Zyxel 0day Affects its Firewall Products, Too

On Monday, networking hardware maker Zyxel released security updates to plug a critical security hole in its network attached storage (NAS) devices that is being actively exploited by crooks who specialize in deploying ransomware. Today, Zyxel acknowledged the same flaw is present in many of its firewall products.

This week’s story on the Zyxel patch was prompted by the discovery that exploit code for attacking the flaw was being sold in the cybercrime underground for $20,000. Alex Holden, the security expert who first spotted the code for sale, said at the time the vulnerability was so “stupid” and easy to exploit that he wouldn’t be surprised to find other Zyxel products were similarly affected.

Now it appears Holden’s hunch was dead-on.

“We’ve now completed the investigation of all Zyxel products and found that firewall products running specific firmware versions are also vulnerable,” Zyxel wrote in an email to KrebsOnSecurity. “Hotfixes have been released immediately, and the standard firmware patches will be released in March.”

The updated security advisory from Zyxel states the exploit works against its UTM, ATP, and VPN firewalls running firmware version ZLD V4.35 Patch 0 through ZLD V4.35 Patch 2, and that those with firmware versions before ZLD V4.35 Patch 0 are not affected.
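A quick way to triage a fleet against the range quoted above is to parse the firmware string into a (major, minor, patch) tuple and compare it against the advisory's bounds. The Python below is an added example written for this page, not Zyxel's code: it assumes firmware strings appear in the advisory's own form ("ZLD V4.35 Patch 2"), treats anything it cannot parse as unknown rather than safe, and treats builds newer than the listed range as needing a look at the current advisory, because the article only says which builds are vulnerable and that older builds are not affected. The inventory at the bottom is constructed for the example.

```python
import re
from typing import Dict, NamedTuple, Optional


class ZldVersion(NamedTuple):
    major: int
    minor: int
    patch: int


# Matches the form used in the advisory, e.g. "ZLD V4.35 Patch 2"; the "ZLD" prefix is optional.
_ZLD_RE = re.compile(r"(?:ZLD\s*)?V?(\d+)\.(\d+)\s*Patch\s*(\d+)", re.IGNORECASE)

# Range quoted from the advisory: ZLD V4.35 Patch 0 through ZLD V4.35 Patch 2, inclusive.
AFFECTED_FROM = ZldVersion(4, 35, 0)
AFFECTED_TO = ZldVersion(4, 35, 2)


def parse_zld(version: str) -> Optional[ZldVersion]:
    """Parse a ZLD firmware string; None if it is not in the advisory's format."""
    m = _ZLD_RE.search(version)
    if not m:
        return None
    return ZldVersion(int(m.group(1)), int(m.group(2)), int(m.group(3)))


def firewall_status(version: str) -> str:
    """Classify one firmware string against the advisory's affected range."""
    v = parse_zld(version)
    if v is None:
        return "unknown"            # unparseable: do not assume safe, go and look at the box
    if v < AFFECTED_FROM:
        return "not-affected"       # advisory: builds before 4.35 Patch 0 are not affected
    if v <= AFFECTED_TO:
        return "vulnerable"         # apply the hotfix now; patched firmware is due in March
    return "outside-listed-range"   # newer than the listed range; confirm against the current advisory


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each device in {name: firmware string} to its status."""
    return {name: firewall_status(fw) for name, fw in inventory.items()}


# Constructed inventory for the example, not real devices.
SAMPLE_INVENTORY = {
    "branch-usg": "ZLD V4.35 Patch 1",
    "hq-atp": "ZLD V4.34 Patch 3",
    "lab-vpn": "V4.35 Patch 3",
    "legacy": "unknown firmware",
}

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```

The tuple comparison is what makes "4.34 Patch 9" sort below "4.35 Patch 0" correctly; a naive string compare would not.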

Zyxel’s new advisory suggests that some affected firewall products won’t be getting hotfixes or patches for this flaw: the affected products listed in the advisory are only those that are “within their warranty support period.”

Indeed, while the exploit also works against more than a dozen of Zyxel’s NAS product lines, the company only released updates for NAS products that were newer than 2016. Its advice for those still using those unsupported NAS devices? “Do not leave the product directly exposed to the internet. If possible, connect it to a security router or firewall for additional protection.”

Hopefully, your vulnerable, unsupported Zyxel NAS isn’t being protected by a vulnerable, unsupported Zyxel firewall product.

CERT’s advisory on the flaw rates this vulnerability at a “10” — its most severe. My advice? If you can’t patch it, pitch it. The zero-day sales thread first flagged by Holden also hinted at the presence of post-authentication exploits in many Zyxel products, but the company did not address those claims in its security advisories.

Recent activity suggests that attackers known for deploying ransomware have been actively working to test the zero-day for use against targets. Holden said the exploit is now being used by a group of bad guys who are seeking to fold the exploit into Emotet, a powerful malware tool typically disseminated via spam that is frequently used to seed a target with malcode which holds the victim’s files for ransom.

“To me, a 0day exploit in Zyxel is not as scary as who bought it,” he said. “The Emotet guys have been historically targeting PCs, laptops and servers, but their venture now into IoT devices is very disturbing.”

CircleCI-AWS GovCloud partnership aims to bring modern development to US government

Much like private businesses, the United States government is in the process of moving workloads to the cloud, and facing a similar set of challenges. Today, CircleCI, the continuous delivery developer service, announced a partnership with AWS GovCloud to help federal government entities using AWS’s government platform to modernize their applications development workflows.

“What this means is that it allows us to run our server offering, which is our on-prem offering, and our government customers can run that on dedicated pure cloud resource [on AWS GovCloud],” CircleCI CEO Jim Rose told TechCrunch.

GovCloud is a dedicated, single-tenant cloud platform that lets government entities build FedRAMP-compliant secure cloud solutions (other cloud vendors have similar offerings). FedRAMP is a set of government cloud security standards every cloud vendor has to meet to work with the federal government.

CircleCI builds modern continuous delivery/continuous integration (CI/CD) pipelines for development teams pushing changes to the application in a rapid change cycle.

“What GovCloud allows us to do is now provide that same level of security and service for government customers that wanted us to do so in an on prem environment in a dedicated single tenant environment [in the cloud],” Rose explained.

While there are a number of steps involved in building cloud applications, Rose said they are sticking to their core strength around building continuous delivery pipelines. As he says, if you have a legacy mainframe application that changes once every year or two, using CircleCI wouldn’t make sense, but as you begin to modernize, that’s where his company could help.

“[CircleCi comes into play] when you get into more modern cloud applications that are changing in some cases hundreds of times a day, and the sources of change for those applications is getting really diverse and managing that is becoming more complex,” Rose said.

This partnership could involve working directly with an agency, as it has done with the Small Business Administration (SBA), or it might involve a systems integrator, or even AWS, inviting them to be part of a larger RFP.

Rose says he realizes that working with the government can sometimes be controversial. Companies from Chef to Salesforce to Google have run afoul of employees who don’t want to work with certain agencies like DoD or ICE. He says his company has tended to focus on areas where agencies are looking to improve citizen interactions and has steered away from other areas.

“From our perspective, given that we’re not super involved in a lot of those areas, but we want to get in front of it, both commercially, as well as on the government side, and determine what falls within the fence line and what’s outside of it,” he said.

Salesforce co-CEO Keith Block steps down

Salesforce today announced that Keith Block, the company’s co-CEO, is stepping down. This leaves company founder Marc Benioff as the sole CEO and chair of the CRM juggernaut. Block’s bio has already been wiped from Salesforce’s leadership page.

Block stepped into the co-CEO role in 2018, after a long career at the company that saw him become vice chairman, president and director before he took this position. Block spent the early years of his career at Oracle. He left there in 2012 after the release of a number of documents in which he criticized then-Oracle CEO Mark Hurd, who passed away last year.

Industry pundits saw his elevation to the co-CEO role as a sign that Block was next in line as the company’s sole CEO in the future (assuming Benioff would ever step down). After this short tenure as co-CEO, it doesn’t look like that will be the case, but for the time being, Block will stay on as an advisor to Benioff.

“It’s been my greatest honor to lead the team with Marc [Benioff] that has more than quadrupled Salesforce from $4 billion of revenue when I joined in 2013 to over $17 billion last year,” said Block in a canned statement that was surely not written by the Salesforce PR team. “We are now a global enterprise company, focused on industries, and have an ecosystem that is the envy of the industry, and I’m so grateful to our employees, customers, and partners. After a fantastic run I am ready for my next chapter and will stay close to the company as an advisor. Being side-by-side with Marc has been amazing and I’m forever grateful for our friendship and proud of the trajectory the company is on.”

In related news, the company also today announced that it has named former BT Group CEO Gavin Patterson as its president and CEO of Salesforce International.

HP offers its investors billions in shareholder returns to avoid a Xerox tie-up

To ward off a hostile takeover bid by Xerox, which is a much smaller company, HP (not to be confused with Hewlett Packard Enterprise, a separate public company) is promising its investors billions and billions of dollars.

All investors have to do to get the goods is reject the Xerox deal.

In a letter to investors, HP called Xerox’s offer a “flawed value exchange” that would lead to an “irresponsible capital structure” that was being sold on “overstated synergies.” Here’s what HP is promising its owners if they do allow it to stay independent:

  • About $16 billion worth of “capital return” between its fiscal 2020 and fiscal 2022 (HP’s Q1 fiscal 2020 wrapped January 31, 2020, for reference). According to the company, the figure “represents approximately 50% of HP’s current market capitalization.” TechCrunch rates that as true, before the company’s share-price gains posted after this news became known.
  • That capital return would be made up of a few things, including boosting the company’s share repurchase program to $15 billion (up from $5 billion, previously). More specifically, HP intends to “repurchase of at least $8 billion of HP shares over 12 months” after its fiscal 2020 meeting. The company also intends to raise its “target long-term return of capital to 100% of free cash flow generation,” allowing for the share purchases and a rising dividend payout (“HP intends to maintain dividend per share growth at least in line with earnings.”)

If all that read like a foreign language, let’s untangle it a bit. What HP is telling investors is that it intends to use all of the cash it generates to reward their ownership of shares in its business. This will come in the form of buybacks (concentrating future earnings on fewer shares, raising the value of held equity) and dividends (rising payouts to owners as HP itself makes more money), powered in part by cost-cutting (boosting cash generation and profitability).

HP is saying, in effect: Please do not sell us to Xerox; if you do not, we will do all that we can to make you money. 

Shares of HP are up 6% as of the time of writing, raising the value of HP’s consumer-focused spinout to just under $34 billion. We’ll see what investors choose for the company. But now, how did we get here?

The road to today

You may ask yourself, how did we get here (to paraphrase Talking Heads). It all began last fall when Xerox made it known that it wanted to merge with HP, offering in the range of $27 billion to buy the much larger company. As we wrote at the time:

What’s odd about this particular deal is that HP is the company with a much larger market cap of $29 billion, while Xerox is just a tad over $8 billion. The canary is eating the cat here.

HP never liked the idea of the hostile takeover attempt and the gloves quickly came off as the two companies wrangled publicly with one another, culminating with HP’s board unanimously rejecting Xerox’s offer. It called the financial underpinnings of the deal “highly conditional and uncertain.” HP also was unhappy with the aggressive nature of the offer, writing that Xerox was, “intent on forcing a potential combination on opportunistic terms and without providing adequate information.”

Just one day later, Xerox responded, saying it would take the bid directly to HP shareholders in an attempt to bypass the board of directors, writing in yet another public letter, “We plan to engage directly with HP shareholders to solicit their support in urging the HP Board to do the right thing and pursue this compelling opportunity.”

In January, the shenanigans continued when Xerox announced it was putting forth a friendly slate of candidates for the HP board to replace the ones that had rejected the earlier Xerox offer. And more recently, in an attempt to convince shareholders to vote in favor of the deal, Xerox sweetened the deal to $34 billion or $24 a share.

Xerox wrote that it had ongoing conversations with large HP shareholders, and this might have gotten HP’s attention, hence its latest move to make shareholders an offer that would be hard to refuse. HP’s next shareholder meeting is taking place in April, when we will finally learn the outcome.

What is Hacktivism? And Why Should Enterprise Care?

Only a few years ago, the antics of hacktivists regularly populated media headlines with grand stunts and ominous threats, defacing websites, knocking global brands offline and leaking data belonging to multinational, multi-billion-dollar corporations. Hacktivists styled themselves as “rebels with a cause” while media headlines typically portrayed them as juvenile script kiddies or malcontents with nothing but mischief on their minds. About the only thing both sides largely agreed on was that hacktivists were collectives acting out of some sense – either noble or misguided (delete as appropriate) – of wider purpose or shared ideology, rather than committing cybercrimes merely for the sake of selfish financial gain like typical cybercriminals.

Today, hacktivists and hacktivism rarely make the news headlines at all. So what happened to them? Are they still a threat to organizations or has their time been and gone? In this post, we take a look at hacktivism from its origins to the present day, discuss its motivations and explain why hacktivist groups should still be on your threat assessment radar.

What is Hacktivism? Who Are These “Hacktivists”?

Merriam-Webster dictionary defines Hacktivism as “computer hacking (as by infiltration and disruption of a network or website) done to further the goals of political or social activism”.

The term “Hacktivism” was coined in the early 90s by the (in)famous hacker collective, Cult of the Dead Cow. As the word suggests, Hacktivism is a means of collective political or social activism manifest through hacking computers and networks. Hacktivism began as a sub-culture of hacking, gaming and web communities, and allowed technically-inclined individuals to use the connectivity and anonymity of the web to join together with others and operate towards common causes. As such, hacktivists were originally mostly young males who enjoyed surfing the web, visiting forums and newsgroups, sharing information on illegal download sites, chatting in “private rooms” and colluding with like-minded drifters of the net.

The net granted them the opportunity to use any alias they wanted, and using that persona they engaged in joint adventures from pursuing pornographic materials, sharing pirated copies of desired software, pranks and sometimes illegal activities – mostly aimed at “The establishment”. Some of the more widely known groups to have caught public attention connected with Hacktivism are Anonymous, LulzSec, and the Syrian Electronic Army.

Here we come to the second trait of the hacktivists – the desire to “fight” against a common enemy. When the world became more connected, these individuals realized that they could act (with minimal personal risk) against others. But these activities (which soon became known as “Operations” or “Ops”) required more than a handful of online friends. They required an army. So the final ingredient of hacktivism was born – the “Legion”. The new narrative, created over a period of two decades, was that of an underground, faceless army fighting together as a collective to break the chains of the old world.  

What Do Hacktivists Want?

One of the defining characteristics of a hacktivist group is that they are united around some ideology, principle or cause. These can range from political, religious, regional, personal and even anarchist. Perhaps the first hacktivist ‘op’ occurred back in 1989, when, according to Julian Assange, US Department of Energy and NASA computers were penetrated by the anti-nuclear WANK (Worms Against Nuclear Killers) worm. This might have been the first recorded incident, but it was not widely reported and went mostly unnoticed by the public at large.

A later incident that occurred in 1994 received much more attention. A group of British activists protested against an “Anti-Rave” law by launching a DDoS attack against British Government websites. The protesters argued that the law was an infringement of people’s basic human rights. 

The following year, Italian protesters engaged in electronic civil disobedience with the first Netstrike, a precursor to automated DDoS attacks in which individuals repeatedly clicked on a government website link in an attempt to overload the server, again as a protest against nuclear weapons. At the time it was described as a form of ‘virtual protest’, as the term ‘Hacktivist’ was not yet widely in use.

Further hacktivist activities happened throughout the 90s and the first decade of the new millennium, but hacktivism only achieved widespread public attention in the later years of that decade.

The Rise and Fall of Anonymous

By that time, the internet was vastly different than before, in ways that made it possible for hacktivism to leave its mark. Now, major commercial activities were taking place online, governments all over the world were also offering their services online, and millions of users were populating social media sites, YouTube, Reddit, 4chan and others: these communities were all ripe for recruiting people willing to participate in collective, hacktivist campaigns. 

In the early 2000s, one such collective, known as Anonymous, came to define and symbolize the hacktivist movement for a generation. Originating out of 4chan and famous for its use of the Guy Fawkes mask, Anonymous conducted high profile operations against well known “targets” such as the Church of Scientology, Amazon, PayPal, Visa, Mastercard and multiple government sites, including the CIA. Starting in 2011, Anonymous also became affiliated with political struggles such as the “Arab Spring”. 

But like any global movement without any clear structure or ideology, it started to disintegrate into local factions who often fought between themselves. In addition, law-enforcement agencies stepped up their efforts to unmask and prosecute the hacktivists, leading to the arrest of some prominent members of the community, which in turn crippled Anonymous’ ability to organize and execute large-scale attacks.  

Hacktivism Today

If media headlines are anything to go by, it might seem that the hacktivism heyday is over. Recorded Future, which monitors hacktivist activity, recently reported that it had been tracking 28 active hacktivist groups in 2016 but now is only tracking 7 such groups. 

But the headlines don’t quite paint the whole picture. Remnants of Anonymous, as well as hacktivist groups Ghost Squad Hackers, the Sudan Cyber Army and others have been active recently in political events in Sudan and attacks on the Sudanese Ministry of Defense, for instance. Meanwhile, Anonymous also made threats against both the Ecuadorian and U.K. governments over the eviction of Julian Assange from Ecuador’s London embassy and his subsequent arrest in 2019. The Ecuadorian government claimed that over 40 million cyberattacks had been launched against government institutions in the wake of Assange’s eviction and arrest.

More recently, hacktivist group Lizard Squad was responsible for an attack on the U.K.’s Labour party during the country’s general election last December. The botnet-powered DDoS attack targeted the then-leader of the party, Jeremy Corbyn, as well as his party’s websites. The group promised more attacks on both government and Labour party websites should Labour win the election (something they failed to do). In the past, Lizard Squad had claimed responsibility for attacks on Sony, Microsoft’s Xbox and even Taylor Swift, but this was its first known outing for some years. According to one report, the group may have turned to financially motivated crime in the interim, quietly building and hiring out its botnet in a DDoS-for-hire service.

More concerning is that hacktivism just might be taking a much more sinister turn right in front of our eyes. It seems that hacktivism is now being used in ‘false flag’ or covert operations, as nations exchange virtual blows without taking responsibility by means of supposedly “volunteer” hacktivist groups. For instance, in a recent skirmish between Turkish and Greek hacktivists, there were numerous DDoS attacks from both sides. However, the tenacity of the attacks hints that there might be more at play here than mere script kiddies using makeshift tools. 

Following the initial attack and counter-attack (which disabled Turkey’s internet infrastructure for several hours), Turkish hackers unleashed an attack on at least 30 entities, including government ministries, embassies and security services as well as corporations in multiple locations, among them Cyprus, Greece and Iraq. According to Reuters, the target selection hints at the involvement of the Turkish government. This pattern has been utilized around the world by nations such as China, Iran, and Russia – all notorious for operating “non-official” proxies for political goals.

It is likely that hacktivist groups affiliated with certain nations will continue to flourish and may even be given tools, funds and training to allow them to operate in a semi-independent way (as long as they please their masters).

Why Should Enterprise Care About Hacktivism?

Enterprises have enough threat actors to worry about as it is, so are hacktivists really something they need to be concerned about today? 

Hacktivists have been known for attacking enterprises who appeared to them as engaging in activities that were anathema to their ideology, such as Visa refusing to process donations made for Julian Assange, and subsequently being attacked in Operation Payback, as well as the aforementioned attacks on Sony and Microsoft. 

More commonly, enterprises are hit as collateral damage. They can suffer from general disruptions (like nationwide internet service outages), specific denial of service attacks, defacement attacks and attempts to identify and steal sensitive information. 

The rule of thumb is that enterprises and organizations who are closely affiliated with a nation (such as a national bank, or an enterprise named after the said country) are more likely to be attacked. It is true that most of these attacks can be categorized as nuisance, but even short-term website defacement can cause reputation damage, and business disruption through large-scale DDoS attacks and data leaks can even cause actual financial harm. 

Conclusion

As the line between ‘hacktivists’ and state-sponsored APTs starts to blur, and as low cost malware and ransomware-as-a-service (RaaS) options continue to increase in availability, more serious cyber attacks from hacktivists utilising such cyber weapons should be considered as a possibility in your threat assessment. Therefore, it is a good idea to consume threat intelligence covering the latest hacktivist trends and prepare accordingly. 

If you would like to see how SentinelOne can help protect your organization against all kinds of threat actors including hacktivists, please contact us for more information or request a free demo.


Databricks makes bringing data into its ‘lakehouse’ easier

Databricks today announced the launch of its new Data Ingestion Network of partners and the launch of its Databricks Ingest service. The idea here is to make it easier for businesses to combine the best of data warehouses and data lakes into a single platform — a concept Databricks likes to call “lakehouse.”

At the core of the company’s lakehouse is Delta Lake, Databricks’ Linux Foundation-managed open-source project that brings a new storage layer to data lakes that helps users manage the lifecycle of their data and ensures data quality through schema enforcement, log records and more. Databricks users can now work with the first five partners in the Ingestion Network — Fivetran, Qlik, Infoworks, StreamSets, Syncsort — to automatically load their data into Delta Lake. To ingest data from these partners, Databricks customers don’t have to set up any triggers or schedules — instead, data automatically flows into Delta Lake.

“Until now, companies have been forced to split up their data into traditional structured data and big data, and use them separately for BI and ML use cases. This results in siloed data in data lakes and data warehouses, slow processing and partial results that are too delayed or too incomplete to be effectively utilized,” says Ali Ghodsi, co-founder and CEO of Databricks. “This is one of the many drivers behind the shift to a Lakehouse paradigm, which aspires to combine the reliability of data warehouses with the scale of data lakes to support every kind of use case. In order for this architecture to work well, it needs to be easy for every type of data to be pulled in. Databricks Ingest is an important step in making that possible.”

Databricks VP of Product Marketing Bharath Gowda also tells me that this will make it easier for businesses to perform analytics on their most recent data and hence be more responsive when new information comes in. He also noted that users will be able to better leverage their structured and unstructured data for building better machine learning models, as well as to perform more traditional analytics on all of their data instead of just a small slice that’s available in their data warehouse.

Lightspeed leads Laiye’s $42M round to bet on Chinese enterprise IT

Laiye, a Chinese startup that offers robotic process automation services to several major tech firms in the nation and government agencies, has raised $42 million in a new funding round as it looks to scale its business.

The new financing round, Series C, was co-led by Lightspeed Venture Partners and Lightspeed China Partners. Cathay Innovation, which led the startup’s Series B+ round and Wu Capital, which led the Series B round, also participated in the new round.

China has been the hub for some of the cheapest labor in the world. But in recent years, a number of companies and government agencies have started to improve their efficiency with the help of technology.

That’s where Laiye comes into play. Robotic process automation (RPA) allows software to mimic several human behaviors such as keyboard strokes and mouse clicks.

“For instance, a number of banks did not previously offer APIs, so humans had to sign in and fetch the data and then feed it into some other software. Processes like these could be automated by our platform,” said Arvid Wang, co-founder and co-chief executive of Laiye, in an interview with TechCrunch.

The four-and-a-half-year-old startup, which has raised more than $100 million to date, will use the fresh capital to hire talent from across the globe and expand its services. “We believe robotic process automation will achieve its full potential when it combines AI and the best human talent,” he said.

Laiye’s announcement today comes as the market for robotic process automation is still at a nascent stage in China. There are a handful of startups looking into this space, but Laiye, which counts Microsoft as an investor, and Sequoia-backed UiPath are the two clear leaders in the market.

As my colleague Rita Liao wrote last year, it was only recently that some entrepreneurs and investors in China started to shift their attention from consumer-facing products to business applications.

Globally, RPA has emerged as the fastest-growing market in the enterprise software space. A Gartner report found last year that the RPA market grew over 63% in 2018. Recent surveys have shown that most enterprises in China today are also interested in expanding their RPA projects and AI capabilities.

Laiye today has more than 200 partners and more than 200,000 developers have registered to use its multilingual UiBot RPA platform. UiBot enables integration with Laiye’s native and third-party AI capabilities such as natural language processing, optical character recognition, computer vision, chatbot and machine learning.

“We are very bullish on China, and the opportunities there are massive,” said Lightspeed partner Amy Wu in an interview. “Laiye is doing phenomenally there, and with this new fundraise, they can look to expand globally,” she said.

Zyxel Fixes 0day in Network Storage Devices

Patch comes amid active exploitation by ransomware gangs

Networking hardware vendor Zyxel today released an update to fix a critical flaw in many of its network attached storage (NAS) devices that can be used to remotely commandeer them. The patch comes 12 days after KrebsOnSecurity alerted the company that precise instructions for exploiting the vulnerability were being sold for $20,000 in the cybercrime underground.

Based in Taiwan, Zyxel Communications Corp. (a.k.a “ZyXEL”) is a maker of networking devices, including Wi-Fi routers, NAS products and hardware firewalls. The company has roughly 1,500 employees and boasts some 100 million devices deployed worldwide. While in many respects the class of vulnerability addressed in this story is depressingly common among Internet of Things (IoT) devices, the flaw is notable because it has attracted the interest of groups specializing in deploying ransomware at scale.

KrebsOnSecurity first learned about the flaw on Feb. 12 from Alex Holden, founder of Milwaukee-based security firm Hold Security. Holden had obtained a copy of the exploit code, which allows an attacker to remotely compromise more than a dozen types of Zyxel NAS products without any help from users.

A snippet from the documentation provided by 500mhz for the Zyxel 0day.

Holden said the seller of the exploit code — a ne’er-do-well who goes by the nickname “500mhz” — is known for being reliable and thorough in his sales of 0day exploits (a.k.a. “zero-days,” these are vulnerabilities in hardware or software products that vendors first learn about when exploit code and/or active exploitation shows up online).

For example, this and previous zero-days for sale by 500mhz came with exhaustive documentation detailing virtually everything about the flaw, including any preconditions needed to exploit it, step-by-step configuration instructions, tips on how to remove traces of exploitation, and example search links that could be used to readily locate thousands of vulnerable devices.

500mhz’s profile on one cybercrime forum states that he is constantly buying, selling and trading various 0day vulnerabilities.

“In some cases, it is possible to exchange your 0day with my existing 0day, or sell mine,” his Russian-language profile reads.

The profile page of 500mhz, translated from Russian to English via Google Chrome.

PARTIAL PATCH

KrebsOnSecurity first contacted Zyxel on Feb. 12, sharing a copy of the exploit code and description of the vulnerability. When four days elapsed without any response from the vendor to notifications sent via multiple methods, this author shared the same information with vulnerability analysts at the U.S. Department of Homeland Security (DHS) and with the CERT Coordination Center (CERT/CC), a partnership between DHS and Carnegie Mellon University.

Less than 24 hours after contacting DHS and CERT/CC, KrebsOnSecurity heard back from Zyxel, which thanked KrebsOnSecurity for the alert without acknowledging its failure to respond until they were sent the same information by others.

“Thanks for flagging,” Zyxel’s team wrote on Feb. 17. “We’ve just received an alert of the same vulnerabilities from US-CERT over the weekend, and we’re now in the process of investigating. Still, we heartily appreciate you bringing it to our attention.”

Earlier today, Zyxel sent a message saying it had published a security advisory and patch for the zero-day exploit in some of its affected products. The vulnerable devices include NAS542, NAS540, NAS520, NAS326, NSA325 v2, NSA325, NSA320S, NSA320, NSA310S, NSA310, NSA221, NSA220+, NSA220, and NSA210. The flaw is designated as CVE-2020-9054.

However, many of these devices are no longer supported by Zyxel and will not be patched. Zyxel’s advice for those users is simply “do not leave the product directly exposed to the internet.”

“If possible, connect it to a security router or firewall for additional protection,” the advisory reads.

Holden said given the simplicity of the exploit — which allows an attacker to seize remote control over an affected device by injecting just two characters to the username field of the login panel for Zyxel NAS devices — it’s likely other Zyxel products may have related vulnerabilities.

“Considering how stupid this exploit is, I’m guessing this is not the only one of its class in their products,” he said.

CERT’s advisory on the flaw rates it at a “10” — its most severe. The advisory includes additional mitigation instructions, including a proof-of-concept exploit that has the ability to power down affected Zyxel devices.

EMOTET GOES IOT?

Holden said recent activity suggests that attackers known for deploying ransomware have been actively working to test the zero-day for use against targets. Specifically, Holden said the exploit is now being used by a group of bad guys who are seeking to fold the exploit into Emotet, a powerful malware tool typically disseminated via spam that is frequently used to seed a target with malcode which holds the victim’s files for ransom.

Holden said 500mhz was offering the Zyxel exploit for $20,000 on cybercrime forums, although it’s not clear whether the Emotet gang paid anywhere near that amount for access to the code. Still, he said, ransomware gangs could easily earn back their investment by successfully compromising a single target with this simple but highly reliable exploit.

“From the attacker’s standpoint simple is better,” he said. “The commercial value of this exploit was set at $20,000, but that’s not much when you consider a ransomware gang could easily make that money back and then some in a short period of time.”

Emotet’s nascent forays into IoT come amid other disturbing developments for the prolific exploitation platform. Earlier this month, security researchers noted that Emotet now has the capability to spread in a worm-like fashion via Wi-Fi networks.

“To me, a 0day exploit in Zyxel is not as scary as who bought it,” he said. “The Emotet guys have been historically targeting PCs, laptops and servers, but their venture now into IoT devices is very disturbing.”

DISCLOSURE DEBATE

This experience was a good reminder that vulnerability reporting and remediation often can be a frustrating process. Twelve days turnaround is fairly quick as these things go, although probably not quick enough for customers using products affected by zero-day vulnerabilities.

It can be tempting when one is not getting any response from a vendor to simply publish an alert detailing one’s findings, and the pressure to do so certainly increases when there is a zero-day flaw involved. KrebsOnSecurity ultimately opted not to do that for three reasons.

First, at the time there was no evidence that the flaws were being actively exploited. Second, the vendor had assured DHS and CERT/CC that it would soon have a patch available.

Perhaps most importantly, public disclosure of an unpatched flaw could well have made a bad situation worse, without offering affected users much in the way of information about how to protect their systems.

Many hardware and software vendors include a link from their home pages to /security.txt, which is a proposed standard for allowing security researchers to quickly identify the points of contact at vendors when seeking to report security vulnerabilities. But even vendors who haven’t yet adopted this standard (Zyxel has not) usually will respond to reports at security@[vendordomainhere]; indeed, Zyxel encourages researchers to forward any such reports to security@zyxel.com.tw.
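As an added example (not code from the article or from Zyxel), the snippet below parses a security.txt file, which RFC 9116 places at /.well-known/security.txt with /security.txt as the older location, and falls back to the security@domain convention the article mentions when no usable file exists. The sample file contents and the example.com domain are constructed for illustration.

```python
"""Locate a vendor's vulnerability-reporting contact (added example)."""
from datetime import datetime, timezone

# Constructed sample security.txt; not any real vendor's file.
SAMPLE_SECURITY_TXT = """\
# Vulnerability disclosure contacts (constructed sample)
Contact: mailto:security@example.com
Contact: https://example.com/report-a-vuln
Expires: 2030-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, ru
"""


def parse_security_txt(text):
    """Return {field name (lower case): [values]}, skipping comments.

    Field names are case-insensitive per RFC 9116; values may contain
    ':' (e.g. URLs), so the line is split only on the first colon.
    """
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def is_current(fields, now=None):
    """True only if a required Expires field exists and lies in the future."""
    exp = fields.get("expires")
    if not exp:
        return False
    now = now or datetime.now(timezone.utc)
    expires = datetime.fromisoformat(exp[0].replace("Z", "+00:00"))
    return expires > now


def reporting_contacts(domain, security_txt=None, now=None):
    """Contacts to try, in order: Contact fields from a current
    security.txt, otherwise the conventional security@<domain> mailbox."""
    if security_txt:
        fields = parse_security_txt(security_txt)
        if is_current(fields, now) and fields.get("contact"):
            return fields["contact"]
    return [f"mailto:security@{domain}"]
```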

On the subject of full disclosure, I should note that while this author is listed by Hold Security’s site as an advisor, KrebsOnSecurity has never sought nor received remuneration of any kind in connection with this role.

The Good, the Bad and the Ugly in Cybersecurity – Week 8

The Good

“Ring! Ring!”
“Who’s There?”
“Multi-Factor Authentication !!!”

On February 18, Ring (parent company Amazon) announced that they would be implementing new, mandatory layers of security for Ring customer accounts. Specifically, MFA will be required for all customers upon logging in to their Ring accounts. Customers can choose to receive a token via email or SMS as the second method of authentication. These changes come after multiple stories came to light surrounding the hijacking of Ring accounts and, as a result, devices. While not all are accustomed to ‘mandatory’ MFA, this should be viewed as a positive and necessary step forward.

Recent history has already shown that strong controls are required in order to secure these and all other IoT devices. MFA, while not perfect, is a step in the right direction for the ongoing quest to secure IoT devices and services. We all like to resist change, and it can be hard to work against that ‘friction’. However, the same could be said for giving up on floppy disk drives, or headphone jacks, etc. When driving toward the greater-good, a small process change (mandatory MFA), which stands between the good guys and the villains, should be seen as an admirable example of moving forward.

image of tweet of ring adding extra layers of security

The Bad

Critical Plant Shuts Down for Two Days After Ransomware ‘Hits the Gas’

A ransomware attack recently forced the shutdown of a U.S.-based natural gas plant. The infection had a direct effect on safety and operational systems. According to reports, the Department of Homeland Security said that “personnel were prevented from receiving crucial real-time operational data from control and communications equipment”.

It is reported that the attack started with a malicious email. This serves as a great reminder that email is still the top delivery vector for malware. The US Cybersecurity and Infrastructure Security Agency (CISA) released Alert (AA20-049A), providing additional information surrounding the event. The alert confirms the spear-phishing delivery mechanism. This established a foothold on the “IT network” and subsequently pivoted to the OT network, which provided access to HMIs (human machine interfaces), polling servers and historical data storage. CISA states that no PLCs were affected, nor was control lost on any specific system. The shutdown was done in direct response to events as they unfolded, with the decision being made to shut down the plant’s operations in a deliberate and controlled manner.

image of US-Cert twitter home page

The Ugly

APT28 and 2019 Attack Campaigns Against Georgia

By now we should all be familiar with APT28 (aka Fancy Bear, G74, Sofacy, Sednit, etc). The state-backed group has been focusing their efforts on high-value targets in the Chemical Engineering, Defense, Government, Industrial Systems, and Intelligence agencies for well over a decade. Notable campaigns include “Pawn Storm”, “Russian Doll”, breaching the International Olympic Committee, and more. This week the UK’s NCSC (National Cyber Security Centre) announced that it was this same group behind a series of cyberattacks against Georgia in October 2019. The NCSC emphasized this claim with “the highest level of probability”.

image of tweet stating Russian APT GRU behind attacks on Georgia

The attacks in question were focused on a number of Georgian web hosting companies, along with media entities. Multiple Georgian TV stations were forced offline in addition to the defacements and availability attacks. The U.K. has come out strongly on this series of attacks (and subsequent attribution). Britain and Georgia are allies and therefore there are both cyber & political ramifications to the ongoing behavior being observed out of the Russian GRU.

It’s worth noting that these attribution stories can be difficult to interpret sometimes. In some cases, their release may be timed in strategic ways so as to coincide with other worldly events. However, we can be sure that the more that is exposed by these state-backed groups, the better. And when we have ally nations pointing the finger, that makes the message far more serious.


DSP Concepts raises $14.5M for its Audio Weaver platform

DSP Concepts — a startup whose Audio Weaver software is used by companies as varied as Tesla, Porsche, GoPro and Braun Audio — is announcing that it has raised $14.5 million in Series B funding.

The startup’s goal, as explained to me by CEO Chin Beckmann and CTO Paul Beckmann (yep, they’re a husband-and-wife founding team), is to create the standard framework that companies use to develop their audio processing software.

To that end, Chin told me they were “picky about who we wanted on the B round, we wanted it to represent the support and endorsement of the industry.”

So the round was led by Taiwania Capital, but it also includes investments from the strategic arms of DSP Concepts’ industry partners — BMW i Ventures (which led the Series A), the Sony Innovation Growth Fund by Innovation Growth Ventures, MediaTek Ventures, Porsche Ventures and the ARM IoT Fund.

Paul said Audio Weaver started out as the “secret weapon” of the Beckmanns’ consulting business, which he could use to “whip out” the results of an audio engineering project. At a certain point, consulting customers started asking him, “Hey, how about you teach me how to use that?,” so they decided to launch a startup focused on the Audio Weaver platform.

Audio Weaver - AWE Designer

Paul described the software as a “graphical block diagram editor.” Basically, it provides a way for audio engineers to combine and customize different software modules for audio processing.

“Audio is still in the Stone Ages compared to other industries,” he said. “Suppose you’re building a product with a touchscreen — are you going to write the graphics from scratch or use a framework like Qt?”

Similarly, he suggested that while many audio engineers are still “down in the weeds writing code,” they can take advantage of Audio Weaver’s graphical interface to piece everything together, as well as the company’s “hundreds of different modules — pre-written, pre-tested, pre-optimized functions to build up your system.”

For example, Paul said that by using the Audio Weaver platform, DSP Concepts engineers could test out “hundreds of ideas” for algorithms for reducing wind noise in the footage captured by GoPro cameras, then ultimately “hand the algorithms over to GoPro,” whose team could then plug the algorithms into their software and modify them themselves.

The Beckmanns said the company also works closely with chip manufacturers to ensure that audio software will work properly on any device powered by a given chipset.

Other modules include TalkTo, which is designed to give voice assistants like Alexa “super-hearing,” so that they can still isolate voice commands and cancel out all the other noise in loud environments, even rock concerts. (You can watch a TalkTo demo in the video below.)

DSP Concepts has now raised more than $25 million in total funding.