Information Technology

Image: ZDNet
Verizon is removing the ability to automatically forward incoming emails from a Yahoo inbox to another email address for Yahoo Mail free users.
The feature will be removed on January 1, 2021.
Yahoo Mail users who still want to use automatic email forwarding are told to sign up for Yahoo Mail Pro, which costs $34.99 per year, or $3.49 a month.
Yahoo Mail owner Verizon announced the change at the start of the month and is now notifying users via email.
The company cited security reasons for dropping the feature.
“We regularly evaluate our products and services against current security standards and have decided to remove this feature to help ensure free Yahoo Mail accounts remain secure,” the company explained in a FAQ page published on October 31.
Automatic email forwarding is often abused. Hackers who breach email accounts often add their own email address as an automatic email forwarding rule to receive carbon copies of all messages a victim receives.

However, the feature is also often used by legitimate users to centralize email traffic to one single account.
Yahoo says that once the new year begins, all email forwarding rules will be disabled. Users who want to read their Yahoo emails will have to visit the Yahoo Mail website.
Yahoo Mail is believed to have more than three billion users. Many have abandoned the company’s services, though, after Yahoo announced two major hacks in the fall of 2016, one in September and one in December.
Existing Yahoo Mail users can check if they have automatic email forward rules for their account by visiting this link — or by clicking Settings in their Yahoo Mail inbox, selecting More Settings, selecting/clicking your account name in the account list, and then looking for the Forwarding section (see image below).

Image: ZDNet More

The Federal Bureau of Investigation has sent out a security alert warning that threat actors are abusing misconfigured SonarQube applications to access and steal source code repositories from US government agencies and private businesses.

Intrusions have taken place since at least April 2020, the FBI said in an alert sent out last month and made public this week on its website.
The alert specifically warns owners of SonarQube, a web-based application that companies integrate into their software build chains to test source code and discover security flaws before rolling out code and applications into production environments.
SonarQube apps are installed on web servers and connected to source code hosting systems like BitBucket, GitHub, or GitLab accounts, or Azure DevOps systems.
But the FBI says that some companies have left these systems unprotected, running on their default configuration (on port 9000) with default admin credentials (admin/admin).
FBI officials say that threat actors have abused these misconfigurations to access SonarQube instances, pivot to the connected source code repositories, and then access and steal proprietary or private/sensitive applications.
Officials provided two examples of past incidents:

“In August 2020, unknown threat actors leaked internal data from two organizations through a public lifecycle repository tool. The stolen data was sourced from SonarQube instances that used default port settings and admin credentials running on the affected organizations’ networks.
“This activity is similar toa previous data leak in July 2020, in which an identified cyber actor exfiltrated proprietary source code from enterprises throughpoorly secured SonarQube instances and published the exfiltrated source codeon a self-hosted public repository.”
Forgot problem resurfaces in 2020
The FBI alert touches on a little known issue among software developers and security researchers.
While the cyber-security industry has often warned about the dangers of leaving MongoDB or Elasticsearch databases exposed online without passwords, SonarQube has slipped through the cracks.
However, some security researchers have been warning about the dangers of leaving SonarQube applications exposed online with default credentials since as far back as May 2018.
At the time, data breach hunter Bob Diachenko warned that about 30% to 40% of all the ~3,000 SonarQube instances available online at the time had no password or authentication mechanism enabled.

After @zackwhittaker covered EE leak, I ran a couple of queries on Sonarqube. Shocked to see more than 3K+ instances available, with roughly 30-40% of them set without auth, and almost half of those containing source code with prod data. Big names involved, another area to cover. pic.twitter.com/tKBRLOYzq1
— Bob Diachenko (@MayhemDayOne) May 16, 2018

This year, a Swiss security researcher named Till Kottmann has also raised the same issue of misconfigured SonarQube instances. Throughout the year, Kottmann has gathered source code from tens of tech companies in a public portal, and many of these came from SonarQube applications.
“Most people seem to change absolutely none of the settings, which are actually properly explained in the setup guide from SonarQube,” Kottmann told ZDNet.
“I don’t know the current number of exposed SonarQube instances, but I doubt it changed much. I would guess it’s still far over 1,000 servers (that are indexed by Shodan) which are ‘vulnerable’ by either requiring no auth or leaving default creds,” he said.

To prevent leaks like these, the FBI alert lists a series of steps that companies can take to protect their SonarQube servers, starting with altering the app’s default configuration and credentials and then using firewalls to prevent unauthorized access to the app from unauthorized users. More

The Brazilian Superior Court of Justice (STJ, in the Portuguese acronym) has been hit by a major cyberattack that will bring its operations to a standstill for an entire week.
The incident was detected on Tuesday (3) while several trial sessions were taking place. According to the STJ, a virus was found in the Court’s network and, as a precautionary measure, the links to the Internet were disconnected, prompting the cancellation of trial sessions. All the Court’s systems, including email, as well as the telephony set up, also became unavailable as a result.
STJ minister Humberto Martins released a statement yesterday (5) on the incident, stating that the attack did not affect the information related to the ongoing Court proceedings. According to the minister’s note, the invasion blocked access to data using encryption, but there were backups in place.
Later, it emerged that the attack had also impacted the Court’s backups in what is being described as the worst ever cybersecurity incident ever recorded in Brazil.

Alongside the Brazilian Army’s Cyber Defense Center and the STJ’s pool of technology suppliers, which includes companies like Microsoft, the institution is now working on the recovery of the systems environment, using tape backups.
All the STJ sessions, which had been taking place virtually, have also been suspended. According to the Court, only urgent casework is being dealt with while the recovery taskforce progresses and the expectation is that systems will be up and running on November 10.
A federal police investigation has been launched at the the STJ’s request. Brazilian president Jair Bolsonaro said in a live streaming session yesterday (5) that a ransom had been demanded by the authors of the attack and that the actors responsible for the event had already been found. However, this had not been confirmed by the police at the time of writing.

The STJ cyberattack follows the news on Sunday (1) that the Brazilian National Council of Justice was the target of “unauthorized access” to its servers. More

Security firm Kaspersky said today that it discovered a Linux version of the RansomEXX ransomware, marking the first time a major Windows ransomware strain has been ported to Linux to aid in targeted intrusions.

RansomEXX is a relatively new ransomware strain that was first spotted earlier this year in June.
The ransomware has been used in attacks against the Texas Department of Transportation, Konica Minolta, US government contractor Tyler Technologies, Montreal’s public transportation system, and, most recently, against Brazil’s court system (STJ).
RansomEXX is what security researchers call a “big-game hunter” or “human-operated ransomware.” These two terms are used to describe ransomware groups that hunt large targets in search for big paydays, knowing that some companies or government agencies can’t afford to stay down while they recover their systems.
These groups buy access or breach networks themselves, expand access to as many systems as possible, and then manually deploy their ransomware binary as a final payload to cripple as much of the target’s infrastructure as possible.
But over the past year, there has been a paradigm shift into how these groups operate.
Many ransomware gangs have realized that attacking workstations first isn’t a lucrative deal, as companies will tend to re-image affected systems and move on without paying ransoms.

In recent months, in many incidents, some ransomware gangs haven’t bothered encrypting workstations, and have first and foremost, targeted crucial servers inside a company’s network, knowing that by taking down these systems first, companies wouldn’t be able to access their centralized data troves, even if workstations were unaffected.
The RansomEXX gang creating a Linux version of their Windows ransomware is in tune with how many companies operate today, with many firms running internal systems on Linux, and not always on Windows Server.
A Linux version makes perfect sense from an attacker’s perspective; always looking to expand and touch as much core infrastructure as possible in their quest to cripple companies and demand higher ransoms.
What we see from RansomEXX may soon turn out to be an industry-defining trend, with other big ransomware groups rolling out their Linux versions in the future as well.
And, this trend appears to have already begun. According to cyber-security firm Emsisoft, besides RansomEXX, the Mespinoza (Pysa) ransomware gang has also recently developed a Linux variant from their initial Windows version.
But Linux ransomware is also not unique. In the past years, other ransomware gangs have created Linux ransomware strains as well, such as the Snatch group. However, those groups were small-time operations that relied on spam campaigns to infect victims, were rarely successful, and did not engage in targeted intrusions like the current generation of ransomware groups we see today.
Emsisoft says the RansomEXX Linux variants they’ve detected were seen as far back as July. Configuring systems to detect RansomEXX Linux variants isn’t a solid strategy because of the way big-game hunter ransomware crews operate. By the time attackers deploy the ransomware, they already own most of a company’s network. The best strategy companies can take against these types of intrusions is to secure network perimeters by applying security patches to gateway devices and by making sure they are not misconfigured with weak or default credentials.
Technical details about the RansomEXX Linux variant are available in the Kaspersky report. More

Hackers used previously unknown tools in a cyber espionage campaign targeting defence and aerospace companies in a social engineering and phishing campaign which is more widely targeted than first thought.
Researchers at McAfee first detailed Operation North Star earlier this year, but further analysis of reveals additional tactics and techniques of the campaign which has almost identical elements to Hidden Cobra – AKA The Lazarus Group – a hacking operation which the US government and others say is working out of North Korea on behalf of the government in Pyongyang.
The campaign is still based around spear-phishing emails and LinkedIn messages which pose as job recruitment messages in an effort to lure victims into opening malicious attachments. Hackers even used legitimate recruitment adverts and documents taken from popular US defence contractor websites to make the emails look more authentic.
But now additional analysis by McAfee has revealed how the attackers use two stages of malware implants. All targets are compromised with the first stage of malware, which allows attackers to gather data including disk information, free disk space, computer name and logged in username and process information.
The hackers analyse this information to determine if the victim is high value enough to continue to with an attack – if the victim isn’t deemed important enough, the machine is sidelined while the attackers focus on distributing a second stage malware to victims deemed more worthwhile of attention.
SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)
The second stage uses a previously known implant called Torisma, a custom-developed tool focused on specialised monitoring of high value victims’ systems, looking to gain access to login credentials and remote desktop sessions – all while remaining undetected.

“What is clear is that the campaign’s objective was to establish a long-term, persistent espionage campaign focused on specific individuals in possession of strategically valuable technology from key countries around the world,” McAfee researchers said in a blog post.
For Operation North Star, this meant researching specific target victims and created custom content to lure victims in, then infecting them with malware in an effort to commit espionage.
Initial reporting of the campaign detailed attacks against targets in the US, but those weren’t the only ones hackers were looking to compromise – analysis of the attacks has revealed that defence and technology contractors in Israel, Russia, India and Australia have also been targeted by this campaign.
“The actors behind the campaign were more sophisticated than they initially appeared. They are focused and deliberate in what they meant to achieve and more disciplined and patient in executing to achieve their objective,” said researchers.
Cyber espionage isn’t the only form of cyber attacks that North Korea is involved in; hackers working on behalf of Pyongyang regularly steal cryptocurrency to get around internatioanl sanctons. North Korea was also blamed for the WannaCry ransomware outbreak.
READ MORE ON CYBERSECURITY More

Image: Check Point
Several companies and large corporations from Israel have been breached and had their systems encrypted using a new strain of ransomware named Pay2Key, in what appears to be a targeted attack against Israeli networks.

The first attacks were seen in late October but have now grown in numbers while also remaining contained to Israel.
“As days go by, more of the reported ransomware attacks turn out to be related to the new Pay2Key ransomware,” Israeli cyber-security firm Check Point said in a security alert published today.
According to the company, attacks usually happened after midnight, when companies have fewer IT employees at work.
The initial entry point for all intrusions is currently believed to be weakly secured RDP (Remote Desktop Protocol) services.
Access to company networks appears to have been obtained “some time before the attack,” but once the ransomware crew begins its intrusion, it usually takes them an hour to spread to the entire network and encrypt files.
To avoid having their activities detected, the Pay2Key operators usually set up a pivot point on the local network, through which they proxy all their communications to reduce their detectable network footprint.

Once the encryption ends, ransom notes are left on the hacked systems, with the Pay2Key gang usually asking for payments of 7 to 9 bitcoins (~$110K-$140K).
Based on current analysis, Check Point said the encryption scheme appears to be solid (using the AES and RSA algorithms), which unfortunately has prevented the company from creating a free decrypter for victims.
Researchers say the ransomware has been created from scratch, with no overlaps with other known ransomware strains, and appears to have been named “Cobalt” during a previous/development phase.
Some sleuthing from the Check Point team has also linked the ransomware to a Keybase account using the same Pay2Key name, registered earlier this year in June, but it is currently unclear who developed the ransomware and why are they targeting only Israeli companies. More

Vulcan Cyber has opened its extensive database of vulnerabilities in enterprise IT in a bid to speed up large remediation backlogs and improve team effectiveness.
The Remedy Cloud is a free website with one of the largest databases of common vulnerabilities and exposures (CVEs) along with the best way to fix each one, patches, and relevant notes. 

“Due to process breakdowns there’s never an end — just a growing backlog of vulnerabilities that require remediation,” says Yaniv Bar-Dayan, CEO of Vulcan. 
The complexity of enterprise IT operations carries with it a growing number of vulnerabilities that need to be patched. But organizations struggle to identify every vulnerability and then access which ones are the most important and need to be tackled first. 
Some CVEs have been “weaponized” by criminals and are used to expose sensitive corporate data that can result in massive fines and lost business trust.
The backlog in CVE remediation is partly due to a bottleneck that Vulcan says occurs when security teams hand-off the fix to DevOps, or other IT teams. 
“Vulcan Remedy Cloud streamlines this workflow by providing both teams with remediation playbooks. This one function is extraordinarily effective at creating cross-team alignment and cooperation,” says Bar-Dayan.

The Vulcan remedies database provides the patches, the configuration scripts, and workarounds that have been proven to work with the most challenging vulnerabilities.
Vulcan also announced a remediation analytics feature added to its paid-for Vulcan remediation orchestration platform which automates much of the remediation process.  More

The US Justice Department says it’s seized $1bn in bitcoin allegedly stolen by a hacker from Silk Road creator Ross Ulbricht before his arrest for running the dark-web market. 
Announcing the bitcoin seizure from the unnamed hacker, the Department of Justice revealed it is now seeking forfeiture of the illicit funds, which represent its largest haul of cryptocurrency to date.

Ulbricht operated Silk Road between 2011 and October 2013, when the FBI seized the dark-web site and arrested him. He was convicted in 2015 for money laundering and distributing narcotics, and sentenced to life in prison. He lost an appeal for a new trial in 2017. 
SEE: Network security policy (TechRepublic Premium)
Over that period, the site generated revenues of 9.5 million bitcoins and earned commissions totaling over 600,000 bitcoins.
According to the complaint, earlier this year law enforcement used a bitcoin attribution company to analyze bitcoin transactions carried out by Silk Road and noticed 54 transactions around 2013 that were sent to two addresses totaling 70,411.46 bitcoins. 
Since the transactions weren’t recorded in Silk Road’s database, it was assumed the funds were stolen. 

In April 2013, the bulk of the funds totaling 69,471.082201 bitcoins were sent to an account referred to as ‘1HQ3’, the first characters in the address. 
“Between April 2015 and November 2020, the remainder of the funds, 69,370.082201 bitcoins, remained in 1HQ3. As of November 3, 2020, 1HQ3 had a balance of 69,370.22491543 bitcoin (valued at approximately $1bn as of November 4, 2020),” the document states.
Investigators determined that the unnamed hacker, referred to as ‘Individual X’ in court documents, was involved in a transaction that related to the account. 
The US Internal Revenue Service and the Justice Department reckon Individual X stole the cryptocurrency from Silk Road.
“According to the investigation, Ulbricht became aware of Individual X’s online identity and threatened Individual X for return of the cryptocurrency to Ulbricht. Individual X did not return the cryptocurrency but kept it and did not spend it,” the complaint reads.
SEE: Ransomware victims aren’t reporting attacks to police. That’s causing a big problem
Earlier this week, the unnamed hacker agreed to forfeit the cryptocurrency to the US Attorney’s Office, Northern District of California and on November 3, the US government took possession of the cryptocurrency. 
Now the Justice Department needs to prove that the seized cryptocurrency is subject to forfeiture. 
In 2014 the US government auctioned off about 30,000 of the bitcoins found in the wallet files on Silk Road’s servers.  More