More stories


    NortonLifeLock buys Avira in $360 million cash deal

    Cybersecurity firm NortonLifeLock (formerly Symantec) has agreed today to acquire German antivirus maker Avira from Bahrain-based Investcorp Technology Partners in a $360 million all-cash deal.

    The acquisition is expected to close in Q1 2021, subject to regulatory approvals and customary closing conditions, the two companies said today in a joint press release.
    Avira CEO Travis Witteveen and CTO Matthias Ollig will also join the NortonLifeLock leadership team following the deal’s completion.
    NortonLifeLock hopes today’s acquisition will accelerate its international expansion into markets where it currently has only a small presence.
    Avira has a strong userbase in the EU. The company is known for its freemium business model through which it provides free security software to users across the world.
    Avira free software is installed on more than 30 million devices, and the company also boasts more than 1.5 million paying customers.
    Avira was founded in 1986 in Germany by Tjark Auerbach, and at its peak, in 2012, it boasted a userbase of more than 100 million devices.

    Auerbach sold Avira to Investcorp in April 2020 for $180 million.
    NortonLifeLock was founded in November 2019 after Broadcom bought Symantec’s enterprise security assets for $10.7 billion. NortonLifeLock now manages Symantec’s old consumer-facing portfolio.


    Microsoft launches Azure Government Top Secret cloud to handle classified data


    Microsoft is taking the wraps off Azure Government Top Secret, a new cloud offering for those who need to manage top-secret classified data. The new offering joins the existing family of Azure clouds available to U.S. government users, including Azure Government and Azure Government Secret, along with the Azure public cloud.

    Microsoft is working with the U.S. government on getting accreditation for its Government Top Secret cloud. Officials said on December 7 that the company recently completed the build-out of new Azure Government Top Secret regions. Microsoft execs noted that the consistency among its various flavors of Azure means it is easier for development to happen anywhere and for code to be promoted seamlessly to enclaves with higher classification levels.

    Microsoft also announced today new functionality for its Azure Government Secret cloud, which officials said is being used by the U.S. Department of Defense, law enforcement, and other agencies. Government Secret is authorized at DoD Impact Level 6 and under Intelligence Community Directive (ICD) 503. Windows Virtual Desktop is now available in Azure Government with FedRAMP High accreditation, Microsoft officials said.

    Microsoft’s Azure Kubernetes Service (AKS) and Azure Container Instances are already available in Government Secret. On the security front, Azure Sentinel, its threat-management service, and Azure Security Center are also already available in Government Secret.

    Microsoft is also announcing today Availability Zones for Azure Government. Availability Zones are built to withstand datacenter failures through redundancy and logical isolation of services.

    It is also adding its own Azure edge-computing devices, including the recently announced Azure Modular Datacenter, and ruggedized versions of Azure Stack Hub, Azure Stack Edge Pro, and Azure Stack Edge Mini R to its “tactical edge” portfolio. The Azure Modular Datacenter, available at Impact Levels 5 and 6, is getting a new Network High Availability Module for network resiliency through multiple satellite connection partners in different orbits, as well as a High Availability Power Module. Azure Modular Datacenter is a portable version of an Azure datacenter that currently runs Azure Stack and is available to government customers and others who need portable data centers with the option of satellite connectivity.

    Microsoft made these government cloud announcements as part of its annual Government Leaders Summit.


    Google: These new data-leaking website attacks are a growing menace

    Google has set up a new site to track cross-site leaks, warning that these types of flaw are being used by some sites to steal information about the user or their data in other web applications. 
    The new wiki includes information about the principles behind cross-site leaks, common attacks, and proposes defense mechanisms to stop these attacks. 
    “Increasingly, security issues discovered in modern web applications hinge upon the misuse of long-standing web platform behaviors, allowing unsavory sites to reveal information about the user or their data in other web applications. This class of issues, broadly referred to as cross-site leaks (XS-Leaks), poses interesting challenges for security engineers and web browser developers due to a diversity of attacks and the complexity of building comprehensive defenses,” Google said.
    The wiki explains that XSLeaks “are a class of vulnerabilities derived from side-channels built into the web platform.”
    “They take advantage of the web’s core principle of composability, which allows websites to interact with each other, and abuse legitimate mechanisms to infer information about the user,” the wiki explains.
    “The principle of an XS-Leak is to use such side-channels available on the web to reveal sensitive information about users, such as their data in other web applications, details about their local environment, or internal networks they are connected to.”
    While such vulnerabilities are not generally viewed as serious flaws, they’re also very common and can be used as a launchpad for more complex and harmful attacks.

    Google has run a bug bounty for vulnerabilities in its own sites, including Google and YouTube, with external security researchers since 2010, and XSS has long been a staple of it. Chrome once shipped a feature called XSS Auditor that inspected responses for signs of reflected cross-site scripting; Google removed it last year after finding that the auditor itself introduced XS-Leaks.
    The wiki walks through each type of attack and gives an overview of the security features that can thwart or mitigate it.
    It also details how web application developers can adopt newer browser security features such as Fetch Metadata request headers, which browsers send with HTTPS requests to describe how a request was initiated, so that an application can make a more informed decision about whether and how to respond.
    Other defenses include Cross-Origin Opener Policy, Cross-Origin Resource Policy, and SameSite cookies.
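    The defense the wiki describes for Fetch Metadata is a resource isolation policy: the server reads the Sec-Fetch-* headers and refuses cross-site requests that are not plain top-level navigations, so a third-party page cannot load an authenticated response and measure it. The following is an added example written for this page, not code from the Google wiki or from ZDNet; the header names are the real ones, while the request shape, the PUBLIC_PREFIXES allowlist and the function names are assumptions.

```python
"""Resource isolation with Fetch Metadata request headers.

Added example: this is not code from the Google XS-Leaks wiki or from ZDNet.
The header names (Sec-Fetch-Site, Sec-Fetch-Mode, Sec-Fetch-Dest) are the real
ones browsers send; the request shape, the PUBLIC_PREFIXES allowlist and the
function names are assumptions made for this example.
"""
from typing import Mapping, Optional, Tuple

# Assumed: paths that are meant to be loaded cross-site (CDN assets, well-known
# metadata).  Everything else is treated as an authenticated resource that only
# the site itself, or a top-level navigation, may fetch.
PUBLIC_PREFIXES = ("/public/", "/.well-known/")

# Destinations that embed a cross-site document inside the attacker's page and
# expose load/size/timing side channels; they are refused even for navigations.
EMBEDDING_DESTS = {"object", "embed"}


def classify(method: str, path: str, headers: Mapping[str, str]) -> str:
    """Return 'deny' or an 'allow:<reason>' string for one request."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    site = h.get("sec-fetch-site")
    mode = h.get("sec-fetch-mode")
    dest = h.get("sec-fetch-dest")

    if any(path.startswith(p) for p in PUBLIC_PREFIXES):
        return "allow:public"
    # Old browsers send no Fetch Metadata at all; refusing them would break the
    # site, so they fall through to the legacy defences (SameSite cookies, CSRF tokens).
    if site is None:
        return "allow:legacy-browser"
    # Requests from our own origin/site, or typed by the user ('none').
    if site in ("same-origin", "same-site", "none"):
        return "allow:" + site
    # A cross-site link the user clicked: a top-level GET navigation is the one
    # cross-site request shape that must keep working.  POST navigations
    # (cross-site form submissions) are refused, which also shuts down CSRF.
    if mode == "navigate" and method.upper() == "GET" and dest not in EMBEDDING_DESTS:
        return "allow:top-level-navigation"
    # Anything else cross-site: fetch()/XHR, <img>, <script>, <iframe>, <object>...
    return "deny"


def guard(method: str, path: str, headers: Mapping[str, str]) -> Optional[Tuple[int, dict, bytes]]:
    """Run before the application.  Returns a ready response to short-circuit,
    or None to let the request through.  The denial is uniform (same status,
    empty body, no caching) so the guard itself does not become a new oracle."""
    if classify(method, path, headers) == "deny":
        return 403, {"Content-Type": "text/plain", "Cache-Control": "no-store"}, b""
    return None


if __name__ == "__main__":
    # Constructed requests covering the main cases.
    cases = [
        ("GET", "/api/profile", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty"}),
        ("GET", "/account", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "document"}),
        ("GET", "/account", {"Sec-Fetch-Site": "cross-site", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Dest": "object"}),
        ("GET", "/api/profile", {"Sec-Fetch-Site": "same-origin", "Sec-Fetch-Mode": "cors", "Sec-Fetch-Dest": "empty"}),
        ("GET", "/api/profile", {}),
    ]
    for method, path, hdrs in cases:
        print(f"{method} {path} {hdrs.get('Sec-Fetch-Site', '-'):>12}: {classify(method, path, hdrs)}")
```

    The guard must run before the application does any work, and its refusal must look identical for every denied request; a 403 that differs in size or timing depending on the user's state would simply be a new XS-Leak. Refusing cross-site POST navigations is a deliberate choice here; sites that rely on cross-site form posts need an allowlist entry for those paths.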


    Credit card stealer discovered in social media buttons

    Cyber-criminals have created a new type of web malware that hides inside images used for social media sharing buttons in order to steal credit card information entered in payment forms on online stores.
    The malware, known as a web skimmer, or Magecart script, was spotted on online stores in June and September this year by Dutch security firm Sanguine Security (SangSec).
    While this particular form isn’t widely deployed, its discovery suggests that Magecart gangs are constantly evolving their bag of tricks.
    Steganography and malware attacks
    At the technical level, this particular script uses a technique known as steganography. Steganography refers to hiding information inside another format (i.e., text inside images, images inside videos, etc.).
    In the world of malware attacks, steganography is typically employed as a way to sneak malicious code past security scanners by placing the bad code inside seemingly innocent files.
    In recent years, the most common form of steganographic attack has been to hide malicious payloads inside image files, usually in PNG or JPG format.
    The gang embeds the malicious code in the image, the image is downloaded onto the victim system, and another of the gang’s components extracts the code and executes it.

    For web-based skimmers (Magecart scripts), steganography works because defenders expect skimmer code in JavaScript, not in image files, so image assets get far less scrutiny.
    However, the technique has slowly been seeing some adoption among web skimmer gangs, with past steganographic attacks using site logos, product images, or favicons to hide payloads.
    Malicious code hidden in SVG images
    But as steganography use grew, security firms also started inspecting image files for irregularities or hidden web skimmer payloads.
    The notable detail in these recent attacks is that the malicious code was hidden not in PNG or JPG files but in SVG files, an image format for vector graphics.
    Vector images describe shapes with coordinates and mathematical functions, and SVG is a text-based rather than a binary format, which in theory should make hidden payloads easier to spot than in PNG or JPG files.
    However, SangSec says the threat actors were very clever when they designed their payload.
    “The malicious payload assumes the form of an HTML <svg> element, using the <path> element as a container for the payload. The payload itself is concealed utilizing syntax that strongly resembles correct use of the <svg> element,” SangSec said in a report last week.
    “While skimmers have added their malicious payload to benign files like images in the past, this is the first time that malicious code has been constructed as a perfectly valid image. The result is that security scanners can no longer find malware just by testing for valid syntax,” the company added.
    SangSec said it found malware gangs testing this technique in June, and on live e-commerce sites in September, with the malicious payload hidden inside social media sharing icons for sites like Google, Facebook, Twitter, Instagram, YouTube, and Pinterest.
    On infected stores, once users accessed the checkout page, a secondary component (called a decoder) would read the malicious code hidden inside the social sharing icons and then load a keylogger that recorded and exfiltrated card details entered in the payment form.
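    SangSec’s point is that a scanner which only checks the file for valid syntax will pass this payload. The added example below, written for this page and not SangSec’s detector or the skimmer’s code, checks one layer deeper than well-formedness: a <path> may carry only SVG path data in its d attribute and no text content, an icon has no business containing <script> or on* handlers, and long high-entropy text anywhere in the file deserves a look. The thresholds and the three sample icons are assumptions and constructed data, not the real payload.

```python
"""Scan SVG icons for payloads hidden where only path data belongs.

Added example; this is not SangSec's detector and not the skimmer's code.  XML
well-formedness is what the attackers satisfied, so the checks here go one layer
deeper: a <path> may carry only SVG path data in its d attribute and no text
content, an icon has no business containing <script> or on* handlers, and long
high-entropy text anywhere in the file is worth a look.  Thresholds and the
three sample icons are assumptions/constructed data, not the real payload.
"""
import base64
import math
import re
import xml.etree.ElementTree as ET
from collections import Counter
from typing import List

# The SVG path-data grammar: command letters, numbers, separators and nothing else.
PATH_DATA = re.compile(r"^[MmZzLlHhVvCcSsQqTtAa0-9eE.,+\-\s]*$")
MAX_INLINE_TEXT = 200  # assumed: real icon text nodes are tiny
ENTROPY_LIMIT = 4.5    # assumed: base64/minified JS scores well above this


def shannon_entropy(s: str) -> float:
    """Bits per character; ~0 for repetition, up to 6 for base64 of random bytes."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def _local(tag: str) -> str:
    return tag.split("}", 1)[-1]          # strip the {namespace} prefix


def scan_svg(svg_text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    root = ET.fromstring(svg_text)        # ET does not fetch external entities
    for el in root.iter():
        name = _local(el.tag)
        if name == "script" or any(a.lower().startswith("on") for a in el.attrib):
            findings.append(f"<{name}>: script or event handler inside an icon")
        if name == "path":
            if not PATH_DATA.match(el.get("d", "")):
                findings.append("<path d>: characters outside the path-data grammar")
            inner = (el.text or "").strip()
            if inner:
                findings.append(f"<path>: {len(inner)} bytes of text content where none belongs")
        text = (el.text or "").strip()
        if len(text) > MAX_INLINE_TEXT and shannon_entropy(text) > ENTROPY_LIMIT:
            findings.append(f"<{name}>: long high-entropy text ({shannon_entropy(text):.2f} bits/char)")
    return findings


# --- constructed samples -------------------------------------------------------
BENIGN_ICON = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
  <path d="M12 2C6.48 2 2 6.48 2 12s4.48 10 10 10 10-4.48 10-10S17.52 2 12 2z"/>
</svg>"""

# Stand-in for a skimmer blob: base64 of harmless placeholder text, padded so it
# resembles an encoded script, placed as text inside an otherwise valid <path>.
_BLOB = base64.b64encode(b"placeholder-not-a-skimmer:" * 12).decode()
HIDDEN_TEXT_ICON = f"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
  <path d="M0 0h24v24H0z">{_BLOB}</path>
</svg>"""

BAD_PATH_DATA_ICON = """<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
  <path d="M0 0h24v24H0z;eval(atob('aGk='))"/>
</svg>"""

if __name__ == "__main__":
    for label, icon in (("benign", BENIGN_ICON), ("hidden text", HIDDEN_TEXT_ICON),
                        ("bad d", BAD_PATH_DATA_ICON)):
        print(label, "->", scan_svg(icon) or "clean")
```

    These are heuristics, not a guarantee: a payload encoded purely as numbers inside a valid d attribute would pass the grammar check, which is why the decoder component that reads the icon at checkout is the better thing to hunt for on the store’s JavaScript side.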
    User protections
    End users have very few options available at their disposal when it comes to web skimmer attacks, as this type of code is usually invisible to them and extremely hard to detect, even for professionals.
    Furthermore, users shopping on a site have no way of knowing how secure the site really is, or whether the store owner invests in security at all.
    The simplest way shoppers can protect themselves from web skimmer attacks is to use virtual cards designed for one-time payments.
    These cards are currently provided by some banks or payment apps, and they’re currently the best way to deal with web-based skimming: even if attackers manage to record the transaction details, the card data is useless because it was generated for one transaction only.


    Italian police arrest suspects in Leonardo military, defense data theft

    Italian police have arrested a former employee of Leonardo SpA and another individual in connection to the theft of sensitive corporate and military information.

    The Naples Public Prosecutor’s Office said on November 5 that a sustained cyberattack had been carried out against the Aerostructures and Aircraft Division of Leonardo SpA, one of the largest defense contractors worldwide.
    Headquartered in Rome, Italy, the company employs over 49,000 people and operates in Italy, the UK, the US, and Poland across the aerospace, military, and security sectors.
    Last week, Italian law enforcement said the pair, one of whom was an IT manager for Leonardo, were arrested for allegedly compromising the corporation’s network by executing malware able to quietly exfiltrate sensitive data.
    According to the Naples office, the duo deployed malware dubbed cftmon.exe on 94 workstations, of which 33 were located at the company plant in Pomigliano D’Arco. The malware, described as a Trojan variant, was loaded through USB sticks plugged into the workstations and remained undetected from roughly May 2015 to January 2017. 
    In 2017, Leonardo’s cybersecurity team detected anomalous network traffic originating from these workstations and directed to a command-and-control (C2) server, fujinama.altervista.org. The domain has since been seized by Italian police.

    The malware was able to silently exfiltrate classified and valuable corporate data, including military information, and maintained persistence by automatically executing on each workstation at startup.
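    One detail worth noting for defenders: cftmon.exe is a single character transposition away from ctfmon.exe, the genuine Windows text services host, so the name would look familiar in a process list or an autostart entry. The following added example, written for this page and not drawn from the investigation or from Leonardo, triages an inventory of autostart entries by edit distance to a list of legitimate Windows binary names and by location; the name list, the trusted-directory rule and the inventory rows are assumptions and constructed data.

```python
"""Flag autostart entries whose file name nearly matches a legitimate Windows binary.

Added example, not material from the Naples prosecutors or Leonardo.  The name
cftmon.exe is one transposition away from ctfmon.exe, the genuine Windows text
services host, a lookalike pattern (MITRE ATT&CK T1036.005) that is cheap to
catch in an inventory of autostart entries.  The legitimate-name list, the
trusted-directory rule and the inventory rows below are assumptions/constructed
data for the example.
"""
from typing import List, Optional, Tuple

# Assumed short list; in practice build it from a known-good host's System32.
LEGIT_NAMES = {"ctfmon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
               "explorer.exe", "conhost.exe", "rundll32.exe", "taskhostw.exe"}
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")   # assumed system drive


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def nearest_legit(name: str, max_distance: int = 2) -> Optional[Tuple[str, int]]:
    """Closest legitimate name within max_distance edits, excluding exact matches."""
    name = name.lower()
    best = None
    for legit in LEGIT_NAMES:
        dist = osa_distance(name, legit)
        if 0 < dist <= max_distance and (best is None or dist < best[1]):
            best = (legit, dist)
    return best


def triage(entries: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """entries: (file name, full path, where the autostart was found).
    Returns (name, reason) for every entry worth a look."""
    flagged = []
    for name, path, source in entries:
        lname, lpath = name.lower(), path.lower().replace("/", "\\")
        if lname in LEGIT_NAMES:
            if not lpath.startswith(TRUSTED_DIRS):
                flagged.append((name, f"legitimate name outside the Windows directory: {path} ({source})"))
            continue
        near = nearest_legit(lname)
        if near:
            flagged.append((name, f"{near[1]} edit(s) from {near[0]}: {path} ({source})"))
    return flagged


# Constructed inventory, e.g. from an autoruns export or a Run-key/Startup-folder sweep.
SAMPLE_ENTRIES = [
    ("ctfmon.exe", r"C:\Windows\System32\ctfmon.exe", "HKLM Run"),
    ("cftmon.exe", r"C:\Users\alice\AppData\Roaming\cftmon.exe", "Startup folder"),
    ("svchost.exe", r"C:\Users\Public\svchost.exe", "HKCU Run"),
    ("Teams.exe", r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe", "HKCU Run"),
]

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_ENTRIES):
        print(f"[!] {name}: {reason}")
```

    A hit is a lead, not a verdict: confirm with the file’s signature and hash, and pair the name check with the network side (in this case the anomalous traffic to the C2 domain is what finally surfaced the intrusion after roughly twenty months).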
    Originally, the defense contractor believed that the data exfiltration was a small and rather insignificant incident, but Italian law enforcement says a subsequent investigation revealed a “much more extensive and severe scenario.”
    Reconstructions of the incident performed by the police suggest that up to 10GB of data — or 100,000 files — was stolen during the campaign relating to security and defense strategy, HR, product distribution, and component design for civil and military aircraft, as well as employee credentials.
    Italian prosecutors have accused the pair of “abusive access to computer systems, unlawful interception of electronic communications, and [the] unlawful processing of personal data.”
    The head of Leonardo’s cybersecurity team has also been placed under house arrest for allegedly misleading and hindering investigative efforts concerning the cyberattack. 
    In a statement, Leonardo said that the arrests relate to an individual who is not an employee of the company, as well as a “non-executive” former member of staff. 
    “The company, which is obviously the injured party in this affair, has provided maximum cooperation since the beginning and will continue to do so to enable the investigators to clarify the incident, and for its own protection,” Leonardo added.


    NSA warns of Russian state-sponsored hackers exploiting VMware vulnerability

    The US National Security Agency has published a security alert today urging companies to update VMware products for a vulnerability that is currently being exploited by “Russian state-sponsored malicious cyber actors.”

    The vulnerability, tracked as CVE-2020-4006, affects VMware identity and endpoint management products that are often deployed in enterprise and government networks.
    The affected products, listed below, let system administrators manage authentication and application access for large fleets of devices and virtual desktops.
    VMware Workspace ONE Access (Access) 20.01 and 20.10 on Linux
    VMware Workspace ONE Access Connector (Access Connector)
    VMware Identity Manager (vIDM) 3.3.1, 3.3.2, and 3.3.3 on Linux
    VMware Identity Manager Connector (vIDM Connector) 3.3.1, 3.3.2, 3.3.3, 19.03
    VMware Cloud Foundation 4.x
    vRealize Suite Lifecycle Manager 8.x
    VMware warned customers last month, on November 23, that these products contained a major security bug and published mitigations and workarounds to prevent attacks.
    On Friday, VMware released official patches and credited NSA analysts with reporting the issue to its security team.
    The NSA has also issued its own security alert, urging government organizations to patch their VMware products amid ongoing attacks by Russian hackers.
    “This advisory emphasizes the importance for National Security System (NSS), Department of Defense (DoD), and Defense Industrial Base (DIB) system administrators to apply vendor-provided patches to affected VMware identity management products,” the NSA said in a press release.
    How CVE-2020-4006 works

    At its core, CVE-2020-4006 is a command injection vulnerability that lets an attacker execute OS-level commands on the appliance.
    Its severity is limited by one precondition: it can only be exploited by an attacker who has already authenticated to the Workspace ONE web-based administrative dashboard.
    But an attacker in possession of valid credentials can use the vulnerability to take full control of any unpatched VMware Workspace ONE system.

    The VMware Workspace ONE web-based dashboard is typically used by system administrators to manage the settings of the workstations they administer.
    In most cases the dashboard is reachable only from internal networks, but it can also be exposed to the internet when administrators need to reach their enterprise management tools from home or to manage remote sites.
    Many system administrators might play down this vulnerability because attackers first need valid Workspace ONE credentials and then network access to the dashboard itself, which in some cases is available only on internal networks (intranets).
    However, things are never this simple.
    “An attacker can achieve these prerequisites by using varieties of methods such as gathering credentials via Phishing, purchasing credentials from third-party sites, or by brute forcing credentials,” Mark Arena, CEO of cyber-security firm Intel 471, told ZDNet.
    “Intel 471 considers this a medium risk issue due to the possibility of arbitrary command execution on the underlying operating systems with unrestricted privileges offset by the required authentication and adjacent network access,” Arena added.
    Russian hackers planting web shells, pivoting to other systems
    Despite these prerequisites, the NSA said it is aware of instances in which Russian state-sponsored hackers obtained credentials for the VMware Workspace ONE web panel, integrated this bug into their attacks, and used it to pivot laterally inside networks and escalate their access to a compromised organization.
    According to the NSA, in the attacks it is aware of, the hackers installed a web shell on the VMware Workspace ONE system and then generated SAML authentication assertions for themselves.
    The hackers then presented those SAML assertions to the victim’s Microsoft ADFS (Active Directory Federation Services), which granted them access to protected data.
    The NSA did not name which of the many Russian state-sponsored groups has been abusing this VMware bug but warned organizations not to take CVE-2020-4006 lightly.
    “NSA strongly recommends that NSS, DoD, and DIB system administrators apply the vendor-issued patch as soon as possible,” the agency said.
    Contacted for comment, VMware also urged customers to apply the patches released on Friday.
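    Patching closes the hole, but it does not tell you whether the hole was already used. The NSA advisory’s detection advice is to look in the Workspace ONE Access configurator log for an “exit” statement followed by a three-digit number, such as “exit 123”. The following is an added example written for this page, not NSA or VMware code: it encodes exactly that indicator and nothing more. The log path is the one the advisory names and should be confirmed on the appliance; the sample lines are constructed, not taken from any incident.

```python
"""Check a Workspace ONE Access configurator log for the NSA's CVE-2020-4006 indicator.

Added example; this is not NSA or VMware code.  The NSA advisory's detection
advice is to look in the configurator log for an 'exit' statement followed by a
three-digit number (e.g. 'exit 123'); the regex below encodes exactly that and
nothing more.  The log path is the one the advisory names (confirm it on your
appliance), and the sample lines are constructed, not taken from any incident.
"""
import re
from typing import Iterable, List, Tuple

LOG_PATH = "/opt/vmware/horizon/workspace/logs/configurator.log"   # per the NSA advisory
EXIT_MARKER = re.compile(r"\bexit\s+\d{3}\b")


def find_indicators(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, matched token, full line) for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = EXIT_MARKER.search(line)
        if m:
            hits.append((n, m.group(0), line.rstrip("\n")))
    return hits


def scan_log(path: str = LOG_PATH) -> List[Tuple[int, str, str]]:
    """Scan a log file on disk; use errors='replace' so odd bytes cannot abort the sweep."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_indicators(fh)


# Constructed sample: routine lines plus one carrying the indicator.
SAMPLE_LINES = [
    "2020-12-04 09:12:01 INFO  Configurator service started",
    "2020-12-04 09:12:05 INFO  Admin login from 10.0.0.15",
    "2020-12-04 09:13:40 ERROR Command failed: exit 123",
    "2020-12-04 09:14:02 INFO  Process exit with status 0",
    "2020-12-04 09:14:10 INFO  exit code 1234 ignored",
]

if __name__ == "__main__":
    for n, token, line in find_indicators(SAMPLE_LINES):
        print(f"line {n}: '{token}' -> {line}")
```

    A hit is a lead rather than proof. Given the chain the NSA describes, the follow-up is a hunt for web shells on the appliance, a review of which SAML assertions were issued and to whom, and a check of the ADFS side for access granted on those assertions, all before the appliance is rebuilt and patched.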



    OAIC finds Flight Centre breached privacy of almost 7,000 customers in 2017

    The Australian Information Commissioner and Privacy Commissioner Angelene Falk has handed down a determination that Flight Centre breached the privacy of 6,918 customers when it held its “design jam” event across the weekend of March 24 to March 26 in 2017.
    On the first day of the event, Flight Centre handed a data set containing production data from the 2015 and 2016 calendar years to the 16 teams competing in the event, which consisted of 90 people in total.
    The data set had 106 million rows of data, and the company believed it had obfuscated the personal information of its customers, leaving only each customer’s year of birth, postcode, gender, and booking information. According to Falk’s determination, Flight Centre had its business intelligence and Australian infosec teams, as well as event coordinators, review the first 1,000 rows of data to confirm there was no sensitive information in the file.
    However, 36 hours after the event had begun, a free text field under a column called “ProductName” was found by one of the participants to contain credit card information.
    Flight Centre then reviewed the file and found it contained 4,011 credit card numbers and 5,092 passport numbers affecting 6,918 people, as well as 475 usernames and passwords, mostly for vendor portals. 757 dates of birth were also identified.
    Upon learning of the breach, the company cut off access to the file and truncated the column to 10 characters, received verbal confirmation from participants that they had destroyed all copies of the file, and began a post-incident review. Those whose payment or passport details were exposed were notified by the company and offered free identity theft and credit monitoring coverage for a year, and Flight Centre covered the cost of replacing passports for customers who opted for it.
    Falk said that Flight Centre determined it was a low-risk incident because it involved no intrusion, the incident was not malicious, a known number of third parties had access to data, and there was no evidence of misuse.

    At the heart of the breach, Falk wrote, was that Flight Centre had no technical controls to prevent travel consultants from entering passport information and credit card details into a free text field, relying instead on staff complying with company policy.
    “The absence of technical controls to prevent or detect such incorrect storage caused an inherent data security risk in terms of how this kind of personal information was protected by the respondent immediately prior to the data breach,” Falk said.
    At the time of the incident, Flight Centre had the ability to detect inappropriate storage of credit card information in some of its systems, but not its quoting, invoicing, or receipting systems. The company now scans on a weekly basis for the storage of payment and passport information in free text fields.
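    The scan Flight Centre now runs weekly is the detective control that was missing in 2017. The following is an added example written for this page, not Flight Centre’s scanner: it looks for card numbers (13 to 19 digits, separators allowed, passing the Luhn check so that booking references and phone numbers are not flagged) and passport numbers in one free-text column, and shows the redaction that a truncation to 10 characters approximates. The passport pattern (one or two letters followed by seven or eight digits) is an assumption that covers the common Australian format and should be tuned to the populations you handle; the rows are constructed and the card number is the well-known Visa test PAN.

```python
"""Find payment card and passport numbers that ended up in a free-text column.

Added example, not Flight Centre's own scanner.  A card is a 13-19 digit window
(spaces or dashes allowed) inside a digit run that passes the Luhn check, which
weeds out booking references and phone numbers; the passport pattern is an
assumption covering the common Australian format.  Rows are constructed and the
card number is the well-known Visa test PAN.
"""
import re
from typing import Dict, Iterator, List, Tuple

# A run of 13+ digits with at most one space/dash between digits.  Card numbers
# are found as Luhn-valid windows inside such runs, so an expiry date glued on
# after the number ("... 1111 03/19") does not hide the card.
DIGIT_RUN = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,}(?!\d)")
PASSPORT_CANDIDATE = re.compile(r"\b[A-Z]{1,2}\d{7,8}\b")   # assumed format


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_spans(text: str) -> Iterator[Tuple[int, int]]:
    """Yield (start, end) of each Luhn-valid 13-19 digit number, longest match first."""
    for run in DIGIT_RUN.finditer(text):
        s = run.group(0)
        pos = [i for i, ch in enumerate(s) if ch.isdigit()]
        n, i = len(pos), 0
        while i < n:
            for length in range(min(19, n - i), 12, -1):
                digits = "".join(s[p] for p in pos[i:i + length])
                if luhn_ok(digits):
                    yield run.start() + pos[i], run.start() + pos[i + length - 1] + 1
                    i += length
                    break
            else:
                i += 1


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (kind, matched text) for every card or passport number found."""
    found = [("card", text[s:e]) for s, e in card_spans(text)]
    found += [("passport", m.group(0)) for m in PASSPORT_CANDIDATE.finditer(text)]
    return found


def redact(text: str) -> str:
    """Mask all but the last four card digits; remove passport numbers entirely."""
    chars = list(text)
    for start, end in card_spans(text):
        digit_idx = [i for i in range(start, end) if chars[i].isdigit()]
        for i in digit_idx[:-4]:
            chars[i] = "*"
    return PASSPORT_CANDIDATE.sub("[PASSPORT REDACTED]", "".join(chars))


def scan_rows(rows: List[Dict[str, str]], column: str = "ProductName") -> List[Tuple[int, str, str]]:
    """Scan one column across a data set; returns (row index, kind, value)."""
    return [(i, kind, value) for i, row in enumerate(rows)
            for kind, value in find_sensitive(row.get(column, ""))]


# Constructed rows shaped like a quoting/receipting export.
SAMPLE_ROWS = [
    {"ProductName": "SYD-LAX return, ref 1234567890123, ph +61 412 345 678"},
    {"ProductName": "Hotel deposit paid on card 4111 1111 1111 1111 exp 03/19"},
    {"ProductName": "Visa application, passport PA1234567, DOB redacted"},
    {"ProductName": "Travel insurance, 14 days, family of 4"},
]

if __name__ == "__main__":
    for i, kind, value in scan_rows(SAMPLE_ROWS):
        print(f"row {i}: {kind} -> {value}")
    print(redact(SAMPLE_ROWS[1]["ProductName"]))
```

    The Luhn check is a filter, not an identifier: roughly one in ten random digit windows passes it, so a scan over 106 million rows will produce some false positives, and hits should be triaged by context (a card-like number beside “exp” or “CVV” is worth far more than one in a ticket number column). Run it against the quoting, invoicing and receipting systems too, since those were the blind spot here.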
    Falk also criticised the company for handing over such a large data set in the first event it had run, and not requiring participants to sign an agreement.
    “This determination is a strong reminder for organisations to build privacy by design into new projects involving personal information handling, particularly where large datasets will be shared with third-party suppliers for analysis,” Falk said on Monday.
    “Organisations should assume that human errors — such as the inadvertent disclosure of personal information to suppliers — could occur and take steps to prevent them.
    “They should also carry out privacy impact assessments for data projects to assist in identifying and addressing all relevant privacy impacts.”
    Because the company reacted swiftly, notified individuals before the Notifiable Data Breaches scheme came into force, offered those affected a number of services, paid for dark web monitoring to see whether the details were being misused, and was candid in dealing with her office, Falk said it was not appropriate to take further action beyond declaring that Flight Centre must not repeat the conduct.


    Hackers leak data from Embraer, world's third-largest airplane maker

    Brazilian company Embraer, considered today’s third-largest airplane maker after Boeing and Airbus, was the victim of a ransomware attack last month.
    Today, the hackers involved in the intrusion leaked some of the company’s private files in retaliation after the airplane maker refused to negotiate and instead chose to restore its systems from backups without paying the ransom.
    The Embraer files were shared on a website hosted on the dark web, managed by the RansomExx (also known as Defray777) ransomware gang.
    Data uploaded on this site included samples of employee details, business contracts, photos of flight simulations, and source code, among others, according to samples reviewed by ZDNet.

    Today’s leak confirms that the hackers stole data from the company’s servers. Embraer issued a press release last week admitting to a security breach, but did not confirm that the incident involved either ransomware or data theft.
    The airplane maker said the attackers had “access to only a single environment,” and that the incident caused only a temporary impact on “some of its operations.”
    An Embraer spokesperson did not return a request for comment sent by ZDNet today, following the leak.
    RansomExx gets a “leak site”

    Embraer is one of three companies whose data was leaked over the weekend on the RansomExx leak site, which launched on Saturday.
    The RansomExx gang now joins a long list of ransomware gangs that run leak sites.
    Ransomware gangs use leak sites to put pressure on victims. During negotiations, companies are told that if they don’t pay the ransom demand, the attackers will publish their data online as punishment, where it can be downloaded by competitors and may expose the company to regulatory penalties in its jurisdiction.