More stories

  • BootHole fixes causing boot problems across multiple Linux distros

    As many experts anticipated, patches for the BootHole vulnerability in the GRUB2 bootloader that is used by all major Linux distributions are causing problems and preventing some users from booting their systems.
    While the list of affected distros only included Red Hat yesterday, it has now expanded to include users of Ubuntu, Debian, CentOS, and Fedora.
    Microsoft security researcher Kevin Beaumont also reports issues in cloud environments, namely where “a bug in cloud-init is causing problems across major cloud providers with Grub, such as Digital Ocean and Azure, having the same impact: patched systems then fail to boot.”
    What is BootHole
    Details about the BootHole vulnerability were published earlier this week, on Wednesday. Discovered by security firm Eclypsium, the vulnerability impacts GRUB2, a bootloader component used to help launch operating systems on servers and desktops.
    GRUB2 is currently the default bootloader on all major Linux systems but is also used for Windows, in some scenarios, such as a custom bootloader or for dual-boot purposes.

    The BootHole vulnerability allows attackers or malware to modify GRUB2’s config file and insert malicious code into the bootloader, and consequently into the operating system that it launches.
    Systems using GRUB2 in a Secure Boot mode were also deemed vulnerable, as the GRUB2 config file is not protected by the Secure Boot process checks.
    The vulnerability was deemed serious enough that all major Linux distros had patches ready when Eclypsium went public with its research earlier this week.
    Most experts anticipated problems
    The issues were to be expected, Kelly Shortridge, VP of cybersecurity firm Capsule8, said in a blog post this week, where she analyzed the impact of the BootHole vulnerability on system administrators.
    The issues primarily arise because patching BootHole involves dancing around advanced cryptography, the safety checks of the Secure Boot process, and an allowlist-denylist managed by Microsoft, so everyone expected problems to surface.
    And so they did. As ZDNet reported yesterday, the first issues were reported with Red Hat, but more bug reports are now coming in from other distros.
    Because a bug in GRUB2 usually stops the entire OS from booting, the issues result in downtime for those affected. Users reported that downgrading systems to a previous release to reverse the BootHole patches usually fixed their problems.
    Regardless of the reported problems, users are still advised to apply the BootHole patches, as security researchers expect this bug to be weaponized by malware operators at some point in the future — primarily because it allows malware to implant a bootkit component on infected systems that operates below the antivirus level and survives OS reinstalls.

  • China arrests over 100 people suspected of involvement in PlusToken cryptocurrency scam

    China has arrested 109 individuals suspected of involvement in the PlusToken cryptocurrency fraud ring.

    South Korea-based PlusToken was marketed as a high-yield investment opportunity for traders interested in cryptocurrencies. 9% to 18% in monthly returns were dangled in front of investors mainly based in China and South Korea, who then stored Bitcoin (BTC), Ethereum (ETH), and EOS on the platform.
    Members were encouraged to bring others to the fold in exchange for a commission, creating what is thought to be a Ponzi scheme of massive proportions. 
    Last year, the operators of PlusToken performed a suspected exit scam, in which roughly $3 billion in deposits was taken from up to four million users who suddenly found themselves unable to access their funds. 

    Local media outlet Chain News now suggests this figure could be closer to $6 billion. 
    PlusToken’s dissolution led to an international hunt for those responsible. In 2019, Chinese law enforcement arrested six suspects — while many others fled abroad — and now, a further 27 individuals are in custody. 
    The Ministry of Public Security and Chinese police have apprehended 27 “major criminal suspects” and a further 82 “key” members of PlusToken, described as a “network pyramid scheme.” 
    Law enforcement added that 3,000 “hierarchical relationships” have since been traced throughout the PlusToken network. 
    The suspects may have been cornered, but investor funds are still on the move. Over 6,000 separate wallet addresses have been used to divide up and move the cryptocurrencies around in what is likely to be an effort at obfuscation, but researchers have still managed to keep a close eye on where the cryptocurrencies are going — at least, for now. 
    In the UK, authorities forcefully closed down a cryptocurrency scam platform, GPay Ltd, earlier this month. The UK High Court ordered the windup of GPay following the “loss” of £1.5 million ($1.8m) in investor funds. 
    GPay is also accused of fraudulently using celebrity images to endorse its business. 

    Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

  • Mimecast acquires communication security provider MessageControl

    Mimecast has acquired MessageControl to enhance the firm’s defensive capabilities against phishing attacks. 

    Announced on Thursday, the deal will see MessageControl — also known as eTorch — join the Mimecast team and the company’s portfolio will be used to bolster existing Mimecast security solutions. 
    Financial details were not disclosed beyond the statement that the purchase is not expected to have any material impact on Mimecast’s 2021 revenue or financial reports. 
    According to recent research conducted by the email and web security firm, online fraud, including phishing, impersonation, and data leaks, is on the rise, with IT professionals reporting an increase in incidents over the past year. 

    This may be unsurprising considering the upheaval caused by the novel coronavirus pandemic, in which the workforce has been required to work outside of the office and the usual access to corporate networks and resources has been changed to allow for remote working — creating an opportunity for fraudsters to take advantage of. 
    Mimecast CEO Peter Bauer says that “the first half of 2020 has been unlike anything we’ve experienced before,” and as such, “it’s becoming increasingly clear that better innovation is required to protect against the latest weaponized and unweaponized attacks.”
    Founded in 2015, MessageControl first began its journey in email security but quickly branched out to explore artificial intelligence (AI), machine learning (ML), and behavioral algorithms that could be harnessed to create additional layers of protection. 
    The firm now specializes in graph technology and ML able to inspect emails and cloud content, apply what it knows about the user’s usual behavioral patterns, and flag up any suspicious activity in real-time. 
    MessageControl has also created a system to notify employees when they may be on the verge of sending information to the wrong recipients “by using historical sending patterns to predict future anomalies,” according to the firm. 
    The overall aim is to create an additional barrier for fraudsters to overcome by detecting phishing attempts, impersonation, and spoofing, as well as by preventing unwitting employees from sending sensitive information to attackers. 
    Bauer calls the acquisition a “natural complement” to Mimecast’s existing cybersecurity portfolio, and says the AI element could improve customer defenses gradually by “evolving and ‘learning’ the customer environment and user behaviors over time.” 


  • Theoretical technique to abuse EMV cards detected used in the real world

    Two weeks ago, ZDNet reported on the results of a very interesting experiment that analyzed how banks implemented EMV (chip) cards on their networks.
    In the experiment, researchers from Cyber R&D Lab signed up for EMV (chip) cards at 11 banks from the US, the UK, and the EU.
    The research team then used tools similar to the ones used by criminal gangs to copy the information stored on EMV cards and their magnetic stripes.
    Researchers took the data from the EMV card and created a magnetic stripe version of the same card, but without the actual chip.
    This is possible because all EMV cards also come with a magnetic stripe, for fallback purposes, in case the user travels abroad to non-EMV countries, or has to use an older point-of-sale terminal.

    The fact that you could create a magstripe version from EMV cards has been known since 2008; however, fears that it could be abused have been dismissed, as banks expected to move all users to EMV cards and eliminate magstripe cards from the market altogether.
    But until that happened and all magstripe versions were removed, banks were supposed to follow a series of security checks before approving inter-technology payments.
    This hasn’t happened, however, and the loophole first described in 2008 has remained. Case in point: the Cyber R&D Labs experiment, during which researchers said they were able to make valid transactions using four of the EMV-to-magstripe cloned cards.

    Researchers blamed banks for failing to follow security checks when approving transactions. However, two weeks ago, the issue was thought to have remained a theoretical problem only.
    More than a theoretical threat
    But in a report published yesterday, security firm Gemini Advisory said it tracked down two instances on cybercrime forums where hackers had collected EMV card data and were offering it for sale.
    This included EMV card data stolen from US supermarket chain Key Food Stores Co-Operative Inc. and US wine and liquor store Mega Package Store, Gemini said.
    Furthermore, a Visa alert [PDF] sent out this month also seems to confirm that criminals are now targeting EMV card data. Visa said that POS malware strains like Alina POS, Dexter POS, and TinyLoader had been updated to collect EMV card data, something they hadn’t done before, primarily because the data couldn’t be monetized.
    Gemini says that both of these incidents — the ads posted on cybercrime forums and the Visa alert — suggest that hackers have figured out they could abuse EMV card data.
    Gemini now believes that the method criminals are using is the one described many years ago, and the subject of Cyber R&D Labs’ recent research — a method they named EMV-Bypass Cloning.
    Blocking this type of fraud should be easy, though, as banks only need to implement more thorough checks when processing magstripe transactions from cards previously associated with EMV technology.
    As the Cyber R&D Labs research showed, some banks do, but some do not.

  • 1,050 data breaches reported to Australian commissioner in 12 months

    Reported data breaches in Australia for the 2019-20 financial year totalled 1,050, the first of two half-year reports from the Office of the Australian Information Commissioner (OAIC) has shown.
    For the six months spanning January to June 2020, 518 breaches were notified under the Notifiable Data Breaches (NDB) scheme, down 3% from the 532 reported in July to December 2019.

    Breaches notified each month since the scheme commenced
    Image: OAIC
    124 of those breaches occurred during May, the most reported in any calendar month since the scheme began in February 2018.
    Most of these were attributed to human error, but the OAIC said it has yet to identify a specific cause for the increase, explaining in its report [PDF] that it was not aware of any evidence suggesting the increase was related to changed business practices resulting from COVID-19, given that notifications across the period were otherwise broadly consistent with longer-term trends.

    Attribution of breaches
    Image: OAIC
    Malicious or criminal activity accounted for 317 notifications during the reported period.

    Attacks included cyber incidents such as phishing and malware, data breaches caused by social engineering or impersonation, theft of paperwork or storage devices, and actions taken by a rogue employee or insider threat, the OAIC said.
    The majority of cyber incidents during the reporting period were linked to malicious actors gaining access to accounts either through phishing attacks or by using compromised account details. Compromised credentials accounted for 133 notifications, ransomware attacks for 33, and “hacking” for 29.
    With ransomware this year taking out beverage company Lion and logistics giant Toll, twice, the OAIC report highlighted they weren’t alone, with 33 cases of ransomware reported from January to June 2020.
    Data breaches resulting from human error accounted for 176 breaches from January through June, with personal information sent to the wrong recipient via email accounting for 68 of those cases. In two cases, a fax with personal information was sent to the wrong recipient.
    There was a loss of paperwork or storage device on 14 of the reported occasions.
    System faults accounted for 5% of data breaches during this reporting period.
    The health sector is again the highest reporting sector, notifying 115 breaches, with finance next, notifying 75 breaches during the six-month period. Education reported 44, insurance 35, and legal, accounting, and management services reported 26 breaches.
    Most NDBs in the period involved the personal information of 100 individuals or fewer. In one instance, the number of individuals affected was over 10 million. The OAIC noted that in counting individuals affected, it also took into consideration the global presence of the reporting entity.
    In 84% of reported instances, contact information such as an individual’s home address, phone number, or email address was breached, while over a third of all breaches notified during the period involved identity information such as passport number, driver licence number, or other government identifiers.
    Data breaches notified in the six-month period also involved tax file numbers; financial details, such as bank account or credit card numbers; and health information.
    The OAIC said there have been multiple instances of incomplete notifications of data breaches where entities may not have fully met their obligations with regard to the content of the notification to individuals affected by a data breach.

  • Red Hat Enterprise Linux runs into Boothole patch trouble


    Sometimes the cure really is worse than the disease. The recently revealed Boothole security problem with GRUB2 and Secure Boot can, theoretically, be used to attack Linux systems. In practice, the only vulnerable Linux systems are ones that have already been successfully breached by an attacker. Still, the potential for damage was there, so almost all enterprise Linux distributors have released patches. Unfortunately, for at least one — Red Hat — the fix has gone wrong.
    Many users are reporting that patching Red Hat Enterprise Linux (RHEL) 8.2 has rendered their systems unbootable. The problem also appears to affect RHEL 7.x and 8.x computers. It seems, however, to be limited to servers running on bare iron. RHEL virtual machines (VMs), which don’t deal with Secure Boot firmware, are working fine. 
    RHEL isn’t the only Linux with this problem: CentOS 7.x and 8.x users are also reporting trouble. There have been sporadic reports of Boothole boot problems with other Linux distros, too.
    A repair is on its way. Peter Allor, director of Red Hat’s Product Security Incident Response Team, told me: 

    “Red Hat has been made aware of a potential issue with the fix for CVE-2020-10713, also known as BootHole, whereby some Red Hat Enterprise Linux 7 and Red Hat Enterprise Linux 8 systems may not successfully reboot after the remediation is applied, requiring manual intervention to fix. We are currently investigating this issue and will provide more information as it becomes available.”

    Other Red Hat employees say the fix to the fix will be on its way shortly. So, if you haven’t patched yet, hold off. If you have, and you’re having trouble, help is on its way. 

  • Container adoption is on the rise: How can security keep up?

    Adopting containers has become increasingly popular — consider that, as of 2019, 33% of global developers indicated that their development organizations currently use containers, and another 25% said they want to do so over the next 12 months. These numbers are not surprising when we consider the value containers offer, such as scalability, agility, and cost reduction. The allure of containers, however, is largely to the benefit of the DevOps side of the house. Security pros are brought in later and left with the suboptimal task of applying existing tools and traditional security mindsets to secure containers — and discovering that those are ill-equipped for the task. 

    This glaring disadvantage for security orgs led my colleague Andras Cser and me to investigate whether or not there were still best practices that organizations should use to secure containers. Our preliminary expectations were validated: Despite the dynamic, rapidly changing nature of containers, there are best practices that will meet security requirements. In new research, we categorized the most important best practices into technical and non-technical perspectives.  
    Here are the key ones: 
    Automation. Throw manual processes out the window when dealing with containers: Manual processes are slow, inaccurate, and insecure. Instead, ensure that everything is scripted and automated, including vulnerability scanning. 
    Templating. Create uniform templates that encapsulate basic security baselines such as secure network and kernel configurations or regulatory specific baselines that meet HIPAA, PCI, CIS, etc., requirements. The build process must carefully log and audit template changes and track which final container images inherit from which templates. 
    Training. Containers are different than virtual machines and hosts, and security pros must understand what those differences mean to their organization. Conduct regular training, tailored to team issues, to drive home the required mindset shift. 
    This post was written by Principal Analyst Sandy Carielli, and it originally appeared here.

  • EU sanctions China, Russia, and North Korea for past hacks

    The European Union has imposed sanctions today against China, Russia, and North Korea for past cyber-attacks carried out against European citizens and businesses.
    In a ruling from the European Council, the EU has sanctioned:
    China for “Operation Cloud Hopper” [PDF] — a series of intrusions against cloud providers.
    Russia for NotPetya — a ransomware strain created and released by the Russian military in Ukraine, but which spread across the globe.
    Russia for an attempted cyber-attack on the Organisation for the Prohibition of Chemical Weapons (OPCW) in the Netherlands. At the time, the Dutch government was investigating the crash of Malaysia Airlines flight MH17 in Ukraine, brought down by a Russian missile.
    North Korea for WannaCry — a ransomware strain created by government hackers for the purpose of raising money for the regime, but which they lost control over.
    The sanctions consist of a travel ban and an asset freeze.
    EU citizens and businesses are also prohibited from engaging in transactions with entities on the sanctions list, which includes six individuals and three companies:
    GAO Qiang (China)
    ZHANG Shilong (China)
    Alexey Valeryevich MININ (Russia)
    Aleksei Sergeyvich MORENETS (Russia)
    Evgenii Mikhaylovich SEREBRIAKOV (Russia)
    Oleg Mikhaylovich SOTNIKOV (Russia)
    Tianjin Huaying Haitai Science and Technology Development Co. Ltd (Huaying Haitai) (China)
    Chosun Expo (North Korea)
    Main Centre for Special Technologies (GTsST) of the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GU/GRU) (Russia)
    EU officials said the two Chinese citizens were members of APT10, the Chinese hacking group behind Operation Cloud Hopper, while the four Russians were four GRU agents involved in the attempted hack against the WiFi network of the OPCW.

    The EU said these are the first sanctions it has imposed in response to other countries launching cyber-attacks against member countries.
    The US has already sanctioned some of the same individuals for the same cyber-attacks, and Washington has heavily pressured its trans-Atlantic partner to impose similar measures.
    Furthermore, Germany has also recently asked its European partners for similar sanctions against Russia for the 2014 German Parliament (Bundestag) hack.
    In a response last month, Russia said the German government hasn’t bothered providing evidence of the hack, claiming Berlin was more interested in imposing the sanctions than in proving its case.