More stories

  • More than 6,700 VMware servers exposed online and vulnerable to major new bug

    More than 6,700 VMware vCenter servers are currently exposed online and vulnerable to a new attack that can allow hackers to take over unpatched devices and effectively take over companies’ entire networks.
    Scans for VMware vCenter devices are currently underway, according to threat intelligence firm Bad Packets.

    The scans started earlier today after a Chinese security researcher published proof-of-concept code on their blog for a vulnerability tracked as CVE-2021-21972.
    This vulnerability impacts vSphere Client (HTML5), a plugin of VMware vCenter, a type of server usually deployed inside large enterprise networks as a centralized management utility through which IT personnel manage VMware products installed on local workstations.
    Last year, security firm Positive Technologies discovered that an attacker could target the HTTPS interface of this vCenter plugin and execute malicious code with elevated privileges on the device without having to authenticate.
    Because of the central role of a vCenter server inside corporate networks, the issue was classified as highly critical and privately reported to VMware, which released official patches yesterday, on February 23, 2021.
    Due to the large number of companies that run vCenter software on their networks, Positive Technologies initially planned to keep details about this bug secret until system administrators had enough time to test and apply the patch.

    However, the proof-of-concept code posted by the Chinese researcher, and others, effectively denied companies any grace period to apply the patch and also started a free-for-all mass-scan for vulnerable vCenter systems left connected online, with hackers hurrying to compromise systems before rival gangs.
    Making matters worse, the exploit for this bug is also a one-line cURL request, which makes it easy even for low-skilled threat actors to automate attacks.

    According to a Shodan query, more than 6,700 VMware vCenter servers are currently connected to the internet. All these systems are now vulnerable to takeover attacks if administrators failed to apply yesterday’s CVE-2021-21972 patches.
    VMware has taken this bug very seriously and has assigned a severity score of 9.8 out of a maximum of 10 and is now urging customers to update their systems as soon as possible.
    Due to the critical and central role that VMware vCenter servers play in enterprise networks, a compromise of this device could allow attackers access to any system that’s connected or managed through the central server.
    These are the types of devices that threat actors (known as “network access brokers”) like to compromise and then sell on underground cybercrime forums to ransomware gangs, which then encrypt victims’ files and demand huge ransoms.
    Since a PoC is now out in the open, Positive Technologies has also decided to publish an in-depth technical report on the bug, so network defenders can learn how the exploit works and prepare additional defenses or forensics tools to detect past attacks.

  • Google funds Linux kernel developers to work exclusively on security

    Hardly a week goes by without yet another major Windows security problem popping up, while Linux security problems, when looked at closely, usually turn out to be blunders made by incompetent system administration. But Linux can’t rest on its laurels. There are real Linux security concerns that need addressing. That’s where Google and the Linux Foundation come in with a new plan to underwrite two full-time maintainers for Linux kernel security development, Gustavo Silva and Nathan Chancellor. 


    Silva and Chancellor’s exclusive focus will be to maintain and improve kernel security and associated initiatives to ensure Linux’s security. There’s certainly work to be done. 
    As the Linux Foundation’s Open Source Security Foundation (OpenSSF) and the Laboratory for Innovation Science at Harvard (LISH) found in their open-source contributor survey, security is often neglected in open-source software development. True, Linux has over 20,000 contributors, and as of August 2020, one million commits, but security is not one of their top-of-mind issues.
    Unfortunately, it starts at the top. Linus Torvalds, Linux’s creator, really dislikes people who make improving security in Linux more trouble than it needs to be. In 2017, in his own inestimable style, he called some security developers “f-cking morons.” But Torvalds, while often colorful, also gave direction to security programmers.
    From Torvalds’ viewpoint, “Security problems are just bugs. … The only process I’m interested in is the _development_ process, where we find bugs and fix them.” Or, as Torvalds said in 2008, “To me, security is important. But it’s no less important than everything *else* that is also important!”
    Torvalds isn’t the only one who sees it that way. Jason A. Donenfeld, creator of Linux’s Wireguard Virtual Private Network (VPN), said on the Linux Kernel Mailing List (LKML) that “some security people scoff at other security people’s obsession with ‘security bugs.'” 
    He added: “The security industry is largely obsessed by finding (and selling / using /patching /reporting /showcasing /stockpiling /detecting / stealing) these ‘dangerous/useful’ variety of bugs. And this obsession is continually fulfilled because bugs keep happening — which is just the nature of software development — and so this ‘security bug’ infatuation continues.”

    While Torvalds and Donenfeld recognize the importance of securing Linux, too many developers hear their disdain for security researchers while missing that they both regard fixing real security bugs as necessary work. The result? On average, open-source programmers use just 2.27% of their total contribution time on security. Worse still, most open-source developers feel little desire to spend more of their time and effort on security.
    As David A. Wheeler, The Linux Foundation’s director of open-source supply chain security, said in the Report on the 2020 FOSS Contributor Survey: “It is clear from the 2020 findings that we need to take steps to improve security without overburdening contributors.” 
    The solution, the report authors suggested, was to devote money and resources to specific security purposes. This includes adding security-related tools to the continuous integration (CI) pipeline, security audits, and computing resources. In other words, make it easier for developers to add security to their projects.
    Specifically, OpenSSF and LISH suggested:
    Fund security audits of critical open-source projects and require that the audits produce specific, mergeable changes.
    Rewrite portions or entire components of FOSS projects prone to vulnerabilities to produce a substantially more secure result (e.g., contribute a rewrite in a memory-safe language). 
    Prioritize secure software development best practices. 
    Companies should make secure software development training a requirement for hiring or continued professional development for their paid FOSS developers. 
    Use badging programs, mentoring programs, and the influence of respected FOSS contributors to encourage projects and their contributors to develop and maintain secure software development practices. 
    Encourage projects to incorporate security tools and automated tests as part of their continuous integration (CI) pipeline; ideally as part of their default code management platform. 
    Google’s funding of two full-time Linux security maintainers signals the importance of security in the ongoing sustainability of open-source software. “At Google, security is always top of mind and we understand the critical role it plays to the sustainability of open-source software,” said Dan Lorenc, Google staff software engineer, in a statement. “We’re honored to support the efforts of both Gustavo Silva and Nathan Chancellor as they work to enhance the security of the Linux kernel.”
    Chancellor’s work will be focused on triaging and fixing all bugs found with Clang/LLVM compilers while working on establishing CI systems to support Clang and LLVM compiler tools. Two years ago, Chancellor started contributing to mainline Linux under the ClangBuiltLinux project, which is a collaborative effort to get the Linux kernel building with Clang and LLVM. 
    The Linux kernel has always traditionally been compiled with GNU toolchains such as GCC and binutils. The more modern Clang and LLVM utilities enable developers to create cleaner and more secure builds. Linux distributions such as Android, ChromeOS, and OpenMandriva already use Clang-built kernels.
    Chancellor has been working on the Linux kernel for four and a half years. “I hope that more and more people will start to use the LLVM compiler infrastructure project and contribute fixes to it and the kernel — it will go a long way toward improving Linux security for everyone,” said Chancellor. 
    Gustavo Silva’s full-time Linux security work is currently dedicated to eliminating several classes of buffer overflows by transforming all instances of zero-length and one-element arrays into flexible-array members, which is the preferred and least error-prone mechanism to declare such variable-length types. Silva is also working on fixing bugs before they hit the mainline, while proactively developing defense mechanisms that cut off whole classes of vulnerabilities. Before that, Silva led the effort to eliminate implicit switch fall-throughs in the Linux kernel. Silva sent his first kernel patch in 2010 and is an active member of the Kernel Self Protection Project (KSPP). He has consistently been one of the top five most active kernel developers since 2017, with more than 2,000 mainline commits. Silva’s work has impacted 27 different stable trees, going all the way down to Linux v3.16.
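    The array conversion described above, shown as an added userspace C example (not kernel code and not taken from the article). The struct and function names are hypothetical; the checked size helper follows the same idea as the kernel's struct_size().

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record types, constructed for this example. */

/* Legacy idiom: a one-element array standing in for a variable-length tail.
 * sizeof() already counts one element, so every size calculation needs a
 * "count - 1" adjustment. */
struct rec_legacy {
    uint32_t count;
    uint32_t items[1];
};

/* C99 flexible-array member: the tail contributes nothing to sizeof(). */
struct rec_flex {
    uint32_t count;
    uint32_t items[];
};

/* The size calculation the legacy layout invites. For count == 0 the
 * unsigned subtraction wraps, and the result is smaller than the struct
 * itself, so any access to items[0] lands outside the allocation. */
size_t legacy_alloc_size(size_t count)
{
    return sizeof(struct rec_legacy) + (count - 1) * sizeof(uint32_t);
}

/* Overflow-checked size for the flexible layout.
 * Returns 0 on success, -1 if the total would not fit in size_t. */
int flex_alloc_size(size_t count, size_t *out)
{
    if (count > (SIZE_MAX - sizeof(struct rec_flex)) / sizeof(uint32_t))
        return -1;
    *out = sizeof(struct rec_flex) + count * sizeof(uint32_t);
    return 0;
}

/* Allocate a record and copy `count` values into its tail.
 * Returns NULL on overflow or allocation failure. */
struct rec_flex *rec_new(const uint32_t *src, size_t count)
{
    size_t bytes;
    struct rec_flex *r;

    if (count > UINT32_MAX || flex_alloc_size(count, &bytes) != 0)
        return NULL;
    r = malloc(bytes);
    if (r == NULL)
        return NULL;
    r->count = (uint32_t)count;
    if (count > 0)
        memcpy(r->items, src, count * sizeof(uint32_t));
    return r;
}

/* Walk the tail using the stored count as the only bound. */
uint64_t rec_sum(const struct rec_flex *r)
{
    uint64_t total = 0;
    for (uint32_t i = 0; i < r->count; i++)
        total += r->items[i];
    return total;
}

int main(void)
{
    uint32_t sample[] = { 1, 2, 3 };  /* constructed sample data */
    struct rec_flex *r = rec_new(sample, 3);

    printf("sizeof legacy=%zu flex=%zu\n",
           sizeof(struct rec_legacy), sizeof(struct rec_flex));
    printf("legacy size for 0 items: %zu bytes\n", legacy_alloc_size(0));
    if (r != NULL) {
        printf("flex record sum: %llu\n", (unsigned long long)rec_sum(r));
        free(r);
    }
    return 0;
}
```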
    “We are working towards building a high-quality kernel that is reliable, robust, and more resistant to attack every time,” said Silva. “Through these efforts, we hope people, maintainers, in particular, will recognize the importance of adopting changes that will make their code less prone to common errors.”
    “Ensuring the security of the Linux kernel is extremely important as it’s a critical part of modern computing and infrastructure. It requires us all to assist in any way we can to ensure that it is sustainably secure,” added Wheeler. “We extend a special thanks to Google for underwriting Gustavo and Nathan’s Linux kernel security development work along with a thank you to all the maintainers, developers, and organizations who have made the Linux kernel a collaborative global success.”
    Google has recently been putting more resources behind security for all open-source software. The company recently proposed a framework, “Know, Prevent, Fix,” for how we can think about open-source vulnerabilities and concrete areas to address first, including:
    Consensus on metadata and identity standards: We need consensus on fundamentals to tackle these complex problems as an industry. Agreements on metadata details and identities will enable automation, reduce the effort required to update software, and minimize the impact of vulnerabilities.
    Increased transparency and review for critical software: For software that is critical to security, we need to agree on development processes that ensure sufficient review, avoid unilateral changes, and transparently lead to well-defined, verifiable official versions.
    Going back to Linux specifically, funding Linux kernel security and development is a collaborative effort that needs support from everyone. To support work like this, discussions are taking place in the Securing Critical Projects Working Group inside the OpenSSF. If you want to be involved in the work, now’s your chance. It’s not just Google and top Linux developers; everyone who works with Linux needs to be involved.

  • Ukraine reports cyber-attack on government document management system

    The Ukrainian government said today that Russian hackers compromised a government file-sharing system as part of an attempt to disseminate malicious documents to other government agencies.
    The target of the attack was the System of Electronic Interaction of Executive Bodies (SEI EB), a web-based portal used by Ukrainian government agencies to circulate documents between each other and public authorities.
    In a statement published today, officials with Ukraine’s National Security and Defense Council said the purpose of the attack was “the mass contamination of information resources of public authorities.”
    Ukrainian officials said the attackers uploaded documents on this portal that contained macro scripts. If users downloaded any of these documents and allowed the scripts to execute (usually by pressing the “Enable Editing” button inside Office apps), the macros would secretly download malware that would allow the hackers to take control of a victim’s computer.
    Ukraine links the attacks to Russian cyberspies
    “The methods and means of carrying out this cyberattack allow [us] to connect it with one of the hacker spy groups from the Russian Federation,” NSDC officials said.
    Even though most state-sponsored hacker groups have been assigned names by the cyber-security industry, Ukrainian officials did not attribute the attack to a specific Russian activity cluster.
    Officials did, however, publish indicators of compromise (IOCs) used in the attacks. They include:
    Domains: enterox.ru
    IP addresses: 109.68.212.97
    Link (URL): http://109.68.212.97/infant.php

    Today’s NSDC security alert is the second warning the agency has published this week. The agency also warned on Monday that Russian hackers launched DDoS attacks last week that targeted the websites of the Security Service of Ukraine, the National Security and Defense Council of Ukraine, and resources of other state institutions and strategic enterprises.

  • Want to pass on your old PCs to good causes? Here's how to do it while staying secure

    Many charities are encouraging individuals and organisations to donate their old laptops, tablets and other devices, and while many want to support good causes, it can be hard to know how to make sure devices are in the right state to hand over.


    The UK’s National Cyber Security Centre (NCSC) has issued advice on erasing data from devices so they can be passed on as safely as possible.
    Firstly, donors should be encouraged to erase all of the data on the laptop or tablet before they give it to charity – because failure to do so could result in their personal data like usernames and passwords being available to others.
    The NCSC notes that users should be encouraged to do this themselves, so they have the most control possible over their data, including backing up any information or files they want to keep before erasing the data from the device.
    Secondly, charities which receive donations of laptops and other computers should erase data on donated devices – even if the user says they’ve already deleted the data. Performing a factory reset like this reverts the laptop to the state it was in when first used, allowing the new user to set it up as they please.
    This also prevents information previously stored on the device from being shared and will also prevent most malware that could have potentially been installed on the laptop from compromising the new user.

    It’s also recommended that the charities which are providing laptops to schoolchildren are selective about what devices they pass on and don’t give out any computers which are reliant on an operating system which is no longer supported by its manufacturer.
    This is because unsupported operating systems no longer receive security updates from their manufacturers, something which leaves users unprotected against new vulnerabilities, malware and other cyber attacks.
    It’s recommended that devices which can’t be donated due to being out of support are recycled instead.

  • Microsoft unveils three more 'industry clouds' for financial, manufacturing and nonprofit

    Microsoft is continuing to roll out more vertical cloud packages tailored for specific vertical industries. On February 24, the company announced three more of these “industry clouds” for financial services, manufacturing and nonprofit. These supplement the already-announced Microsoft cloud packages for healthcare and retail.
    These industry clouds package together common data models, cross-cloud connectors, workflows, application programming interfaces and industry-specific components and standards. They are designed for use with Azure, Microsoft 365, Dynamics 365, Power Platform tools and other Microsoft services and are meant to connect front-end productivity tasks to backend data management, officials said.
    “Other industry clouds are just about one business process or one use case,” said Alysa Taylor, Corporate Vice President of Business Applications and Global Industry.
    Microsoft, for its part, is pulling together multiple scenarios into a single vertical cloud. In the past, systems integrators inside and outside companies would be the ones creating these kinds of templates and custom solutions. But the company still is looking to involve partners in extending and tailoring these cloud packages, Taylor said.
    There are productivity and security pieces that are common across Microsoft’s vertical clouds, such as Teams collaboration, Office apps and Power BI analytics. Engineering teams from Office, Dynamics, Azure and other parts of the company are meeting bi-weekly to build out these vertical clouds, Taylor said. But there are also capabilities in each that are unique to specific industries.
    The Microsoft Cloud for Financial Services, for example, includes features such as a prebuilt Loan Manager and Banking customer engagement. The public preview of the Financial Services cloud is slated for March 2021.
    The Microsoft Cloud for Manufacturing will adhere to standards from the OPC Foundation, Open Manufacturing Platform and Digital Twins Consortium. The Manufacturing Cloud will be available for public preview by the end of June 2021.
    And the Microsoft Cloud for Nonprofit includes donor-management, volunteer management and fundraising functionality. The public preview is slated to be out by the end of June.
    Microsoft also announced today that its previously announced Microsoft Cloud for Retail will be in public preview as of March 2021. And the first update to the Microsoft Cloud for Healthcare will be available in April, which will add support for eight new languages, plus features for virtual health, remote patient monitoring, care coordination and patient self-service.
    Taylor said Microsoft is in the planning phase right now to determine which additional verticals it will be targeting with industry clouds in the coming months.

  • This botnet is abusing Bitcoin blockchains to stay in the shadows

    A botnet used for illicit cryptocurrency mining activities is abusing Bitcoin (BTC) transactions to stay under the radar. 

    According to new research published by Akamai on Tuesday, the technique is being harnessed by operators of a long-running cryptocurrency mining botnet campaign, in which BTC blockchain transactions are being exploited to hide backup command-and-control (C2) server addresses. 
    Botnets rely on C2 servers to receive commands from cyberattackers. Law enforcement and security teams are constantly finding and taking down these C2 servers in order to render campaigns defunct — but if backups are in play, takedowns can be more difficult. 
    Akamai says that botnet operators are able to hide backup C2 IP addresses via the blockchain, and this is described as a “simple, yet effective, way to defeat takedown attempts.”
    The attack chain begins with the exploit of remote code execution (RCE) vulnerabilities impacting software including Hadoop Yarn and Elasticsearch, such as CVE-2015-1427 and CVE-2019-9082. 
    In some attacks, rather than outright system hijacking, RCEs are also being modified to create Redis server scanners that find additional Redis targets for cryptocurrency mining purposes. 
    A shell script is deployed to trigger an RCE on a vulnerable system and Skidmap mining malware is deployed. The initial script may also kill off existing miners, modify SSH keys, or disable security features. 

    Cron jobs — time-based job schedulers — and rootkits are used to maintain persistence and further distribute the malware. However, in order to maintain and re-infect target systems, domains and static IP addresses are used — and these addresses are eventually identified and killed by security teams. 
    “Predictably these domains and IP addresses get identified, burned, and/or seized,” the researchers say. “The operators of this campaign expected this and included backup infrastructure where infections could fail over and download an updated infection that would, in turn, update the infected machine to use new domains and infrastructure.”
    In December, Akamai noted a BTC wallet address was being included in new variants of the cryptomining malware. Additionally, a URL for a wallet-checking API and bash one-liners were found, and it appears that the wallet data being fetched by the API was being used to calculate an IP address. 
    This IP address is then used to maintain persistence. The researchers say that by fetching addresses via the wallet API, the malware’s operators are able to obfuscate and stash configuration data on the blockchain. 
    “By pushing a small amount of BTC into the wallet, they can recover infected systems that have been orphaned,” Akamai says. “They essentially have devised a method of distributing configuration information in a medium that is effectively unseizable and uncensorable.”
    To convert wallet data into an IP address, the operators use four bash one-liner scripts to send an HTTP request to the blockchain explorer API for the given wallet, and then the Satoshi values — the smallest, pre-defined value of BTC units — of the most recent two transactions are then converted into the backup C2 IP. 
    “The infection is using the wallet address as a DNS like record, and the transaction values as a type of A record,” Akamai explains. “In Fig. 2 [below], the variable aa contains the Bitcoin wallet address, variable bb contains the API endpoint that returns the latest two transactions used to generate the IP address, and variable cc contains the final C2 IP address after the conversion process is completed. To achieve this conversion, four nested Bash one-liners (one each, per-octet) are concatenated together. While the mess of cURLs, seds, awks, and pipes is hard to make sense of at first glance, it’s a fairly simple technique.”

    [Figure: Bash script example of Satoshis to C2 IP conversion. Source: Akamai]
    Akamai estimates that to date, over $30,000 in Monero (XMR) has been mined by the operators.
    “The technique isn’t perfect,” the researchers noted. “There are improvements that can be made, which we’ve excluded from this write-up to avoid providing pointers and feedback to the botnet developers. Adoption of this technique could be very problematic, and it will likely gain popularity in the near future.”

  • More private browsing? Firefox gets tougher on cookie tracking with new 'total' protection

    Mozilla, the maker of the Firefox browser, has rolled out a feature called Total Cookie Protection as part of its Enhanced Tracking Protection “Strict Mode” that promises to stifle cross-site tracking. 
    If you’re bugged by companies using cookies to track your online activities across websites, Mozilla might have an answer.  


    “Total Cookie Protection confines cookies to the site where they were created, which prevents tracking companies from using these cookies to track your browsing from site to site,” Mozilla says in a new blogpost. 
    The feature is available as part of Firefox’s feature called Enhanced Tracking Protection.
    Mozilla argues that most browsers allow cookies to be shared between websites, allowing marketing folks to “tag” a browser and track the user as they browse across sites. 
    “This type of cookie-based tracking has long been the most prevalent method for gathering intelligence on users. It’s a key component of the mass commercial tracking that allows advertising companies to quietly build a detailed personal profile of you,” Mozilla says. 

    Apple introduced Intelligent Tracking Prevention (ITP) last year to Safari via its WebKit project in order to block all third-party cookies in Safari by default.
    Mozilla embarked on its own take on this technology to tackle the online ad businesses in 2019. Privacy is one of the key pillars that Mozilla is using to differentiate itself from a web that’s increasingly dominated by the Chromium project, which has seen even Microsoft migrate its Edge browser to Google’s browser. 
    Mozilla says the Total Cookie Protection provides a separate “cookie jar” for each website that’s visited. 
    “Any time a website, or third-party content embedded in a website, deposits a cookie in your browser, that cookie is confined to the cookie jar assigned to that website, such that it is not allowed to be shared with any other website,” Mozilla says. 
    Cookies, however, are useful for purposes such as logging in easily to a website that was visited in the past. Mozilla’s Total Cookie Protection will support this use of cookies. The exception is based around an expression from the user that they intended to use a particular site. 
    “Total Cookie Protection makes a limited exception for cross-site cookies when they are needed for non-tracking purposes, such as those used by popular third-party login providers,” Mozilla notes.  
    “Only when Total Cookie Protection detects that you intend to use a provider, will it give that provider permission to use a cross-site cookie specifically for the site you’re currently visiting. Such momentary exceptions allow for strong privacy protection without affecting your browsing experience.”

  • Start Options, B2G founder indicted for alleged digital currency, investor fraud

    The founder of the Start Options and Bitcoiin2Gen (B2G) digital asset investment platforms has been indicted on charges of investor fraud and money laundering. 

    The US Department of Justice (DoJ) said on Tuesday that Kristijan Krstic, a Serbian national, has been charged in an indictment for allegedly participating in international, cryptocurrency-related fraud. 
    According to the complaint, the 45-year-old founded two platforms, Start Options and B2G, and also served as the Chief Financial Officer (CFO) of Start Options.
    It has been alleged that between roughly 2017 and 2018, Krstic and co-conspirators targeted investors in the United States, luring them to purchase securities in the form of investment contracts in both companies, marketed as successful trading services.
    Prosecutors say that Start Options claimed to be a digital asset trading service that was “the largest Bitcoin (BTC) exchange in euro volume and liquidity,” apparently “consistently rated the best and most secure Bitcoin exchange by independent news media.”
    B2G touted itself as an “ecosystem” for trading tokens, digital, and fiat currencies, and also offered a form of wallet for storing and managing cryptocurrencies. 
    Both companies, however, are allegedly scams, according to the indictment. 

    “The money sent by investors in Start Options and B2G allegedly was never invested and instead was laundered internationally to a Philippines-based financial account and digital currency wallet, and diverted to a US-based promoter of the fraud,” the DoJ claims.
    In addition, in 2018, the DoJ says that Start Options investors trying to redeem their funds were told of a time-sensitive “opportunity” to roll over their funds and participate in an Initial Coin Offering (ICO) for B2G tokens.
    “Start Options investors were forced to take part in this ‘opportunity,’” prosecutors allege, adding that “all Start Options investors’ accounts were rolled into new B2G accounts, and even those Start Options investors who tried to decline the ‘opportunity’ were unable to cash in their shares.”
    Approximately $7 million of these proceeds was allegedly transferred from the promoter to Krstic — who then stopped communicating with investors and “absconded” with the cash — while Start Options claimed that the company had been sold to a Russian venture capitalist.
    The US Securities and Exchange Commission (SEC) estimates that “hundreds” of investors may have been defrauded out of as much as $11 million through the “fraudulent and unregistered digital asset securities offerings.”
    The DoJ added that Krstic used the alias “Felix Logan” when communicating with investors in both companies. According to his alleged Twitter handle, which has posted a variety of Bitcoin-related content and messages, “Logan” left his post at Start Options in 2018.
    Charges filed with the US Eastern District of New York court on Tuesday accuse Krstic of one count of securities fraud and conspiracy to commit securities fraud, one count of conspiracy to commit wire fraud, and one count of conspiracy to commit money laundering.
    John DeMarr, the ex-director of North American Operations for both companies — and a former private investigator — has been previously charged for his alleged participation. 
    On February 1, 2021, the SEC charged Krstic and DeMarr with violating antifraud and registration laws. The US agency is seeking damages, disgorgement of proceeds, penalties, and an officer/director ban for both individuals. 
    In addition, the SEC has also charged Robin Enos, who was allegedly drafted in to create promotional materials for the firms. Prosecutors say that Enos knew the content would be presented to investors and the material allegedly contained false statements — such as the use of investor funds toward mineable coins, and the claim that the B2G coin would be offered on the Ethereum blockchain. 
    “Bitcoiin2Gen was a sham, and Krstic and DeMarr allegedly misappropriated millions of dollars of investor funds for their own personal benefit,” the SEC says. 
    “The conduct alleged in this action was a blatant attempt to victimize those interested in digital asset technology and these defendants should be held accountable,” commented Kristina Littman, the SEC Enforcement Division Cyber Unit chief. “In reality, we allege, these ventures were fraudulent enterprises aimed simply at misappropriating funds from investors.”
    In January, a US resident and former journalist, Jerry Ji Guo, was jailed for six months based on claims that he pretended to be a cryptocurrency and Initial Coin Offerings (ICOs) consultant to conduct investor fraud.
    According to the DoJ, the 33-year-old promised investors that he would perform “consultancy, marketing, and publicity services” in return for crypto and cash investments, but these services never materialized. Guo must also pay $4.4 million in damages.