The developers of Zeppelin ransomware have resumed their activity after a period of relative silence that started last Fall and started to advertise new versions of the malware.

A recent variant of the malware became available on a hacker forum at the end of last month, offering cybercriminals in the ransomware business complete independence.

New versions for sale

Zeppelin ransomware is also referred to as Buran and has its origin in the Vega/VegaLocker family, a Delphi-based ransomware-as-a-service (RaaS) observed on Russian-speaking hacker forums in 2019.

The developers of the Zeppelin ransomware strain, however, sell it on underground forums, letting buyers decide how they want to use the malware. The developers also have some sort of individual partnership with certain users of their malware.

This is in contrast with the classic RaaS operations, where developers typically look for partners to breach into a victim network, to steal data, and deploy the file-encrypting malware. The two parties then split paid ransoms, with developers getting the smaller piece (up to 30%). 

Threat prevention and loss avoidance company Advanced Intel (AdvIntel) found that the developers of Zeppelin ransomware have revigorated their activity in March.

They announced “a major update for the software” along with a new round of sales. In an intelligence report, AdvIntel head of research Yelisey Boguslavskiy says that the current Zeppelin version comes with a price tag of $2,300 per core build.

Following the major update, Zeppelin developers released a new variant of the malware on April 27 that brought little change in terms of features but increased the stability of the encryption.

Perks for regular customers

They also assured regular customers that work on the malware continues and that long-term users, referred to as “subscribers,” will benefit from special treatment.

Zeppelin is one of the few ransomware operations on the market that does not adopt the pure RaaS model and also one of the most popular of the bunch, enjoying recommendations from high-profile members of the cybercrime community.

Boguslavskiy explained how Zeppelin developers work by saying that they work on "a more extended scope of operations" with close partners that purchased the malware.

AdvIntel warns that despite the lack of organization typical to the RaaS model, Zeppelin could make it more difficult to fight the ransomware threat since access to the malware allows other developers to steal features for their products.

The company says that Zeppelin users are individual buyers that do not complicate their attacks and rely on common initial attack vectors like RDP, VPN vulnerabilities, and phishing.

Furthermore, Zeppelin operators do not have a leak site, like most RaaS groups, and they focus on encrypting the data, not steal it.

AdvIntel recommends monitoring and auditing external remote desktop and VPN connections as an efficient defense against the Zeppelin ransomware threat.

Even without the complexity of a RaaS operation, Zeppelin ransomware is concerning as attacks with this strain can difficult to detect, especially when new downloaders are used, as Juniper Threat Labs discovered last August.

Source: Zeppelin ransomware comes back to life with updated versions

The company was informed about the exposed data in December 2020 but it only responded and secured the data in March 2021.

FastTrack Reflex Recruitment firm recently joined the ranks of other companies that have been affected by data leaks due to misconfigured AWS S3 buckets. This data breach majorly affected the applicants whose CVs containing personal information were leaked, reports the research team at Website Planet.

Attached to numerous CVs were the personal IDs of applicants, including passports, citizen ID cards, driver’s licenses, and skilled worker IDs. All of these constitute direct and indirect applicant PII. Examples of directly identifiable PII include the following:

• Full names
• Email addresses
• Home addresses
• Dates of birth
• Passport numbers
• Applicant photos
• Mobile phone numbers
• Social network URLs for some applicants.

It is worth noting that the configuration of the server is not the responsibility of Amazon but rather the company, FastTrack, that is using it as a public cloud storage resource.

Example of leaked data (Image: Website Planet)

The bucket, according to Website Planet’s blog post, included 21,000 client files (including duplicates), equating to 5GB of data, which were left unprotected for any hacker or cyber criminal with a malicious intent to take advantage of.

Moreover, tens of thousands of people could be affected by this. As a result of this exposure, FastTrack could receive legislative action from GDPR and the UK’s Data Protection Act 2018. 

The clients could be affected through various criminal acts if cybercriminals found this unprotected database. These include identity theft, fraud, scams, phishing, malware, theft, and account takeover.

The company, on the other hand, will be affected due to their failure to adhere to data privacy laws such as GDPR which could fine it around €20 million, or 4% of the company in question’s annual turnover (whichever is higher).

Additionally, they could possibly face a loss of business due to their existing customers losing trust in their firm and their potential new applicants being driven away. 

The data breach was first discovered on 29th December 2020 by the Website Planet research team and the company was contacted on 15th and 17th January 2021 but they only replied on 17th March, after several attempts of contacting them, and the bucket was secured on 23rd March 2021. 

Source: A UK recruitment firm exposed sensitive applicants data for months

Hear ye, DarkSide! This honorable ransomware court is now in session

Colonial Pipeline hackers have cashed in spectacularly. Now, they're feeling the heat.

It's not surprising that XSS organizers would police their site in precisely the way seen in these discussions. After all, the cybercrime economy is booming, but for XSS to cash in, the forum has to be viewed as operating on a level playing field. Ultimately, though, it's impossible to know if these proceedings are for real or just an act.

"This is a community of cybercriminals who know their forum is being monitored by LE, security companies and the press," Brett Callow, threat analyst with security firm Emsisoft, said. "It’s highly likely that some communications are made solely to confuse issues. Smoke and mirrors."

With DarkSide disrupting gasoline supply for huge swaths of the US two weeks ago, the FBI will no doubt bring the full force of its might on this enterprise if it gets the chance. DarkSide owners are no doubt feeling the heat, even if the ransomware court proceedings are just an act.

Hear ye, DarkSide! This honorable ransomware court is now in session

The U.S. Department of Justice (DoJ) indicted an employee of the Federal Bureau of Investigation (FBI) for illegally removing numerous national security documents and willfully retaining them at her personal residence during a 13-year period from June 2004 to December 2017.

The federal indictment charged Kendra Kingsbury, 48, with two counts of having unauthorized possession of documents relating to the national defense, according to an unsealed indictment that was made public on Friday. Kingsbury worked as an intelligence analyst in the FBI's Kansas City Division for more than 12 years, until her suspension in 2017.

"The breadth and depth of classified national security information retained by the defendant for more than a decade is simply astonishing," said Alan E. Kohler, Jr. Assistant Director of the FBI's Counterintelligence Division, in a statement.

Stating that Kingsbury knew she was not authorized to remove and retain access to these sensitive government materials, the Justice Department charged the defendant with failing to deliver the secret documents to relevant employees who were entitled to receive them.

Kingsbury is alleged to have kept a total of 20 documents that cover a wide swathe of classified information spanning across intelligence notes and bulletins, email messages, internal correspondence, and a presentation that delve into different sources and methods the agency uses to defend against counterterrorism and cyber threats as well as details about intelligence gathered on emerging terrorist groups.

Some of the documents unlawfully accessed by Kingsbury also involve specifics about open investigations, human sources, and intelligence gaps pertaining to hostile foreign intelligence services and terrorist outfits, and the technical capabilities the FBI possesses to neutralize counterterrorism targets.

"As an intelligence analyst for the FBI, the defendant was entrusted with access to sensitive government materials," said Assistant Attorney General John C. Demers for DoJ's National Security Division. "Kingsbury is alleged to have violated our nation's trust by stealing and retaining classified documents in her home for years. Insider threats are a significant danger to our national security, and we will continue to work relentlessly to identify, pursue and prosecute individuals who pose such a threat."

Source

Air India disclosed a data breach after personal information belonging to roughly 4.5 million of its customers was leaked two months following the hack of Passenger Service System provider SITA in February 2021.

The Indian national carrier first informed passengers that SITA was the victim of a cyberattack on March 19.

"This is to inform that SITA PSS our data processor of the passenger service system (which is responsible for storing and processing of personal information of the passengers) had recently been subjected to a cybersecurity attack leading to personal data leak of certain passengers," Air India said in a breach notification sent over the weekend. 

"This incident affected around 4,500,000 data subjects in the world."

The airline added that the breach impacted the data of passengers registered between August 2011 and February 2021.

Nevertheless, after investigating the security incident, it was found that no credit card information or password data was accessed during the breach.

However, Air India urges its passengers to change their credentials to block potential breach attempts and ensure their data security.

"The breach involved personal data registered between 26th August 2011 and 3rd February 2021, with details that included name, date of birth, contact information, passport information, ticket information, Star Alliance, and Air India frequent flyer data (but no passwords data were affected) as well as credit cards data," Air India added [PDF].

"However, in respect of this last type of data, CVV/CVC numbers are not held by our data processor."

The protection of our customers’ personal data is of highest importance to us and we deeply regret the inconvenience caused and appreciate the continued support and trust of our passengers. — Air India

Data breach impacts Star Alliance members

Almost a dozen more air carriers besides Air India informed passengers that some of their data was accessed during a breach of SITA's Passenger Service System (PSS), which handles transactions from ticket reservations to boarding.

SITA also confirmed the incident saying that it reached out to affected PSS customers and all related organizations in early March.

At the time, a SITA spokesperson told BleepingComputer that the breach impacts data of passengers from multiple airlines, including:

• Lufthansa - combined with its subsidiaries, it is the second-largest airline in Europe in terms of passengers carried; Star Alliance member and Miles & More partner
• Air New Zealand - flag carrier airline of New Zealand
• Singapore Airlines - flag carrier airline of Singapore
• SAS - Scandinavian Airlines (disclosure here); 
• Cathay Pacific - flag carrier of Hong Kong
• Jeju Air - the first and largest South Korean low-cost airline
• Malaysia Airlines - flag carrier airline of Malaysia
• Finnair - flag carrier and largest airline of Finland

Some of these air carriers (including Air India) are part of the Star Alliance, a global airline network with 26 members, including Lufthansa, the largest in Europe.

Star Alliance told BleepingComputer that its members also share customer details relevant to awarding traveling benefits. 

The information is limited to membership names, frequent flyer program membership numbers, and program tier status.

Source: Air India data breach impacts 4.5 million customers

The massive data leak occurred due to misconfigured cloud services used by Android apps with millions of downloads.

Personal data of over 100 million Android users were exposed due to misconfigured cloud services. The issue was identified in around 23 applications, which boasted up to 10 million downloads and included internal developer resources.

The issue was identified by Check Point researchers who wrote in their blog that when configuring/integrating third-party cloud services into apps, it is extremely important to follow best practices.

“By not following best-practices when configuring and integrating third-party cloud-services into applications, millions of users’ private data was exposed,” researchers noted.

Millions of Users Affected

This type of misuse not just impacts the users but also the developers. That’s because users’ personal data is exposed and put at risk, and also at risk are the developers’ internal resources like access to storage and updating mechanism.

As per Check Point’s blog post, the apps were available on Google Play Store. Some of the names they shared include:

• iFax
• T’Leva
• Astro Guru,
• Logo Maker
• Screen Recorder.

Researchers noted that a password didn’t protect many databases used by app developers to store data on Cloud. Therefore, anyone could access the sensitive, personal information of more than 100 million users, including:

• Names
• Dates of birth
• Location
• Email addresses
• Passwords
• Photos
• Gender
• Chat messages,
• payment details
• Contact information
• Push information, etc.

Sample data:

Leaked data and targeted apps

App Data Leakage- A Largely Underrated Issue

The sheer number of applications having misconfiguration issues indicates a deep-rooted and widespread problem, and cyber crooks can easily leverage such apps to fulfill their nefarious objectives.

Since app developers use real-time databases for data storage in Cloud services and sync it with connected clients in real-time, a slight mistake can cause massive data exposure.

Check Point researchers could obtain data of those using the Angola-based taxi app T’Leva. They easily accessed messages exchanged between passengers and drivers, along with riders’ full names, destination/pick-up locations, and phone numbers. All this was possible because the database wasn’t secured properly.

Moreover, app developers embedded key needed to send push notifications and access cloud services directly from the app. This could allow cybercriminals/scammers to send a fake notification to users from the developers’ side or redirect users to a phishing page.

Source: 23 Android apps caught leaking sensitive data of 100 million users

Data poisoning attacks against the machine learning used in security software may be attackers’ next big vector, said Johannes Ullrich, dean of research of SANS Technology Institute.

Machine learning is based on pattern recognition in a pool of data. Data poisoning is adding intentionally misleading data to that pool so it begins to misidentify its inputs.

“One of the most basic threats when it comes to machine learning is one of the attacker actually being able to influence the samples that we are using to train our models,” said Ulrich, speaking during a keynote at the RSA Conference.

Ulrich noted that hackers could provide a stream of bad information by, say, flooding a target organization with malware designed to refine ML detection away from the techniques they actually plan to use for the main attack.

The future threats panel offerred four experts taken from the SANS Institute instructor pool the opportunity to present on one threat they expected to see balloon in the near future. Katie Nickels, director of intelligence at Red Canary, presented on the growth of leaking as a component of ransom, which she noted had been on the rise since 2019. Heather Mahalik, director of digital intelligence for Cellibrite, talked about token abuse expanding with increased work from home. And Ed Skoudis, CEO of Counter Hack discussed software integrity and the growth of supply chain, dependency and malicious update attacks in the wake of Sunburst.

Data poisoning has been involved signature-based antivirus in the past. In 2013, Microsoft presented research that someone had uploaded false samples to malware repositories to create signature collisions with system files. That said, there do not appear to be any known data poisoning attacks against artificial intelligence defenses of individual networks.

“You need to understand these models,” said Ulrich. “If you don’t understand what protects you, then you can’t really evaluate the efficacy of these techniques, and these tools.”

Source: ‘Data poisoning’ that leverage machine learning may be the next big attack vector

The app makers have 15 working days to fix issues.

A host of major app developers will have to rethink their data collection habits, at least in China. The South China Morning Post reports that the Chinese government has named and shamed 105 apps for allegedly violating laws and privacy through their data collection and usage. ByteDance caught flak for Douyin, the China-oriented equivalent to TikTok, while Microsoft faced similar accusations for LinkedIn and Bing.

Other prominent examples include the short video app Kuaishou, Baidu's mobile web browser and the streaming music service Kugou.

All the developers have 15 days to fix their claimed privacy violations. We've asked Microsoft for comment.

The crackdown is the latest and most significant after new privacy regulations took effect on May 1st limiting the scope of data collection. The SCMP notes that it's also part of a larger effort to rein in technology companies, particularly Chinese firms. China's government wants to clean up business on its terms — and while this might have positive effects on privacy and competition, it's also prompting companies to make big changes on short notice.

Source: China says TikTok's creator and LinkedIn are violating data privacy laws

Microsoft has released an open source tool that helps defenders simulate attacks used in real world attacks.

Microsoft has released SimuLand, an open-source project which aims to help security teams reproduce known attack scenarios - and test just how good Microsoft's core security products are. 

SimuLand is a set of lab environments that allow researchers to test their Microsoft defenses. The framework can be used by researchers to test and verify the effectiveness of related Microsoft 365 Defender, Azure Defender, and Azure Sentinel detections. 

Microsoft plans to add more attack scenarios in future, but said the aim of the project is to help security teams understand the underlying behavior and functionality of adversary tradecraft, and identify mitigations and attacker paths by documenting preconditions for each attacker action, and thus validate and tune detection capabilities.

Currently, it only includes the environment for "Golden SAML AD FS Mail Access" — an attack on Microsoft's Active Director Federation Services (AD FS) authentication scheme. That's a notable one, which affects Microsoft 365, and something similar was used in conjunction with the Solar Winds software supply chain attack that impacted FireEye and Microsoft.   

The US and UK accused Russian intelligence of the SolarWinds attack. As FireEye explained last month, the hackers stole the token-signing certificate from an organization's AD FS server, which let them bypass MFA and access Microsoft cloud services as if they were an approved user. It took advantage of the design of processes for on-premise AD servers authenticating to cloud-based Microsoft 365 services, such as email.   

According to Microsoft, its tool will allow researchers to "simulate an adversary stealing the AD FS token signing certificate, from an "on-prem" AD FS server, in order to sign SAML token, impersonate a privileged user and eventually collect mail data in a tenant via the Microsoft Graph API."

Microsoft promises that SimuLand will "extend threat research using telemetry and forensic artifacts generated after each simulation exercise."

Future improvements to the project include: 

• A data model to document the simulation steps in a more organized and standardized way.
• A CI/CD pipeline with Azure DevOps to deploy and maintain infrastructure.
• Automation of attack actions in the cloud via Azure Functions.
• Capabilities to export and share telemetry generated with the InfoSec community.
• Microsoft Defender evaluation labs integration.

Azure Sentinel, Microsoft's cloud-based security information and event management (SIEM) system is also in focus. SimuLand will help users map out threats in Sentinel when investigating an attack. 

Source: Microsoft: This new open source tool helps you test your defences again hacker attacks

A massive malware campaign pushed the Java-based STRRAT remote access trojan (RAT), known for its data theft capabilities and the ability to fake ransomware attacks.

In a series of tweets, the Microsoft Security Intelligence team outlined how this "massive email campaign" spread the fake ransomware payloads using compromised email accounts.

The spam emails lured the recipients into opening what looked like PDF attachments but instead were images that downloaded the RAT malware when clicked.

"The emails contained an image that posed as a PDF attachment but, when opened, connected to a malicious domain to download the STRRAT malware," Microsoft said.

"This RAT is infamous for its ransomware-like behavior of appending the file name extension .crimson to files without actually encrypting them."

Image: Microsoft

As the Microsoft Security Intelligence team mentioned in their tweets, the STRRAT malware is designed to fake a ransomware attack while stealing its victims' data in the background.

G DATA malware analyst Karsten Hahn said in June 2020 that the malware infects Windows devices via email campaigns pushing malicious JAR (Java ARchive) packages that deliver the finally RAT payload after going through two stages of VBScript scripts.

STRRAT logs keystrokes, allows its operators to run commands remotely and harvests sensitive information including credentials from email clients and browsers including Firefox, Internet Explorer, Chrome, Foxmail, Outlook, and Thunderbird.

It also provides attackers with remote access to the infected machine by installing the open-source RDP Wrapper Library (RDPWrap), enabling Remote Desktop Host support on compromised Windows systems.

STRRAT infection chain (G DATA)

However, the thing that makes it stand out from other RATs is the ransomware module that doesn't encrypt any of the victims' files but will only append the ".crimson" extension to files.

While this doesn't block access to the files' contents, some victims might still get fooled and, potentially, give in to attackers' ransom demands.

"This might still work for extortion because such files cannot be opened anymore by double-clicking," Hahn said.

"Windows associates the correct program to open files via their extension. If the extension is removed, the files can be opened as usual."

As Microsoft found while analyzing last week's massive STRRAT campaign, the malware developers haven't stopped improving it, adding more obfuscation and expanding its modular architecture.

Nonetheless, the RAT's main functionality remained mostly untouched, as it is still used to steal browser and email client credentials, running remote commands or PowerShell scripts, and logging victims' keystrokes.

Source: Microsoft: Massive malware campaign delivers fake ransomware

It could be one of the biggest ransom payouts to date.

A US insurance company may have paid one of the most expensive malware ransoms to date. According to Bloomberg, CNA Financial shelled out $40 million in late March to regain control of its network following a two-week lockout. To put that payout in perspective, the CEO of the Colonial Pipeline told The Wall Street Journal this week his company paid $4.4 million to hackers. That's a ransomware attack that led to fuel shortages across the US.

"CNA is not commenting on the ransom," a spokesperson for the company told Bloomberg. "CNA followed all laws, regulations and published guidance, including OFAC's 2020 ransomware guidance, in its handling of this matter."

The company fell victim to Phoenix Locker, an offshoot of the Hades ransomware created by infamous Russian cybercrime operation Evil Corp. Some security researchers believe Evil Corp is also behind WastedLocker, the malware linked to last year's Garmin ransomware attack. In 2019, the US Treasury Department sanctioned the group for its activities. It's unclear if Phoenix, the group behind the CNA attack, is affiliated with Evil Corp.

Ransomware attacks have become increasingly common and disruptive in recent years. In April and March, the REvil ransomware gang demanded $50 million from Apple supplier Quanta and Acer. Even Cyberpunk 2077 developer CD Projekt Red had to deal with a lockout, which led to a delay in the game's second major patch coming out.

Source: CNA Financial reportedly paid $40 million to resolve a ransomware attack

On Wednesday, Craig Federighi testified in the Epic Games v. Apple trial. Presented with the fact that users are not locked into getting software from the App Store on macOS, he was asked why iOS did not follow the same model. Protocol notes, Federighi admitted that macOS is not perfect and currently has a problem with malware that Apple finds unacceptable.

"Today, we have a level of malware on the Mac that we don't find acceptable," explained Federighi, Apple's senior vice president of software engineering. "If you took Mac security techniques and applied them to the iOS ecosystem, with all those devices, all that value, it would get run over to a degree dramatically worse than is already happening on the Mac."

For years, Apple has bragged about Macs being more secure than Windows, so it appeared Federighi was throwing Mac security under the bus. However, he added that Apple's bar for protection against malware is much higher and that macOS is still more secure than Windows.

Federighi also pointed out that there is less than one-tenth the number of macOS users compared to iOS. Having that many devices out in the wild makes iOS a much more tempting target for malware.

How much, if any, damage Federighi's testimony has done to Apple's case remains to be seen. Epic's attack foundation is that since Apple allows Mac users to download from outside the App Store, it should allow iPhone users the same freedom.

From a legal standpoint, making yourself or your company look foolish is not grounds enough to rule in favor. Federighi's reasoning for not mimicking the macOS platform on the iPhone still refutes Epic's argument. As far as the judge is concerned, the question is not whether Apple is left with egg on its face, but whether or not allowing sideloading on iOS will help or harm the consumer.

Source

Apple is still a corporation at the end of the day, and it's not as if they never do anything anti-consumer (right to repair, anyone?). But where privacy is concerned, iPhones are often the better option than much of the competition (not taking into account any other key considerations like price, value, hardware configuration, or customizability).

That point was hammered home recently with the launch of Apple's long-awaited App Tracking Transparency feature for iOS 14.5. The tool allows users to block apps from tracking them if they so desire, and it has already been enabled by a whopping 96 percent of users if recent analytics are to be believed.

As you'd expect, Apple is pretty proud of the functionality's success, and has decided to make the feature a focal point of its latest ad, aptly called "Tracked" -- see that above.

Throughout the ad, the user gathers more and more stalkers (trackers), each more invasive than the last. They dig through his personal belongings at home, swipe copies of his financial documents and stare over his shoulder at his phone screen. Earlier in the video, a barista even forces his way into the user's taxi.

In the end, our protagonist denies data collection permissions, and all of the stalkers evaporate on the spot. It's an amusing, relatable, and remarkably well-directed ad, so we recommend giving it a watch if you haven't already -- even if you aren't an Apple fan.

Source

• ‘TeamTNT’ is using a new harvester that targets a wide spectrum of cloud services and software apps.
• The actors are still targeting Monero wallets and configuration files and are still DDoSing some victims.
• The hacking group that started as an opportunistic actor is now evolving into a serious threat.

‘TeamTNT,’ the hacking group that was mostly occupied with disseminating XMR cryptominers on exposed Dockers last year, is now targeting cloud service credentials. This change in activity was first noticed and reported by researchers at TrendMicro at the beginning of March, and now, the same team has sampled and analyzed a new credential harvester used by the threat actors.

The intruders deploy a rich repertoire to access the network, including the exploitation of vulnerabilities, using stolen passwords or taking advantage of the existence of misconfigurations. From there, they focus on a range of system types depending on what they can find, then perform network reconnaissance, and finally deploy their new credential harvester.

This malware helps TeamTNT steal user IDs and passwords from the following software and services:

• Google Cloud
• Cloudflare
• Amazon Web Services
• Shodan
• Docker
• SSH
• Git
• FileZilla
• Jupyter
• Monero wallet
• SMB clients
• WebDAV
• Ngrok2
• HexChat
• Pidgin
• PostgreSQL

Source: TrendMicro

So, why is TeamTNT interested in stealing cloud service and software app credentials? One very probable reason would be to engage in planting XMR cryptominers in places where they are unlikely to be found and uprooted before making significant amounts of money for the actors. Another would be to resell these credentials to ransomware groups on the dark web. And a third would be to exfiltrate data from cloud-hosted databases and then sell them to phishing actors and scammers.

Source: TrendMicro

TrendMicro points out that the malware actively looks for Monero configuration files and any accessible wallets, so the anonymous crypto remains a key motivation for the actors, or at least that’s what it looks like. When the malware reaches the end of its routine, it attempts to delete itself from the infected system. Still, according to the analysts, this function isn’t implemented properly yet, so it fails.

One more thing to note is that TeamTNT also engages in DDoS attacks once inside a network, as long as they have some form of an RCE to execute it. This is happening through a special IRC bot called ‘TNTbotinger.’ DDoS attacks can help the actors draw the attention of response teams elsewhere, slow down malware detection and clean-up efforts, or even aid extortion efforts.

In general, TeamTNT has evolved into a significant and wide-scope threat now. Their new harvester is an indication that the particular malware authors are serious about their operation and care to take things to the next level.

Source: ‘TeamTNT’ Has a New Credential Harvester Targeting Cloud Services on the Loose

According to info provided by Google's Project Zero team, four Android security vulnerabilities were exploited in the wild as zero-day bugs before being patched earlier this month.

Attacks attempting to exploit these flaws were targeted and impacted a limited number of users based on information shared after this month's Android security updates were published.

"There are indications that CVE-2021-1905, CVE-2021-1906, CVE-2021-28663 and CVE-2021-28664 may be under limited, targeted exploitation," a recently updated version of the May 2021 Android Security Bulletin reveals.

For 2021, we've surpassed the number of 0-days detected in-the-wild in all of 2020. That's great!https://t.co/o4F74b68Fh

— Maddie Stone (@maddiestone) May 19, 2021

The four Android vulnerabilities impact Qualcomm GPU and Arm Mali GPU Driver components.

Qualcomm and Arm have published further details on each vulnerability via security advisories issued separately [1, 2].

Android users are recommended to install this month's security updates as soon as possible if they are impacted by these issues.

This month's Android security updates also include patches for critical vulnerabilities in the System component that could be exploited by remote attackers using specially crafted files to execute arbitrary malicious code within the context of a privileged process.

Regrettably, users who haven't switched to new devices that still receive monthly security updates might not be able to install these patches.

To put things into perspective, more than 9% of all Android devices are still running Android 8.1 Oreo (released in December 2017), and roughly 19%  Android Pie 9.0 (released in August 2018), according to StatCounter data.

In December, Qualcomm also addressed a high severity security vulnerability in Mobile Station Modem (MSM) chips (including the latest 5G-capable versions) that could allow attackers to access smartphone users' text messages, call history, and listen in on their conversations.

Last year, Qualcomm fixed more vulnerabilities impacting the Snapdragon chip Digital Signal Processor (DSP) chip and enabling attackers to take control of smartphones without user interaction and create unremovable malware that can evade detection.

Other bugs that could allow decrypting some WPA2-encrypted wireless network packets, accessing critical data, and two flaws in the Snapdragon SoC WLAN firmware allowing over the air compromise of the modem and the Android kernel were also patched during the last two years.

Source: May Android security updates patch 4 zero-days exploited in the wild

Last week, in a submission to parliament regarding the proposed powers, ACIC made an inaccurate and concerning claim about privacy and information security. ACIC claimed "there is no legitimate reason for a law-abiding member of the community to own or use an encrypted communication platform."

Encrypted communication platforms, including WhatsApp, Signal, Facetime and iMessage, are in common use, allowing users to send messages that can only be read by the intended recipients. There are many legitimate reasons law-abiding people may use them. And surveillance systems, no matter how well-intentioned, may have negative effects and be used for different purposes or by different people than those they were designed for.

How surveillance can go wrong

Surveillance systems often produce unintended effects.

In 1849, the authorities at Tasmania's Port Arthur penal colony built the Separate Prison, intended as a humane and enlightened method of imprisonment. Based on the ideas of Jeremy Bentham's Panopticon, the design emphasized constant surveillance and psychological control rather than corporal punishment. However, many inmates suffered serious psychological problems resulting from the lack of normal communication with others.

From 2006 onwards, Facebook developed a privacy-invading apparatus intended to facilitate making money through targeted advertising. Facebook's system has since been abused by Cambridge Analytica and others for political manipulation, with disastrous consequences for some democracies.

In 2018, Australia's parliament passed the Telecommunications and Other Legislation Amendment (Assistance and Access) Act, with the ostensible purpose of helping police to catch terrorists, pedophiles and other serious criminals. The act gave the Australian Federal Police powers to "add, copy, delete or alter" material on computers. These powers were used the following year to raid the Australian Broadcasting Corporation in connection with a story on alleged war crimes in Afghanistan.

These examples demonstrate two facts about security and surveillance. First, surveillance may be used by people of any moral character. Second, a surveillance mechanism may be used by different people, or may achieve a completely different effect, from its original design.

We therefore need to consider what avoiding, undermining or even outlawing the use of encrypted platforms would mean for law-abiding members of the community.

Encryption limits the power of security agencies

There are already laws that decide who is allowed to listen to communications taking place over a telecommunications network. While such communications are generally protected, law enforcement and national security agencies can be authorized to intercept them.

However, where communications are encrypted, agencies will not automatically be able to retrieve the content of the conversations they intercept. The Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018 was passed to enable agencies to get assistance to try to maintain their ability to get access to the (unencrypted) content of communications. For example, they can ask that one or more forms of electronic protection be removed.

There are also federal, state and territory laws that can require people to assist law enforcement and national security agencies in accessing (unencrypted) data. There are also numerous proposals to clarify these laws, extend state powers and even to prevent the use of encryption in certain circumstances.

More surveillance power is not always better

While people may hold different views on particular proposals about state powers and encryption, there are some things on which we should all be able to agree.

First, facts matter. If the ACIC is wrong about lawful uses of encryption, its assertion should be withdrawn or discounted.

Second, people need both security and privacy. In fact, privacy can facilitate security (the more people know about you, the easier it is to trick you, track you and/or harm you).

Third, law enforcement and national security agencies need some surveillance powers to do their jobs. Most of the time, this contributes to the social good of public safety.

Fourth, more is not necessarily better when it comes to surveillance powers. We must ask what purpose the powers serve, whether they are reasonably necessary for achieving that purpose, whether they are likely to achieve the purpose, what negative consequences might result, and whether the powers are proportionate.

Lawful use of encrypted communication is common

We can only develop good policy in this area if we have the facts on lawful uses of encryption.

There are many good reasons for law-abiding citizens to use end-to-end encrypted communication platforms. Parents may send photos or videos of their children to trusted friends or relatives, but prefer not to share them with third parties. The explosion of telehealth during the COVID-19 pandemic has led many patients to clarify that they do not want their consultation with their doctor to be shared with an intermediary such as Facebook or Google (or Huawei or WeChat).

Even the New South Wales iVote online voting system—hardly a standout example of excessive security given that it contained a defect that potentially allowed vote manipulation to take place—advertises the use of end-to-end encryption to protect the privacy of votes in transit. The necessity of privacy to protect a citizen's right to vote without coercion is one of the oldest examples of legal privacy requirements.

Undermining encryption will hurt legitimate users

As law-abiding citizens do have legitimate reasons to rely on end-to-end encryption, we should develop laws and policies around government surveillance accordingly. Any legislation that undermines information security across the board will have an impact on lawful users as well as criminals.

There will likely be significant disagreement in the community about where to go from there. But we have to get the facts right first.

We should not consider legislation to deliberately undermine the communications security of all individuals without acknowledging the potential harm this could cause to law-abiding citizens.

Source

Every hour, a threat actor starts a new scan on the public web for vulnerable systems, moving at a quicker pace than global enterprises when trying to identify serious vulnerabilities on their networks.

The adversaries’ efforts increase significantly when critical vulnerabilities emerge, with new internet-wide scans happening within minutes from the disclosure.

Mind the gap

Attackers are tireless in their quest for new victims and strive to win the race to patched vulnerable systems. While companies strive to identify issues on their networks before it’s too late, they move at a much lower rate.

The data comes from the Palo Alto Networks Cortex Xpanse research team, who between January and March this year monitored scans from 50 million IP addresses of 50 global enterprises, some of them in Fortune 500.

The researchers found that companies take an average of 12 hours to find a new, serious vulnerability. Almost a third of all identified issues related to the Remote Desktop Protocol, a common target for ransomware actors as they can use it to gain admin access to servers.

Misconfigured database servers, zero-day vulnerabilities in critical products from vendors like Microsoft and F5, and insecure remote access (Telnet, SNMP, VNC) complete the list of high-priority flaws.

According to Palo Alto Networks, companies identified one such issue every 12 hours, in stark contrast with the threat actors’ mean time to inventory of just one hour.

In some cases, though, adversaries increased the scan frequency to 15 minutes when news emerged about a remotely exploitable, critical bug in a networking device; and the rate dropped to five minutes after the disclosure of the ProxyLogon bugs in Microsoft Exchange Server and Outlook Web Access (OWA) issues.

Palo Alto Networks recommends security teams look at the following list of services and systems to limit the attack surface.

The researchers note that they compiled the list based on two principles: certain things should not be exposed to the public web (bad protocols, admin portals, VPNs) and secure assets may become vulnerable over time.

1. Remote access services (e.g., RDP, VNC, TeamViewer)
2. Insecure file sharing/exchange services (e.g., SMB, NetBIOS)
3. Unpatched systems vulnerable to public exploit and end-of-life (EOL) systems
4. IT admin system portals 5. Sensitive business operation applications (e.g., Jenkins, Grafana, Tableau)
5. Unencrypted logins and text protocols (e.g., Telnet, SMTP, FTP)
6. Directly exposed Internet of Things (IoT) devices
7. Weak and insecure/deprecated crypto
8. Exposed development infrastructure
9. Insecure or abandoned marketing portals (which tend to run on Adobe Flash)

Why companies fall behind

One explanation for this lag in identifying the risks on the network is a faulty vulnerability management process relying on a database of known vulnerabilities.

The scanners using this database won’t find new issues until the database receives an update, which may come with a delay of hours, or even days. Furthermore, scanners don’t see all devices on the network.

At the other end, attackers take advantage of the cheap cloud computing power that enables them to run internet-wide scans.

Currently, scanning the internet is no longer restricted to well-funded actors. Cloud technology made it possible to set up infrastructure that can “talk” over one port-protocol pair with every device on the public face of the web in just 45 minutes.

Source: Hackers scan for vulnerable devices minutes after bug disclosure