More stories

  • Payment card security remains lax, says Verizon Business report

    Payment security is getting weaker as 27.9% of global organizations were in full compliance with the Payment Card Industry Data Security Standard (PCI DSS), according to Verizon.
    The Verizon Business 2020 Payment Security Report highlights that PCI DSS compliance is down 27.5% from 2016. Full PCI DSS compliance means meeting all 12 requirements:
      • Protect your system with firewalls
      • Configure passwords and settings
      • Protect stored cardholder data
      • Encrypt transmission of cardholder data across open, public networks
      • Use and regularly update anti-virus software
      • Regularly update and patch systems
      • Restrict access to cardholder data to business need to know
      • Assign a unique ID to each person with computer access
      • Restrict physical access to workplace and cardholder data
      • Implement logging and log management
      • Conduct vulnerability scans and penetration tests
      • Documentation and risk assessments
    Verizon’s findings are a bit alarming given that credit cards are a big target for cybercrime. Consider a few recent events:
    According to Verizon, companies are struggling to retain qualified chief information security officers and lack long-term planning.
    Among the key items in the report:
      • 51.9% successfully test security systems and processes as well as unmonitored system access.
      • Two-thirds of all businesses track and monitor access to business-critical systems.
      • 70.6% of financial institutions maintain essential perimeter security controls.
    Here’s a look at the five-year trends for full PCI DSS compliance by requirement.

    A look at the five-year trends for complying with the 12 requirements of payment card security. (Image: Verizon)

  • Cisco ordered to pay $1.9b in cyber patent loss

    Cisco has been ordered by a US District judge to pay over $1.9 billion to a Virginian security company for infringing upon four cybersecurity patents.
    Senior District Judge Henry Morgan made the decision following a month-long trial over video conference, saying it was “clear and not a close call”. The trial did not use a jury due to the coronavirus pandemic.
    The Virginian company, Centripetal Networks, made the allegations at the start of 2018 after it claimed Cisco’s network devices used its solutions and patents.
    According to Morgan, virtually all of Cisco’s exhibits, technical documents, and demonstratives for the trial focused on its old technology rather than the accused products.
    “Their demonstratives of the functionality of Cisco’s accused products were not based upon their own current technical documents, but rather upon inaccurate animations produced post facto for use in the litigation which served to confuse the issues, rather than inform the court,” Morgan said.
    “Most of Cisco’s challenges amounted to no more than conclusory statements by its experts without evidentiary support.”
    The $1.9 billion owed to Centripetal Networks comprises $1.89 billion in damages and $13.7 million in interest.
    While the actual damages suffered by Centripetal Networks amounted to around $755 million, the court multiplied that figure by 2.5 to reflect Cisco’s wilful and egregious conduct in infringing upon the cybersecurity patents.
    In addition, the court also ordered a running royalty of 10% on the apportioned sales of Cisco’s products that infringed upon Centripetal Networks’ patents. These royalties will be paid for a period of three years, followed by a second three-year term at a running royalty of 5%.
    Cisco said it was disappointed with the decision and would make an appeal at the US Court of Appeals for the Federal Circuit.
    “We are disappointed with the trial court’s decision given the substantial evidence of non-infringement, invalidity and that Cisco’s innovations predate the patents by many years,” Cisco said in a statement.

  • Microsoft says Iranian hackers are exploiting the Zerologon vulnerability

    Microsoft said on Monday that Iranian state-sponsored hackers are currently exploiting the Zerologon vulnerability in real-world hacking campaigns.
    Successful attacks would allow hackers to take over servers known as domain controllers (DC) that are the centerpieces of most enterprise networks and enable intruders to gain full control over their targets.
    The Iranian attacks were detected by Microsoft’s Threat Intelligence Center (MSTIC) and have been going on for at least two weeks, the company said today in a short tweet.

    MSTIC has observed activity by the nation-state actor MERCURY using the CVE-2020-1472 exploit (ZeroLogon) in active campaigns over the last 2 weeks. We strongly recommend patching. Microsoft 365 Defender customers can also refer to these detections: https://t.co/ieBj2dox78
    — Microsoft Security Intelligence (@MsftSecIntel) October 5, 2020

    MSTIC linked the attacks to a group of Iranian hackers that the company tracks as MERCURY, but who are more widely known under their moniker of MuddyWater.
    The group is believed to be a contractor for the Iranian government working under orders from the Islamic Revolutionary Guard Corps, Iran’s primary intelligence and military service.
    According to Microsoft’s Digital Defense Report, this group has historically targeted NGOs, intergovernmental organizations, government humanitarian aid, and human rights organizations.
    Nonetheless, Microsoft says that Mercury’s most recent targets included “a high number of targets involved in work with refugees” and “network technology providers in the Middle East.”
    Attacks began after public Zerologon PoC
    Zerologon was described by many as the most dangerous bug disclosed this year. The bug is a vulnerability in Netlogon, the protocol used by Windows systems to authenticate against a Windows Server running as a domain controller.
    Exploiting the Zerologon bug can allow hackers to take over an unpatched domain controller, and inherently a company’s internal network.
    Attacks usually need to be carried out from internal networks, but if the domain controller is exposed online, they can also be carried out remotely over the internet.
    Microsoft issued patches for Zerologon (CVE-2020-1472) in August, but the first detailed write-up about this bug was published in September, delaying most of the attacks.
    But while security researchers delayed publishing details to give system administrators more time to patch, weaponized proof-of-concept code for Zerologon was published almost on the same day as the detailed write-up, spurring a wave of attacks within days.
    Following the bug’s disclosure, DHS gave federal agencies three days to patch domain controllers or disconnect them from federal networks in order to prevent attacks, which the agency was expecting to come — and they did, days later.

    Microsoft is actively tracking threat actor activity using exploits for the CVE-2020-1472 Netlogon EoP vulnerability, dubbed Zerologon. We have observed attacks where public exploits have been incorporated into attacker playbooks.
    — Microsoft Security Intelligence (@MsftSecIntel) September 24, 2020

    The MERCURY attacks appear to have begun around one week after this proof-of-concept code was published, and around the same time, Microsoft began detecting the first Zerologon exploitation attempts.

  • Hackers claim they can now jailbreak Apple's T2 security chip

    By combining two exploits initially developed for jailbreaking iPhones, security researchers claim they can also jailbreak Macs and MacBook devices that include Apple’s latest line of T2 security chips.
    While exploitation is still pretty complex, the technique of combining the two exploits has been mentioned on Twitter and Reddit over the past few weeks, having been tested and confirmed by several of today’s top Apple security and jailbreaking experts.

    With @checkra1n 0.11.0, you can now jailbreak the T2 chip in your Mac. An incredible amount of work went into this and it required changes at multiple levels. There’s too many people to tag, but shoutout to everyone who worked on getting this incredible feature shipped.
    — Jamie Bishop (@jamiebishop123) September 22, 2020

    checkm8 + blackbird and the T2 SEP is all yours…
    — Siguza (@s1guza) September 5, 2020

    If exploited correctly, this jailbreaking technique allows users/attackers to gain full control over their devices to modify core OS behavior or be used to retrieve sensitive or encrypted data, and even plant malware.
    What are T2 chips?
    For Apple users and ZDNet readers that are not aware of what T2 is, this is a special co-processor that is installed alongside the main Intel CPU on modern Apple desktops (iMac, Mac Pro, Mac mini) and laptops (MacBooks).
    T2 chips were announced in 2017 and began shipping with all Apple devices sold since 2018.
    Their role is to function as a separate CPU, also known as a co-processor. By default, they handle audio processing and various low-level I/O functions in order to help lift some load off the main CPU.
    However, they also serve as a “security chip” —as a Secure Enclave Processor (SEP)— that processes sensitive data like cryptographic operations, KeyChain passwords, TouchID authentication, and the device’s encrypted storage and secure boot capabilities.
    In other words, they have a significant role in every recent Apple desktop device, where the chips underpin most security features.
    How the jailbreak works
    Over the summer, security researchers figured out a way to break T2 chips: they found a way to run code inside the security chip during its boot-up routine and alter its normal behavior.
    The attack requires combining two other exploits that were initially designed for jailbreaking iOS devices — namely Checkm8 and Blackbird. This works because of some shared hardware and software features between T2 chips and iPhones and their underlying hardware.
    According to a post from Belgian security firm ironPeak, jailbreaking a T2 security chip involves connecting to a Mac/MacBook via USB-C and running version 0.11.0 of the Checkra1n jailbreaking software during the Mac’s boot-up process.
    Per ironPeak, this works because “Apple left a debugging interface open in the T2 security chip shipping to customers, allowing anyone to enter Device Firmware Update (DFU) mode without authentication.”
    “Using this method, it is possible to create a USB-C cable that can automatically exploit your macOS device on boot,” ironPeak said.
    This allows an attacker to get root access on the T2 chip and modify and take control of anything running on the targeted device, even recovering encrypted data.
    Danger to users
    The danger regarding this new jailbreaking technique is pretty obvious. Any Mac or MacBook left unattended can be hacked by someone who can connect a USB-C cable, reboot the device, and then run Checkra1n 0.11.0.
    The news isn’t especially great for travelers during security checks at border crossings, or for enterprises that run large fleets of Macs and MacBook notebooks, all of which are now exposed to having their secrets pilfered in classic evil maid attacks.
    However, the new jailbreaking method also opens the door for new law enforcement investigation tools that could allow investigators to access suspects’ Macs and MacBooks to retrieve information that would have been previously encrypted.
    Unpatchable
    Unfortunately, since this is a hardware-related issue, all T2 chips are to be considered unpatchable.
    The only way users can deal with the aftermath of an attack is to reinstall BridgeOS, the operating system that runs on T2 chips.
    “If you suspect your system to be tampered with, use Apple Configurator to reinstall bridgeOS on your T2 chip described here. If you are a potential target of state actors, verify your SMC payload integrity using e.g. rickmark/smcutil and don’t leave your device unsupervised,” ironPeak said.
    Apple did not return a request for comment.

  • Ransomware victims aren't reporting attacks to police. That's causing a big problem

    Many victims of ransomware aren’t reporting attacks to police, making it harder to measure the level of crime and to tackle the gangs involved.
    Europol’s Internet Organised Crime Threat Assessment 2020 report details the key forms of cyber crime which pose a threat to businesses right now and ransomware remains one of the main concerns, especially as these gangs increasingly display high levels of skill and sophistication.
    In many cases, ransomware gangs don’t just encrypt the network with malware and demand hundreds of thousands or millions of dollars in bitcoin, they’ll also threaten to leak stolen sensitive corporate files or personal data if they don’t receive a payment.
    And while ransomware is one of the most high profile forms of cyber attack, Europol’s report warns that it remains an under-reported crime as many organisations still aren’t coming forward to law enforcement after falling victim.
    Several law enforcement agencies across Europe say they’ve only heard of ransomware cases via reports in local media.
    The report suggests that approaching police to start a criminal investigation was “not generally a priority” for victims, who are more concerned with maintaining business continuity and limiting reputational damage. For some, the idea of getting law enforcement involved could be seen as a risk to their reputation.
    That’s why some businesses are choosing to engage with what Europol describes as “private sector security firms” to investigate attacks or negotiate ransom payments, instead of approaching the authorities.
    Companies do this so evidence of the attack and their response to it can remain outside the public eye, especially given how law enforcement agencies recommend that organisations should never give into the demands of cyber criminals. But many businesses still view paying the ransom as the quickest and easiest way of restoring operations, even if cyber criminal groups can’t always be trusted to keep their word.
    And on top of the moral quandaries when it comes to dealing with cyber criminals or private negotiators, police warn that not reporting ransomware attacks is detrimental to others.
    “By using such companies, victims will not file an official complaint, which increases the lack of visibility and awareness concerning real figures of ransomware attacks among law enforcement,” says the Europol paper.
    “Not reporting cases to law enforcement agencies will obviously hamper any efforts, as important evidence and intelligence from different cases can be missed”.
    But it isn’t only businesses actively trying to avoid publicity that fail to report ransomware attacks; the report notes that some victims simply don’t believe law enforcement is able to do anything to help.
    However, the report adds that investigating every attack possible helps the authorities build up a better picture of the ransomware landscape and how to potentially prevent attacks or aid organisations which fall victim.
    For example, Europol’s No More Ransom portal provides free decryption keys for various families of ransomware. The keys are provided by both cybersecurity companies and law enforcement agencies which have been able to break the encryption following investigation of the ransomware. If organisations don’t report ransomware attacks, it could prevent other victims from being able to use free tools like this.

  • Chinese hacker group spotted using a UEFI bootkit in the wild

    A Chinese-speaking hacking group has been observed using a UEFI bootkit to download and install additional malware on targeted computers.
    UEFI firmware is a crucial component of every computer. It lives in a flash memory chip soldered to the motherboard, initializes and controls the computer’s hardware components, and boots the actual user-facing OS (such as Windows, Linux, macOS, etc.).
    Attacks on UEFI firmware are the Holy Grail of every hacker group, as planting malicious code here allows it to survive OS reinstalls.
    Nonetheless, despite these benefits, UEFI firmware attacks are rare because tampering with this component is particularly hard as attackers either need physical access to the device or they need to compromise targets via complex supply chain attacks where the UEFI firmware or tools that work with UEFI firmware are modified to insert malicious code.
    In a talk at the SAS virtual security conference today, security researchers from Kaspersky said they detected the second known instance of a widespread attack leveraging malicious code implanted in the UEFI.
    The first, disclosed by ESET in 2018, was supposedly carried out by Fancy Bear, one of Russia’s state-sponsored hacker groups. This second one is the work of Chinese-speaking hackers, according to Kaspersky.
    UEFI bootkit used to deploy new MosaicRegressor malware
    The company said it discovered these attacks after two computers were flagged by the company’s Firmware Scanner module as suspicious.
    In their talk today, Kaspersky malware researchers Mark Lechtik and Igor Kuznetsov said they investigated the flagged systems and found malicious code inside the flagged UEFI firmware. This code, they said, was designed to install a malicious app (as an autorun program) after every computer start.
    This initial autorun program acted as a downloader for other malware components, which Kaspersky named the MosaicRegressor malware framework.
    Kaspersky said it has yet to obtain and analyze all of MosaicRegressor’s components, but the one that they did look at contained functionality to gather all the documents from the “Recent Documents” folder and put them in a password-protected archive — most likely preparing the files for exfiltration via another component.
    The researchers said they found the UEFI bootkit on only two systems, but they found MosaicRegressor components on a multitude of other computers.
    However, the targets of these attacks were all carefully selected. All were diplomatic entities and NGOs in Africa, Asia, and Europe.
    “Based on the affiliation of the discovered victims, we could determine that all had some connection to the DPRK [North Korea], be it non-profit activity related to the country or actual presence within it,” Kaspersky said.
    Based on leaked HackingTeam malware
    But Kaspersky also made another major discovery while analyzing these attacks. The UEFI malicious code wasn’t exactly new. According to their analysis, the code was based on VectorEDK, a hacking utility for attacking UEFI firmware created by HackingTeam, a now-defunct Italian vendor of hacking tools, exploits, and surveillance software.
    The company was hacked in 2015, and its tools were dumped online, including the VectorEDK toolkit. According to its manual, the tool was designed to be used with physical access to a victim’s computer.
    Kaspersky says that based on the similarities between VectorEDK and the modified version used by the Chinese group, the Chinese group most likely deployed their tool using physical access to their targets’ computers as well.
    The company’s full report on these attacks is available as a 30-page PDF report here.

  • Why you shouldn't stop this 'hidden' location tracking on your iPhone

    Earlier today someone pointed out to me an article over on the Forbes blogs encouraging readers to “Stop This ‘Hidden’ Location Tracking” on their iPhones. Now, this is something that I’ve encouraged paranoid people or those looking for the best possible security to do.
    But there are downsides. Costly downsides.
    It can cause your battery to wear out prematurely.

    How does turning off a feature that tracks your location cause your iPhone’s battery to wear out?
    Well, first off, you’ve got to ask why Apple is collecting this data in the first place. After all, it’s stored on the iPhone, and not sent back to the Apple mothership.
    Because this is part of the data collected by your iPhone that makes the machine learning smarter.
    And one thing it is used for, amongst other things, is to determine whether your iPhone should turn on Optimized Battery Charging when you plug in your iPhone to charge.
    Now, you can check out what data your iPhone is collecting as you travel by going to Settings > Privacy > Location Services > System Services > Significant Locations. In order to gain access to this data you will need to authenticate yourself using the iPhone’s passcode, or using Face ID/Touch ID.
    Once in, you can see what data is being collected, what it is being used for, delete it, and prevent it from being collected.
    But be aware that this data is used for a lot of things in apps such as Photos, Maps, Calendar, as well as system services such as Optimized Battery Charging. Also be aware that it is not sent to Apple, and that the data is encrypted and cannot be read by Apple.

    An entry under Significant Locations
    But I also understand why some people might not want their iPhones collecting this data.
    Just be aware that turning this off will break things.

  • Four npm packages found uploading user details on a GitHub page

    Four JavaScript npm packages contained malicious code that collected user details and uploaded the information to a public GitHub page.
    The four packages where this malicious code was identified included:
      • electorn: 255 downloads
      • lodashs: 78 downloads
      • loadyaml: 48 downloads
      • loadyml: 37 downloads
    All four packages were developed by the same user (simplelive12) and uploaded on the npm portal in August. Two packages (lodashs, loadyml) were removed by the author shortly after publication, but not before they infected some users.
    The remaining packages, electorn and loadyaml, were removed last week, on October 1, by the npm security team following a report from Sonatype, a company that monitors public package repositories as part of its developer security operations (DevSecOps) services.
    According to Sonatype security researcher Ax Sharma, the four malicious packages used a technique known as typosquatting to get installs.
    All four were misspellings of more popular packages, and they relied on users making mistakes when typing the name of a popular package in order to weasel their way inside someone’s codebase.
    But once a developer mistakenly included and installed one of the four malicious packages, the malicious code found inside would collect the developer’s IP address, country, city, computer username, home directory path, and CPU model information and post this information as a new comment inside the “Issues” section of a GitHub repository.
    Sharma said the data wouldn’t stay on GitHub for long and would be purged every 24 hours — most likely after being scraped and indexed inside another database.
    While we may never know what was the end goal of this campaign, it is very likely that we’re looking at a reconnaissance operation.
    Information like IP addresses, usernames, and home directory paths can reveal if a user is working from home or a corporate environment. Data like the home directory path and CPU model can also help attackers deploy finely-tuned malware for a specific architecture.
    All the attacker would have needed to do was to push a subsequent update to the electorn and loadyaml packages with additional malicious code.
    Developers are advised to review project dependencies and see if they accidentally used one of the four.
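    One way to do that review, as an added example that is not code from the article or from Sonatype: audit the dependency map of a package.json for the four names above, and also flag any dependency that is one edit (insertion, deletion, substitution or adjacent swap) away from a popular package name. The popular-package watch-list and the sample package.json are constructed assumptions for the demo; the article only names electorn, lodashs, loadyaml and loadyml.

```javascript
// Added example: audit package.json dependencies for the four malicious
// packages named in the article and for one-edit-away look-alikes of
// popular package names (typosquatting). Not the article's or Sonatype's code.

// The four package names reported in the article.
const KNOWN_MALICIOUS = new Set(["electorn", "lodashs", "loadyaml", "loadyml"]);

// Assumed watch-list of popular packages that squatters tend to imitate.
// Extend this with the packages your own projects actually depend on.
const POPULAR = ["electron", "lodash", "express", "react", "axios"];

// Damerau-Levenshtein distance (optimal string alignment variant): counts
// insertions, deletions, substitutions and adjacent transpositions, so
// "electorn" vs "electron" scores 1 (one swapped pair).
function editDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, () => new Array(b.length + 1).fill(0));
  for (let i = 0; i <= a.length; i++) d[i][0] = i;
  for (let j = 0; j <= b.length; j++) d[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1); // adjacent swap
      }
    }
  }
  return d[a.length][b.length];
}

// Returns one finding per suspicious dependency: either an exact hit on the
// known-malicious list or a one-edit look-alike of a popular package.
function auditDependencies(pkg) {
  const findings = [];
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const name of Object.keys(deps)) {
    if (KNOWN_MALICIOUS.has(name)) {
      findings.push({ name, reason: "known-malicious" });
      continue;
    }
    if (POPULAR.includes(name)) continue; // the real package, not a look-alike
    for (const popular of POPULAR) {
      if (editDistance(name, popular) === 1) {
        findings.push({ name, reason: `possible typosquat of ${popular}` });
        break;
      }
    }
  }
  return findings;
}

// Constructed sample package.json: two of the article's packages plus a
// made-up swap typo ("raect") alongside legitimate dependencies.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { electron: "^10.1.3", lodashs: "1.0.0", loadyaml: "0.0.1", express: "^4.17.1" },
  devDependencies: { axios: "^0.20.0", raect: "1.0.0" },
};

console.log(JSON.stringify(auditDependencies(SAMPLE_PACKAGE_JSON), null, 2));
```

    To run it against a real project, replace SAMPLE_PACKAGE_JSON with the parsed contents of that project's package.json and package-lock.json (transitive dependencies are where typosquats usually hide).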