More stories

    SolarWinds hires Chris Krebs and Alex Stamos as part of security review

    The software company targeted by Russian hackers as part of one of the most wide-ranging cyber-espionage campaigns in recent years has hired former US government cybersecurity chief Chris Krebs to help it recover and learn lessons from the incident.
    Hackers breached the network of SolarWinds before planting Sunburst malware into its Orion software update packages. As a result of this supply chain attack, hackers had access to the networks of around 18,000 SolarWinds customers around the world, including the US government.
    Agencies targeted included the Department of State; Department of Homeland Security; National Institutes of Health; the Pentagon; Department of the Treasury; Department of Commerce; and the Department of Energy, including the National Nuclear Security Administration.
    Cybersecurity company FireEye was also targeted as part of the espionage campaign, as what it described as state-sponsored hackers looked for information on its government customers.
    The US government has formally blamed Russia for being behind the massive supply chain attack, the full consequences of which may still not be known.
    Now SolarWinds has brought in Chris Krebs, who served as Director of the Cybersecurity and Infrastructure Security Agency (CISA) until November last year when he was fired by Donald Trump. Krebs was fired by Trump via Twitter for debunking the outgoing President’s dubious claims about election fraud following his loss to Joe Biden.

    Krebs has been hired by SolarWinds as an independent consultant after forming a new business with Stanford University professor and ex-Facebook chief security officer Alex Stamos. The pair will be working with SolarWinds to repair the damage of the attack and improve the company’s security.
    “Armed with what we have learned of this attack, we are also reflecting on our own security practices and seeking opportunities to enhance our posture and policies,” a SolarWinds spokesperson told ZDNet by email.
    “We have brought in the expertise of Chris Krebs and Alex Stamos to assist in this review and provide best-in-class guidance on our journey to evolve into an industry leading secure software development company”.
    The hiring of Krebs and Stamos comes as SolarWinds president and CEO Sudhakar Ramakrishna – who himself only joined the company this week – outlined plans to learn from the cyber attack.
    “We have engaged several leading cybersecurity experts to assist us in this journey and I commit to being transparent with our customers, our government partners, and the general public in both the near-term and long-term about our security enhancements to ensure we maintain what’s most important to us – your trust,” he wrote in a blog post.

    A crypto-mining botnet is now stealing Docker and AWS credentials

    Analysts from security firm Trend Micro said in a report today that they’ve spotted a malware botnet that collects and steals Docker and AWS credentials.

    Researchers have linked the botnet to a cybercrime operation known as TeamTNT, a group first spotted over the summer of 2020 installing cryptocurrency-mining malware on misconfigured container platforms.
    Initial reports at the time said that TeamTNT was breaching container platforms by looking for Docker systems that were exposing their management API port online without a password.
    Researchers said the TeamTNT group would access exposed Docker containers and install crypto-mining malware, but also steal credentials for Amazon Web Services (AWS) servers in order to pivot to a company’s other IT systems, infect even more servers and deploy more crypto-miners.
    At the time, researchers said that TeamTNT was the first crypto-mining botnet that implemented a feature dedicated to collecting and stealing AWS credentials.
    TeamTNT gets more refined
    But in a report today, Trend Micro researchers said that the TeamTNT gang’s malware code had received considerable updates since it was first spotted last summer.
    “Compared to past similar attacks, the development technique was much more refined for this script,” said Alfredo Oliveira, a senior security researcher at Trend Micro.

    “There were no more endless lines of code, and the samples were well-written and organized by function with descriptive names.”
    Furthermore, Oliveira says TeamTNT has now also added a feature to collect Docker API credentials, on top of the AWS credential-stealing code.
    This feature is most likely used on container platforms where the botnet infects hosts through entry points other than its original Docker API port scanning feature.
    Oliveira points out that with the addition of this feature, “implementing [Docker] API authentication is not enough” and that companies should make sure Docker management APIs aren’t exposed online in the first place, even when using strong passwords.
    But in case the API ports have to be enabled, the Trend Micro researcher recommends that companies deploy firewalls to limit who can access the port using allow-lists.
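    As an added illustration of the advice above (not Trend Micro's or Docker's own tooling), the Python below reads a Docker daemon.json and flags any tcp:// management listener bound to a non-loopback address, treating TLS client verification as a mitigation but not a substitute for keeping the port off the internet. The sample configs and function names are constructed for this example.

```python
"""Audit a Docker daemon.json for management-API exposure (added example).

Flags every tcp:// entry in the "hosts" list that binds a non-loopback
address and records whether "tlsverify" (TLS client authentication) is on.
Per the Trend Micro advice quoted above, an exposed listener is reported
even when TLS auth is enabled: credentials can be stolen, so the port must
also be restricted with a firewall allow-list. Sample config is constructed.
"""
from __future__ import annotations

import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample: API on all interfaces, no TLS. This is the shape of
# configuration TeamTNT's original port scanning looked for.
SAMPLE_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"],
  "log-driver": "json-file"
}"""


def _is_loopback(host: str) -> bool:
    """True for 127.0.0.1, ::1 or 'localhost'; '' and 0.0.0.0 mean all interfaces."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit_docker_daemon(config_text: str) -> list[dict]:
    """Return one finding per tcp:// listener declared in daemon.json 'hosts'."""
    cfg = json.loads(config_text)
    tls_verify = bool(cfg.get("tlsverify", False))
    findings = []
    for entry in cfg.get("hosts", []):
        parts = urlsplit(entry)
        if parts.scheme != "tcp":
            continue  # unix:// and fd:// sockets are not reachable over the network
        host = parts.hostname or ""  # urlsplit yields None for "tcp://:2375"
        exposed = not _is_loopback(host)
        if exposed and not tls_verify:
            severity = "critical"  # anyone who can reach the port owns the host
        elif exposed:
            severity = "high"      # authenticated, but credentials can be stolen
        else:
            severity = "info"
        findings.append({
            "listener": entry,
            "port": parts.port,
            "exposed": exposed,
            "tls_client_auth": tls_verify,
            "severity": severity,
            "advice": ("bind to loopback or a private interface and allow-list "
                       "the port in the firewall" if exposed else "ok"),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_docker_daemon(SAMPLE_DAEMON_JSON):
        print(finding)
```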

    It’s time to put security and privacy front and center for virtual care

    Telehealth (virtual care) usage has skyrocketed during the pandemic. 

    When you roll back the tape a few months, healthcare providers were able to (very quickly) stand up virtual care capabilities without having to go through the intensive HIPAA compliance protocols required in the healthcare industry. Some healthcare providers have been able to tap nontraditional technologies such as Apple’s FaceTime as a stopgap measure for virtual care. The accelerated innovation in delivering virtual care to the population was and is a good thing, but when speed takes precedence over security, there will be inevitable challenges. In fact, virtual care platforms have been susceptible to cyberattacks, with evidence indicating attacks on such platforms increased by 30% this year. 
    Make no mistake: Virtual care is becoming a core component of patient care moving forward, but healthcare organizations (HCOs) need to prioritize security and privacy as: 
    Virtual care platforms are more connected and highly distributed than other healthcare technology systems, which makes them a prime target for attackers. 
    Weak patient authentication into healthcare networks and vulnerabilities found in the hardware and software used by providers have offered attackers more direct avenues to critical assets where protected health information could be stolen or ransomware could be deployed. 
    The Office for Civil Rights will strengthen its enforcement of HIPAA requirements as the pandemic starts to get under control. Providers will scramble to implement new security protocols, and at worst, organizations will be looking for a new virtual care platform that is more robust. Security practitioners need to plan for these changes now to avoid being caught off guard. 
    HCOs Need To Play The Long Game For Virtual Care By Making Preparations Now 
    Long-term success for virtual care deployments hinges on balancing ease of use and security and privacy. Providers are already hampered by a significant administrative burden and diverging workflows. There are many steps HCOs can take now to achieve this balance. 
    For starters, security professionals must: 
    Evaluate their existing vendors’ abilities to scale, integrate, and resolve security issues quickly. 
    Look past the “cool” features vendors offer and ensure the core capabilities they actually use can be scaled to meet current and future needs while keeping patients’ data safe. There will always be time to implement additional “nice to have” functions once the foundation is secure. 
    The scalability of the technology and the vendor are just two of several factors healthcare providers will need to consider as they transition their virtual care deployments from the pandemic to a long-term viable care model.  
    To understand the business and technology trends critical to 2021, download Forrester’s complimentary 2021 Predictions Guide here.

    This post was written by Senior Analyst Arielle Trzcinski together with a group of Forrester analysts, and it originally appeared here. 


    Cybersecurity: This 'costly and destructive' malware is the biggest threat to your network

    A spam campaign which targeted over 100,000 users a day over Christmas and New Year has seen Emotet secure its spot as the most prolific malware threat.
    Analysis by cybersecurity company Check Point suggests that Emotet was used to target seven percent of organisations around the world during December.
    Emotet has been active since 2014 and is regularly updated by its authors in order to maintain its effectiveness. The malware started life as a banking trojan but has evolved to become much more than that, providing a complete backdoor onto compromised machines which can then be sold on to other cyber criminals to infect victims with additional malware – including ransomware.
    While Emotet has worm-like capabilities which allow it to move onto other machines on the same network as the initial victim, it also spreads via phishing emails. But no matter how it arrives, Emotet is excellent at maintaining persistence while also avoiding detection, meaning victims will often have no idea they’ve been compromised until it’s far too late.
    “Emotet was originally developed as banking malware which sneaked on to users’ computers to steal private and sensitive information. However, it has evolved over time and is now seen as one of the most costly and destructive malware variants,” said Maya Horowitz, director of threat intelligence and research at Check Point.
    “It’s imperative that organizations are aware of the threat Emotet poses and that they have robust security systems in place to prevent a significant breach of their data. They should also provide comprehensive training for employees, so they are able to identify the types of malicious emails which spread Emotet,” she added.
    Banking trojan Trickbot is the second most dominant form of malware as we enter 2021. Like Emotet, it’s constantly updated with new capabilities and features, including the ability to customise the malware which allows it to be used in all manner of cyber intrusion campaigns. Like Emotet, Trickbot has become more than a banking trojan and is often installed on systems as a means of providing a gateway to install ransomware.

    Credential harvesting malware Formbook was the third most detected malware threat over the reporting period. Formbook is sold on dark web forums at relatively low cost but provides cyber criminal users with everything they need for a powerful information stealing campaign; it harvests usernames and passwords from browsers, collects screenshots, monitors and logs keystrokes and more.
    According to Check Point, Trickbot and Formbook campaigns were detected attempting to infiltrate the networks of four percent of organisations around the world each.
    Other prominent malware during December included Dridex trojan, XMRig cryptocurrency mining malware and Hiddad Android malware.
    One of the best ways for businesses to help prevent falling victim to malware attacks is to ensure the latest security patches are applied across the network, as this will prevent cyber attackers from being able to take advantage of the known vulnerabilities that cyber criminals exploit to deliver malware.


    Nvidia releases security update for high-severity graphics driver vulnerabilities

    Nvidia has released a round of security fixes tackling high-severity issues in the Nvidia GPU display driver and vGPU software. 

    Released on Thursday, the technology giant said the patches deal with issues that “may lead to denial of service, escalation of privileges, data tampering, or information disclosure.”
    In total, Nvidia has resolved 16 vulnerabilities linked to the Nvidia GPU display driver used to support graphics processing units, as well as in vGPU software for virtual workstations, servers, apps, and PCs. 
    The most severe vulnerability dealt with in Nvidia’s latest security round is CVE‑2021‑1051. Issued a CVSS score of 8.4, the problem impacts the kernel mode layer for the Windows GPU display driver. If exploited, this flaw can lead to denial of service or privilege escalation. 
    CVE‑2021‑1052 is the second highest-severity vulnerability in the driver, but this bug impacts both Windows and Linux. The security flaw, awarded a severity score of 7.8, is also found in the kernel mode layer and permits user-mode clients access to legacy, privileged APIs. As a result, an exploit leveraging this vulnerability could lead to denial of service, privilege escalation, and information leaks. 
    Nvidia has also resolved CVE‑2021‑1053, a display driver bug for Windows and Linux machines with a CVSS score of 6.6, indicating this vulnerability is considered a moderate/important issue. Improper validation of a user pointer targeted at the same kernel mode layer can lead to denial of service. 
    Two other problems impact Windows machines specifically, in the same kernel mode layer, which are tracked as CVE‑2021‑1054 and CVE‑2021‑1055 with severity scores of 6.5 and 5.3, respectively. These vulnerabilities involve failures to perform authorization checks and improper access controls, and are exploitable to cause denial of service. CVE‑2021‑1055 may also lead to data leaks. 

    The last vulnerability impacts Linux PCs only. Tracked as CVE‑2021‑1056 and issued a CVSS score of 5.3, this bug is caused by operating system file system permission errors, leading to information disclosure and denial of service. 
    In total, 10 of the vulnerabilities reported impact Nvidia vGPU, eight of which relate to the vGPU manager.
    With the exception of CVE‑2021‑1066, a moderate CVSS 5.5 input validation issue in vGPU manager leading to resource overload and denial of service, each vulnerability has been issued a severity score of 7.8. 
    Nvidia has patched eight vGPU manager and plugin vulnerabilities ranging from input data validation errors to race conditions and untrusted source values. These security flaws could lead to information disclosure, integrity and confidentiality loss, and data tampering. 
    Two input index validation vulnerabilities, CVE‑2021‑1058 and CVE‑2021‑1060, impact the guest kernel mode driver and vGPU plugin. The first can be triggered to cause an integer overflow, allowing data tampering, data leaks, and denial of service, whereas the second can be exploited for service denial and data manipulation.
    In order to stay protected, Nvidia has recommended that users accept automatic security updates, or download them directly. 

    It’s likely you already have low-code developers — get them into your security neighborhood

    In the world of DevSecOps, a little empathy goes a long way — particularly when it comes to expectations for your developers. 

    While security pros have been steeped in common security flaws and the OWASP Top 10 for years, most developers never took a security course at the university level. As security pros, our job is to enable and support developers who may have the best intentions for security but who also face competing priorities — they are not security pros, and security is just one of many issues they need to consider. 
    Our job is to integrate security into the developer experience and make it easier for them to get secure products in customers’ hands. Many of the advances in application security processes and tooling — gamified training, contextually relevant remediation guidance, integration with the developer’s toolset, developer security champions — have been driven by that reality. 
    When my colleague on the application development and delivery team, John Bratincevic, and I started to research low-code security, we realized that security teams were going to need to extend that perspective to a brand-new class of developers. Low-code developers fall into two buckets: professional developers who leverage low-code to improve speed and responsiveness and citizen developers who sit outside of IT and development. Citizen developers not only have never taken a secure development class but likely have not taken any development classes at all — therefore, common application security concepts will be even more foreign. 
    What does this mean for security teams? Three key points: 
    Application developers may no longer just work on the development team. Spend some time understanding your organization’s low-code strategy, who is developing what sorts of low-code applications, and where they sit. 
    It’s time to expand your network again — get to know the citizen developers in your organization and start building the security team’s credibility with these new stakeholders. 
    Security training will look different — the abstraction of low-code means that citizen developers are less likely to introduce an SQL injection than they are to misconfigure permissions or leak data. Focus on the security principles most aligned with how low-code developers build applications. 
    To understand the business and technology trends critical to 2021, download Forrester’s complimentary 2021 Predictions Guide here.      
    This post was written by Principal Analyst Sandy Carielli, and it originally appeared here.

    Investigation launched into vulnerabilities found within US Judiciary case file system

    The United States Judiciary has announced an audit into its systems, following concerns its case file system has been compromised.
    In making the announcement, the Judiciary said the Administrative Office of the US Courts was working with the Department of Homeland Security on a security audit relating to vulnerabilities in the Judiciary’s Case Management/Electronic Case Files system (CM/ECF) that greatly risk compromising highly sensitive non-public documents, particularly sealed filings.
    “An apparent compromise of the confidentiality of the CM/ECF system due to these discovered vulnerabilities currently is under investigation,” it said. “Due to the nature of the attacks, the review of this matter and its impact is ongoing.”
    With the investigation ongoing, the Judiciary said federal courts across the country will be adding new security procedures aimed at protecting highly sensitive confidential documents filed with the courts.
    Moving forward, highly sensitive court documents filed with federal courts will be accepted for filing in paper form or via a “secure electronic device”, such as a thumb drive, and stored in a “secure, stand-alone computer system”. The documents will not be uploaded to CM/ECF. 
    Filings not considered highly sensitive will continue to be sealed in CM/ECF “as necessary”.
    “The federal Judiciary’s foremost concern must be the integrity of and public trust in the operation and administration of its courts,” Secretary of the Judicial Conference of the United States James C. Duff said.

    The Judiciary said following guidance from the Department of Homeland Security, its courts have suspended all national and local use of SolarWinds Orion products.
    Earlier this week, the US Department of Justice (DOJ) confirmed that the hackers behind the SolarWinds supply chain attack targeted its IT systems, where they escalated access from the trojanized SolarWinds Orion app to move across its internal network and access the email accounts of some of its employees.
    The number of impacted DOJ employees is currently believed to be around 3,000 to 3,450. The DOJ said it has now blocked the attacker’s point of entry.
    Four US cybersecurity agencies on Monday released a joint statement formally accusing the Russian government of orchestrating the SolarWinds supply chain attack.
    US officials said that “an advanced persistent threat actor, likely Russian in origin” was responsible for the SolarWinds hack, which officials described as “an intelligence gathering effort”.

    New side-channel attack can recover encryption keys from Google Titan security keys

    A duo of French security researchers has discovered a vulnerability impacting chips used inside Google Titan and YubiKey hardware security keys.

    The vulnerability allows threat actors to recover the primary encryption key used by the hardware security key to generate cryptographic tokens for two-factor authentication (2FA) operations.
    The two security researchers say that, once obtained, this key, an ECDSA private key, would allow threat actors to clone Titan, YubiKey, and other keys to bypass 2FA procedures.
    Attack requires physical access
    However, while the attack sounds disastrous for Google and Yubico security key owners, its severity is not what it seems.
    In a 60-page PDF report, Victor Lomne and Thomas Roche, researchers with Montpellier-based NinjaLab, explain the intricacies of the attack, also tracked as CVE-2021-3011.
    For starters, the attack won’t work remotely against a device, over the internet, or over a local network. To exploit any Google Titan or Yubico security key, an attacker would first need to get their hands on a security key in the first place.
    Temporarily stealing and then returning a security key isn’t impossible and is not out of the threat model of many of today’s government workers or high profile executives, which means this attack can’t be entirely ruled out or ignored.
    Titan casing is hard to open, leaves marks

    However, Lomne and Roche argue that there are other unexpected protections that come with Google Titan keys, in the form of the key’s casing.
    “The plastic casing is made of two parts which are strongly glued together, and it is not easy to separate them with a knife, cutter or scalpel,” the researchers said.
    “We used a hot air gun to soften the white plastic, and to be able to easily separate the two casing parts with a scalpel. The procedure is easy to perform and, done carefully, allows to keep the Printed Circuit Board (PCB) safe,” the two added.
    However, Lomne and Roche also point out that “one part of the casing, soften[ed] due to the application of hot air,” and usually permanently deforms, leaving attackers in the position of being unable to put the security key back together once they’ve obtained the encryption key — unless they come prepared with a 3D-printed casing model to replace the original.

    A side-channel attack using electromagnetic radiations
    But once the casing has been opened and the attackers have access to the security key’s chip, researchers say they can then perform a “side-channel attack.”
    The term, which is specific to the cyber-security world, describes an attack where threat actors observe a computer system from the outside, record its activity, and then use their observations on how the device activity fluctuates to infer details about what’s going on inside.
    In this case, for their side-channel attack, the NinjaLab researchers analyzed electromagnetic radiations coming off the chip while processing cryptographic operations.
    Researchers said that by studying around 6,000 operations taking place on the NXP A7005a microcontroller, the chip used inside Google Titan security keys, they were able to reconstruct the primary ECDSA private key used to sign every cryptographic token ever generated on the device.
    The good news for Titan and YubiKey owners is that this process usually takes hours to execute and requires expensive gear and custom software.

    Normally, this type of attack would be out of the reach of regular hackers, but security researchers warn that certain threat actors, such as three-letter intelligence agencies, usually have the capabilities to pull this off.
    “Users that face such a threat should probably switch to other FIDO U2F hardware security keys, where no vulnerability has yet been discovered,” Lomne and Roche said.
    What’s vulnerable?
    As for what’s vulnerable, the researchers said they tested their attack on the NXP A7005a chip, which is currently used for the following security key models:
    Google Titan Security Key (all versions)
    Yubico Yubikey Neo
    Feitian FIDO NFC USB-A / K9
    Feitian MultiPass FIDO / K13
    Feitian ePass FIDO USB-C / K21
    Feitian FIDO NFC USB-C / K40
    In addition, the attack also works on NXP JavaCard chips, usually employed for smartcards, such as J3A081, J2A081, J3A041, J3D145_M59, J2D145_M59, J3D120_M60, J3D082_M60, J2D120_M60, J2D082_M60, J3D081_M59, J2D081_M59, J3D081_M61, J2D081_M61, J3D081_M59_DF, J3D081_M61_DF, J3E081_M64, J3E081_M66, J2E081_M64, J3E041_M66, J3E016_M66, J3E016_M64, J3E041_M64, J3E145_M64, J3E120_M65, J3E082_M65, J2E145_M64, J2E120_M65, J2E082_M65, J3E081_M64_DF, J3E081_M66_DF, J3E041_M66_DF, J3E016_M66_DF, J3E041_M64_DF, and J3E016_M64_DF.
    Contacted via email, Google echoed the research team’s findings, namely that this attack is hard to pull off in normal circumstances.
    In addition, Google also added that its security keys service is also capable of detecting clones using a server-side feature called FIDO U2F counters, which the NinjaLab team also recommended as a good countermeasure for their attack in their paper. However, the research team also points out that even if counters are used, there is a short time span after the clone has been created when it still could be used.
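    To make the counter countermeasure and its gap concrete, the Python below is an added simulation (not NinjaLab's or Google's code) of the server-side U2F signature-counter check: a clone built from the extracted key is accepted until the original key is used again, at which point the counter regression is detected and the credential revoked. Signatures are modelled as bare counters, and the class and function names are assumptions for this example.

```python
"""Simulate the FIDO U2F signature-counter check and the clone window.

Added illustration. A U2F authenticator increments a monotonic counter on
every assertion and includes it in the signed response. The relying party
keeps the highest counter seen per key handle and rejects any assertion
that does not move it strictly forward. A clone made from an extracted
ECDSA private key shares the key but runs its own counter, so the two
diverge as soon as both devices are used. Real signatures are omitted;
only the counter logic is modelled, and all names here are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Authenticator:
    """Simulated U2F key: a key handle plus its own monotonic counter."""
    key_handle: str
    counter: int = 0

    def assert_login(self) -> tuple[str, int]:
        # A real device signs (app id, challenge, counter); only the counter matters here.
        self.counter += 1
        return self.key_handle, self.counter

    def clone(self) -> Authenticator:
        # Physical clone built from the extracted key: same key handle, with the
        # counter frozen at whatever value the original had when it was copied.
        return Authenticator(self.key_handle, self.counter)


@dataclass
class RelyingParty:
    """Server side: highest counter seen per key handle, plus revocations."""
    last_counter: dict[str, int] = field(default_factory=dict)
    revoked: set[str] = field(default_factory=set)
    alerts: list[str] = field(default_factory=list)

    def register(self, key_handle: str) -> None:
        self.last_counter[key_handle] = 0

    def verify(self, key_handle: str, counter: int) -> bool:
        """Accept only a strictly increasing counter; revoke the key on regression."""
        stored = self.last_counter.get(key_handle)
        if stored is None or key_handle in self.revoked:
            return False
        if counter <= stored:
            # Two devices are signing from the same key state: alert and revoke.
            self.alerts.append(f"{key_handle}: counter {counter} not > {stored}")
            self.revoked.add(key_handle)
            return False
        self.last_counter[key_handle] = counter
        return True


def simulate_clone_window() -> dict[str, object]:
    """Play out the scenario the researchers describe and report each step."""
    rp = RelyingParty()
    victim = Authenticator("kh-victim")  # constructed key handle
    rp.register(victim.key_handle)
    for _ in range(3):                   # owner logs in normally a few times
        rp.verify(*victim.assert_login())
    clone = victim.clone()               # key extracted, clone built
    clone_accepted = rp.verify(*clone.assert_login())  # window: clone works
    owner_next = rp.verify(*victim.assert_login())     # regression detected
    clone_after = rp.verify(*clone.assert_login())     # credential now revoked
    return {
        "clone_accepted_before_detection": clone_accepted,
        "owner_accepted_after_clone": owner_next,
        "clone_accepted_after_detection": clone_after,
        "alerts": len(rp.alerts),
    }


if __name__ == "__main__":
    print(simulate_clone_window())
```

    The counter only detects a clone once the legitimate key is used again; a relying party that does not revoke on regression leaves the clone usable indefinitely.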
    Nonetheless, as a closing note, the French security researchers also urged users to continue using hardware-based FIDO U2F security keys, such as Titan and YubiKey, despite the findings of their report. Instead, users should take precautions to safeguard devices if they believe they might be targets of interest to advanced threat actors.