More stories


    Chaes malware strikes customers of Latin America’s largest e-commerce platform

    Previously unknown malware has been detected in widespread attacks against e-commerce customers in Latin America. 

    The malware, dubbed Chaes by Cybereason Nocturnus researchers, is being deployed by a threat actor across the LATAM region to steal financial information. 
    In a blog post on Wednesday, the cybersecurity team said Brazilian customers of the area’s largest e-commerce company, MercadoLivre, are the focus of the infostealing malware.
    Headquartered in Buenos Aires, Argentina, MercadoLivre operates both an online marketplace and auctions platform. In 2019, an estimated 320.6 million users were registered with the e-commerce giant. 
    First detected in late 2020 by Cybereason, Chaes is spread via phishing campaigns in which emails claim that a MercadoLivre purchase has been successful. To make the message look more legitimate, the threat actors also appended a “scanned by Avast” footnote. 
    The messages contain a malicious .docx file attachment. Assaf Dahan, Cybereason Head of Threat Research, told ZDNet the attachment leverages “a template injection technique, using Microsoft Word’s built-in feature to fetch a payload from a remote server.”

    If the victim opens the file, Word’s remote-template fetch (a built-in feature, not a software vulnerability) is used to contact the attacker’s command-and-control (C2) server and download the first malicious payload, an .msi file.
    This file then deploys a .vbs file used to execute other processes, along with uninstall.dll and engine.bin, which together act as the malware’s “engine.” A further trio of files, hhc.exe, hha.dll and chaes1.bin, stitch together Chaes’s main components. A cryptocurrency mining module was also recorded. 
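    A practitioner triaging such attachments wants a check that runs before the document is ever opened. The script below is an added example written for this page, not Cybereason’s tooling and not anything recovered from the campaign: it unpacks a .docx, reads the relationships of word/settings.xml, and flags any attachedTemplate whose target resolves off the local machine, which is exactly what the remote-template technique relies on. The sample documents it builds are constructed in memory, the 203.0.113.x addresses are documentation-range placeholders rather than real C2 infrastructure, and no URL or file name here comes from Chaes.

```python
"""Flag a .docx whose attached template is fetched from a remote host.

Added example for this article (not Cybereason's or ZDNet's code); standard
library only. Sample documents are constructed in memory; 203.0.113.x is the
documentation address range, used as a placeholder for an attacker host.
"""
import io
import zipfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
# Word stores the attached-template link as a relationship of settings.xml.
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def is_remote_target(target):
    """True if a relationship target points off the local machine."""
    t = target.strip()
    if t.startswith(("\\\\", "//")):            # UNC path: \\host\share\x.dotm
        return True
    parts = urlsplit(t)
    if parts.scheme in ("http", "https", "ftp"):
        return True
    # file://host/share/... and file:////host/share/... resolve over the network;
    # file:///C:/Users/.../Normal.dotm (no host part) is the normal local case.
    return parts.scheme == "file" and bool(parts.netloc or parts.path.startswith("//"))


def remote_templates(docx_bytes):
    """Return the external attachedTemplate targets in a .docx (empty list = clean)."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if SETTINGS_RELS not in z.namelist():
            return hits
        root = ET.fromstring(z.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            target = rel.get("Target", "")
            # Word marks local and remote templates alike as TargetMode="External",
            # so the target itself, not the mode, decides.
            if is_remote_target(target):
                hits.append(target)
    return hits


# Minimal parts of a valid .docx; only the settings relationships matter here.
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    '<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>'
    '<Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/>'
    '</Types>')
ROOT_RELS = (f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
             'Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" '
             'Target="word/document.xml"/></Relationships>')
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
R_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
DOCUMENT_XML = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r><w:t>'
                'Your order was successful</w:t></w:r></w:p></w:body></w:document>')


def build_docx(template_target=None):
    """Construct a sample .docx in memory, optionally with an attached template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("_rels/.rels", ROOT_RELS)
        z.writestr("word/document.xml", DOCUMENT_XML)
        if template_target is None:
            z.writestr("word/settings.xml", f'<w:settings xmlns:w="{W_NS}"/>')
        else:
            z.writestr("word/settings.xml",
                       f'<w:settings xmlns:w="{W_NS}" xmlns:r="{R_NS}">'
                       '<w:attachedTemplate r:id="rId1"/></w:settings>')
            z.writestr(SETTINGS_RELS,
                       f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                       f'Type="{ATTACHED_TEMPLATE}" Target="{template_target}" '
                       'TargetMode="External"/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples: one remote HTTP template, one UNC path, one local, one none.
    for label, target in [("remote", "http://203.0.113.10/order.dotm"),
                          ("unc", "\\\\203.0.113.10\\share\\order.dotm"),
                          ("local", "file:///C:/Users/me/Templates/Normal.dotm"),
                          ("none", None)]:
        print(label, remote_templates(build_docx(target)))
```

    On a mail gateway this check sits between the MIME parser and delivery: a hit on an inbound .docx is a strong reason to quarantine, because Word fetches the target as soon as the document is opened, with no macro prompt involved in the download itself.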
    Chaes creates registry keys to maintain persistence for the malware’s main engine and will deploy modules disguised as legitimate processes in order to steal system information, extract sensitive information from Google Chrome browser sessions, harvest login credentials for online accounts, and exfiltrate financial information; in particular, when the MercadoLivre domain is visited.
    Of particular note is Chaes’ ability to open a Chrome session. Activity is monitored and controlled through API hooking and the Node.js library Puppeteer. MercadoLivre and MercadoPago pages can be accessed without consent on infected machines. The malware is also able to take screenshots of MercadoLivre pages visited and send them to the C2.
    “The alarming part in this node.js-based malware is the fact the majority of this behavior is considered normal, as the usage of the Puppeteer library for web scraping is not malicious by nature,” the team says. “Therefore, detecting these kinds of threats is much more challenging.”
    Chaes also appears to be under active development: revised versions of the malware target the MercadoLivre pages that relate to e-commerce purchases more directly. 
    Cybereason is currently exploring whether or not the malware is being used in campaigns against other e-commerce companies, and warns that Chaes may indicate a “possible future trend in using the Puppeteer library for further attacks in other major financial institutions.”


    Firefox support for Flash ends on January 26

    Mozilla laid out on Tuesday the steps it will take to put the final nails into the coffin containing Adobe Flash.
    “Firefox version 84 will be the final version to support Flash. On January 26, 2021 when we release Firefox version 85, it will ship without Flash support, improving our performance and security,” Mozilla said in a post.
    “There will be no setting to re-enable Flash support. The Adobe Flash plugin will stop loading Flash content after January 12, 2021.”
    Users in the nightly and beta channels will see support disappear when the 85 build hits them, with nightly losing support on Tuesday, and the beta channel set to lose Flash support on December 14.
    Mozilla said if a company required Flash licensing support after it ends, they should get in contact with Samsung’s Harman for Adobe-endorsed support.
    It’s been a long road to finally killing off Flash in browsers.
    Adobe announced the ending of Flash updates and distribution in July 2017. Flash-ending crusader Apple only got around to removing the technology in Safari 14, which appeared in September.

    Browser makers had previously taken steps to cage Flash. For instance, Mozilla moved to prevent Flash running by default last year.
    Earlier on Tuesday, Mozilla released Firefox 83, which shipped HTTPS-Only Mode, an opt-in setting that makes the browser connect to websites over HTTPS only.
    If Firefox 83 cannot make an HTTPS connection, the browser shows an error and asks the user to click a button to confirm they want to access the website over unencrypted HTTP instead.
    Firefox 83 is also the first version to support pinching to zoom on desktops.
    Traditional zooming on Firefox causes the page to be reflowed as it zooms in, whereas pinching on Firefox 83 behaves as it does on mobile and only increases the size of content.
    “Reflowing and non-reflowing zoom lend themselves to different use cases. Reflowing zoom is useful if, say, you’re reading an article but the text is a bit small for comfort,” Mozilla software engineer Botond Ballo said.
    “Non-reflowing zoom is useful if, say, you want to zoom in on an image or diagram to get a closer look at it.”
    Pinch zooming is currently supported on touchscreens and touchpads on Windows and Mac desktops, with Linux support labelled as a work in progress.


    Trump fires CISA Director Chris Krebs

    In a pair of tweets published on Tuesday, US President Donald Trump announced that he had “terminated” Chris Krebs, Director of the Cybersecurity and Infrastructure Security Agency (CISA), over a recent statement calling the presidential election the most secure in US history.
    Trump claimed the statement was “highly inaccurate,” citing instead “massive improprieties and fraud” in an election he lost to Democrat candidate Joe Biden.

    …votes from Trump to Biden, late voting, and many more. Therefore, effective immediately, Chris Krebs has been terminated as Director of the Cybersecurity and Infrastructure Security Agency.
    — Donald J. Trump (@realDonaldTrump) November 18, 2020

    A CISA spokesperson was not available for comment; however, Krebs confirmed the firing in a tweet from his personal account.

    Prior to being terminated today, Krebs served as CISA Director for exactly two years and one day, since November 16, 2018, when the agency was formally founded.
    Rumors that Trump was looking to fire the CISA chief began circulating last week, when Krebs told multiple associates that he expected to be fired following the agency’s efforts to counter voter disinformation campaigns during the election.
    According to a Reuters report, Krebs got on Trump’s bad side after establishing and running Rumor Control, a web page on the CISA website where CISA experts debunked election fraud rumors, many of which the US president was actively promoting during and after the election as facts on his Twitter account.
    Following the Reuters report, several Democrat officials and cyber-security experts came to Krebs’ defense.

    Cyberscoop reported that while multiple Republican lawmakers had lauded Krebs’ work at CISA in previous months, none came to his defense after he drew Trump’s ire.
    “Chris Krebs is an extraordinary public servant and exactly the person Americans want protecting the security of our elections,” US Sen. Mark R. Warner (D-VA), Vice Chairman of the Senate Select Committee on Intelligence, said in a statement today.
    “It speaks volumes that the president chose to fire him simply for telling the truth.”


    CyberCX continues aggressive expansion with Queensland operations launch

    CyberCX, the group of security companies headed by two of Australia’s most experienced technology and cyber veterans, has continued its expansion, this time into Queensland.
    The company said it has unified Queensland’s best cybersecurity talent, expertise, and capability to create the state’s leading full-service cybersecurity operator.
    The launch follows CyberCX recently acquiring two Queensland-based cyber companies, Alcorn Group and Yell IT.
    CyberCX said it would work closely with the University of Queensland and QUT to help it grow its Queensland workforce to around 200 over the next 18 months.
    “Queensland is a key market focus for CyberCX. We are the country’s largest, sovereign cybersecurity player and we are passionate about protecting the communities we serve,” CyberCX CEO John Paitaridis said. “CyberCX is well placed to deliver mission-critical cybersecurity services to Queensland businesses and government leveraging our 600 plus cybersecurity specialists nationally.”
    CyberCX in late October also stood up operations in Western Australia after acquiring two local cyber firms, Asterisk Information Security and Diamond Cyber Security.

    Similar to its Brisbane approach, CyberCX said it would work with ECU, UWA, and Curtin University to grow its Western Australian workforce to over 70 cybersecurity professionals over the next year. 
    CyberCX, backed by private equity firm BGH Capital, was formed a year ago when it brought together 12 of Australia’s independent cybersecurity brands: Alcorn, Assurance, Asterisk, CQR, Diamond, Enosys, Klein&Co, Phriendly Phishing, Sense of Security, Shearwater, TSS, and YellIT.
    It is headed by Alastair MacGibbon, former head of the Australian Cyber Security Centre and once special adviser on cybersecurity to former Prime Minister Malcolm Turnbull, as well as Paitaridis, who was formerly Optus Business’ managing director.
    Since launch, CyberCX has gone on an expansion spree, scooping up a number of local cybersecurity startups, which in addition to the Queensland and Western Australian acquisitions, includes identity management firm Decipher Works and cloud security specialists CloudTen in October; and two Melbourne-based startups, Basis Networks and Identity Solutions, in July.
    CyberCX also pushed into the New Zealand market in August, adding its first Kiwi acquisition, Insomnia Security, a month later.


    Ransomware attack forces web hosting provider Managed.com to take servers offline

    Managed.com, one of the biggest providers of managed web hosting solutions, has taken down all its servers in order to deal with a ransomware attack, ZDNet has learned today.

    The attack took place on Monday, November 16, and the ransomware impacted the company’s public-facing web hosting systems, resulting in some customer sites having their data encrypted.
    Managed.com said the incident only impacted a limited number of customer sites, which the company said it immediately took offline.
    But hours after the attack, Managed.com said it also took down its entire web hosting infrastructure, which the company is now working to restore.
    This included WordPress and DotNetNuke managed hosting solutions, email servers, DNS servers, RDP access points, FTP servers, and online databases.
    Initially, the company passed the attack off as unscheduled maintenance but eventually came clean in emails and messages provided by its tech support operators to an ever-increasing number of angry customers.
    The company says it is now working with law enforcement to identify the attackers and restore customer systems as soon as possible.

    But on online forums, Managed.com customers now fear that their sites will remain down for days or weeks. They cite a similar incident that took place at fellow web hosting provider A2 Hosting in May 2019, from which the company needed more than a month to recover, during which time a large number of customers had to wait for their sites and site data to be restored.
    A Managed.com spokesperson did not return a request for comment before this article’s publication.
    Managed.com now joins a long list of ransomware incidents that have impacted web hosting and data center providers. The list also includes Equinix, CyrusOne, Cognizant, X-Cart, A2 Hosting, SmarterASP.NET, Dataresolution.net, and Internet Nayana.


    Microsoft Defender for Linux adds new security feature

    I know it’s still hard for some of you to wrap your minds around it, but Microsoft really does support Linux these days. A case in point: Back in June, Microsoft released Microsoft Defender Advanced Threat Protection (ATP) for Linux for general use. Now, Microsoft has improved the Linux version of Defender, by adding a public preview of endpoint detection and response (EDR) capabilities.

    This is still not a version of Microsoft Defender you can run on a standalone Linux desktop. Its primary job remains to protect Linux servers from server and network threats. If you want protection for a standalone desktop, use programs such as ClamAV or Sophos Antivirus for Linux.
    For businesses, though, with workers from home now using their Macs and Windows PCs here, there, and everywhere, it’s a different story. The Linux agent covers the servers, while the wider Microsoft Defender for Endpoint service covers endpoints running macOS, Windows 8.1, and Windows 10, all reporting into the same console. 
    With these new EDR capabilities, Linux Defender users can detect advanced attacks that involve Linux servers, utilize rich experiences, and quickly remediate threats. This builds on the existing preventative antivirus capabilities and centralized reporting available via the Microsoft Defender Security Center.
    Specifically, it includes:
    Rich investigation experience, which includes machine timeline, process creation, file creation, network connections, login events, and advanced hunting.
    Optimized performance: improved CPU utilization during compilation procedures and large software deployments.
    In-context AV detection. Just like with the Windows edition, you’ll get insight into where a threat came from and how the malicious process or activity was created.
    To run the updated program, you’ll need one of the following Linux servers: RHEL 7.2+; CentOS Linux 7.2+; Ubuntu 16.04 LTS or higher; SLES 12+; Debian or higher; or Oracle Linux 7.2.
    Next, to try these public preview capabilities, you’ll need to turn on the preview features in Microsoft Defender Security Center. Before you do this, make sure you’re running version 101.12.99 or higher. You can find out which version you’re running with the command: 

    mdatp health

    You shouldn’t switch all your servers running Microsoft Defender for Endpoint on Linux to the preview in any case. Instead, Microsoft recommends you configure only some of your Linux servers to Preview mode, with the following command:

    $ sudo mdatp edr early-preview enable 

    Once that’s done, if you’re feeling brave and want to see for yourself if it works, Microsoft is offering a way to run a simulated attack. To do this, follow the steps below to simulate a detection on your Linux server and investigate the case. 

    Verify that the onboarded Linux server appears in Microsoft Defender Security Center. If this is the first onboarding of the machine, it can take up to 20 minutes until it appears. 

    Download and extract the script file from aka.ms/LinuxDIY to an onboarded Linux server and run the following command: ./mde_linux_edr_diy.sh

    After a few minutes, an alert should be raised in Microsoft Defender Security Center.

    Look at the alert details, machine timeline, and perform your typical investigation steps.
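    Pulling the preview steps above together, the following added example (written for this page, not Microsoft’s code) decides per server whether the EDR preview may be switched on: it parses the app_version field out of mdatp health output, compares it with 101.12.99, and only renders the enable command for hosts an operator has explicitly put on the preview list, which keeps the preview to a subset of the fleet as the article advises. The mdatp health text is constructed to mirror the tool’s key : value layout rather than captured from a real server, the host names are invented, and the commands are rendered as strings, not executed.

```python
"""Gate the Defender for Endpoint on Linux EDR preview on the agent version.

Added example for this article, not Microsoft's code. The `mdatp health`
samples below are constructed (key : value layout, as the tool prints), the
host names are invented, and commands are planned, never run.
"""
import re
import shlex

MIN_PREVIEW_VERSION = (101, 12, 99)                 # "version 101.12.99 or higher"
ENABLE_PREVIEW = ["sudo", "mdatp", "edr", "early-preview", "enable"]

# app_version line as printed by `mdatp health`; the value is double-quoted.
_APP_VERSION = re.compile(r'^app_version\s*:\s*"?([0-9][0-9.]*)"?\s*$', re.MULTILINE)


def parse_app_version(health_output):
    """Extract app_version from `mdatp health` text as a comparable int tuple."""
    m = _APP_VERSION.search(health_output)
    if not m:
        raise ValueError("app_version not present in mdatp health output")
    return tuple(int(part) for part in m.group(1).split("."))


def preview_eligible(version):
    """Tuple comparison copes with 2- or 4-part versions: (101, 13) >= (101, 12, 99)."""
    return version >= MIN_PREVIEW_VERSION


def plan_rollout(health_by_host, preview_hosts):
    """Decide per host: 'enable' the preview, 'upgrade-first', or leave 'stable'.

    Only hosts explicitly named in preview_hosts are ever switched; everything
    else stays on the stable channel regardless of version.
    """
    plan = {}
    for host, output in sorted(health_by_host.items()):
        if host not in preview_hosts:
            plan[host] = "stable"
            continue
        try:
            version = parse_app_version(output)
        except ValueError:
            plan[host] = "unknown-version"      # do not enable on an unhealthy agent
            continue
        plan[host] = "enable" if preview_eligible(version) else "upgrade-first"
    return plan


def commands_for(plan):
    """Render the shell command line for every host that is cleared to enable."""
    return {host: shlex.join(ENABLE_PREVIEW)
            for host, action in plan.items() if action == "enable"}


# Constructed sample output (not captured from real hosts).
SAMPLE_HEALTH = {
    "web-01": 'healthy                                     : true\n'
              'licensed                                    : true\n'
              'app_version                                 : "101.12.99"\n',
    "web-02": 'healthy                                     : true\n'
              'app_version                                 : "101.10.72"\n',
    "db-01":  'healthy                                     : true\n'
              'app_version                                 : "101.14.0"\n',
    "build-01": 'healthy                                   : false\n'
                'health_issues                             : ["agent not reporting"]\n',
}
PREVIEW_HOSTS = {"web-01", "web-02", "build-01"}

if __name__ == "__main__":
    rollout = plan_rollout(SAMPLE_HEALTH, PREVIEW_HOSTS)
    for host, action in rollout.items():
        print(f"{host:10s} {action}")
    for host, cmd in commands_for(rollout).items():
        print(f"{host}: {cmd}")
```

    On a real fleet the per-host text would come from running mdatp health over your usual remote-execution channel; the decision logic stays the same, and a host that fails to report a version is deliberately left alone rather than guessed at.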

     Good luck! 


    Chrome 87 released with fix for NAT Slipstream attacks, broader FTP deprecation

    Google has released today version 87 of its Chrome browser, a release that comes with a security fix for the NAT Slipstream attack technique and a broader deprecation of the FTP protocol.
    Today’s release is available for Windows, Mac, Linux, Chrome OS, Android, and iOS. Users can update to the new version via Chrome’s built-in update utility.
    While in previous versions, Google has shipped some changes to Chrome settings and UI elements, almost all the major new Chrome 87 features are aimed at web developers.
    In Chrome 87, we have new APIs and updates to Chrome’s built-in Developer Tools, such as:
    Support for the new Cookie Store API;
    New features to allow easier modification of web fonts via CSS;
    A new feature to let websites enumerate all the locally installed fonts;
    Support for pan, tilt, and zoom controls on webcam streams; and,
    Support for debugging WebAuthn operations via the Chrome DevTools.
    NAT Slipstream attack fixes
    Chrome 87 also comes with a fix for a new attack disclosed at the end of October by Samy Kamkar, a famous security researcher and computer hacker.
    Named NAT Slipstream, this technique allows attackers to bypass firewalls and make connections to internal networks by tricking users into accessing malicious sites — effectively turning Chrome into a proxy for attackers.

    Chrome 87 will be the first browser to block NAT Slipstream attacks by blocking access to ports 5060 and 5061, which the attack uses to bypass firewalls and network address translation (NAT) schemes.

    Similar efforts are also underway at Apple and Mozilla, with fixes planned for future versions of Safari and Firefox.
    FTP deprecation
    In addition, Google is also following through on its plans to remove FTP support from Chrome. This process started last year, and was initially planned for Chrome 81.
    Google delayed its initial deprecation schedule due to the COVID-19 pandemic, fearing that the change might disrupt hospital networks or employees working from home needing to access resources stored on FTP servers.
    The FTP deprecation was rescheduled for the fall and began last month with the release of Chrome 86 when Google removed support for FTP links for 1% of Chrome’s userbase.
    With Chrome 87, Google will now remove FTP support for half of Chrome’s userbase, and the browser maker plans to disable support for FTP links altogether next year, in January, with the release of Chrome 88.
    Mozilla has already removed support for FTP links in Firefox earlier this year in June, with the release of Firefox 77.
    Tab throttling, occlusion tracking, and back-forward cache
    Chrome 87 also comes with some performance improvements by the addition of tab throttling, occlusion tracking, and back-forward cache.
    The first two features will work together. Occlusion tracking will allow Chrome to know which browser windows and tabs are visible to the user, and then enable the new tab throttling feature to put background tabs to sleep until they’re needed again.
    Back-forward caching is an older feature that was first added in Chrome 79, but hidden under a Chrome flag. With Chrome 87, back-forward caching is now enabled by default for all users. Google says it expects to improve back-forward navigation events by roughly 20% once this new feature is enabled.


    Majority of APAC firms pay up in ransomware attacks

    A majority of businesses across the Asia-Pacific region are choosing to pay up after falling victim to ransomware attacks, with 88% in Australia and 78% in Singapore forking out the ransom in full or in part. And such attacks are expected to continue climbing amidst accelerated digital transformation efforts and remote work, as organisations evolve to cope with the global pandemic. 
    Some 45% of enterprises in Singapore would take between five and 10 days to recover fully from a ransomware attack, compared to 11% in India and 35% in China, according to Veritas’ 2020 Ransomware Resiliency Report released Tuesday night. Conducted by Wakefield Research in September, the global study polled 2,690 senior IT executives from companies with at least 1,000 employees, including 150 respondents each from six Asia-Pacific markets including Japan and South Korea.
    And while 39% in India said they would need fewer than five days to fully recover from a ransomware attack, another 36% in the country said they needed more than a month to do so — the highest number across the region. Just 1% in Singapore said they would need more than a month to recover completely from such attacks, as did 2% in Australia and 8% in China. 


    Furthermore, 1% in Australia as well as in South Korea said they would not be able to recover fully from a ransomware attack, along with 7% in China. Worldwide, 2% said they would be unable to do so. 
    Upon experiencing a ransomware attack, 62% in China paid the ransom in full or in part, while 77% in India and 57% in Japan did likewise. Another 69% in South Korea paid the ransom in full or in part. 
    The study also revealed that, across the board, companies managing greater complexity in their multi-cloud infrastructure were more likely to pay the ransom to reclaim their hijacked data: those that paid in full ran a mean of 17.11 cloud services. 
    In addition, 20% of companies operating fewer than five cloud platforms paid a ransom in full, compared to 30% with more than 20 cloud platforms.

    The complexity of having to operate cloud architectures also had a significant impact on an organisation’s ability to recover following a ransomware attack, according to Veritas. Some 44% of businesses with fewer than five cloud providers in their infrastructure needed fewer than five days to recover, compared to 12% of those with more than 20 providers. 
    And while 49% of businesses with fewer than five cloud providers could restore 90% or more of their data, only 39% of their peers running more than 20 cloud services were able to do likewise. 
    In Singapore, 49% said their security had kept pace with their IT complexity. Their counterparts in India, at 55%, were the most confident in the region that their security measures were keeping pace with IT complexity. Just 31% in China said likewise, along with 36% in Japan, 39% in South Korea, and 43% in Australia. 
    Ransomware attacks on an upward trajectory
    With ransomware attacks expected to continue climbing amidst accelerated digital transformation efforts and remote work practices, enterprises in the region will need to ensure they can detect and recover from such attacks. 
    Andy Ng, Veritas’ Asia-Pacific vice president and managing director, underscored the security vendor’s recommended three-step layered approach to detect, protect, and recover.  
    Speaking to ZDNet in a concall, Ng said: “We always advise companies not to pay because doing so leaves them more open to being attacked again. The best step forward is to have a sound data protection and recovery strategy. It will mean every copy of data you have is backed up and protected, including keeping it offsite. If you have three copies of the data, and the ability to recover quickly, you won’t be held ransom because you’ll always have access to the data.”
    He noted that the global pandemic had left companies more susceptible to cyber attacks, as they rushed to digitalise their operations and equip their employees to work remotely. Digital transformation efforts had been fast-tracked, from 18 months to three months, and companies were grappling with having to manage data across many diverse sources as they deployed multi-cloud hybrid IT infrastructures, he said. 
    Pointing to humans as the most vulnerable component within an organisation, Ng said malicious hackers could now target a wider spread of endpoint client devices. He revealed that a Veritas customer in the professional services sector had its network compromised after it embarked on a work-from-home model and rushed to distribute laptops and tablets to employees, leaving some devices without proper data protection. 
    He added that there had been an increase of ransomware attacks against manufacturing companies in the last two to three years and, more recently, professional services companies. 

    While healthcare and financial services sectors were expected targets, he noted that these sectors typically were more heavily regulated and had to comply with strict guidelines laid out by their local authorities. As such, he was seeing fewer ransomware attacks involving these organisations here. 
    Large enterprises, though, increasingly were hot targets because their deeper pockets meant ransom demands and returns could potentially be higher for hackers, he said.
    ZDNet asked how efforts by governments such as Singapore to ease data access to facilitate business transactions could impact the ransomware landscape in Asia-Pacific. Ng noted the “fine balance” of having to drive digital transformation, under certain market pressures such as COVID-19, and securely manage data in the organisation’s own data centres as well as across its cloud providers’ platforms. 
    “As companies digitalise, the resiliency gap will only get wider,” he said, adding that the Singapore government already was working to address this. “It’s not easy because the ransomware [challenge] is not going to go away.”
    “The unique security challenges posed by increased multi-cloud adoption combined with an ever-changing threat landscape requires proactive measures put in place for prevention and mitigation,” Ng said in the report. “It is imperative for companies to deploy corresponding data protection solutions to close that resiliency gap in order to protect increasingly valuable digital assets.”
    Citing Veritas’ own research, he noted that 42% of companies had been hit by at least one ransomware attack in the last two years. 
    According to the Ransomware Resiliency Report, 15% of Indian organisations had experienced more than five ransomware attacks while 31% saw between three and five such attacks. Some 13% in Singapore had experienced one ransomware attack, while 9% reported between three and five such attacks.
    To help companies plug any gaps in their IT infrastructure, Ng suggested that governments could introduce regulations similar to those they had implemented for healthcare and financial services in other sectors such as manufacturing, which were increasingly targeted by ransomware attacks. 
    “That’s an area governments can play a more proactive role, in defining what’s bare minimum for companies in manufacturing, for instance,” he said. 