Information Technology

Vulcan Cyber has opened its extensive database of vulnerabilities in enterprise IT in a bid to speed up large remediation backlogs and improve team effectiveness.
The Remedy Cloud is a free website with one of the largest databases of common vulnerabilities and exposures (CVEs) along with the best way to fix each one, patches, and relevant notes. 

“Due to process breakdowns there’s never an end — just a growing backlog of vulnerabilities that require remediation,” says Yaniv Bar-Dayan, CEO of Vulcan. 
The complexity of enterprise IT operations carries with it a growing number of vulnerabilities that need to be patched. But organizations struggle to identify every vulnerability and then access which ones are the most important and need to be tackled first. 
Some CVEs have been “weaponized” by criminals and are used to expose sensitive corporate data that can result in massive fines and lost business trust.
The backlog in CVE remediation is partly due to a bottleneck that Vulcan says occurs when security teams hand-off the fix to DevOps, or other IT teams. 
“Vulcan Remedy Cloud streamlines this workflow by providing both teams with remediation playbooks. This one function is extraordinarily effective at creating cross-team alignment and cooperation,” says Bar-Dayan.

The Vulcan remedies database provides the patches, the configuration scripts, and workarounds that have been proven to work with the most challenging vulnerabilities.
Vulcan also announced a remediation analytics feature added to its paid-for Vulcan remediation orchestration platform which automates much of the remediation process.  More

The US Justice Department says it’s seized $1bn in bitcoin allegedly stolen by a hacker from Silk Road creator Ross Ulbricht before his arrest for running the dark-web market. 
Announcing the bitcoin seizure from the unnamed hacker, the Department of Justice revealed it is now seeking forfeiture of the illicit funds, which represent its largest haul of cryptocurrency to date.

Ulbricht operated Silk Road between 2011 and October 2013, when the FBI seized the dark-web site and arrested him. He was convicted in 2015 for money laundering and distributing narcotics, and sentenced to life in prison. He lost an appeal for a new trial in 2017. 
SEE: Network security policy (TechRepublic Premium)
Over that period, the site generated revenues of 9.5 million bitcoins and earned commissions totaling over 600,000 bitcoins.
According to the complaint, earlier this year law enforcement used a bitcoin attribution company to analyze bitcoin transactions carried out by Silk Road and noticed 54 transactions around 2013 that were sent to two addresses totaling 70,411.46 bitcoins. 
Since the transactions weren’t recorded in Silk Road’s database, it was assumed the funds were stolen. 

In April 2013, the bulk of the funds totaling 69,471.082201 bitcoins were sent to an account referred to as ‘1HQ3’, the first characters in the address. 
“Between April 2015 and November 2020, the remainder of the funds, 69,370.082201 bitcoins, remained in 1HQ3. As of November 3, 2020, 1HQ3 had a balance of 69,370.22491543 bitcoin (valued at approximately $1bn as of November 4, 2020),” the document states.
Investigators determined that the unnamed hacker, referred to as ‘Individual X’ in court documents, was involved in a transaction that related to the account. 
The US Internal Revenue Service and the Justice Department reckon Individual X stole the cryptocurrency from Silk Road.
“According to the investigation, Ulbricht became aware of Individual X’s online identity and threatened Individual X for return of the cryptocurrency to Ulbricht. Individual X did not return the cryptocurrency but kept it and did not spend it,” the complaint reads.
SEE: Ransomware victims aren’t reporting attacks to police. That’s causing a big problem
Earlier this week, the unnamed hacker agreed to forfeit the cryptocurrency to the US Attorney’s Office, Northern District of California and on November 3, the US government took possession of the cryptocurrency. 
Now the Justice Department needs to prove that the seized cryptocurrency is subject to forfeiture. 
In 2014 the US government auctioned off about 30,000 of the bitcoins found in the wallet files on Silk Road’s servers.  More

Image: Manthana Chaiwong, ZDNet
Ransomware gangs that steal a company’s data and then get paid a ransom fee to delete it don’t always follow through on their promise.

The number of cases where something like this has happened has increased, according to a report published by Coveware this week and according to several incidents shared by security researchers with ZDNet researchers over the past few months.
These incidents take place only for a certain category of ransomware attacks — namely those carried out by “big-game hunters” or “human-operated” ransomware gangs.
These two terms refer to incidents where a ransomware gang specifically targets enterprise or government networks, knowing that once infected, these victims can’t afford prolonged downtimes and will likely agree to huge payouts.
But since the fall of 2019, more and more ransomware gangs began stealing large troves of files from the hacked organizations before encrypting the victims’ files.
The idea was to threaten the victim to release its sensitive files online if the company wanted to restore its network from backups instead of paying for a decryption key to recover its files.
Some ransomware gangs even created dedicated portals called “leak sites,” where they’d publish data from companies that didn’t want to pay.

Image: ZDNet

If hacked companies agreed to pay for a decryption key, ransomware gangs also promised to delete the data they had stolen.
In a report published this week, Coveware, a company that provides incident response services to hacked companies, said that half of the ransomware incidents it investigated in Q3 2020 had involved the theft of company data before files were encrypted, doubling the number of ransomware incidents preceded by data theft it saw in the previous quarter.
But Coveware says that these types of attacks have reached a “tipping point” and that more and more incidents are being reported where ransomware gangs aren’t keeping their promises.
For example, Coveware said it had seen groups using the REvil (Sodinokibi) ransomware approach victims weeks after the victim paid a ransom demand and ask for a second payment using renewed threats to make public the same data that victims thought was deleted weeks before.
Coveware said it also saw the Netwalker (Mailto) and Mespinoza (Pysa) gangs publish stolen data on their leak sites even if the victim companies had paid the ransom demand. Security researchers have told ZDNet that these incidents were most likely caused by technical errors in the ransomware gang’s platforms, but this still meant that the ransomware gangs hadn’t deleted the data as they promised.
Further, Coveware also said it observed the Conti ransomware gang send victims falsified evidence as proof of having deleted the data. Such evidence is usually requested by the victim’s legal team, but sending over falsified proof means the ransomware gang never intended to delete the data and was most likely intent on reusing at a later point.
On top of this, Coveware said it also saw the Maze ransomware gang post stolen data on their leak sites accidentally, even before they notified victims that they had stolen their files.
This has also happened with the Sekhmet and Egregor gangs; both considered to have spun off from the original Maze operation, Coveware said.
In addition to these, ZDNet also learned of additional incidents from other companies providing incident response services for ransomware attacks.
Most of these incidents involve the Maze gang, the pioneer of the ransomware leak site, and the double-extortion scheme. More exactly, they involve “affiliates,” a term that describes cybercriminals who bought access to the Maze ransomware-as-a-service (RaaS) platform and were using the Maze ransomware to encrypt files.
But while some affiliates play by the rules, some haven’t. There have been cases where a former Maze affiliate who was kicked out of the Maze RaaS program had approached and tried to extort former victims with the same stolen data for the second time, data which they promised to delete.
There have also been cases where Maze affiliates accidentally posted stolen data on the Maze leak site, even after a successful ransom payment. The data was eventually taken down, but not after the posts on the Maze site got hundreds or thousands of reads (and potential downloads).
Things got worse throughout the year for Maze affiliates as antivirus companies started detecting Maze payloads and blocking the encryption and stopping attacks.
In many of these cases, the Maze affiliates had to settle for using only the data they managed to steal before the encryption was blocked and often had to settle for smaller ransom payments.
Seeking new avenues of profits, in at least two cases, a Maze group attempted to sell employee credentials and personal data to security researchers posing as underground data brokers.

These examples confirm what many security researchers had already suspected — namely, that ransomware gangs can’t be trusted or taken on their word.
“Unlike negotiating for a decryption key, negotiating for the suppression of stolen data has no finite end,” Coveware wrote in its report. “Once a victim receives a decryption key, it can’t be taken away and does not degrade with time. With stolen data, a threat actor can return for a second payment at any point in the future.”
The security firm is now recommending that companies never consider that any of their data to be deleted and plan accordingly, which usually involves notifying all impacted users and employees.
The advice needs to be given because some companies have been using the excuse that they’ve paid the ransom demand and that the ransomware gang made a pinky-promise to delete the data as an excuse not to notify their users and employees.
Since many of the documents stolen in ransomware attacks contain sensitive personal and financial details, if resold, these documents can be very useful for a slew of fraudulent operations that a victim company’s customers or employees need to be aware of and prepare for. More

Apple has released security updates today for iOS to patch three zero-day vulnerabilities that were discovered being abused in attacks against its users.
According to Shane Huntley, Director of Google’s Threat Analysis Group, the three iOS zero-days are related to the recent spat of three Chrome zero-days[1, 2, 3] and a Windows zero-day that Google had previously disclosed over the past two weeks.
Just like in the four previous cases, Google has not shared details about the attacker(s) or their target(s).

Targeted exploitation in the wild similar to the other recently reported 0days. Not related to any election targeting.
— Shane Huntley (@ShaneHuntley) November 5, 2020

While it’s unknown if the zero-days have been used against selected targets or en-masse, iOS users are advised to update to iOS 14.2, just to be on the safe side.
The same security bugs have also been fixed in iPadOS 14.2 and watchOS 5.3.8, 6.2.9, and 7.1, and have also been backported for older generation iPhones via iOS 12.4.9, also released today.
According to Google Project Zero team lead Ben Hawkes, whose team discovered and reported the attacks to Apple, the three iOS zero-days are:
CVE-2020-27930 — a remote code execution issue in the iOS FontParser component that lets attackers run code remotely on iOS devices.
CVE-2020-27932 — a privilege escalation vulnerability in the iOS kernel that lets attackers run malicious code with kernel-level privileges.
CVE-2020-27950 — a memory leak in the iOS kernel that allows attackers to retrieve content from an iOS device’s kernel memory.
All three bugs are believed to have been used together, part of an exploit chain, allowing attackers to compromise iPhone devices remotely. More

Image: Licya
Campari Group, the famed Italian beverage vendor behind brands like Campari, Cinzano, and Appleton, has been hit by a ransomware attack and has taken down a large part of its IT network.
The attack took place last Sunday, on November 1, and has been linked to the RagnarLocker ransomware gang, according to a copy of the ransom note shared with ZDNet by a malware researcher who goes online by the name of Pancak3.

Image supplied
The RagnarLocker gang is now trying to extort the company into paying a ransom demand to decrypt its files.
But the ransomware group is also threatening to release files it stole from Campari’s network if the company doesn’t pay its ransom demand in a week after the initial intrusion.
Screenshots of Campari’s internal network and corporate documents have been posted on a dark web portal where the RagnarLocker gang runs a “leak site”, as proof of the intrusion. Included in these proofs is even a copy of the contract signed by Campari with US actor Matthew McConaughey for the Wild Turkey bourbon brand.

In a text chat window available to RagnarLocker victims, a Campari representative has not replied to the ransomware gang.
Instead, the Italian company appears to have chosen to restore its encrypted systems rather than pay the ransom demand, according to a short press release published on Tuesday, where Campari said it’s working on a “progressive restart in safety conditions.”

In the same press release, Campari also said it detected the intrusion as soon as it took place and immediately moved in to isolate impacted systems, and that the incident is not expected to have any significant impact on its financial results.
However, at the time of writing, Campari websites, email servers, and phone lines are still down, five days after the attack.
A Campari representative also couldn’t be reached because of the company’s current state of affairs.
Campari is the second major beverage vendor after Arizona Beverages that’s knocked online because of a ransomware attack in the past two years. More

Working from home has come with problems a few of us ever considered before. Just ask well-known New Yorker writer and pundit Jeffrey Toobin who was caught, uh, amusing himself, on a Zoom call. Wouldn’t it be nice if you could be sure your webcam and microphone were off? Dell thinks so, which is why they’ve offered Linux kernel code to support its Dell Privacy controls.

Must-see offers

The Dell Privacy Drivers support its newest laptops; hardware-based privacy buttons. These key combinations stop any application from accessing its laptops’ built-in microphone and camera. To ensure that the microphone can’t be used to listen in on you, you’ll press ctrl+F4. To lock down the webcam you’ll press  ctrl+F9.
Once this new code is incorporated into the Linux kernel, no program can access the audio or video streams. Since this works at the operating system level, besides making accidents harder to do, it should block spyware or other kinds of malware that try to sneak a peek at you.
Of course, this isn’t the first time privacy has been built into a Linux-powered laptop. The specialist Linux PC vendor Purism, for example, has long made both privacy and strict support for open-source software its trademark. Its machines already come with hardware to block video and audio streams.
That said, it’s still noteworthy that one of the world’s largest PC vendors now thinks Linux is so important to its audience that it’s supporting its new privacy hardware from the start. All too often in the past, companies made Linux support for less common PC hardware features such as fingerprint readers and security mechanisms an afterthought.
Related Stories: More

Image: ZDNet
GitHub has denied rumors today of getting hacked after a mysterious entity shared what they claimed to be the source code of the GitHub.com and GitHub Enterprise portals.
The “supposed” source code was leaked via a commit to GitHub’s DMCA section.
The commit was also faked to look like it originated from GitHub CEO Nat Friedman.
But in a message posted on YCombinator’s Hacker News portal, Friedman denied that it was him and that GitHub got hacked in any way.
Friedman said the “leaked source code” didn’t cover all of GitHub’s code but only the GitHub Enterprise Server product. This is a version of GitHub Enterprise that companies can run on their own on-premise servers in case they need to store source code locally for security reasons but still want to benefit from GitHub Enterprise features.
Friedman said this source code had already leaked months before due to its own error when GitHub engineers accidentally “shipped an un-stripped/obfuscated tarball of our GitHub Enterprise Server source code to some customers.”

Image: ZDNet
Friedman promised that GitHub was going to fix the two bugs exploited by the leaker and prevent unauthorized parties from attaching their code to other people’s projects via faked identities.

“In summary: everything is fine, situation normal, the lark is on the wing, the snail is on the thorn, and all’s right with the world,” Friedman said.
Not the first time
But this is not the first time that this happened on GitHub.
One of the two bugs was used just days earlier when a security researcher attached the source code of the youtube-dl library to GitHub’s DMCA section.
The security researcher’s gesture came as a form of protest after GitHub decided to honor a suspicious DMCA takedown request against the youtube-dl library from music recording industry group RIAA.

Image: ZDNet
While the mystery leaker never explained their actions, it is believed that the person who leak the GitHub Enterprise Server code was also protesting against GitHub’s decision to honor RIAA’s DMCA request and take down youtube-dl, a project that lets users download raw audio and video files from YouTube and other services — which RIAA argued was heavily used to pirate its songs catalog.
For the past week, hundreds of other users have been re-uploading the youtube-dl code on their own accounts and daring RIAA to send them a DMCA request too. GitHub has warned users not to do so, as they risk getting banned by its automated systems. More

Cisco has found a security bug that impacts remote workers using its Webex Meetings Virtual Desktop App for Windows. 
With the company’s Webex Meetings one of the main enterprise options for online video meetings with teammates, the product is probably getting even higher use due to remote working as the COVID-19 pandemic rolls on across the world. 

Networking

Cisco has warned that the bug in Webex Meetings Desktop App for Windows is a high-severity security flaw. 
However, it can only be exploited when Webex Meetings Desktop App is in a virtual desktop environment on a hosted virtual desktop (HVD) and configured to use the Cisco Webex Meetings virtual desktop plug-in for thin clients. 
The plug-in is designed to support HVD users, such as remote workers who are connecting to a corporate network from a personal computer.
The flaw may allow an attacker to execute arbitrary code on a targeted system with the targeted user’s privileges. 
“A successful exploit could allow the attacker to modify the underlying operating system configuration, which could allow the attacker to execute arbitrary code with the privileges of a targeted user,” Cisco explains in an advisory. 

One mitigating factor is that the vulnerability can only be exploited by a local attacker with limited privileges who had sent a malicious message to the affected software by using the virtualization channel interface. 
Nonetheless, Cisco has given the bug, tracked as CVE-2020-3588, a severity rating of 7.3 out of a possible 10. 
The bug has been fixed in the Webex Meetings Desktop App for Windows releases 40.6.9 and later and 40.8.9 and later. The issue was due to the desktop app improperly validating messages.
Cisco also notes that customers must update the affected app in the HVD in the virtual desktop environment. However, the plug-in does not need to be updated. 
Fortunately, Cisco’s Product Security Incident Response Team (PSIRT) has not observed any attacks in the wild and Cisco found the bug during internal testing. 
Cisco is also urging customers to update Webex Meetings sites and Webex Meetings Server due to vulnerabilities affecting the Webex Network Recording Player for Windows and Webex Player for Windows. 
There are three bugs that stem from the playback apps not doing enough to validate elements of Webex recordings stored in the Advanced Recording Format (ARF) – a video format for Webex – or the Webex Recording Format (WRF). 
The bugs are tracked as CVE-2020-3573, CVE-2020-3603, and CVE-2020-3604. They have a severity rating of 7.8. 
Attackers can exploit the flaws by sending target into opening a malicious ARF or WRF file through a link or email attachment, and then tricking the target into opening the file with the two Webex players. 
Webex Network Recording Player is used to play back ARF files, while Webex Player is used to play back WRF files. 
The playback applications are available from Cisco Webex Meetings and Cisco Webex Meetings Server. 
The Webex Network Recording Player is available from Cisco Webex Meetings sites and Cisco Webex Meetings Server. The Cisco Webex Player is available from Cisco Webex Meetings sites but not from the Cisco Webex Meetings Server.
While Cisco’s PSIRT has not observed any malicious activity using these flaws, they were found by security researcher Francis Provencher (PRL) who reported the issue to Cisco via Trend Micro’s Zero Day Initiative. 
Cisco notes there are no workarounds for this bug and has listed in its advisory the releases of Webex Meetings sites and Webex Meetings Server that need to be updated.  
More on Cisco and networking security More