More stories

  •

    Configuration snafu exposes passwords for two million marijuana growers

    GrowDiaries, an online community where marijuana growers can blog about their plants and interact with other farmers, suffered a security breach in September this year.
    The breach occurred after the company left two Kibana apps exposed on the internet without administrative passwords.
    Kibana apps are normally used by a company’s IT and development staff, as the app allows programmers to manage Elasticsearch databases via a simple web-based visual interface.
    Because Kibana gives anyone who reaches it the same view of the data as direct access to Elasticsearch would, securing Kibana apps is just as important as securing the databases themselves.
    But in a report published today on LinkedIn, Bob Diachenko, a security researcher known for discovering and reporting unsecured databases, said GrowDiaries failed to secure two of its Kibana apps, which appear to have been left exposed online without a password since September 22, 2020.
    Diachenko says these two Kibana apps granted attackers access to two sets of Elasticsearch databases, with one storing 1.4 million user records and the second holding more than two million user data points.
    The first exposed usernames, email addresses, and IP addresses, while the second database also exposed user articles posted on the GrowDiaries site and users’ account passwords.

    While the passwords were stored in a hashed format, Diachenko said the format was MD5, a hashing function known to be insecure and crackable (allowing threat actors to determine the cleartext version of each password).

    Diachenko said he reported the exposed Kibana apps to GrowDiaries on October 10, with the company securing its infrastructure five days later.
    The Ukrainian security researcher said that while GrowDiaries did intervene to secure its server, the company refused other communications, so he was unable to determine if someone else accessed the company’s Elasticsearch databases to download user data.
    However, Diachenko said that something like this happening was “likely” as he is certainly not the only one looking for accidentally exposed databases.
    A GrowDiaries spokesperson did not return an additional request for comment from ZDNet before this article’s publication.
    GrowDiaries users are advised to change their passwords, just in case the data made it into someone else’s hands. With the passwords stored in MD5 format, their old passwords are not secure, and accounts are in danger of getting hijacked.

  •

    These software bugs are years old. But businesses still aren't patching them

    Almost two thirds of vulnerabilities found on enterprise networks involve flaws that are more than two years old and have not been patched, despite fixes being available. This lack of patching puts businesses at risk of attacks that could often be easily avoided if security updates were applied.
    Analysis by Bitdefender found that 64 percent of all reported unpatched vulnerabilities during the first half of 2020 involve known bugs dating from 2018 and previous years, which means organisations are at risk from flaws that somebody should have fixed a long time ago.
    “The vast majority of organizations still have unpatched vulnerabilities that were identified anywhere between 2002 and 2018,” the report said.
    Applying patches can be time-consuming, tedious and unrewarding work, but for cyber criminals, unpatched vulnerabilities provide a simple way to deploy cyber attacks and malware. While businesses and users are encouraged to apply security patches to operating systems and software as soon as possible, the figures in Bitdefender’s 2020 Business Threat Landscape Report suggest that some organisations are still slow to apply them.
    “With organizations having most of their workforce remote, setting and deploying patching policies has never been more crucial. With six in 10 organizations having machines with unpatched vulnerabilities that are older than 2018, the risks of having those vulnerabilities exploited by threat actors are higher than ever,” the report warned.
    In some cases, organisations don’t apply security patches because they fear it could have a negative impact on how they run their systems – and therefore run the risk of a cyber attack instead.

    “Backward compatibility plays a vital role in deciding whether or not some applications should be patched. For example, patching or upgrading an application or service could break compatibility with other software that could be mission-critical for the organization. In this case, not patching could be less of a security decision but more of a business decision,” Liviu Arsene, global cybersecurity researcher at Bitdefender told ZDNet.
    However, by knowing what their network looks like and having a plan for applying patches, organisations can go a long way towards protecting themselves from cyber attacks designed to take advantage of known vulnerabilities.
    “Having a patching policy and roll out procedure in place is always the best solution for addressing known vulnerabilities,” said Arsene.
    “Systems that are mission-critical but cannot be patched for backward compatibility or business continuity reasons should be isolated and access to them tightly regulated,” he added.

  •

    Google to GitHub: Time's up – this unfixed 'high-severity' security bug affects developers

    Google Project Zero, the Google security team that finds bugs in all popular software, has disclosed what it classes a high-severity flaw on GitHub after the code-hosting site asked for a double extension on the normal 90-day disclosure deadline.
    The bug in GitHub’s Actions feature – a developer workflow automation tool – has become one of the rare vulnerabilities that wasn’t properly fixed before Google Project Zero’s (GPZ) standard 90-day deadline expired. Over 95.8% of flaws are fixed within the deadline, according to Google’s hackers.    

    GPZ is known to be generally strict with its 90-day deadline, but it appears GitHub was a little lax in its responses as the deadline approached after Google gave it every chance to fix the bug.
    As detailed in a disclosure timeline by GPZ’s Felix Wilhelm, the Google security team reported the issue to GitHub’s security on July 21 and a disclosure date was set for October 18. 
    According to Wilhelm, Actions’ workflow commands are “highly vulnerable to injection attacks”.
    “As the runner process parses every line printed to STDOUT looking for workflow commands, every GitHub action that prints untrusted content as part of its execution is vulnerable. In most cases, the ability to set arbitrary environment variables results in remote code execution as soon as another workflow is executed,” wrote Wilhelm. 

    “I’ve spent some time looking at popular GitHub repositories and almost any project with somewhat complex GitHub actions is vulnerable to this bug class.”
    GitHub issued an advisory on October 1 and deprecated the vulnerable commands, but argued that what Wilhelm had found was in fact a “moderate security vulnerability”. GitHub assigned the bug the tracking identifier CVE-2020-15228.  
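
As an added illustration of the bug class Wilhelm describes (example code, not GitHub’s or Project Zero’s), the helper below parses a printed line the way the runner’s legacy command grammar did, flags workflows that still use the deprecated set-env/add-path commands, and rewrites them to the $GITHUB_ENV/$GITHUB_PATH file mechanism. The ACTIONS_ALLOW_UNSECURE_COMMANDS opt-in name, the untrusted-context heuristic and the sample workflow are assumptions not taken from the article.

```python
"""Audit helper for the GitHub Actions workflow-command issue (CVE-2020-15228).
Added example, not GitHub's or Project Zero's code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Shape of a workflow command as the runner parsed it from every STDOUT line:
#   ::<command> <key>=<value>,...::<data>
WORKFLOW_CMD = re.compile(r"^::(?P<cmd>[a-z-]+)(?: (?P<props>[^:]*))?::(?P<data>.*)$")
# Deprecated commands -> variable naming the file that replaces them.
DEPRECATED = {"set-env": "GITHUB_ENV", "add-path": "GITHUB_PATH"}
# Opt-in that re-enables the old commands on a patched runner (real name, not from the article).
OPT_IN_FLAG = "ACTIONS_ALLOW_UNSECURE_COMMANDS"
# Heuristic: event payload fields (PR titles, issue bodies, ...) are attacker-controlled text.
UNTRUSTED_CTX = re.compile(r"\$\{\{\s*github\.event\.")


def parse_workflow_command(line: str) -> Optional[Dict]:
    """Return the command a legacy runner would extract from one printed line, or None."""
    m = WORKFLOW_CMD.match(line.rstrip("\n"))
    if not m:
        return None
    props = dict(kv.split("=", 1) for kv in (m.group("props") or "").split(",") if "=" in kv)
    return {"cmd": m.group("cmd"), "props": props, "data": m.group("data")}


def safe_replacement(line: str) -> Optional[str]:
    """Rewrite a deprecated command as an append to its $GITHUB_ENV / $GITHUB_PATH file."""
    cmd = parse_workflow_command(line)
    if not cmd or cmd["cmd"] not in DEPRECATED:
        return None
    target = DEPRECATED[cmd["cmd"]]
    if cmd["cmd"] == "set-env":
        return f'echo "{cmd["props"].get("name", "")}={cmd["data"]}" >> "${target}"'
    return f'echo "{cmd["data"]}" >> "${target}"'


@dataclass
class Finding:
    line_no: int
    severity: str
    message: str


def audit_workflow(yaml_text: str) -> List[Finding]:
    """Line-oriented scan of a workflow file; these patterns need no YAML parser."""
    findings: List[Finding] = []
    for no, line in enumerate(yaml_text.splitlines(), 1):
        for cmd, target in DEPRECATED.items():
            if f"::{cmd}" in line:
                findings.append(Finding(no, "high", f"deprecated ::{cmd}; append to ${target} instead"))
        if OPT_IN_FLAG in line:
            findings.append(Finding(no, "high", f"{OPT_IN_FLAG} re-enables the vulnerable commands"))
        if "echo" in line and UNTRUSTED_CTX.search(line):
            findings.append(Finding(no, "medium", "prints untrusted event data straight to the runner's parser"))
    return findings


# Constructed sample workflow exhibiting all three patterns plus one safe step.
SAMPLE_WORKFLOW = """\
name: ci
on: [pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    env:
      ACTIONS_ALLOW_UNSECURE_COMMANDS: true
    steps:
      - run: echo "::set-env name=PR_TITLE::${{ github.event.pull_request.title }}"
      - run: echo "::add-path::$HOME/.local/bin"
      - run: echo "PR_TITLE=$TITLE" >> "$GITHUB_ENV"
"""

if __name__ == "__main__":
    for f in audit_workflow(SAMPLE_WORKFLOW):
        print(f"line {f.line_no:>2} [{f.severity}] {f.message}")
```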
    On October 12, GPZ contacted GitHub and proactively offered it a 14-day grace period if GitHub wanted more time to disable the vulnerable commands, according to Wilhelm. 
    GitHub then took up the offer of a grace period, and per Wilhelm, it hoped to disable the vulnerable commands after October 19. GPZ then set the new disclosure date to November 2. 
    Then on October 28, GPZ alerted GitHub that the deadline was expiring the following week but got no response. 
    Due to the lack of an official response from GitHub, Project Zero contacted informal GitHub contacts, who said “the issue is considered fixed and that [GPZ] are clear to go public on 2020-11-02 as planned”, explained Wilhelm.
    But then, a day before the deadline, GitHub gave its official response and requested a further two days to notify customers of a fix at a future date.
    “GitHub responds and mentions that they won’t be disabling the vulnerable commands by 2020-11-02. They request an additional 48 hours, not to fix the issue, but to notify customers and determine a ‘hard date’ at some point in the future,” wrote Wilhelm. 
    So GPZ on Monday proceeded to disclose the bug it reported because it can’t, as per its policy, offer an extension beyond the 104 days – 90 days plus 14 days’ grace. 
    “Grace periods will not be granted for vulnerabilities that are expected to take longer than 104 days to fix,” Google Project Zero states in its 2020 disclosure policy.

  •

    Cybersecurity: One in three attacks are coronavirus-related

    The UK’s National Cyber Security Centre (NCSC) is ‘stepping up support’ for the National Health Service to help protect UK hospitals and other healthcare organisations against cyberattacks.
    The NCSC’s Annual Review 2020 reveals that the cyber arm of GCHQ has handled more than 200 cyber incidents related to coronavirus during the course of this year – almost a third of the total number of incidents it was called in to help with over that period.

    And due to the urgency of securing healthcare during the coronavirus pandemic, the NCSC has been helping the NHS to secure itself against cyberattacks.
    That includes performing threat hunting on 1.4 million NHS endpoints in an effort to detect potentially suspicious activity and scanning over one million NHS IP addresses to detect cybersecurity weaknesses.
    “The second half of the year for us, as it has for everyone else, has been dominated by the response to COVID,” said Lindy Cameron, CEO of the NCSC.
    “What we’ve done as an organisation is really pivot towards the health sector to try and give them the best support we can in thinking about their cyber defence to let them focus on responding to the pandemic,” she added.

    The NCSC also helped roll out Active Cyber Defence services, including Web Check, Mail Check and protective DNS, to 235 front-line health bodies across the UK, including NHS Trusts to help protect them against phishing attacks and other threats.
    “We’ve taken our active cyber-defence portfolio and pivoted it towards the health sector with 230 health bodies using our active cyber defence. That’s all part of the support we’ve given to NHS Digital to help them help the health sector,” Dr Ian Levy, NCSC technical director, told ZDNet.
    “We’re stepping up our support quite significantly,” he continued, adding: “Obviously it’s still for individual trusts to protect themselves along with NHS Digital and ourselves, but we’re really trying to take them the knowledge about the threat and actioning support in the sector at large”.
    More than 160 instances of high-risk vulnerabilities have been shared with NHS Trusts during the course of this year, while the NCSC has also had to deal with over 200 incidents related to the UK’s coronavirus response – including Russian cyber espionage targeting coronavirus vaccine development.
    The 200 coronavirus-related incidents make up a significant chunk of the total number of 723 cyberattacks involving almost 1,200 victims that the NCSC has helped deal with during the course of the past year, a figure up from 658 in the previous year – and the highest number of incidents since the NCSC was set up. It’s also a number that’s likely to continue rising as cyber criminals get more ambitious.
    The review also notes that the NCSC has dealt with three times more ransomware attacks than it did last year as attacks become more targeted and more aggressive.
    “The expertise of the NCSC, as part of GCHQ, has been invaluable in keeping the country safe: enabling us to defend our democracy, counter high levels of malicious state and criminal activity, and protect against those who have tried to exploit the pandemic,” said Jeremy Fleming, director of GCHQ.
    “The years ahead are likely to be just as challenging, but I am confident that in the NCSC we have developed the capabilities, relationships and approaches to keep the UK at the forefront of global cybersecurity,” he added.

  •

    FireEye releases ThreatPursuit, a Windows VM for threat intel analysts

    FireEye, one of today’s top cybersecurity companies, has released a new pre-configured virtual machine (VM) that was specifically set up to help threat intelligence analysts hunt down adversaries.

    Named the ThreatPursuit VM, this is a Windows 10 installation that comes with more than 50 software programs that are commonly used by threat intel analysts.
    The idea behind ThreatPursuit is to provide companies with a ready-made OS that can be deployed to new workstations before, during, or after a security incident and provide threat intel analysts with a ready-to-use work environment.
    For example, ThreatPursuit could be deployed to tens or hundreds of machines at the same time and scale up a security firm’s incident response capabilities.
    It can also be deployed on computers inside a customer’s network when providing incident response in a remote location, where a victim company may be lacking a threat analysis environment.
    ThreatPursuit comes preinstalled with a wide range of tools
    More than 50 tools are currently included with ThreatPursuit. The tools range across multiple categories.
    There are tools preinstalled in ThreatPursuit that can be used by threat intel analysts to feed indicators of compromise (IOCs) like URLs and file hashes into local or remote MISP platforms.

    There are also tools that can allow analysts to see connections between servers and malware samples using visual graphs. And there are tools that can be used to emulate attackers and their intrusion patterns against a company’s network.
    The full list of tools is below, as available today on ThreatPursuit’s GitHub repository:
    Development, Analytics and Machine Learning Tools:
        Shogun
        TensorFlow
        PyTorch
        RStudio
        RTools
        Darwin
        Keras
        Apache Spark
        Elasticsearch
        Kibana
        Apache Zeppelin
        Jupyter Notebook
        MITRE Caret
        Python (x64)
    Visualisation Tools:
        Constellation
        Neo4j
        CMAP
    Triage, Modelling & Hunting Tools:
        MISP
        OpenCTI
        Maltego
        Splunk
        MITRE ATT&CK Navigator
        GreyNoise API and GNQL
        threatcrowd API
        threatcmd
        ViperMonkey
        Threat Hunters Playbook
        MITRE TRAM
        SIGMA
        YETI
        Azure Sentinel
        AMITT Framework
    Adversarial Emulation Tools:
        MITRE Caldera
        Red Canary Atomic Red Team
        MITRE Caltack Plugin
        APTSimulator
        FlightSim
    Information Gathering Tools:
        Maltego
        nmap
        intelmq
        dnsrecon
        orbit
        FOCA
    Utilities and Links:
        CyberChef
        KeePass
        FLOSS
        peview
        VLC
        AutoIt3
        Google Chrome
        OpenVPN
        Sublime
        Notepad++
        Docker Desktop
        HxD
        Sysinternals
        PuTTY
    Installation instructions are included in this FireEye blog post.
    Third VM image released by FireEye
    This is the third ready-made VM image that FireEye has crafted for security purposes and released as open source software.
    In 2018, FireEye released FLARE VM, another Windows 10 image that was specifically pre-configured to come with all the tools security researchers need to crack and analyze malware samples.
    In 2019, FireEye also released Commando VM, a Windows 10 VM image that came preinstalled with all the major offensive hacking and penetration-testing tools. This VM was specifically built for “red teams” — a term that describes security researchers who perform on-demand penetration tests against a customer’s network to test a company’s defenses and detection capabilities.
    With ThreatPursuit VM, FireEye has now released VM images for all the major cyber-security job categories, all to help security practitioners simplify and automate their daily work routines.

  •

    Russian hacker jailed over botnet data scraping scheme that drained victim bank accounts

    A Russian cybercriminal has been jailed for eight years for participating in a botnet scheme that caused at least $100 million in financial damage. 

    According to the US Department of Justice (DoJ), Aleksandr Brovko was an active member of “several elite, online forums designed for Russian-speaking cybercriminals to gather and exchange their criminal tools and services.”
    The 36-year-old, formerly of the Czech Republic, worked with other cybercriminals to scrape information gathered by botnets. 
    Brovko wrote scripts able to parse log data from botnet sources and then searched these data dumps to uncover personally identifiable information (PII) and account credentials. 
    Any account credentials logged by Brovko’s code would then be verified by the Russian national — sometimes manually — to see if it was “worthwhile” using the accounts to conduct fraudulent transactions, prosecutors say. If so, bank accounts would be pillaged by other threat actors and drained of funds. 
    “Brovko possessed and trafficked over 200,000 unauthorized access devices during the course of the conspiracy,” the DoJ says. “These access devices consisted of either personally identifying information or financial account details.”

    Brovko participated in the scheme from 2007 through 2019. He has pleaded guilty to conspiracy to commit bank and wire fraud and was sentenced to eight years in prison by Senior US District Judge T.S. Ellis III. 
    As noted by The Register, Brovko’s indictment (.PDF) reveals he was retained by co-conspirator Alexander Tverdokhlebov, who was jailed for over nine years in 2017 after pleading guilty to running botnets able to control over half a million compromised PCs. 
    “Aleksandr Brovko used his programming skills to facilitate the large-scale theft and use of stolen personal and financial information, resulting in over $100 million in intended loss,” said US Attorney Zachary Terwilliger. “Our office is committed to holding these criminals accountable and protecting our communities as cybercrime becomes an ever more prominent threat.”
    Last month, Imperva researchers released an analysis of a sophisticated botnet now making the rounds in order to target websites via their content management system (CMS) platforms. 
    Dubbed KashmirBlack, the botnet began operation in late 2019 and is now able to attack thousands of websites on a daily basis for purposes including cryptocurrency mining, spam, and defacement. 

  •

    Oracle publishes rare out-of-band security update for WebLogic servers

    On Sunday, Oracle published a rare out-of-band security update to address an incomplete patch for a recently disclosed vulnerability in Oracle WebLogic servers that is being actively exploited in real-world attacks.
    The new patch (tracked as CVE-2020-14750) supplements the fix for the original bug (tracked as CVE-2020-14882), which was first patched in Oracle’s standard quarterly October 2020 security updates.
    CVE-2020-14882 is a dangerous vulnerability that allows attackers to execute malicious code on an Oracle WebLogic server with elevated privileges before the server’s authentication kicks in.
    To exploit CVE-2020-14882, an attacker only needs to send a booby-trapped HTTP GET request to the WebLogic server’s management console.

    Since exploitation is trivial, proof-of-concept (PoC) exploit code was made public within days of the initial Oracle patch.
    As has happened many times before, these PoCs were quickly adopted by threat actor groups, and last week SANS ISC reported attacks against WebLogic honeypots.
    But even patched systems were not considered safe.

    According to Adam Boileau, Principal Security Consultant at Insomnia Sec, the original patch for CVE-2020-14882 could be bypassed if attackers changed the case of a single character in the standard POC exploit.

    In Oracle’s rush to fix it, they made a pretty simple error: attackers could avoid the new path traversal blacklist (and thus bypass the patch) by … wait for it… changing the case of a character in their request. https://t.co/fHWPkXCAlm
    — Brett Winterford (@breditor) November 3, 2020
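
To show why the kind of fix Boileau describes is fragile, here is an added example (not Oracle’s code, and not the real request) that places a hypothetical literal deny-list beside a canonicalise-then-allow-list check. The /console/ prefixes, the deny-list markers and the probe paths are constructed for illustration.

```python
"""Why a literal, case-sensitive deny-list is a fragile patch for a path
traversal bug, and what a canonicalise-then-allow-list check looks like.
Added example with a hypothetical filter; it is not Oracle's code and the
paths are not the real CVE-2020-14882 request."""
import posixpath
from urllib.parse import unquote

# Hypothetical "blacklist patch": literal markers the raw request path must not contain.
DENY_LITERALS = ("%252E%252E", "..")
# Hypothetical allow-list of static resources reachable without authentication.
ALLOWED_PREFIXES = ("/console/images/", "/console/css/")


def naive_is_blocked(raw_path: str) -> bool:
    """Deny-list compared against the raw path, case-sensitively (the fragile approach)."""
    return any(marker in raw_path for marker in DENY_LITERALS)


def canonicalize(raw_path: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), then collapse '.' and '..' segments.

    Hex digits in %xx escapes are case-insensitive, so unquote() treats %2E and
    %2e alike; the deny-list above does not, which is exactly its weakness."""
    path = raw_path
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return posixpath.normpath("/" + path.lstrip("/"))


def hardened_is_blocked(raw_path: str) -> bool:
    """Decide on the canonical path and allow only known prefixes (deny by default)."""
    canon = canonicalize(raw_path)
    if "%" in canon:  # still encoded after the bounded decode: refuse rather than guess
        return True
    return not canon.startswith(ALLOWED_PREFIXES)


# Constructed request paths: one legitimate, three spellings of the same traversal.
PROBES = {
    "/console/images/logo.gif": "legitimate static resource",
    "/console/images/%252E%252E/%252E%252E/other": "double-encoded, upper-case hex",
    "/console/images/%252e%252e/%252e%252e/other": "same request, lower-case hex",
    "/console/images/%2e%2e/%2e%2e/other": "single-encoded",
}

if __name__ == "__main__":
    for path, note in PROBES.items():
        print(f"{note:32} naive_blocked={naive_is_blocked(path)!s:5} "
              f"hardened_blocked={hardened_is_blocked(path)!s:5} -> {canonicalize(path)}")
```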

    The recent attacks and the bypass of the original patch are what drove Oracle to issue a second set of patches on Sunday, in a rare out-of-band security update.
    Companies that run WebLogic servers are now advised to install the additional CVE-2020-14750 patch to protect from both the original CVE-2020-14882 exploit and its bypass.
    According to security firm Spyse, more than 3,300 WebLogic servers are currently exposed online and considered to be vulnerable to the original CVE-2020-14882 vulnerability.

  •

    Brave hits 20 million monthly users a year after 1.0 release

    Kicking off in 2016, Brave saw its first 1.0 release almost 4 years later, and following another trip around the Sun, it has hit the milestone of 20.5 million active monthly users.
    At the same time last year, the browser had 8.7 million active monthly users, and of the 20 million monthly users, 7 million are daily users, which represents more than a doubling of last year’s 3 million.
    Brave added that since Apple allowed browsers other than its own to be the default option on iOS, it has seen its iOS user base increase by a third.
    One of the touted features of the browser is that it hates ads, and will go out of its way to block them, unless users decide to see Brave-powered advertisements. To that end, Brave has hit “2 billion ad confirmation events” and completed 2,215 campaigns from over 460 companies. The browser maker says its users have a click-through rate of 9%, far outstripping industry averages.
    The browser also has its own cryptocurrency, Basic Attention Tokens, that users use to “tip” content creators. Thus far, 26 million of the tokens have been sent to creators. At the time of writing, the blockchain-based token is trading for just under 18 cents, meaning $4.6 million has been sent from users.
    “Users are fed up with surveillance capitalism, and 20 million people have switched to Brave for an entirely new web ecosystem with an opt-in ad economy that puts them back in control of their browsing experience,” said Brendan Eich, CEO and co-founder of Brave.
    “The global privacy movement is gaining traction, and this milestone is just one more step in our journey to make privacy-by-default a standard for all Web users.”

    In June, Brave was caught out for auto-completing certain URLs to append a referral id.
    Eich said at the time it was a mistake, while others looked at Brave’s source code and found it was doing the same thing to links to Ledger, Trezor, and Coinbase.
    “The autocomplete default was inspired by search query clientid attribution that all browsers do, but unlike keyword queries, a typed-in URL should go to the domain named, without any additions. Sorry for this mistake – we are clearly not perfect, but we correct course quickly,” Eich said.
    A patch was later made to disable the functionality by default.
    While Brave boasts of hitting its 20 million number, Firefox has reported having 10 times that number to sit above 220 million. According to Statcounter, Firefox’s market share is 4%, while Chrome itself has 66% of the market, giving it an install base measured in multiple billions.