheme in order to find victims, likely negotiating with hackers who’ve already compromised a network with malware in order to make the deployment of the ransomware as easy and widespread as possible – and providing a means for both parties to illicitly make money from the network compromise.
    “Affiliates are often separate organised crime groups, who go looking for easy – and not so easy – entry into networks,” Tom Bonner, distinguished threat researcher at Blackberry told ZDNet.
    “Once they have established a foothold they will begin negotiations with ransomware operators, usually via dark web channels, in order to obtain a ransomware to monetize the access to the victim’s environment,” he added.

    While it’s possible for hackers to breach the network using malware, it’s common for outsiders to gain access by guessing weak, commonly used or default passwords and then escalate their privileges from there.
    In this case, the MountLocker crew spread across the network with publicly available tools, deploying the ransomware in as little as 24 hours. Once the command to execute the ransomware is initiated, victims find themselves locked out of their network and facing a seven-figure ransom demand.
    Analysis of campaigns found that an updated version of MountLocker, designed to encrypt files more efficiently and to better evade detection by security software, emerged last month.
    While MountLocker still appears to be in a relatively early stage of development, it’s already proved effective by claiming victims around the world and it’s likely to become more prolific as it evolves.
    “Since its inception, the MountLocker group have been seen to both expand and improve their services and malware. While their current capabilities are not particularly advanced, we expect this group to continue developing and growing in prominence over the short term,” says the research paper.
    Like all forms of ransomware, MountLocker takes advantage of common security weaknesses in order to spread, so some of the best ways to protect against falling victim to it are to ensure that default passwords aren’t used, two-factor authentication is applied, and networks are updated with the latest security patches to counter known vulnerabilities.
    It’s also useful for organisations to have a plan in place, so that if they do fall victim to a ransomware attack, they’re able to react accordingly.
    “With the highly targeted and increasingly sophisticated nature of these attacks, it is highly advisable to have disaster recovery plans in place like secure backups, and to test backups frequently,” said Bonner.

    Update now: Researchers warn of security vulnerabilities in these widely used point-of-sale terminals

    Security vulnerabilities in point-of-sale (PoS) terminals produced by two of the biggest manufacturers of these devices in the world could have allowed cyber criminals to steal credit card details, clone terminals and commit other forms of financial fraud at the cost of both buyers and retailers.
    The vulnerabilities in Verifone and Ingenico products – which are used in millions of stores around the world – have been detailed by independent researcher Aleksei Stennikov and Timur Yunusov, head of offensive security research at Cyber R&D Lab, during a presentation at Black Hat Europe 2020.
    After being disclosed to the vendors, the vulnerabilities can now be fixed by applying security patches – although it cannot be certain that retailers and others involved in the distribution and use of the PoS terminals have applied the updates.
    One of the key vulnerabilities in both brands of device is the use of default passwords, which could provide attackers with access to a service menu and the ability to manipulate or change the code on the machines in order to run malicious commands.
    Researchers say these security issues have existed for at least 10 years while some have even existed in one form or another for up to 20 years – although the latter are mostly in legacy elements of the device which are no longer used.
    Attackers could gain access to the devices to manipulate them in one of two ways. Either they physically gain access to the PoS terminal, or they gain access remotely via the network and then execute arbitrary code, exploit buffer overflows or use other common techniques which can provide an escalation of privileges and the ability to control the device – and see and steal the data that goes through it.

    Remote access is possible if an attacker gains access to the network via phishing or another attack and then moves freely around the network to the PoS terminal.
    Ultimately, the PoS machine is a computer, and if it’s connected to the network and the internet, then attackers can attempt to gain access to and manipulate it like any other insecure machine.
    The way the PoS terminal communicates with the rest of the network means attackers could access unencrypted card data, including Track2 and PIN information, providing all the information required to steal and clone payment cards.
    In order to protect against attacks exploiting PoS vulnerabilities, it’s recommended that retailers using the devices ensure they’re patched and up to date and they should avoid using default passwords where possible.
    It’s also recommended that if possible, PoS devices are on a different network to other devices, so if an attacker does gain access to the network via a Windows system, it’s not as simple for them to pivot to the PoS devices.
    Both PoS device manufacturers have confirmed they were informed of the vulnerabilities and that a patch has been released to prevent attackers exploiting them. Neither firm is aware of any instances of the vulnerabilities being exploited in the wild.
    “Ingenico has not been made aware of any fraudulent access to payments data resulting from these vulnerabilities, already fully corrected. Every day, Ingenico works hard to implement, on a continuing basis, the highest standards of latest security technologies in order to protect its customers and end users and is closely monitoring the situation to avoid reoccurrence of this issue,” an Ingenico spokesperson told ZDNet. 
    “We are aware of the issues raised potentially affecting a subset of our legacy payment devices. To date we are not aware of these vulnerabilities being exploited in the market,” a Verifone spokesperson told ZDNet.
    “The security firm has validated that our latest patches and software updates, which are available to all customers, remedy these vulnerabilities. Customers are currently in different phases of implementing these patches or software updates”.