More stories


    Adobe kills Flash in Acrobat and Reader – pushes out these critical security bug fixes

    Adobe, the maker of the once-ubiquitous Flash Player, has removed all Flash components in the latest release of its Reader and Acrobat PDF products ahead of Flash’s official death in December 2020. 
    The company’s update also contains patches for several critical security flaws that should make the November release imperative for admins to install.


    The removal of the various Flash components in the Reader and Acrobat November 2020 release – DC Continuous, Acrobat 2020, and Acrobat 2017 – is listed as the release's "top new feature".
    Adobe notes that Flash is now deprecated and no longer used in its Acrobat DC desktop app. Previously, there were options or a button in Acrobat to collect user responses from a forms file that relied on Flash, such as Update, Filter, Export (All/Selected), Archive (All/Selected), Add, and Delete. 
    Adobe says the Flash-dependent forms options have been replaced with a ‘secondary toolbar’ containing action buttons to Update, Add, Delete, Export, and Archive those Form responses.
    Additionally, Adobe's PDFMaker menu in Microsoft's Word and PowerPoint apps no longer has the Insert Media button, which previously allowed Office users to embed Flash content in documents.

    “By default, Microsoft has disabled the ability to add Flash or Rich media content in the Office documents. If your document already has flash content embedded in it, Acrobat prevents embedding of Flash or Rich media in the converted PDF file and adds an image instead,” Adobe notes. 
    “If you have enabled the Flash content in Microsoft documents, Acrobat adds a blank box in the converted PDF file.”
    The removals are part of the industry-wide effort to eliminate Flash from mainstream browsers by the end of this year. Adobe, Apple, Facebook, Google, and Mozilla announced in 2017 that they would end support for Flash in their browsers by December 2020.
    Microsoft in October released an update for all supported versions of Windows that permanently removes Flash from the operating system. It released the Flash-killing update to let admins test the impact of no Flash on business applications. 
    The security component of the update addresses critical memory-corruption flaws that, if exploited, "could lead to arbitrary code execution", according to Adobe.
    They fall into three classes across four CVEs: a heap-based buffer overflow (CVE-2020-24435), an out-of-bounds write (CVE-2020-24436), and two use-after-free bugs (CVE-2020-24430 and CVE-2020-24437).



    23,600 hacked databases have leaked from a defunct 'data breach index' site

    More than 23,000 hacked databases have been made available for download on several hacking forums and Telegram channels in what threat intel analysts are calling the biggest leak of its kind.
    The database collection is said to have originated from Cit0Day.in, a private service advertised on hacking forums to other cybercriminals.
    Cit0day operated by collecting hacked databases and then providing access to usernames, emails, addresses, and even cleartext passwords to other hackers for a daily or monthly fee.
    Cybercriminals would then use the site to identify possible passwords for targeted users and then attempt to breach their accounts at other, more high-profile sites.
    The idea behind the site isn’t unique, and Cit0Day could be considered a reincarnation of similar “data breach index” services such as LeakedSource and WeLeakInfo, both taken down by authorities in 2018 and 2020, respectively.
    In fact, Cit0Day launched in January 2018, as LeakedSource was taken down, and was heavily advertised both on underground hacking forums and on major forums on the public internet, like BitcoinTalk, according to data provided by threat intelligence service KELA, which first alerted ZDNet about the site earlier this year.
    However, the Cit0day website went down on September 14, when the site’s main domain sported an FBI and DOJ seizure notice.


    Rumors started circulating on hacking forums that the site’s creator, an individual known as Xrenovi4, might have been arrested, similar to what happened to the authors of LeakedSource and WeLeakInfo.
    But all signs pointed to the fact that the FBI takedown notice was fake.
    KELA Product Manager Raveed Laeb told ZDNet that the seizure banner was actually copied from the Deer.io takedown, a Shopify like platform for hackers, and then edited to fit the Cit0day portal.
    An FBI spokesperson declined to comment and would not confirm any investigation, citing the internal policies common to all law enforcement agencies.
    In addition, no arrest was ever announced in connection to Cit0day, which is contrary to how the FBI and DOJ operate — with both agencies usually taking down criminal sites only when they can also charge their creators.
    Cit0day hacked database now shared online
    But if users hoped that Cit0day and Xrenovi4 would shut down and then walk into the sunset, this is not what happened.
    While it’s unclear if Xrenovi4 leaked the data themselves or if the data was hacked by a rival gang, Cit0day’s entire collection of hacked databases was provided as a free download on a well-known forum for Russian-speaking hackers last month.

    In total, 23,618 hacked databases were provided for download via the MEGA file-hosting portal. The link was live only for a few hours before being taken down following an abuse report.
    ZDNet was not able to download the entire dataset, estimated at around 50GB and 13 billion user records, but forum users who did confirmed the data’s authenticity. Additional confirmation was provided to ZDNet earlier today by Italian security firm D3Lab.
    But even if the data was available for a few hours, this short time window allowed the data to enter the public domain.
    Since October, the Cit0day data has been shared privately and via Telegram and Discord channels operated by known underground data brokers.
    In addition, a third of the Cit0day database also made a comeback on Sunday when it was shared online again, this time on an even more popular hacker forum.

    Cit0day data included both old and new data dumps
    Most of the hacked databases included in the Cit0day dump are old and come from sites that were hacked years ago.
    Furthermore, many of the hacked databases are from small, no-name sites with userbases in the range of thousands or tens of thousands of users.
    Most of the 23,000 leaked databases therefore do not belong to big internet portals, but well-known dumps from big-name sites are also included, having been collected together with the small ones.
    Many of these small sites also didn’t use top-notch security measures, and around a third of the leaked Cit0day databases were listed as “dehashed” — a term used to describe hacked databases where Cit0day provided passwords in cleartext.
    However, many databases didn’t even contain a password, having a designation of “nohash.”

    This data is now being used by other cybercrime gangs to orchestrate spam campaigns and credential stuffing and password spraying attacks against users who might have reused passwords across online accounts.
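    The attacks named above leave a recognisable trace in authentication logs. What follows is an added example, not code from the ZDNet article or from any service it names, of a detector for that trace: a source address is labelled credential stuffing when it fails logins across many distinct usernames inside a short window (leaked user:password pairs being replayed from a dump), and brute force when the failures pile up on a single username. The log format, the thresholds and the sample lines are constructed; real logs need their own parser and thresholds tuned to normal traffic.

```python
"""Flag credential-stuffing and brute-force sources in authentication logs.

Added example, not code from the ZDNet article or from any service it names.
The log format, the thresholds and the sample lines are constructed; real
logs need their own parser and thresholds tuned to normal traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed log format: "<ISO-8601 UTC timestamp> ip=<source> user=<name> result=<OK|FAIL>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line):
    """Return {'ts', 'ip', 'user', 'ok'} for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "ok": m["result"] == "OK"}


def classify_sources(lines, window_seconds=600, min_failures=10, min_users=10):
    """Label every source IP after sliding a time window over its login events.

    'stuffing'     at least min_failures failed logins spread over at least
                   min_users distinct usernames inside one window: the pattern
                   of leaked user:password pairs being replayed from a dump
    'brute_force'  at least min_failures failures, all against one username
    'benign'       neither threshold reached
    """
    by_ip = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_ip[event["ip"]].append(event)

    verdicts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        label, start = "benign", 0
        for end in range(len(events)):
            # advance the window start so that it spans at most window_seconds
            while (events[end]["ts"] - events[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            failures = [e for e in events[start:end + 1] if not e["ok"]]
            if len(failures) < min_failures:
                continue
            users = {e["user"] for e in failures}
            if len(users) >= min_users:
                label = "stuffing"
                break                      # strongest verdict; stop scanning
            if len(users) == 1:
                label = "brute_force"      # keep scanning in case it turns into stuffing
        verdicts[ip] = label
    return verdicts


def likely_takeovers(lines, **thresholds):
    """Usernames that logged in successfully from a source labelled 'stuffing':
    the accounts whose reused password was in the dump."""
    verdicts = classify_sources(lines, **thresholds)
    hits = set()
    for line in lines:
        event = parse_line(line)
        if event and event["ok"] and verdicts.get(event["ip"]) == "stuffing":
            hits.add(event["user"])
    return hits


# Constructed sample: one IP walking through a dump (a new username every five
# seconds, the fourth pair succeeding), one IP hammering 'bob', and normal traffic.
SAMPLE_LOG = (
    [f"2020-11-04T10:00:{5 * i:02d}Z ip=203.0.113.5 user=user{i:02d} "
     f"result={'OK' if i == 3 else 'FAIL'}" for i in range(12)]
    + [f"2020-11-04T11:{i:02d}:00Z ip=198.51.100.7 user=bob result=FAIL" for i in range(12)]
    + [
        "2020-11-04T09:00:00Z ip=192.0.2.9 user=alice result=OK",
        "2020-11-04T09:30:00Z ip=192.0.2.9 user=carol result=FAIL",
        "2020-11-04T09:30:20Z ip=192.0.2.9 user=carol result=OK",
    ]
)

if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict}")
    print("likely takeovers:", sorted(likely_takeovers(SAMPLE_LOG)))
```

    The single success inside a stuffing burst is the line that matters: it is an account the attacker now controls, and that user's password should be reset rather than merely rate-limited. Thresholds of ten failures across ten users in ten minutes are a starting point; a site behind a corporate NAT or a mobile carrier gateway will need higher ones.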
    Even if some of these databases are from old hacks, mega leaks like these are incredibly damaging to the security posture of most internet users.
    In effect, this mega leak is a collective memory of thousands of past hacks, one that many users may want forgotten and not collected like baseball cards inside services like WeLeakInfo, LeakedSource, or Cit0day.
    Services like Cit0day prolong the shelf life of past mistakes in selecting passwords for online accounts.
    Users should take mega leaks like the Cit0day dump as a prompt to review the passwords they use for their online accounts, change old ones, and start using a unique password for each account. Using a password manager to keep track of the passwords for all your online accounts is also highly recommended.


    Toy maker Mattel discloses ransomware attack

    US toymaker Mattel revealed today that it suffered a ransomware attack that crippled some business functions, but the company says it recovered from the attack with no significant financial losses.

    The incident took place on July 28, according to a 10-Q quarterly report the company filed with the US Securities and Exchange Commission earlier today.
    Mattel said that the ransomware attack was initially successful and resulted in the encryption of some of its systems.
    “Promptly upon detection of the attack, Mattel began enacting its response protocols and taking a series of measures to stop the attack and restore impacted systems.
    “Mattel contained the attack and, although some business functions were temporarily impacted, Mattel restored its operations,” the company explained.
    For more than a year, ransomware gangs have been stealing data and engaging in a double-extortion scheme, threatening to upload the hacked company’s data on public “leak sites” unless victims pay their ransom demand.
    However, the toymaker said that a subsequent forensic investigation concluded that the ransomware gang behind the July intrusion did not steal “any sensitive business data or retail customer, supplier, consumer, or employee data.”

    All in all, Mattel appears to have escaped the incident with only a short downtime and without any serious damages.
    While companies like Cognizant said they expected to lose between $50 million and $70 million, and Norsk Hydro reported losses of at least $40 million following ransomware incidents, Mattel said the ransomware attack it suffered had "no material impact to [its] operations or financial condition."


    REvil ransomware gang 'acquires' KPOT malware

    The operators of the REvil ransomware strain have “acquired” the source code of the KPOT trojan in an auction held on a hacker forum last month.

    The sale took place after the KPOT malware author decided to auction off the code, wanting to move on to other projects.
    The sale was organized as a public auction on a private underground hacking forum for Russian-speaking cyber-criminals, security researcher Pancak3 told ZDNet in an interview last month.
    The only bidder was UNKN, a well-known member of the REvil (Sodinokibi) ransomware gang, Pancak3 said.
    UNKN paid the initial asking price of $6,500, while other forum members declined to participate, citing the steep asking price.
    The REvil operator received the source code of KPOT 2.0, the latest version of the KPOT malware.
    First spotted in 2018, KPOT is a classic “information stealer” that can extract and steal passwords from various apps on infected computers. This includes web browsers, instant messengers, email clients, VPNs, RDP services, FTP apps, cryptocurrency wallets, and gaming software, according to a 2019 Proofpoint report.

    Pancak3, who first spotted the KPOT auction in mid-October, told ZDNet that he believes the REvil gang bought KPOT to "further develop it" and add it to the considerable arsenal of hacking tools the gang uses during its targeted intrusions inside corporate networks.

    Although many other forum members have described the KPOT code as overpriced, UNKN and the REvil gang have money to spare.
    The REvil member, who has been operating as the ransomware gang’s public figurehead and recruiter for the past two years on hacking forums, has recently given an interview to a Russian YouTube channel, claiming that the REvil gang makes more than $100 million from ransom demands each year [1, 2].
    UNKN also claimed the gang fears assassinations more than it fears law enforcement action.


    US voters targeted with robocalls telling them to stay home or vote tomorrow

    Voters across multiple US states have been targeted today by robocalls telling them to stay home or come vote tomorrow, on Wednesday, due to massive turnouts and long lines at voting stations.
    US citizens and authorities have reported robocall messages in nine states, including Florida, Georgia, Iowa, Kansas, Michigan, Nebraska, New York, New Hampshire, and North Carolina.
    In response to the reports, state officials took to social media today to dispel the misinformation shared in the robocalls, urging voters to vote in person by 8 PM ET today, the last day of voting, and to ignore the calls that tried to mislead them into turning up tomorrow, after the polls had closed.

    We received reports that an unknown party is purposefully spreading misinformation via robocalls in Flint in an attempt to confuse voters. Let me be clear — if you plan to vote in-person, you must do so, or be in line to do so, by 8PM today.
    — Governor Gretchen Whitmer (@GovWhitmer) November 3, 2020

    NOTICE: We are receiving reports of robocalls telling voters to stay home. Disregard these calls. If you have not already voted, today is the day! Polls in Kansas close at 7:00 p.m. local time. Find your polling location here: https://t.co/PWjjT24hmw #Election2020 #ksleg
    — KS Sec. of State (@KansasSOS) November 3, 2020

    However, while some messages were specifically trying to mislead voters to show up to vote on the wrong day, the vast majority of robocalls featured even simpler messages that merely tried to convince voters to stay home.
    The message, which didn’t mention the voting process in an obvious attempt to avoid a possible law enforcement investigation, said: “This is just a test call. Time to stay home. Stay safe and stay home.”

    UPDATE: I’m collecting confirmed robocalls to voters in Massachusetts, New York, New Hampshire, Michigan, Nebraska and Georgia among others. Will continue to update. pic.twitter.com/tZ9DsV7eWQ
    — John Scott-Railton (@jsrailton) November 3, 2020

    According to the Washington Post, more than 10 million robocalls of this type have been placed today.
    US officials, including the Federal Bureau of Investigation (FBI) and the Federal Communications Commission (FCC), said they are aware of the campaigns and looking into the matter.
    DHS says this happened before

    Nevertheless, the issue doesn't seem to alarm US federal officials too much.
    According to a Cyberscoop report, speaking on background in a press conference today, DHS officials said robocall campaigns had taken place each election cycle, and this one was not out of the ordinary.
    Some of these campaigns started even before the voting process.
    For example, Michigan Attorney General Dana Nessel filed official charges on October 1 against two Republican operatives for their role in a recent campaign targeting minority voters in Michigan this fall.
    Nessel identified the suspects as Jack Burkman, 54, of Virginia and Jacob Wohl, 22, of California, who, if found guilty, face up to 24 years behind bars.
    According to a Reuters report, the FBI is formally investigating today’s new wave of robocall campaigns.
    Federal agencies like CISA and the FBI also said that despite a few malfunctions here and there, today's election process has not been marred by cyber-security issues.


    After two zero-days in Chrome desktop, Google patches a third zero-day in the Android version

    Google has released security updates for the Chrome for Android browser to fix a zero-day vulnerability that is currently exploited in the wild.
    Chrome for Android version 86.0.4240.185 was released last night with fixes for CVE-2020-16010, a heap buffer overflow vulnerability in the Chrome for Android user interface (UI) component.
    Google said the bug was exploited to escape the Chrome security sandbox on Android devices and run code on the underlying OS.
    Details about the attack are not public to give Chrome users more time to install the updates and prevent other threat actors from developing exploits for the same zero-day.

    A few people noticed that CVE-2020-16010 wasn’t included in the link above. That’s because Chrome has separate release notes for Desktop and Android. The release notes covering CVE-2020-16010 (sandbox escape for Chrome on Android) are now available here: https://t.co/6hBKMuCAaK
    — Ben Hawkes (@benhawkes) November 3, 2020

    Google credited its internal Threat Analysis Group (TAG) team for discovering the Chrome for Android zero-day attacks.
    This marks the third Chrome zero-day discovered by the TAG team in the past two weeks.
    The first two zero-days affected only Chrome for desktop versions.

    The first, patched on October 20 and tracked as CVE-2020-15999, affected the FreeType font rendering library bundled with Chrome.
    In a follow-up report last week, Google said this first Chrome zero-day was utilized together with a Windows zero-day (CVE-2020-17087) as part of a two-step exploit chain, with the Chrome zero-day allowing attackers to execute malicious code inside Chrome, while the Windows zero-day was used to elevate the code’s privileges and attack the underlying Windows OS.
    On top of this, Google also patched a second zero-day yesterday. Tracked as CVE-2020-16009, this zero-day was described as a remote code execution in the Chrome V8 JavaScript engine.
    Hours after the Chrome team released patches for this second zero-day, Google revealed a third zero-day, impacting only its Chrome for Android version.
    While the three zero-days are all different from each other and impact different Chrome versions and components, Google did not clarify if all zero-days are exploited by the same threat actor or by multiple groups.
    Such details are usually revealed months after patches, via reports published on Google's Project Zero and Google Security blogs. In the meantime, Chrome users, both on Android and on desktop, should hurry to install the latest updates (v86.0.4240.185 on Android and v86.0.4240.183 on desktop).


    Configuration snafu exposes passwords for two million marijuana growers

    GrowDiaries, an online community where marijuana growers can blog about their plants and interact with other farmers, suffered a security breach in September this year.
    The breach occurred after the company left two Kibana apps exposed on the internet without administrative passwords.
    Kibana is the web front end for Elasticsearch: it is normally used by a company's IT and development staff to query and visualise, and through its Dev Tools console also to modify, the data held in Elasticsearch indices from a browser.
    Because an open Kibana instance exposes everything in the indices behind it, securing Kibana is just as important as securing the databases themselves.
    But in a report published today on LinkedIn, Bob Diachenko, a security researcher known for discovering and reporting unsecured databases, said GrowDiaries failed to secure two of its Kibana apps, which appear to have been left exposed online without a password since September 22, 2020.
    Diachenko says these two Kibana apps granted attackers access to two sets of Elasticsearch databases, with one storing 1.4 million user records and the second holding more than two million user data points.
    The first exposed usernames, email addresses, and IP addresses, while the second database also exposed user articles posted on the GrowDiaries site and users’ account passwords.
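    Securing Kibana starts with the two configuration files involved. The following is an added example, not code from GrowDiaries, Elastic or the article, that audits flat key: value lines from elasticsearch.yml and kibana.yml for the exposure described above: Elasticsearch security left off, either service listening beyond loopback, Kibana configured with no Elasticsearch credentials (which means no login page), and plaintext HTTP between the two. The setting names are Elastic's own; the sample configurations are constructed, and reporting an absent xpack.security.enabled as a finding (7.x ships with it off, 8.x on) is a choice made by this auditor, not something the page states.

```python
"""Audit flat Kibana / Elasticsearch YAML settings for unauthenticated exposure.

Added example, not code from GrowDiaries, Elastic or the article. It understands
only the flat 'key: value' form of elasticsearch.yml and kibana.yml (no nested
blocks), and the sample configurations below are constructed.
"""

LOOPBACK = {"localhost", "127.0.0.1", "::1", "_local_"}


def parse_flat_yaml(text):
    """Parse 'key: value' lines; drops comments, surrounding quotes and blank lines."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def audit_elasticsearch(text):
    s = parse_flat_yaml(text)
    findings = []
    # 7.x ships with security off unless this is set; 8.x turns it on by default.
    # Assumption of this auditor: the file must state it explicitly either way.
    if s.get("xpack.security.enabled", "").lower() != "true":
        findings.append("elasticsearch: xpack.security.enabled is not set to true; "
                        "every index is readable and writable without credentials")
    host = s.get("network.host", "_local_")        # Elasticsearch's default is loopback
    if host not in LOOPBACK:
        findings.append(f"elasticsearch: network.host={host} listens beyond loopback")
    return findings


def audit_kibana(text):
    s = parse_flat_yaml(text)
    findings = []
    host = s.get("server.host", "localhost")        # Kibana's default is loopback
    has_creds = "elasticsearch.username" in s or "elasticsearch.serviceAccountToken" in s
    if host not in LOOPBACK and not has_creds:
        findings.append(f"kibana: server.host={host} is reachable from the network and no "
                        "Elasticsearch credentials are configured, i.e. Elasticsearch security "
                        "is off and Kibana shows no login; Discover and the Dev Tools console "
                        "expose the indices to anyone")
    if "http://" in s.get("elasticsearch.hosts", ""):
        findings.append("kibana: elasticsearch.hosts uses plaintext http://")
    return findings


# Constructed: the kind of configuration that leaves Kibana open to the internet.
WEAK_KIBANA = """
server.host: "0.0.0.0"
elasticsearch.hosts: ["http://10.0.0.5:9200"]
"""

# Constructed: Elasticsearch security on, Kibana authenticating to it, both on loopback.
HARDENED_KIBANA = """
server.host: "127.0.0.1"          # expose Kibana only through a TLS reverse proxy with its own auth
elasticsearch.hosts: ["https://127.0.0.1:9200"]
elasticsearch.username: "kibana_system"
elasticsearch.password: "${KIBANA_SYSTEM_PASSWORD}"   # assumed: injected from the environment or keystore
"""

WEAK_ES = """
network.host: 0.0.0.0
discovery.type: single-node
"""

HARDENED_ES = """
network.host: _local_
discovery.type: single-node
xpack.security.enabled: true
"""

if __name__ == "__main__":
    for name, findings in [("weak kibana", audit_kibana(WEAK_KIBANA)),
                           ("hardened kibana", audit_kibana(HARDENED_KIBANA)),
                           ("weak elasticsearch", audit_elasticsearch(WEAK_ES)),
                           ("hardened elasticsearch", audit_elasticsearch(HARDENED_ES))]:
        print(name, "->", findings or ["ok"])
```

    The file audit is the cheap half of the check; the other half is confirming from outside the network that ports 5601 and 9200 do not answer, since a host firewall or cloud security group can undo everything the files say.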

    While the passwords were stored in a hashed format, Diachenko said the format was MD5, a fast general-purpose hash function that is unsuitable for password storage: attackers can test billions of candidate passwords per second against MD5 digests, allowing them to recover the cleartext version of most passwords.
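    What "MD5 format" means for the people in the dump, as an added example that is neither GrowDiaries' code nor the article's: the first function runs the dictionary attack an attacker would run against unsalted MD5 digests, hashing each candidate once and matching it against every user at the same time; the rest shows the storage scheme the site should have used, scrypt with a random per-user salt, and the same attack against it, which now costs one slow derivation per user per guess and cannot share a table. The accounts, passwords and wordlist are constructed; the scrypt parameters are a starting point, not a recommendation for any particular deployment.

```python
"""Why MD5 password storage falls in seconds, and what to store instead.

Added example, not code from GrowDiaries or the article. The 'leaked' table
is constructed to look like what an attacker pulls from an exposed index that
stores unsalted MD5 digests. The hardened form uses scrypt with a random
per-user salt (PBKDF2, bcrypt or Argon2 would serve the same purpose).
"""
import hashlib
import hmac
import os

# Constructed: three accounts as an MD5-only site would store them.
LEAKED_MD5 = {
    "alice": hashlib.md5(b"sunshine1").hexdigest(),
    "bob":   hashlib.md5(b"letmein").hexdigest(),
    "carol": hashlib.md5(b"c0rr3ct-h0rse-b@ttery").hexdigest(),
}

# Constructed wordlist; real ones run to hundreds of millions of entries.
WORDLIST = ["123456", "password", "letmein", "sunshine1", "qwerty", "dragon"]


def crack_md5(leaked, wordlist):
    """Dictionary attack on unsalted MD5: hash each candidate once; the single
    lookup table then serves every user in the dump at the same time."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[digest] for user, digest in leaked.items() if digest in table}


# scrypt work factor: 2**14 is the usual floor; raise n until one derivation
# costs tens of milliseconds on your own servers.
SCRYPT = dict(n=2 ** 14, r=8, p=1, dklen=32)


def hash_password(password, salt=None):
    """Return 'scrypt$<salt hex>$<key hex>' with a fresh random 16-byte salt."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_password(password, stored):
    scheme, salt_hex, key_hex = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unknown password scheme")
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT)
    return hmac.compare_digest(key.hex(), key_hex)   # constant-time comparison


def crack_salted(stored, wordlist):
    """The same dictionary attack against salted scrypt. There is no shared
    table: every (user, candidate) pair costs one slow derivation. Returns the
    cracked accounts and how many derivations were needed to get them."""
    cracked, derivations = {}, 0
    for user, record in stored.items():
        for candidate in wordlist:
            derivations += 1
            if verify_password(candidate, record):
                cracked[user] = candidate
                break
    return cracked, derivations


if __name__ == "__main__":
    print("md5 cracked:   ", crack_md5(LEAKED_MD5, WORDLIST))
    salted = {u: hash_password(p) for u, p in [("alice", "sunshine1"), ("bob", "letmein")]}
    print("scrypt cracked:", crack_salted(salted, WORDLIST))
```

    A slow salted hash does not rescue "letmein"; what it removes is the shared lookup table, and what it adds is a price on every single guess, multiplied by the number of accounts. Pair it with a check of newly chosen passwords against known-breached lists, which is exactly the data a dump like this one feeds.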

    Diachenko said he reported the exposed Kibana apps to GrowDiaries on October 10, with the company securing its infrastructure five days later.
    The Ukrainian security researcher said that while GrowDiaries did intervene to secure its server, the company refused other communications, so he was unable to determine if someone else accessed the company’s Elasticsearch databases to download user data.
    However, Diachenko said that something like this happening was “likely” as he is certainly not the only one looking for accidentally exposed databases.
    A GrowDiaries spokesperson did not return an additional request for comment from ZDNet before this article’s publication.
    GrowDiaries users are advised to change their passwords, in case the data made it into someone else's hands. With the passwords stored as MD5 hashes, their old passwords should be treated as compromised, and any other account where the same password was reused is in danger of being hijacked.


    These software bugs are years old. But businesses still aren't patching them

    Almost two thirds of the unpatched vulnerabilities found on enterprise networks are more than two years old, despite fixes being available. This lack of patching is putting businesses at risk of attacks that could often be easily avoided if security updates were applied.
    Analysis by Bitdefender found that 64 percent of all reported unpatched vulnerabilities during the first half of 2020 involve known bugs dating from 2018 and previous years, which means organisations are at risk from flaws that somebody should have fixed a long time ago.
    “The vast majority of organizations still have unpatched vulnerabilities that were identified anywhere between 2002 and 2018,” the report said.
    Applying patches can be time-consuming, tedious and unrewarding work. But for cyber criminals, unpatched vulnerabilities provide a simple way to deploy cyber attacks and malware. And while businesses and users are encouraged to apply security patches to operating systems and software as soon as possible, the figures in Bitdefender's 2020 Business Threat Landscape Report suggest that some organisations are still slow to apply them.
    “With organizations having most of their workforce remote, setting and deploying patching policies has never been more crucial. With six in 10 organizations having machines with unpatched vulnerabilities that are older than 2018, the risks of having those vulnerabilities exploited by threat actors are higher than ever,” the report warned.
    In some cases, organisations don’t apply security patches because they fear it could have a negative impact on how they run their systems – and therefore run the risk of a cyber attack instead.

    “Backward compatibility plays a vital role in deciding whether or not some applications should be patched. For example, patching or upgrading an application or service could break compatibility with other software that could be mission-critical for the organization. In this case, not patching could be less of a security decision but more of a business decision,” Liviu Arsene, global cybersecurity researcher at Bitdefender told ZDNet.
    However, by having a good knowledge of what the network looks like and a plan for applying patches, organisations can go a long way towards protecting themselves from cyber attacks designed to take advantage of known vulnerabilities.
    “Having a patching policy and roll out procedure in place is always the best solution for addressing known vulnerabilities,” said Arsene.
    “Systems that are mission-critical but cannot be patched for backward compatibility or business continuity reasons should be isolated and access to them tightly regulated,” he added.