More stories

    IBM adds zero trust capabilities to Cloud Pak for Security

    IBM is rolling out new zero trust capabilities to Cloud Pak for Security, its platform for tackling cybersecurity threats across multicloud and hybrid environments. IBM said the features are aimed at helping customers adopt a zero trust approach to security by applying the principles of least-privilege access, never trust, always verify, and assume breach.

    Among the key features are the new IBM Security zero trust blueprints, which are designed around common zero trust use cases. The four new blueprints are meant to provide a framework to help preserve customer privacy, secure hybrid and remote workforces, reduce the risk of insider threats, and protect hybrid cloud environments. IBM also introduced the as-a-Service version of IBM Cloud Pak for Security. The new consumption model lets customers choose between an owned or hosted deployment model based on their environment and needs.

    Meanwhile, a new partnership between IBM and Zscaler was announced as part of an effort to address remote work and network security modernization. The alliance will combine IBM Security Services with Zscaler’s network security technology to deliver an end-to-end secure access service edge (SASE) solution. Dow Chemical is an early customer working with IBM Security and Zscaler as part of its remote/hybrid workforce modernization strategy.

    Launched in 2019 as the foundation of IBM’s open security strategy, Cloud Pak for Security is designed to glean threat information and insights from various sources without having to move data. The system leverages IBM’s investment in Red Hat, including OpenShift, and is designed specifically to unify security across hybrid cloud environments.

    Over the last year IBM has expanded the capabilities within Cloud Pak for Security to address some of the key components of threat management, such as detection, investigation and response, using AI and automated workflows. In October, IBM added a new integrated data security hub that promises to bring data security insights directly into threat management and security response platforms.

    DOD expands its bug hunting programme to networks, IoT and more

    The US Department of Defense has significantly expanded its bug bounty program to all publicly accessible information systems, including not just websites but also networks, frequency-based communication, Internet of Things, and industrial control systems. The DoD bug bounty, which is overseen by the DoD’s Cyber Crime Center (DC3), is now much broader than the “Hack the Pentagon” pilot kicked off in 2016 with partner HackerOne. That pilot restricted hackers to probing DoD’s public-facing websites and applications. Brett Goldstein, director of the Defense Digital Service, said the DoD’s bug bounty “allows for research and reporting of vulnerabilities related to all DoD publicly-accessible networks, frequency-based communication, Internet of Things, industrial control systems, and more”, according to a DoD press release. “This expansion is a testament to transforming the government’s approach to security and leapfrogging the current state of technology within DoD,” said Goldstein.

    The DoD says that since the bug bounty launched, it had received more than 29,000 vulnerability reports from hackers. More than 70 percent of them were determined to be valid after triage. Last month DC3 launched another bug bounty pilot called the Defense Industrial Base Vulnerability Disclosure Program (DIB-VDP), which aims to improve the security of defense contractors. It’s also being run on HackerOne. Carnegie Mellon University Software Engineering Institute conducted a feasibility study in 2020 and recommended the pilot program proceed.

    “The department has always maintained the perspective that DOD websites were only the beginning as they account for a fraction of our overall attack surface,” said DC3 director Kristopher Johnson.

    Johnson said he expects the number of bug reports it receives to “drastically increase” due to the broader scope of the program, which now allows security researchers to report bugs they wouldn’t have been allowed to in the past.

    This massive DDoS attack took large sections of a country's internet offline

    A massive distributed denial of service (DDoS) attack took down the websites of more than 200 organisations across Belgium, including government, parliament, universities and research institutes. The DDoS attack started at 11am on Tuesday 4 May and overwhelmed the websites with traffic, rendering their public-facing sites unusable for visitors, while the attack also overwhelmed internal systems, cutting them off from the internet.

    The attack targeted Belnet, the government-funded ISP for the country’s educational institutions, research centres, scientific institutes and government services, including government ministries and the Belgian parliament. Some debates and committee meetings had to be postponed as users couldn’t access the virtual services required to take part.

    Belgium’s central authority for cybersecurity, the Center for Cybersecurity Belgium (CCB), was contacted following the attack in order to help contain and resolve it. One of the reasons the attack was so disruptive was that those behind it kept altering their techniques. “The fact that the perpetrators of the attack constantly changed tactics made it even more difficult to neutralize it,” said Dirk Haex, technical director at Belnet. A day on from the DDoS attack, an update from Belnet said its services are available again but that the service provider is remaining vigilant about potential follow-up attacks.

    “We are fully aware of the impact on the organizations connected to our network and their users and we are aware that this has profoundly disrupted their functioning,” said Haex.

    A DDoS attack is designed purely to disrupt websites and services by taking them offline through an excessive amount of traffic. In many cases, DDoS attacks will exploit servers, computers and Internet of Things devices that have been taken control of by cyber criminals and roped into a botnet, an army of devices controlled by cyber attackers, using that traffic to overwhelm the capabilities of the target to the extent that it becomes inaccessible for anyone.

    The intent of the attackers is purely disruption, and Belnet has stated that there has been no data breach or theft of data as a result of the attack, nor did cyber criminals infiltrate the network; they just overwhelmed it with web traffic. According to Belnet, it’s unclear who was behind the attack, but the network provider is investigating it. Belnet has also filed a complaint with the Federal Computer Crime Unit.


    Google Chrome: This new feature makes it tougher for hackers to attack Windows 10 PCs

    Google has revealed that Chrome 90 has adopted a new Windows 10 security feature called “Hardware-enforced Stack Protection” to protect the memory stack from attackers. Hardware-enforced Stack Protection, which Microsoft previewed in March 2020, is designed to protect against return oriented programming (ROP) malware attacks by using CPU hardware to protect an application’s code while it runs in memory.

    The added protection is enabled in Chrome 90 on Windows 20H1 with the December update or later, and on Intel 11th Gen or AMD Zen 3 CPUs, which feature Control-flow Enforcement Technology (CET).

    For several years Intel and Microsoft have been working on CET to thwart ROP attacks, which can bypass existing memory-exploit mitigations to install malware. CET introduces “shadow stacks”, which are used exclusively for control transfer operations. These shadow stacks are isolated from the data stack and protected from tampering.

    Intel explained in its document on CET: “When shadow stacks are enabled, the CALL instruction pushes the return address on both the data and shadow stack. The RET instruction pops the return address from both stacks and compares them. If the return addresses from the two stacks do not match, the processor signals a control protection exception (#CP).”

    Google’s Chrome platform security team warns that the shadow stack might cause problems for some software loaded into Chrome. “[CET] improves security by making exploits more difficult to write. However, it may affect stability if software that loads itself into Chrome is not compatible with the mitigation,” the Chrome security team notes. Google, however, has also provided details for developers who need to debug a problem in Chrome’s shadow stack. Developers can see which processes have Hardware-enforced Stack Protection enabled in Windows Task Manager.

    Google describes ROP attacks as ones where “attackers take advantage of the process’s own code, as that must be executable.” The Chrome team explains how CET in Chrome works on Windows, with the operating system handling the comparison of return addresses from the “normal” stack and the shadow stack. If they don’t match, Windows raises an exception.

    “Along with the existing stack, the CPU maintains a shadow stack. This stack cannot be directly manipulated by normal program code and only stores return addresses,” the Chrome team explains. “The CALL instruction is modified to push a return address (the instruction after the CALL) to both the normal stack, and the shadow stack. The RET (return) instruction still takes its return address from the normal stack, but now verifies that it is the same as the one stored in the shadow stack region. If it is, then the program is left alone and it continues to work as it always did. If the addresses do not match then an exception is raised which is intercepted by the operating system (not by Chrome).”

    The operating system has an opportunity to modify the shadow region and allow the program to continue, but in most cases an address mismatch is the result of a program error, so the program is immediately terminated, Google explained.

    Microsoft in February also released developer guidance for Hardware-enforced Stack Protection. Microsoft’s Chromium-based Edge from version 90 has enabled the protection in “compatibility mode”.
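To make the CALL/RET behaviour quoted above concrete, here is an added toy model of shadow stacks written for this page; it is not Intel's, Microsoft's or Chrome's code. Addresses are plain integers, the "corruption" is a single simulated overwrite of a saved return slot, and `run_scenario` and `landing_address` are names invented here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of CET shadow stacks (added example, not vendor code).
 * sim_call/sim_ret mimic what the quoted Intel text says CALL and RET
 * do when shadow stacks are enabled; a legacy CPU is modelled by
 * cet_enabled == 0. */

#define STACK_DEPTH 16

typedef struct {
    uint64_t data[STACK_DEPTH];   /* normal stack: writable by program code */
    uint64_t shadow[STACK_DEPTH]; /* shadow stack: return addresses only, not writable */
    int dsp, ssp;                 /* number of entries on each stack */
    int cet_enabled;              /* 1 = shadow stacks on, 0 = legacy CPU */
} cpu_t;

typedef enum { RET_OK = 0, RET_CP_FAULT = 1 } ret_status_t;

static void cpu_init(cpu_t *c, int cet_enabled) {
    memset(c, 0, sizeof *c);
    c->cet_enabled = cet_enabled;
}

/* CALL: push the return address on the data stack and, with CET, on the shadow stack too. */
static void sim_call(cpu_t *c, uint64_t return_addr) {
    c->data[c->dsp++] = return_addr;
    if (c->cet_enabled)
        c->shadow[c->ssp++] = return_addr;
}

/* RET: pop the data stack; with CET also pop the shadow stack and compare.
 * A mismatch is the #CP control-protection exception that the OS, not the
 * program, receives. */
static ret_status_t sim_ret(cpu_t *c, uint64_t *target) {
    uint64_t from_data = c->data[--c->dsp];
    *target = from_data;
    if (!c->cet_enabled)
        return RET_OK;                 /* legacy behaviour: trust the data stack */
    uint64_t from_shadow = c->shadow[--c->ssp];
    return from_data == from_shadow ? RET_OK : RET_CP_FAULT;
}

/* Scenario: one CALL, optionally a memory-safety bug that overwrites the saved
 * return address on the data stack (the shadow copy is untouched), then RET.
 * Returns what the CPU did; *landed_at receives the address RET popped. */
ret_status_t run_scenario(int cet_enabled, int corrupt_return, uint64_t *landed_at) {
    cpu_t c;
    cpu_init(&c, cet_enabled);
    sim_call(&c, 0x401000ULL);                 /* constructed legitimate return address */
    if (corrupt_return)
        c.data[c.dsp - 1] = 0x7fff0000ULL;     /* constructed: bug overwrites the slot */
    return sim_ret(&c, landed_at);
}

/* Convenience: the address control would transfer to for a scenario. */
uint64_t landing_address(int cet_enabled, int corrupt_return) {
    uint64_t at = 0;
    run_scenario(cet_enabled, corrupt_return, &at);
    return at;
}

int main(void) {
    static const char *names[] = { "RET_OK", "#CP" };
    uint64_t at;
    ret_status_t s = run_scenario(0, 1, &at);   /* legacy CPU: corruption goes unnoticed */
    printf("no CET, corrupted stack: %s, control goes to 0x%llx\n", names[s], (unsigned long long)at);
    s = run_scenario(1, 1, &at);                /* CET: mismatch raises #CP before transfer */
    printf("CET, corrupted stack   : %s\n", names[s]);
    s = run_scenario(1, 0, &at);                /* CET, clean stack: program runs as before */
    printf("CET, clean stack       : %s, control goes to 0x%llx\n", names[s], (unsigned long long)at);
    return 0;
}
```

The third case is the compatibility point the Chrome team raises: software that rewrites return addresses on the normal stack for legitimate reasons looks exactly like the second case to the CPU.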

    Banking Trojan evolves from distribution through porn to phishing schemes

    A banking Trojan focused on Brazilian targets has evolved from using pornography as a distribution model to phishing email models. 

    ESET researchers have named the Trojan Ousaban, a mixture of “boldness” and “banking trojan.” Kaspersky researchers track the malware as Javali, one of four major banking Trojans in Brazil, alongside Guildma, Melcoz, and Grandoreiro. Thought to have been in active circulation since 2018, the malware is written in Delphi, a programming language commonly employed for Trojans in the region.

    The term “boldness” stems from the malware’s roots in using sexual imagery as a lure and distribution vector. According to the researchers, some of the images used could be considered “obscene.” However, Ousaban has moved on since its roots in pornography and has now adopted a more typical approach to distribution. Phishing emails are sent using themes such as messages claiming there were failed package delivery attempts, asking users to open files attached to the email. The file contains an MSI Microsoft Windows installer package. If executed, the MSI extracts a JavaScript downloader that fetches a .ZIP archive containing a legitimate application, which in turn installs the Trojan through DLL side-loading.

    A more complicated distribution chain has also been traced, in which the legitimate app has been tampered with to fetch an encrypted injector that obtains a URL containing remote configuration files for a command-and-control (C2) server address and port, as well as another malicious file that changes various settings on a victim’s PC.

    Ousaban contains the typical capabilities of a Latin American banking Trojan, including the installation of a backdoor, keylogging, screenshot capabilities, mouse and keyboard simulation, and the theft of user data. When victims visit banking institutions, screen overlays are employed to harvest account credentials. However, unusually for malware in the region, Ousaban will also attempt to steal account usernames and passwords from email services by using the same overlay technique.

    ESET says the Trojan’s persistence mechanism includes the creation of either a .LNK file or a VBS loader in the Windows startup folder, or alternatively, the malware will modify the registry. In addition, Ousaban uses Themida or Enigma binary obfuscation to hide its executable files and will inflate their sizes to roughly 400MB “to evade detection and automated processing.” Kaspersky says that Javali/Ousaban has expanded beyond its Brazilian base in the past year or so, but ESET has yet to find any links between the Trojan and a suggested presence in Europe.

    Last month, ESET explored Janeleiro, a .NET Trojan operating in Brazil with similarities to Casbaneiro, Grandoreiro, and Mekotio. This banking malware is being used in targeted attacks against enterprise and government entities.

    Panda Stealer dropped in Excel files, spreads through Discord to steal user cryptocurrency

    A new cryptocurrency stealer variant is being spread through a global spam campaign and potentially through Discord channels. 

    Dubbed Panda Stealer, Trend Micro researchers said this week that the malware has been found targeting individuals across countries including the US, Australia, Japan, and Germany. The malware begins its infection chain through phishing emails, and samples uploaded to VirusTotal also indicate that victims have been downloading executables from malicious websites via Discord links.

    Panda Stealer’s phishing emails pretend to be business quote requests. So far, two methods have been linked to the campaign: the first uses attached .XLSM documents that require victims to enable malicious macros. If macros are permitted, a loader then downloads and executes the main stealer. In the second chain, an attached .XLS file contains an Excel formula that hides a PowerShell command. This command attempts to access a paste.ee URL to pull a PowerShell script to the victim’s system and then grab a fileless payload.

    “The CallByName export function in Visual Basic is used to call the load of a .NET assembly within memory from a paste.ee URL,” Trend Micro says. “The loaded assembly, obfuscated with an Agile.NET obfuscator, hollows a legitimate MSBuild.exe process and replaces it with its payload: the hex-encoded Panda Stealer binary from another paste.ee URL.”

    Once downloaded, Panda Stealer will attempt to detect keys and addresses associated with cryptocurrency wallets holding funds including Ethereum (ETH), Litecoin (LTC), Bytecoin (BCN), and Dash (DASH). In addition, the malware is able to take screenshots, exfiltrate system data, and steal information including browser cookies and credentials for NordVPN, Telegram, Discord, and Steam accounts. While the campaign has not been attributed to specific cyberattackers, Trend Micro says that an examination of the malware’s active command-and-control (C2) servers led the team to IP addresses and a virtual private server (VPS) rented from Shock Hosting. The server has since been suspended.

    Panda Stealer is a variant of Collector Stealer, malware that has been sold in the past on underground forums and through Telegram channels. The stealer appears to have since been cracked by Russian threat actors going under the alias NCP/su1c1de. The cracked malware strain is similar but uses different infrastructure elements such as C2 URLs and folders. “Because the cracked Collector Stealer builder is openly accessible online, cybercriminal groups and script kiddies alike can use it to create their own customized version of the stealer and C2 panel,” the researchers note. “Threat actors may also augment their malware campaigns with specific features from Collector Stealer.”

    Trend Micro says there are similarities in the attack chain and fileless distribution method to Phobos ransomware. Specifically, as described by Morphisec, the “Fair” variant of Phobos is similar in its distribution approach and is being constantly updated to reduce its footprint, such as by reducing encryption requirements, in order to stay under the radar for as long as possible. The researchers also noted correlations between Phobos and LockBit in an April 2021 report.

    Facebook bans Signal's attempt to run transparent Instagram ad campaign

    Encrypted instant messaging app Signal has tried to run a series of Instagram ads to show the amount of data the social media platform and its parent company Facebook collect about users, and how it uses that data to push targeted ads. But that attempt was quickly shut down by Facebook, Signal said in a blog post. Signal explained how it created some targeted ads featuring its own branding to illustrate that if an ad was being used to target a K-pop fan, it would say so. Or if the user was a teacher, it would also say so.

    “We created a multi-variant targeted ad designed to show you the personal data that Facebook collects about you and sells access to,” Signal said. “The ad would simply display some of the information collected about the viewer which the advertising platform uses. Facebook was not into that idea.”

    “Facebook is more than willing to sell visibility into people’s lives, unless it’s to tell people about how their data is being used. Being transparent about how ads use people’s data is apparently enough to get banned; in Facebook’s world, the only acceptable usage is to hide what you’re doing from your audience.”

    Signal has recently gained a flood of new users after Facebook-owned WhatsApp announced new terms of service that would allow it to share user profile data with Facebook in some circumstances. The new terms are due to take effect on May 15. Signal became the fastest growing app in Q1 2021, according to mobile ad analytics firm App Annie.

    Last month, Signal revealed it was possible to gain arbitrary code execution through Cellebrite tools. The tools are used to pull data out of phones the user has in their possession. Signal CEO Moxie Marlinspike said that Cellebrite contains “many opportunities for exploitation” and he thought Cellebrite should have been more careful when creating their forensic tools.

    McAfee, Akamai Q1 reports top expectations on security technology growth

    Security legend McAfee, which is shedding its enterprise business, and bandwidth provider Akamai Technologies, which is transitioning to being more of an enterprise security company, both this afternoon reported Q1 results that topped analysts’ expectations.

    Akamai said its sales of its security software and services rose by 29%, year over year, to $310 million. McAfee said its consumer security business, which excludes revenue from the enterprise business that McAfee is selling off, rose by 25%, year over year. McAfee and Akamai shares were both unchanged in late trading.

    Akamai CEO Tom Leighton said that the company was “pleased with our excellent start in 2021,” noting that “revenue, margins and earnings all [exceeded] expectations.” Added Leighton, “We continued to capitalize on the substantial opportunities for our business, as demonstrated by the very strong growth of our security and edge applications solutions and strong traffic growth on the Akamai Intelligent Edge Platform.”

    Akamai’s total revenue in the three months ended in March rose 10%, year over year, to $843 million, yielding a net profit of $1.38 a share. Analysts had been modeling $830 million and $1.30 per share. Akamai did not offer a forecast.

    McAfee’s total revenue in the three months ended in March rose 13%, year over year, to $773 million, yielding a net profit of 44 cents a share. Analysts had been modeling $732 million and 36 cents per share. McAfee announced March 8th it would sell its enterprise security business to private equity firm Symphony Technology Group for $4 billion in cash. The enterprise business is categorized as “discontinued operations” within the quarterly results, while the remaining consumer business is continuing operations. For the current quarter, McAfee sees revenue from its remaining business, excluding enterprise, of $430 million to $434 million. For the full year, the company sees revenue from continuing operations in a range of $1.77 billion to $1.79 billion.
