More stories

  • F5 Networks fiscal Q1 revenue, profit beat expectations, revenue outlook higher as well

    Application security pioneer F5 Networks this afternoon reported fiscal Q1 revenue and profit that topped analysts’ expectations, and forecast this quarter’s revenue higher, but profit a bit below, sending its shares sharply lower in late trading.
    Revenue in the three months ended in December rose to $625 million, yielding EPS of $2.59. 
    Analysts had been modeling $623 million and $2.45 per share. 
    Also: F5 to acquire multi-cloud security software maker Volterra for $500 million, raises financial outlook 
    The results compare to a raised forecast of $623 million to $626 million in revenue offered two weeks ago, when the company announced it would acquire privately held Volterra of Santa Clara, California, a maker of distributed multi-cloud application security and load-balancing software.
    For the current quarter, the company sees revenue in a range of $625 million to $645 million, higher than the consensus for $621 million; and EPS in a range of $2.32 to $2.44, slightly below consensus for $2.41. 
    F5 shares are down about 3% at $203 in after-hours trading and had initially dropped as much as 6%.

    Also: F5 Networks tops third quarter earnings targets


  • Apple fixes another three iOS zero-days exploited in the wild

    Apple today released security updates for iOS to patch three zero-day vulnerabilities that were exploited in the wild.

    All three zero-days were reported to Apple by an anonymous researcher.
    One impacts the iOS operating system kernel (CVE-2021-1782), and the other two are in the WebKit browser engine (CVE-2021-1870 and CVE-2021-1871).
    The iOS kernel bug was described as a race condition bug that can allow attackers to elevate privileges for their attack code.
    The two WebKit zero-days were described as a “logic issue” that could allow remote attackers to execute their own malicious code inside users’ Safari browsers.
    Security experts believe the three bugs are part of an exploit chain where users are lured to a malicious site that takes advantage of the WebKit bug to run code that later escalates its privileges to run system-level code and compromise the OS.
    However, official details about the attacks where these vulnerabilities were used were not made public, as is typical with most Apple zero-day disclosures these days.

    The three bugs today come after Apple patched another set of three iOS zero-days in November last year. The November zero-days were discovered by one of Google’s security teams.
    News of another set of iOS zero-days also came to light in December when Citizen Lab reported attacks against Al Jazeera staff and reporters earlier in 2020. These iOS zero-days were inadvertently patched when Apple released iOS 14, an iOS version with improved security features.

  • Four security vendors disclose SolarWinds-related incidents

    As most experts predicted last month, the fallout from the SolarWinds supply chain attack is getting bigger as time passes and companies have had time to audit their internal networks and DNS logs.
    This week, four new cyber-security vendors — Mimecast, Palo Alto Networks, Qualys, and Fidelis — have added their names to the list of companies that have installed trojanized versions of the SolarWinds Orion app.
    Mimecast hack linked to SolarWinds software
    The most important of this week’s announcements came from Mimecast, a vendor of email security products.
    Two weeks ago, the company disclosed a major security breach during which hackers broke into its network and abused a digital certificate used by one of its security products to access the Microsoft 365 accounts of some of its customers.
    In an update on its blog today, Mimecast said it linked this incident to a trojanized SolarWinds Orion app installed on its network.
    The company has now confirmed that the SolarWinds hackers are the ones who abused its certificate to go after Mimecast’s customers.
    Palo Alto Networks discloses Sep & Oct 2020 incidents
    Another major security vendor that came forward to disclose a SolarWinds-related incident was Palo Alto Networks, a vendor of cyber-security software and network equipment.

    Speaking to Forbes investigative reporter Thomas Brewster this week, Palo Alto Networks said it detected two security incidents in September and October 2020 that were linked to SolarWinds software.
    “Our Security Operation Center […] immediately isolated the server, initiated an investigation and verified our infrastructure was secure,” Palo Alto Networks told Forbes on Monday.
    However, the company said it investigated the breaches as separate, isolated incidents and didn’t detect the broader supply chain attack, which would be spotted only months later when hackers breached fellow security vendor FireEye.
    Palo Alto Networks said the investigation into the September and October SolarWinds-linked intrusions didn’t yield much and concluded that “the attempted attack was unsuccessful and no data was compromised.”
    Qualys: It was only a test system
    But the Forbes report also cited the findings of Erik Hjelmvik, founder of network security company Netresec, who published on Monday a report detailing 23 new domains that were used by the SolarWinds hackers to deploy second-stage payloads into infected networks they deemed as high value.
    Two of these 23 new domains were “corp.qualys.com,” suggesting that cybersecurity auditing giant Qualys might have been targeted by the attackers.
    However, in a statement to Forbes, Qualys said that the intrusion was not as big as it appears, claiming that its engineers installed a trojanized version of the SolarWinds Orion app inside a lab environment for testing purposes, separate from its primary network.
    A subsequent investigation did not find any evidence of further malicious activity or data exfiltration, Qualys said.
    However, some security researchers are not buying the company’s statement, arguing that the “corp.qualys.com” domain indicates that hackers did get access to its primary network and not a laboratory environment, as the company claims.
    Fidelis also discloses second-stage targeting
    The fourth and latest major disclosure came today from Fidelis Cybersecurity in the form of a blog post from the company’s CISO, Chris Kubic.
    The Fidelis exec said they, too, had installed a trojanized version of the SolarWinds Orion app in May 2020 as part of a “software evaluation.”
    “The software installation was traced to a machine configured as a test system, isolated from our core network, and infrequently powered on,” Kubic said.
    Fidelis said that despite efforts from the attacker to escalate their access inside the Fidelis internal network, the company believes that the test system was “sufficiently isolated and powered up too infrequently for the attacker to take it to the next stage of the attack.”
    This week’s disclosures bring the total number of cyber-security vendors targeted by the SolarWinds hackers to eight. Previous disclosures came from FireEye (initial intrusion which uncovered the entire SolarWinds supply chain attack in the first place), Microsoft (intruders accessed some of the company’s source code), CrowdStrike (failed intrusion), and Malwarebytes (attackers accessed some of the company’s email accounts).


  • Firefox 85 removes Flash and adds protection against supercookies

    Mozilla today released Firefox 85 to the stable channel, a new version of its beloved browser that removes support for the Adobe Flash Player plugin and also boosts privacy protections by adding more comprehensive defenses against “supercookies.”

    The removal of the Flash plugin comes after Mozilla announced its intention to drop Flash in July 2017 as part of a coordinated industry-wide Flash deprecation and End-of-Life plan, together with Adobe, Apple, Google, Microsoft, and Facebook.
    The EOL date was set to Dec. 31, 2020, a date after which Adobe agreed to stop providing updates for the software.
    Firefox now joins Chrome and Edge, both of which removed support for Flash earlier this month with the release of Chrome 88 and Edge 88.
    Network partitioning and supercookies protection
    But even if Firefox 85 is the first version that ships without the much-maligned Flash plugin, the bigger feature in this release is “network partitioning.”
    First reported by ZDNet last month, the network partitioning feature works by splitting the Firefox browser cache on a per-website basis, a technical solution that prevents websites from tracking users as they move across the web.
    In a blog post today, Mozilla said this new feature has effectively blocked the use of supercookies inside Firefox going forward.

    “Supercookies can be used in place of ordinary cookies to store user identifiers, but they are much more difficult to delete and block,” Mozilla said today.
    “Over the years, trackers have been found storing user identifiers as supercookies in increasingly obscure parts of the browser, including in Flash storage, ETags, and HSTS flags.
    “The changes we’re making in Firefox 85 greatly reduce the effectiveness of cache-based supercookies by eliminating a tracker’s ability to use them across websites,” the browser maker said.
    Mozilla said that while it expected a big impact on website performance after splitting the Firefox cache, internal metrics show that the impact was minimal.
    “Our metrics show a very modest impact on page load time: between a 0.09% and 0.75% increase at the 80th percentile and below, and a maximum increase of 1.32% at the 85th percentile,” Mozilla said.
    The browser maker viewed this performance impact as acceptable for improving overall user privacy.
    Other changes
    Other features also shipped with Firefox 85 today. The first is a change in how bookmarks are saved inside Firefox.
    Starting with this version, Firefox now remembers where users saved their last bookmark and saves all other bookmarks to the same location. 
    Furthermore, Firefox has also added a bookmarks folder to the bookmarks toolbar. This last feature caused some problems last week, when some Firefox users saw it in their browsers, but without an easy way of disabling it. With Firefox 85, removing that folder from the bookmarks toolbar is possible via a right-click menu option.
    In addition, Firefox 85 also ships with a button to remove all saved credentials, which could be a very useful feature in case users need to clear a Firefox installation and make it available for other users.
    Other changes are detailed in the Firefox 85 changelog, while security updates are listed in the accompanying security advisory.

  • South African government releases its own browser just to re-enable Flash support

    The South African Revenue Service this week released its own custom web browser for the sole purpose of re-enabling Adobe Flash Player support, rather than porting its existing website from Flash to HTML-based web forms.
    Flash Player reached its official end of life (EOL) on December 31, 2020, when Adobe officially stopped supporting the software.
    To prevent the app from continuing to be used in the real world to the detriment of users and their security, Adobe also began blocking Flash content from playing inside the app starting January 12, with the help of a time-bomb mechanism.
    As Adobe hoped, this last step worked as intended and prevented companies from continuing to use the software, forcing many to update systems and remove the app.
    As SARS tweeted on January 12, the agency was impacted by the time-bomb mechanism, and starting that day, the agency was unable to receive any tax filings via its web portal, where the upload forms were designed as Flash widgets.

    SARS is aware of certain forms not loading correctly due to Adobe Flash. We are currently working on resolving the matter and will advise once the problem has been resolved. We sincerely apologise for the current inconvenience.
    — SA Revenue Service (@sarstax) January 12, 2021

    But despite having a three-and-a-half-year heads-up, SARS did not choose to port its Flash widgets to basic HTML & JS forms, a process that any web developer would describe as trivial.
    Instead, the South African government agency decided to take one of the most mind-blowing decisions in the history of bad IT decisions and release its own web browser.

    Chrome, Firefox, Edge: Hey, we no longer support Adobe Flash Player due to security reasons.
    SARS: mxm okay, we’ll build our own browser ke! 🤡
    — Monsieur Elon Masakhane (@VendaVendor) January 26, 2021

    Released on Monday on the agency’s official website, the new SARS eFiling Browser is a stripped-down version of the Chromium browser that has two features.
    The first is to re-enable Flash support. The second is to let users access the SARS eFiling website.
    As Chris Peterson, a software engineer at Mozilla, pointed out, the SARS browser only lets users access the official SARS website, which somewhat reduces the risk of users getting their systems infected via Flash exploits while navigating the web.
    But as others have also pointed out, this does nothing for accessibility, as the browser is only available for Windows users and not for users of other operating systems such as macOS, Linux, and mobile platforms, all of whom are still unable to file taxes.

    Do tell me about the Linux, iOS, Android and MacOS versions of this browser
    — Stephan Eggermont (@StOnSoftware) January 26, 2021

    Pressed for more answers on its decision to focus on a narrow-minded solution via its custom browser rather than port some forms on its website, a SARS spokesperson did not return a request for comment.
    But in spite of its unexpected response to the Flash EOL, SARS is only an outlier in the grand scheme of things, as most companies have already moved operations away from Adobe Flash.
    Sure, there are a few exceptions here and there that can grab headlines due to poor decisions, but most companies have known long in advance that this day was coming and have taken steps to avoid any downtime.
    Another of these outlier cases that made headlines over the past week was the case of the local train station in the Chinese city of Dalian. Initial reports claimed that the rail station had to stop all rail traffic after its internal systems, built around Flash, stopped working.
    This turned out to be false, and later reports from Chinese media clarified that railway traffic never stopped in Dalian because of the Flash EOL. However, the reports also admitted that there’s some truth in the original report and that, indeed, some internal traffic statistics system had stopped working at the rail station on January 12, when Adobe blocked Flash content from working.
    That system was eventually upgraded to a Flash Player version that Adobe offers inside China only, which does not contain the January 12 time-bomb mechanism, allowing the system to continue working beyond the Flash EOL.

  • Cybercriminals use deceased staff accounts to spread Nemty ransomware

    Cybercriminals will often use brute-force attacks, phishing emails, and existing data dumps to break into corporate networks, but there is one area that is often ignored to a company’s detriment: ghost accounts.

    When a staff member leaves their employer, whether due to a new job offer, a change of circumstances, illness, or, in unfortunate cases, death, their accounts are not always removed from corporate networks.
    This oversight is one that cybercriminals are now taking advantage of, and in a recent case, it was actively exploited in order to spread ransomware.
    In a case study documented by Sophos’ cyberforensics group Rapid Response on Tuesday, an organization reached out after being infected by Nemty ransomware. 
    According to Sophos, the ransomware — also known as Nefilim — impacted over 100 systems, encrypting valuable files and demanding payment in return for a decryption key. 
    First detected in 2019, Nemty was a Ransomware-as-a-Service (RaaS) variant of malware that could be purchased in underground forums. In 2020, the developers took Nemty private, reserving the code’s future development for select partners. 
    During an investigation into the source of the infection, Sophos narrowed down the original network intrusion to a high-level administrator account. Over the course of a month, the threat actors quietly explored the company’s resources, obtaining domain admin account credentials and exfiltrating hundreds of gigabytes’ worth of data. 

    Once the cyberattackers had finished their reconnaissance and taken everything of value, Nemty was deployed.
    “Ransomware is the final payload in a longer attack,” noted Peter Mackenzie, Rapid Response manager. “It is the attacker telling you they already have control of your network and have finished the bulk of the attack. Identifying you are under a ransomware attack is easy, identifying the attacker was on your network a week earlier is what counts.”
    The cybersecurity team asked who the high privilege administration account belonged to. The victim company said the account belonged to a former member of staff who passed away approximately three months before the cyberintrusion. 
    Instead of revoking access and closing down the ‘ghost’ account, the firm chose to keep it active and open “because there were services that it was used for.”
    Sophos suggests that any ghost account allowed to stay connected to corporate resources once the user has no need of it should have interactive logins disabled, or if the account is really needed, a service account should be created in its stead. 
    In addition, the team says that zero-trust measures should be implemented companywide to reduce potential attack surfaces.
    In another case noted by Sophos, a new user account was covertly created on a corporate network and added to a domain admin group in Active Directory, and this account was used to delete roughly 150 virtual servers and deploy Microsoft BitLocker to encrypt existing server backups, piling on the pressure for payment. 
    Update 16.03 GMT: Added detail for additional clarity concerning the two case studies.
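    The two Sophos case studies above come down to two controls: finding privileged accounts that nobody uses any more, and noticing when a new account is quietly added to a privileged group. The following PowerShell is an added example written for this digest; it is not from the Sophos report or ZDNet. It assumes the ActiveDirectory RSAT module is installed, that the caller can read the Security event log on each domain controller, and that the group names and the 60-day / 7-day thresholds are placeholders to be aligned with local policy.

```powershell
# Added example (not from the Sophos case study or the ZDNet article).
# Assumptions: the ActiveDirectory RSAT module is installed, the caller can read the
# Security log on each domain controller, and the group names / thresholds below
# are placeholders. Adjust $PrivilegedGroups and $StaleDays before use.
Import-Module ActiveDirectory

function Get-StalePrivilegedAccounts {
    # Lists enabled accounts in privileged groups that have not logged on for $StaleDays days.
    # LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which can
    # lag real logons by up to 14 days, so treat the result as a review list, not proof.
    param(
        [int]$StaleDays = 60,
        [string[]]$PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($group in $PrivilegedGroups) {
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties LastLogonDate, PasswordLastSet, whenCreated |
            Where-Object { $_.Enabled -and ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff) } |
            Select-Object @{ n = 'Group'; e = { $group } }, SamAccountName, LastLogonDate, PasswordLastSet, whenCreated
    }
}

function Get-PrivilegedGroupChanges {
    # Pulls recent "user created" and "member added to group" events from every DC.
    # 4720 = user account created; 4728 / 4732 / 4756 = member added to a security-enabled
    # global / domain-local / universal group (Domain Admins is global, Administrators is
    # domain-local, Enterprise Admins is universal). Membership changes are logged only on
    # the DC that processed them, hence the loop over all DCs.
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    foreach ($dc in Get-ADDomainController -Filter *) {
        Get-WinEvent -ComputerName $dc.HostName -FilterHashtable @{
            LogName = 'Security'; Id = 4720, 4728, 4732, 4756; StartTime = $since
        } -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, Id, MachineName,
                @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
    }
}

# 1. Review: which privileged accounts look like ghost accounts?
$stale = Get-StalePrivilegedAccounts -StaleDays 60
$stale | Format-Table -AutoSize

# 2. Contain: disable the stale accounts. -WhatIf only reports; drop it once the list is reviewed.
#    If a stale account genuinely backs a service, replace it with a dedicated service account
#    (the Sophos recommendation) rather than leaving a former employee's credentials active.
#    Sophos's other option, keeping the account but denying interactive logon, is a user-rights
#    assignment ("Deny log on locally" / "Deny log on through Remote Desktop Services") set via
#    Group Policy rather than a single cmdlet.
$stale | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }

# 3. Detect: new accounts and privileged-group additions in the last week, oldest first.
Get-PrivilegedGroupChanges -Days 7 | Sort-Object TimeCreated | Format-Table -AutoSize
```

    Step 1 would have surfaced the deceased administrator's account in the first case (enabled, in a privileged group, no logon for months), and step 3 covers the second case, where an attacker-created account was added to Domain Admins before the BitLocker and virtual-server deletions. Run step 3 on a schedule and alert on any hit; the correct number of unexpected Domain Admins additions in a week is zero.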

  • Veritas and Fortinet launch new security tools, automation features

    Veritas Technologies and Fortinet are rolling out new efforts to better secure and back up multi-cloud deployments and to automate threat detection, investigation, and response, respectively.

    Veritas Technologies is launching Veritas NetBackup 9, which is designed to secure edge, data center, and cloud deployments.
    The company said NetBackup 9 includes Flex Scale, a scale-out deployment option that plays well with multi-cloud deployments. The architecture behind NetBackup 9 brings a cloud experience to on-premise data centers and the ability to add nodes as needed.
    Veritas is also adding new deployment modes to NetBackup, including options for cloud, appliances, build-your-own-server, containerized deployments, and a hyper-converged offering.
    NetBackup 9 new features include:
    Policy automation to manage deployment, provisioning, scaling, load balancing, recovery, and cloud integration.
    Auto-discovery of workloads as well as more integrations via API.
    OpenStack-based enterprise data protection via native OpenStack APIs.
    Doug Matthews, vice president of Enterprise Data Protection and Compliance at Veritas Technologies, said that less than 10% of the customer base overall is using OpenStack technologies, but the company’s largest customers are. “Multicloud is more ubiquitous in the enterprise, specifically large enterprises,” said Matthews.  

    Fortinet rolled out a new extended detection and response (XDR) offering that aims to use artificial intelligence to improve cyber attack responses. FortiXDR is cloud-native and expands on Fortinet’s security fabric, services, and automation tools.
    According to Fortinet, FortiXDR is designed to cut through the security data clutter. The argument is that security teams are struggling with multiple vendors and information overflow. FortiXDR’s AI engine is continually trained and informed by FortiGuard Labs research.
    Features of FortiXDR include:
    Contextual responses and filtering reduce the number of alerts across products by 77% on average.
    Automation for complex tasks to save time and minimize human error.
    Automation of incident investigation.

  • Google: North Korean hackers have targeted security researchers via social media

    Google said today that a North Korean government hacking group has targeted members of the cyber-security community engaging in vulnerability research.

    The attacks were spotted by the Google Threat Analysis Group (TAG), a Google security team specialized in hunting advanced persistent threat (APT) groups.
    In a report published earlier today, Google said North Korean hackers used multiple profiles on various social networks, such as Twitter, LinkedIn, Telegram, Discord, and Keybase, to reach out to security researchers using fake personas.
    Email was also used in some instances, Google said.
    “After establishing initial communications, the actors would ask the targeted researcher if they wanted to collaborate on vulnerability research together, and then provide the researcher with a Visual Studio Project,” said Adam Weidemann, a security researcher with Google TAG.
    The Visual Studio project contained malicious code that installed malware on the targeted researcher’s operating system. The malware acted as a backdoor, contacting a remote command and control server and waiting for commands.
    New mysterious browser attack also discovered
    But Weidemann said that the attackers didn’t always distribute malicious files to their targets. In some other cases, they asked security researchers to visit a blog they had hosted at blog[.]br0vvnn[.]io (do not access).

    Google said the blog hosted malicious code that infected the security researcher’s computer after they accessed the site.
    “A malicious service was installed on the researcher’s system and an in-memory backdoor would begin beaconing to an actor-owned command and control server,” Weidemann said.
    But Google TAG also added that many victims who accessed the site were also running “fully patched and up-to-date Windows 10 and Chrome browser versions” and still got infected.
    Details about the browser-based attacks are still scant, but some security researchers believe the North Korean group most likely used a combination of Chrome and Windows 10 zero-day vulnerabilities to deploy their malicious code.
    As a result, the Google TAG team is currently asking the cyber-security community to share more details about the attacks, if any security researchers believe they were infected.
    The Google TAG report includes a list of links for the fake social media profiles that the North Korean actor used to lure and trick members of the infosec community.
    Security researchers are advised to review their browsing histories and see if they interacted with any of these profiles or if they accessed the malicious blog[.]br0vvnn[.]io domain.

    If they did, they are most likely to have been infected, and certain steps need to be taken to investigate their own systems.
    The reason for targeting security researchers is pretty obvious as it could allow the North Korean group to steal exploits for vulnerabilities discovered by the infected researchers, vulnerabilities that the threat group could deploy in its own attacks with little to no development costs.
    In the meantime, several security researchers have already disclosed on social media that they received messages from the attackers’ accounts, although none have admitted to having systems compromised.

    WARNING! I can confirm this is true and I got hit by @z0x55g who sent me a Windows kernel PoC trigger. The vulnerability was real and complex to trigger. Fortunately I only ran it in VM.. in the end the VMDK I was using was actually corrupted and non-bootable, so it self-imploded https://t.co/dvdCWsZyne
    — Richard Johnson (@richinseattle) January 26, 2021