More stories

  • Bug bounties: More hackers are spotting vulnerabilities across web, mobile and IoT

    The number of hackers uncovering security vulnerabilities and submitting them to one of the best known bug bounty programs increased by almost two thirds over the course of the last year.
    The 2021 Hacker Report from bug bounty platform HackerOne details the development of penetration testing and ethical hacking over the last 12 months and says that there’s been a 63 percent increase in the number of hackers submitting vulnerabilities over the course of that period.
    The goal of bug bounty schemes is to provide ethical hackers with a means of discovering and disclosing these vulnerabilities before cyber criminals can take advantage of them. Hackers earned $40 million from disclosing vulnerabilities to the HackerOne bug bounty program during the last year alone, up from $19 million in 2019.
    While most of the people hunting for vulnerabilities focus on web applications, there’s been an increase in those examining other potential flaws, with a large growth in the submission of vulnerabilities relating to Android, Internet of Things devices and APIs.
    While the financial incentives of finding vulnerabilities do play a role in hacking – 76 percent of those surveyed by HackerOne said they do it to make money – 85 percent of those involved in bug bounty schemes say they take part in order to learn, while two thirds do it for fun.
    “We’re seeing huge growth in vulnerability submissions across all categories and an increase in hackers specialising across a wider variety of technologies,” said HackerOne co-founder, Jobert Abma, who believes human ingenuity is still the best way to discover and disclose security vulnerabilities.

    “Every time a hacker links several low-severity vulnerabilities together to help a customer avoid a breach, or finds a unique bypass to a software patch, it proves that machines will never truly outpace humankind,” he said.

  • iPhone, iPad and Mac security: Apple releases fixes for bug that could allow code execution via malicious web content

    Apple has released a fix for a bug that affects iPhones, iPads and MacBooks and which could lead to ‘arbitrary code execution’ by visiting a website hosting malicious code. 

    Like many bugs, this one is a memory-related bug and it affects WebKit, the browser engine behind Safari on iPhones and MacBooks. Apple delivered the security fix in macOS Big Sur 11.2.3, iOS 14.4.1 and iPadOS 14.4.1.
    In typical fashion, Apple hasn’t released much information about the bug but notes that the issue means its browser is vulnerable to processing maliciously crafted web content that “may lead to arbitrary code execution”.
    The bug, tracked as CVE-2021-1844, was discovered by Clément Lecigne from Google’s Threat Analysis Group and Alison Huffman from Microsoft’s browser vulnerability research group. 
    Apple doesn’t say whether the bug was being exploited before the update. Both security researchers are noteworthy. 
    Huffman discovered a flaw in Google’s Chrome browser that was being exploited before Google released a patch. That bug, CVE-2021-21166, was addressed in the release of the Chrome 89 stable channel for desktop on Windows, Mac, and Linux last week. Lecigne found two critical iPhone bugs that were being exploited in 2019.   

    The iOS updates are available for the iPhone 6s and later, iPad Air 2 and later, iPad mini 4 and later, and iPod touch (7th generation).
    iOS 14.4.1 is available now worldwide and contains a 138MB update. “This update provides important security updates and is recommended for all users,” Apple notes. iPhone owners can go to the Settings app and check for software updates to get the patch. It’s always easy to install but, as usual, the process takes a few minutes while the device prepares the update and then users will need to wait for the device to restart.

  • Malicious apps on Google Play dropped banking Trojans on user devices

    Google has removed 10 apps from the Play Store which contained droppers for financial Trojans. 

    On Tuesday, Check Point Research (CPR) said in a blog post that the Android applications appear to have been submitted by the same threat actor who created new developer accounts for each app.
    The dropper was loaded into otherwise innocent-looking software, and each of the 10 apps was a utility, including Cake VPN, Pacific VPN, BeatPlayer, QR/Barcode Scanner MAX, and QRecorder.
    The utilities’ functionality is ripped from existing, legitimate open source Android apps. 
    In order to avoid detection by Google’s standard security protections, Firebase was used as a platform for command-and-control (C2) communication and GitHub was abused for payload downloads. 
    According to the researchers, the hidden dropper’s C2 infrastructure contains parameters — enable or disable — to ‘decide’ whether or not to trigger the app’s malicious functions. The parameter is set to “false” until Google has published the app, and then the trap springs. 
    CPR says the newly discovered dropper, dubbed Clast82, has been designed to deliver financial malware. Once triggered, second-stage payloads are pulled from GitHub, including mRAT and AlienBot.

    “If the infected device prevents installations of applications from unknown sources, Clast82 prompts the user with a fake request, pretending to be ‘Google Play Services’ requesting the user to allow the installation every five seconds,” the team says. 
    mRAT is used to provide remote access to a compromised mobile device, whereas AlienBot facilitates the injection of malicious code into existing, legitimate financial apps. Attackers can hijack banking apps to obtain access to user accounts and steal their financial data, and the malware will also attempt to intercept two-factor authentication (2FA) codes.
    The researchers reported the malicious apps to Google on January 29, a day after discovery. By February 9, Google had confirmed that the malware had been removed from the Play Store. The apps accounted for roughly 15,000 installs.
    “The hacker behind Clast82 was able to bypass Google Play’s protections using a creative, but concerning, methodology,” commented Aviran Hazum, Check Point mobile research manager. “With a simple manipulation of readily available third-party resources — like a GitHub account, or a FireBase account — the hacker was able to leverage readily available resources to bypass Google Play Store’s protections.”


  • Microsoft Exchange server hack: Banking agency on 'heightened alert' after cyberattack

    Hackers breached the email servers of the European Banking Authority (EBA) as part of the global cyberattacks targeting Microsoft Exchange Server – and while the Paris-based financial security agency for the European Union says that no data has been stolen as part of the attack, it remains on high alert.
    The EBA fell victim to a hacking campaign exploiting four zero-day vulnerabilities in Microsoft Exchange Server that has affected tens of thousands of organisations around the world.

    The vulnerabilities allowed cyber attackers to gain access to the European Banking Authority’s email servers, initially leading to fears that personal data may have been accessed by hackers.
    However, in an update on the investigation into the incident, the EBA said the email infrastructure has been secured and at this stage it’s believed “no data extraction has been performed” and there’s “no indication to think that the breach has gone beyond our email servers”.
    The EBA’s email system was taken offline as a precautionary measure but it has now been fully restored following the deployment of additional security measures.
    “Since it became aware of the vulnerabilities, the EBA has taken a proactive approach and carried out a thorough assessment to appropriately and effectively detect any network intrusion that could compromise the confidentiality, integrity and availability of its systems and data,” the EBA said in a statement.

    “Besides re-securing its email system, the EBA remains in heightened security alert and will continue monitoring the situation,” it added.
    Analysis of the Microsoft Exchange Server attack was carried out by the European Banking Authority in collaboration with the European Union’s Computer Emergency Response Team (CERT-EU), as well as additional security experts.
    The EBA is just one of thousands of organisations around the world that are believed to have been targeted by attackers exploiting newly discovered zero-day flaws in Microsoft Exchange Server, the email inbox, calendar, and collaboration solution used by enterprises of all sizes around the world.
    Microsoft has released a security update to patch the vulnerabilities and is urging customers to apply it as soon as possible to protect themselves from being attacked.
    The cyberattacks targeting Microsoft Exchange Server have been attributed to a state-sponsored advanced persistent threat (APT) hacking group working out of China, dubbed Hafnium.
    Other organisations targeted by the hacking group include think tanks, non-profits, defence contractors, higher education institutions and infectious disease researchers.

  • Microsoft Exchange attacks: Now Microsoft rushes out a patch for older versions of Exchange

    Microsoft has released security updates for unsupported versions of Exchange email servers following widespread attacks exploiting four newly discovered security vulnerabilities.
    Microsoft has already released out-of-band emergency patches for Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019 but, in light of ongoing cyberattacks exploiting the flaws, it’s produced security updates for earlier versions of Exchange it otherwise does not patch. 

    The security updates for older versions of Exchange only address the four newly disclosed flaws that are being tracked as CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. The issues affect on-premise Exchange servers. 
    Though patches for unsupported Microsoft products are rare, the company has been forced to issue them on multiple occasions in the past five years to address global cyberattacks. It made patches for unsupported Windows XP in 2017 after the WannaCry ransomware attacks and produced patches for Windows XP again in 2019 after identifying a severe wormable flaw in Windows.    
    Microsoft notes that this security update for Exchange only addresses the four new flaws and does not mean those versions of Exchange, such as Exchange 2010 and earlier, are now supported. The patches are designed to update specific cumulative updates (CU) of Exchange. 
    The patches include updates for the following cumulative updates: 
    “Microsoft is producing an additional series of security updates (SUs) that can be applied to some older (and unsupported) Cumulative Updates (CUs). The availability of these updates does not mean that you don’t have to keep your environment current,” Microsoft states.  

    “This is intended only as a temporary measure to help you protect vulnerable machines right now. You still need to update to the latest supported CU and then apply the applicable SUs. If you are already mid-update to a later CU, you should continue with that update.”
    Microsoft spokesman Frank X Shaw said on Twitter that Microsoft engineers had “worked around the clock to deliver fixes” for these older and unsupported cumulative update versions of Windows Exchange.
    Microsoft raced out patches for Exchange earlier this month after security researchers discovered that suspected China-backed hackers were exploiting Exchange servers to access emails of targets. Security firm Volexity said the bugs had been exploited from around January 6, 2021.  
    The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) this week ordered civilian agencies to apply Microsoft’s patches or disconnect vulnerable email servers. CISA also warned it had seen “widespread domestic and international exploitation” of the flaws. 
    It’s been a busy few months for cybersecurity teams around the world after the SolarWinds supply chain attack was disclosed by Microsoft and FireEye in mid-December. Those teams are already under pressure after supporting remote-working arrangements during the pandemic. 
    Chris Krebs, the former director of CISA, commented this week that incident response teams are burned out. He recommended patching Exchange now if possible and assuming that the organization has already been breached. If searching for signs of compromise is not currently possible, he recommended following CISA’s advice: disconnect and rebuild the Exchange server.
    Microsoft says the new Exchange updates are available only through the Microsoft Download Center and not on the Microsoft Update service.
    “We are producing updates only for some older CUs for Exchange 2016 and 2019,” it notes. 
    Microsoft also warns that there are problems with this security update that may cause Outlook on the web to crash, depending on the configuration. 
    “When you try to manually install this security update by double-clicking the update file (.msp) to run it in normal mode (that is, not as an administrator), some files are not correctly updated,” Microsoft notes in a support document. 
    “When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook on the web and the Exchange Control Panel (ECP) might stop working.”
    “This issue occurs on servers that are using User Account Control (UAC). The issue occurs because the security update doesn’t correctly stop certain Exchange-related services. To avoid this issue, follow these steps to manually install this security update.”
    CISA today issued another warning for organizations to apply Microsoft’s patches. 
    “CISA urges ALL organizations across ALL sectors to follow guidance to address the widespread domestic and international exploitation of Microsoft Exchange Server product vulnerabilities,” CISA said on Twitter. 
    “An adversary can exploit this vulnerability to compromise your network and steal information, encrypt data for ransom, or even execute a destructive attack,” it said in an advisory.

  • UnityMiner cryptocurrency malware hijacks QNAP storage devices

    A cryptocurrency miner is being deployed on QNAP NAS devices through a remote code execution flaw.

    QNAP, a Taiwanese vendor, manufactures hardware including network-attached storage (NAS) devices, products used to provide additional, centralized storage in home and business use cases. 
    On March 2, 360Netlab researchers received reports that QNAP NAS devices were subject to a new wave of attacks. 
    Internet of Things (IoT) and associated devices are commonly hijacked through brute-force attacks and via credential theft. However, in this case, two vulnerabilities leading to remote code execution (RCE) are thought to be to blame. 
    The vulnerabilities are tracked as CVE-2020-2506 and CVE-2020-2507. According to QNAP, the Helpdesk app security issues combine improper access control and a command injection vulnerability which can be used to trigger RCE and hijack NAS devices. 
    The critical vulnerabilities were disclosed in a security advisory dated October 7, 2020. Devices that contain firmware prior to August are vulnerable. 
    360Netlab researchers estimate that “hundreds of thousands of online QNAP NAS devices” have not been patched. An online mapping scan, as of last week, detected 4,297,426 QNAP NAS devices — with 951,486 unique IPs — that may remain vulnerable. 

    The team says that these products are susceptible to full hijacking through attackers gaining root privileges — and this allows them to deploy cryptocurrency mining malware. 
    The miner is called UnityMiner. This malware, which utilizes a version of the open source XMRig miner — used to mine Monero (XMR) — is able to disguise the mining process and tamper with the reported CPU and memory usage data in an attempt to hide its presence on a compromised machine.
    “When QNAP users check the system usage via the web management interface, they cannot see the abnormal system behavior,” the researchers note. 
    Once deployed on a target machine, the malware consists of unity_install.sh and Quick.tar.gz, which together contain download instructions, the payload, and configuration data. 
    The CPU architecture will be checked so the correct miner version can be installed, and as of now, UnityMiner is compatible with ARM64 and AMD64. Only half of the available cores are used for mining, likely in another effort to stay under the radar and not overload the infected NAS device. 
    Three pool proxies are used to disguise the address of the wallet where cryptocurrency, after mining, is stored. 
    360Netlab contacted QNAP with its findings on March 3. 
    In January, QNAP published a security advisory warning of the active exploit of Dovecat, malware that compromises NAS devices via weak credentials for the purpose of cryptocurrency mining. 
    ZDNet has reached out to QNAP and will update when we hear back. 

  • Intel joins DARPA in search of encryption 'holy grail'

    Intel has signed an agreement with Defense Advanced Research Projects Agency (DARPA) to take part in its Data Protection in Virtual Environments (DPRIVE) program, which is aiming to develop an accelerator for fully homomorphic encryption (FHE).
    “Fully homomorphic encryption remains the holy grail in the quest to keep data secure while in use,” Intel Labs principal engineer Rosario Cammarota said.
    FHE is an approach to data security that delivers mathematical proof of encryption by using cryptographic means, which DARPA has touted could potentially provide a new level of certainty around how data is stored and manipulated.
    “Today, traditional encryption protects data while stored or in transmission, but the information must be decrypted to perform a computation, analyse it, or employ it to train a machine learning model,” the agency explained.
    “Decryption endangers the data, exposing it to compromise by savvy adversaries or even accidental leaks. FHE enables computation on encrypted information, allowing users to strike a balance between using sensitive data to its full extent and removing the risk of exposure.”
    While FHE is positioned as a viable path forward, it requires a prohibitive amount of compute power and time.
    “A computation that would take a millisecond to complete on a standard laptop would take weeks to compute on a conventional server running FHE today,” DARPA program manager Tom Rondeau said.

    DARPA launched DPRIVE to reduce the processing time from weeks to seconds.
    Microsoft is the key cloud ecosystem and homomorphic encryption partner leading the commercial adoption of the technology once developed by testing it in its cloud offerings, including Microsoft Azure and the Microsoft JEDI cloud with the US government.
    Intel’s role will be to design an application-specific integrated circuit accelerator to reduce the performance overhead currently associated with fully homomorphic encryption.
    “When fully realised, the accelerator could deliver a massive improvement in executing FHE workloads over existing CPU-driven systems, potentially reducing cryptograms’ processing time by five orders of magnitude,” the chip giant said.
    Intel joins DPRIVE alongside Duality Technologies, Galois, and SRI International. The four companies will lead researchers to develop an FHE accelerator hardware and software stack that reduces the computational overhead required to make FHE calculations to a speed comparable to similar unencrypted data operations.
    In addition, teams are exploring novel approaches to memory management, flexible data structures and programming models, and formal verification methods to ensure the FHE implementation is correct-by-design and provides confidence to the user, DARPA said.
    “We currently estimate we are about a million times slower to compute in the FHE world than we are in the plaintext world. The goal of DPRIVE is to bring FHE down to the computational speeds we see in plaintext. If we are able to achieve this goal while positioning the technology to scale, DPRIVE will have a significant impact on our ability to protect and preserve data and user privacy,” Rondeau said.

  • Ezviz C3X outdoor security camera review: Simple setup, superb features

    Pros
    ✓Loud siren and strobe
    ✓Configurable alert zones
    ✓Well-constructed

    Cons
    ✕Voice alert too quiet

    The Ezviz C3X outdoor security camera is very cool for an outdoor security camera and it has some much-needed features for monitoring your home or office.
    This is a well-constructed, solid, metal camera with a locking metal base to hold it firmly in place.
    It is dust-proof, weather-proof, rated IP67, and is solid enough not to be blown by the wind when secured by its locking ring on the mount.
    The C3X comes in two versions. You can buy either a Wi-Fi or PoE (Power over Ethernet) camera. I have the Wi-Fi version that can also be connected to the internet through a LAN cable to your router.
    Inside the box, there is the camera, power adaptor, extension lead, and cable seal kit. There is also a paper drilling template and a screw kit.
    The quick start guide has a QR code to enable you to download the full user guide and the app. The camera is also compatible with Alexa, and Google Home.
    On the body of the camera, there is an LED indicator, which is blue to show the Wi-Fi connection status or whether a video is being viewed in the app. The LED flashes red if the Wi-Fi connection has failed.
    The C3X is so simple to connect to the app — by far the easiest camera I have tried so far. It is simple to connect the app to the camera using 2.4GHz Wi-Fi and it is really simple to use.
    The C3X will either use a micro SD card of up to 256GB, or there is a free 7-day trial of the cloud services. The camera records video using H.265 video compression to save storage space. It has a viewing angle of up to 89 degrees horizontal (106 degrees diagonal).
    The night view has really good color — as opposed to the usual black and white view of other cameras I have reviewed.
    Only on dark nights, before the moon has risen, does the camera switch to black and white. It does not use a spotlight to enhance the view.
    You can program the C3X to emit a siren and bright strobe light when it detects any motion.
    The camera siren will fire if it detects people or cars but not when it detects tree movement or dogs.

    You can configure a voice alert to trigger instead when someone enters the zone or field of view.
    However, the voice output from the camera is really quiet — even when all of the options in the settings are set to intense. It is far more effective to use the siren.
    It was a little disappointing as I had hoped for a really loud bellow when someone crossed into the zone.
    The camera itself has dual 2MP lenses. One lens records the brightness and the other captures color information. The two 1080p images are merged by the camera.
    It also has dual infrared lights, and can detect motion up to 100ft away.
    You can select which parts of the image view will be used to detect motion by drawing a specific zone — or set a line to cross. The lines feature is sluggish to set so you need to be patient.
    All in all, this camera has some great features. I particularly like the alert detection feature, the siren, and the strobe light.
    For $149 the Ezviz C3X is a neat little camera that is super easy to configure and the motion detection feature is excellent — if only the voice alert was louder.