More stories

  • Three new malware families found in global finance phishing campaign

    Researchers have found three new malware families used in a widespread phishing campaign rooted in financial crime.

    On Tuesday, FireEye’s Mandiant cybersecurity team said the malware strains, dubbed Doubledrag, Doubledrop, and Doubleback, were detected in December 2020. The threat actors behind the malware, described as “experienced and well-resourced,” are being tracked as UNC2529. Organizations in the US, the EMEA region, Asia, and Australia have so far been targeted in two separate waves.

    Phishing messages sent to potential victims were rarely based on the same email addresses, and subject lines were tailored to targets; in many cases, the threat actors masqueraded as account executives touting services suited to different industries, including defense, medicine, transport, the military, and electronics. Over 50 domains in total were used to manage the global phishing scheme. In one successful attack, UNC2529 compromised a domain owned by a US heating and cooling services business, tampered with its DNS records, and used this infrastructure to launch phishing attacks against at least 22 organizations.

    The lure emails contained links to URLs leading to malicious .PDF payloads and an accompanying JavaScript file contained in a .zip archive. The documents, fetched from public sources, were corrupted to render them unreadable, the theory being that victims might become annoyed enough to double-click the .js file in an attempt to read the content.

    Mandiant says the heavily obfuscated .js file contains the Doubledrag downloader. Alternatively, some campaigns have used an Excel document with an embedded macro to deliver the same payload. Upon execution, Doubledrag attempts to download a dropper as the second stage of the attack chain. This dropper, Doubledrop, is an obfuscated PowerShell script designed to establish a foothold on an infected machine by loading a backdoor into memory. The backdoor is the final malware component, Doubleback, which exists in both 32-bit and 64-bit versions.

    “The backdoor, once it has the execution control, loads its plugins and then enters a communication loop, fetching commands from its [command-and-control] C2 server and dispatching them,” Mandiant notes. “One interesting fact about the whole ecosystem is that only the downloader exists in the file system. The rest of the components are serialized in the registry database, which makes their detection somewhat harder, especially by file-based antivirus engines.”

    There are indications that the malware is still under development: existing functionality scans for the presence of antivirus products, such as those offered by Kaspersky and BitDefender, but even if one is detected, no action is taken. Analysis of the new malware strains is ongoing.

    “Although Mandiant has no evidence about the objectives of this threat actor, their broad targeting across industries and geographies is consistent with a targeting calculus most commonly seen among financially motivated groups,” the researchers say.

  • Patch issued to tackle critical security issues present in Dell driver software since 2009

    Five serious vulnerabilities in a driver used by Dell devices have been disclosed by researchers.

    On Tuesday, SentinelLabs said the vulnerabilities were discovered by security researcher Kasif Dekel, who explored Dell’s DBUtil BIOS driver, software used in the vendor’s desktop and laptop PCs, notebooks, and tablet products. The team says that the driver has been vulnerable since 2009, although there is no evidence, at present, that the bugs have been exploited in the wild.

    The DBUtil BIOS driver ships on many Dell machines running Windows and contains a component, the dbutil_2_3.sys module, which is installed and loaded on demand when the firmware update process is initiated and then unloaded after a system reboot. This module was the subject of Dekel’s scrutiny.

    Dell has assigned one CVE (CVE-2021-21551), CVSS 8.8, to cover the five vulnerabilities disclosed by SentinelLabs. Two are memory corruption issues in the driver, two are security failures caused by a lack of input validation, and one is a logic issue that could be exploited to trigger denial of service.

    “These multiple critical vulnerabilities in Dell software could allow attackers to escalate privileges from a non-administrator user to kernel mode privileges,” the researchers say.

    The team notes that the most crucial issue in the driver is that access-control list (ACL) requirements, which set permissions, are not enforced on Input/Output Control (IOCTL) requests. As drivers often operate with high levels of privilege, this means requests can be sent locally by non-privileged users.

    “[This] can be invoked by a non-privileged user,” the researchers say. “Allowing any process to communicate with your driver is often a bad practice since drivers operate with the highest of privileges; thus, some IOCTL functions can be abused ‘by design.’”

    Functions in the driver were also exposed, creating read/write vulnerabilities usable to overwrite tokens and escalate privileges. Another interesting bug was the possibility of using arbitrary operands to run IN/OUT (I/O) instructions in kernel mode.

    “Since IOPL (I/O privilege level) equals CPL (current privilege level), it is obviously possible to interact with peripheral devices such as the HDD and GPU to either read/write directly to the disk or invoke DMA operations,” the team noted. “For example, we could communicate with ATA port IO for directly writing to the disk, then overwrite a binary that is loaded by a privileged process.”

    SentinelLabs commented: “These critical vulnerabilities, which have been present in Dell devices since 2009, affect millions of devices and millions of users worldwide. As with a previous bug that lay in hiding for 12 years, it is difficult to overstate the impact this could have on users and enterprises that fail to patch.”

    Proof-of-concept (PoC) code is being withheld until June to allow users time to patch. Dell was made aware of Dekel’s findings on December 1, 2020. Following triage and issues surrounding some fixes for end-of-life products, Dell worked with Microsoft and has now issued a fixed driver for Windows machines. The PC giant has issued an advisory (DSA-2021-088) and a FAQ document containing remediation steps to patch the bugs.

    Dell has described the security flaw as “a driver (dbutil_2_3.sys) packaged with Dell Client firmware update utility packages and software tools [which] contains an insufficient access control vulnerability which may lead to escalation of privileges, denial of service, or information disclosure.” “Local authenticated user access is first required before this vulnerability can be exploited,” Dell added.

    “We remediated a vulnerability (CVE-2021-21551) in a driver (dbutil_2_3.sys) affecting certain Windows-based Dell computers,” a Dell spokesperson said. “We have seen no evidence this vulnerability has been exploited by malicious actors to date. We appreciate the researchers working directly with us to resolve the issue.”

    Update 18.35 BST: Inclusion and improved clarity of the module’s loading process.
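
    The first question a defender has after reading this is whether the module named in the story is present or loaded on a given Windows host. The PowerShell script below is an added example written for this page; it is not from SentinelLabs, Dell, or the Dell advisory, and Dell’s own remediation steps are in its FAQ. It takes only the file name dbutil_2_3.sys from the story, searches every fixed drive for copies, reports the SHA-256 and Authenticode signer of each one found, and checks whether a kernel driver service backed by that file is registered or running. It assumes nothing about install paths or the service name, neither of which the story gives, and it is read-only: results are inventory data to compare against advisory DSA-2021-088, not a remediation.

```powershell
# Added example (not Dell's or SentinelLabs' code): inventory one Windows host for the
# dbutil_2_3.sys module named in the story. Read-only: it reports, it does not delete.
# Run from an elevated PowerShell prompt so every directory is readable.

$ModuleName = 'dbutil_2_3.sys'   # file name taken from the story; no install path is assumed

# 1. Search every fixed (DriveType 3) drive for copies of the module, hidden files included.
$fixedDrives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' |
    Select-Object -ExpandProperty DeviceID

$copies = foreach ($drive in $fixedDrives) {
    Get-ChildItem -Path "$drive\" -Filter $ModuleName -File -Recurse -Force -ErrorAction SilentlyContinue
}

if (-not $copies) {
    Write-Output "No copy of $ModuleName found on fixed drives."
} else {
    foreach ($file in $copies) {
        # Hash and signer let the copy be matched against the vendor advisory.
        $hash = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
        [PSCustomObject]@{
            Path            = $file.FullName
            SizeBytes       = $file.Length
            LastWriteTime   = $file.LastWriteTime
            SHA256          = $hash
            SignatureStatus = $sig.Status
            Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        }
    }
}

# 2. Check whether a kernel driver service backed by this file is registered or running.
#    The story says the module is loaded on demand and unloaded after a reboot, so no
#    entry at all is the normal case; a registered or running one deserves a closer look.
$drivers = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -and $_.PathName -like "*$ModuleName*" }

if (-not $drivers) {
    Write-Output "No driver service referencing $ModuleName is registered."
} else {
    $drivers | Select-Object Name, State, StartMode, PathName
}
```

    A full-drive recursive search is slow on large volumes; on a fleet, run it through your endpoint management tool and collect the objects it emits rather than reading console output.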

  • Acronis banks $250M in funds to grow portfolio, partners

    Acronis has raised $250 million in new funds, with plans to tap the money to expand its product support and partner network. It also is open to further acquisitions if potential candidates can advance the company’s goal of providing deeper and broader data protection.

    Its latest funding round was led by private equity firm CVC Capital Partners, which contributed some $220 million, with other investors contributing the remaining $30 million, said Acronis’ founder and CEO Serguei Beloussov. He and his partners remain the company’s largest shareholders. This marked the Singapore-based data security vendor’s third, and biggest, funding round involving external investors. It secured $147 million from investors led by Goldman Sachs in 2019, following its first round in 2004, when it raised $11 million.

    Speaking to ZDNet in a video call, Beloussov said the new funds would help support the company’s growth across several areas, including bolstering its partner ecosystem and product portfolio. In particular, Acronis would look to support a larger number of workload types on its flagship offering, Cyber Protect. The data security platform currently is optimised to secure 30 different workload types, including Linux, VMware, and Microsoft Hyper-V. “We want to extend [this so] support is deeper and broader, and we can protect our customers’ complete infrastructure,” Beloussov said, adding that the vendor hoped to add application workloads such as Netsuite and Salesforce to its portfolio. The funds injection also would drive research and development efforts to integrate machine learning and artificial intelligence (AI) capabilities with its network and security infrastructure, he said.

    The aim here was to enhance the platform’s ability to detect, predict, and prevent potential system downtime, whether this was due to security attacks, natural disaster, or hardware and software faults, he noted. Machine learning also could be leveraged to help network administrators speed up their decision-making and more quickly resolve problems, he added. In some cases, it could do so without any human intervention and with much faster and better results, he said. The technology also could be tapped to improve the quality and speed of Acronis’ product development, Beloussov said. Noting that the company had a product development team of 1,600, including 1,000 engineers, he said this number was not always big enough to support a company of Acronis’ size. Hence, a good way to augment and advance such human resources was through machine-assisted intelligence, he said.

    The CEO also was open to making further acquisitions if potential candidates could help Acronis provide broader and deeper protection as well as better enable its partner ecosystem, which included managed services providers (MSPs), telcos, cloud providers, and cloud services aggregators. The vendor currently has 10,000 active MSPs on its network, in addition to another 5,000 that were registered but not actively engaged. The company would be looking to grow this number with the new funds, which also would be used to provide more training and certification programmes for its partners. Here, special focus would go towards Asia-Pacific and Japan, where the service provider markets were growing rapidly but were less developed compared to the US, Beloussov said. He also revealed plans to expand in China, where Acronis would soon open its first office, likely in Beijing or Shanghai, and a data centre.

    The vendor currently operates 26 data centres worldwide and plans to increase this number to 111. Earlier this year, it launched a site in Bhutan and planned to open data centres in India and Indonesia. The latest funds, which Acronis said pushed its value to more than $2.5 billion, also would be tapped to grow its engineering team in key markets, including Singapore, Israel, and Bulgaria.

  • This malware has been rewritten in the Rust programming language to make it harder to spot

    Phishing emails claiming to be from a delivery company are being used to deliver a new version of a form of malware that is itself used to deliver ransomware and other cyber attacks.

    Buer malware first emerged in 2019 and is used by cyber criminals to gain a foothold on networks which they can exploit themselves, or to sell that access on to other attackers to deliver their own malware campaigns, most notably ransomware attacks. Now cybersecurity researchers at Proofpoint have uncovered a new variant of Buer written in an entirely different programming language from the original malware. It’s unusual for malware to be completely rewritten in this way, but it helps the new campaigns remain undetected in attacks against Windows systems.

    The original Buer was written in the C programming language, while the new variant is written in Rust, leading researchers to name the new variant RustyBuer. “Rewriting the malware in Rust enables the threat actor to better evade existing Buer detection capabilities,” said Proofpoint.

    RustyBuer is commonly delivered via phishing emails designed to look as if they come from delivery company DHL, asking the user to download a Microsoft Word or Excel document which supposedly details information about a scheduled delivery. The delivery is in fact fake, but cyber criminals know that the Covid-19 pandemic has resulted in more people ordering more items online, so messages claiming to be from delivery companies have become a common trick to lure people into opening malicious messages and downloading harmful files.

    In this instance, the malicious document asks users to enable macros, by asking them to enable editing, in order to allow the malware to run. The fake delivery notice claims that the user needs to do this because the document is ‘protected’, even using the logos of several anti-virus providers in an effort to look more legitimate to the victim. If macros are enabled, RustyBuer is delivered to the system, providing the attackers with a backdoor into the network and the ability to compromise victims with other attacks, including ransomware.

    The new version of the malware, combined with improvements to the email lures, suggests that the authors of Buer are hard at work making their product as effective as possible, providing those they sell it to on underground forums with both a means of compromising networks themselves and access to infected machines that can be sold on to others.

    “The rewritten malware, and the use of newer lures attempting to appear more legitimate, suggest threat actors leveraging RustyBuer are evolving techniques in multiple ways to both evade detection and attempt to increase successful click rates,” Proofpoint researchers wrote in a blog post. “Based on the frequency of RustyBuer campaigns observed by Proofpoint, researchers anticipate we will continue to see the new variant in the future,” they added.

    One way organisations can help prevent Buer, RustyBuer and other forms of malware from being run via phishing emails is to disable macros in Microsoft Office products for users who don’t need them.

  • Microsoft's new open-source tool could stop your AI from getting hacked

    Microsoft has released an open-source tool called Counterfit that helps developers test the security of artificial intelligence (AI) systems. Microsoft has published the Counterfit project on GitHub and points out that a previous study it conducted found most organizations lack the tools to address adversarial machine learning.

    “This tool was born out of our own need to assess Microsoft’s AI systems for vulnerabilities with the goal of proactively securing AI services, in accordance with Microsoft’s responsible AI principles and Responsible AI Strategy in Engineering (RAISE) initiative,” Microsoft says in a blogpost.

    Microsoft describes the command line tool as a “generic automation tool to attack multiple AI systems at scale” that Microsoft’s red team operations use to test its own AI models. Microsoft is also exploring using Counterfit in the AI development phase. The tool can be deployed via Azure Shell from a browser or installed locally in an Anaconda Python environment. Microsoft promises the command line tool can assess models hosted in any cloud environment, on-premises, or on edge networks. Counterfit is also model-agnostic and strives to be data-agnostic, applicable to models that use text, images, or generic input.

    “Our tool makes published attack algorithms accessible to the security community and helps to provide an extensible interface from which to build, manage, and launch attacks on AI models,” Microsoft notes. The tool could in part be used to guard against adversarial machine learning, where an attacker tricks a machine-learning model with manipulated data, as in McAfee’s hack of older Teslas with Mobileye cameras, which tricked them into misreading the speed limit by placing black tape on speed signs. Another example was Microsoft’s Tay chatbot disaster, which saw the bot tweeting racist comments.

    Its workflow has also been designed in line with widely used security frameworks, such as Metasploit or PowerShell Empire. “The tool comes preloaded with published attack algorithms that can be used to bootstrap red team operations to evade and steal AI models,” explains Microsoft. The tool can also help with vulnerability scanning of AI systems and creating logs to record attacks against a target model.

    Microsoft tested Counterfit with several customers, including aerospace giant Airbus, a Microsoft customer developing an AI platform on Azure AI services. “AI is increasingly used in industry; it is vital to look ahead to securing this technology particularly to understand where feature space attacks can be realized in the problem space,” said Matilda Rhode, a senior cybersecurity researcher at Airbus, in a statement. “The release of open-source tools from an organization such as Microsoft for security practitioners to evaluate the security of AI systems is both welcome and a clear indication that the industry is taking this problem seriously.”

  • Problems installing iOS 14.5.1? Here's what you need to know

    I’ve heard from several iPhone users having issues installing the latest iOS 14.5.1 update. Some users mentioned that the update was stuck on “Checking for update,” while others are experiencing crashes and lock-ups.

    iOS 14.5.1 is an important update, fixing a bug in the App Tracking Transparency framework, as well as a security bug that, according to Apple, is being actively exploited. But what if you can’t install the update?

    Here are my top tips for smooth installs:

      • Make sure you have a minimum of 1GB free, with between 5 and 10GB being optimal
      • Reboot the iPhone before installing
      • Put the iPhone on charge and ensure it is over 50 percent charged
      • Make sure you are not in Low Power Mode
      • Turn off VPN
      • Make sure you are connected to a strong and stable Wi-Fi connection

    If this fails, reboot the iPhone and try again. If it continues to fail, you might have better luck installing the update using a computer.

  • XDR defined: Giving meaning to extended detection and response

    The term “extended detection and response” or XDR was coined back in 2018, but definitions continue to vary significantly. There has been no reliable, unbiased explanation of what XDR is and how it differs from a security analytics platform, which has led to confusion and to XDR being dismissed as nothing more than yet another cybersecurity marketing buzzword. To help clarify this, Forrester has released research on what XDR is, what XDR isn’t, and what clients need to look for when evaluating XDR solutions. This research is a rigorous breakdown of what to expect from XDR solutions based on interviews and survey results from XDR end users and over 40 security vendors. Below is an adaptation of a short excerpt of the report that defines XDR and explains its origins. The complete report goes into significantly more depth and includes helpful recommendations.

    What Is Extended Detection And Response (XDR)?

    XDR is emerging due to the value that endpoint detection and response (EDR) brings to incident response and the appetite to pair EDR data with additional telemetry that can’t be captured from endpoints alone. Forrester defines XDR as: the evolution of EDR, which optimizes threat detection, investigation, response, and hunting in real time. XDR unifies security-relevant endpoint detections with telemetry from security and business tools such as network analysis and visibility (NAV), email security, identity and access management, cloud security, and more. It is a cloud-native platform built on big data infrastructure to provide security teams with flexibility, scalability, and opportunities for automation. XDR’s value is driven by its security analytics capabilities, third-party integrations, and response actions.

    Why Does XDR Come From EDR?

    EDR was the proof of concept for XDR. EDR’s remarkable success served as validation that its detection and response capabilities allow security analysts to detect threats, perform investigations, and respond in real time. While EDR provides effective endpoint detection and response, security teams require more telemetry than just the endpoint. Security teams have used security analytics platforms, security information and event management (SIEM) solutions, NAV, and homegrown data lakes to match endpoint telemetry with security data from other parts of the environment. These efforts had varying degrees of success but suffered from extreme resource consumption, a high rate of false positives, and sizable data volumes.

    How Is XDR Brought To Market?

    XDR is often categorized as open or closed, which is confusing, as “open” implies “open source,” which is very different from what is meant by “open XDR.” Thus, Forrester describes XDR as “native” or “hybrid.”

    Forrester defines hybrid XDR as: an XDR platform that relies on integrations with third parties for the collection of other forms of telemetry and execution of response actions related to that telemetry. Forrester defines native XDR as: an XDR suite that integrates with other security tools from the same vendor’s portfolio for the collection of other forms of telemetry and execution of response actions related to that telemetry.

    Is XDR The Same As SIEM?

    XDR is on a collision course with security analytics and security orchestration, automation, and response (SOAR). XDR and SIEM are not converging but colliding. XDR will compete head-to-head with security analytics platforms (and SIEMs) for threat detection, investigation, response, and hunting. Security analytics platforms have over a decade of experience in data aggregation that they apply to these challenges but have yet to provide incident response capabilities that are sufficient at enterprise scale, forcing enterprises to prioritize alternate solutions. XDR is rising to fill that void through a distinctly different approach anchored in the endpoint and in optimization. The core difference between XDR and the SIEM is that XDR detections remain anchored in endpoint detections, as opposed to taking the nebulous approach of applying security analytics to a large set of data. As XDR evolves, expect the vendor definition of endpoint to evolve as well based on where the attacker’s target is, regardless of whether it takes the form of a laptop, workstation, mobile device, or the cloud.

    This post was written by Analyst Allie Mellen, and it originally appeared here.

  • You should update your iPhone and iPad to iOS 14.5.1 right away

    Screenshot by Jason Cipriani/ZDNet

    Apple on Monday released iOS 14.5.1 and iPadOS 14.5.1 for its iPhone and iPad lineup. The update comes just a week after iOS 14.5 and iPadOS 14.5 were officially released, but there’s a good reason for the back-to-back updates: it includes a fix for two security issues that, according to Apple, are actively being exploited. According to a security post about Monday’s update, for each of two WebKit bugs “Apple is aware of a report that this issue may have been actively exploited.”

    The issue impacts the iPhone 6S or newer, all iPad Pro models, the iPad Air 2 or newer, the iPad 5th generation or newer, the iPad Mini 4 or later, and the latest iPod touch. To update your device, open Settings > General > Software Update and follow the prompts. As always, it’s a good idea to back up your device before installing the update.

    Apple also released a similar update for its Mac lineup with MacOS 11.3.1, WatchOS 7.4.1 for the Apple Watch, and iOS 12.5.3 for older iPhone and iPad models.