Archive for the ‘NSA’ Category

The NSA Warns That Russia Is Attacking Remote Work Platforms – WIRED

Throughout 2020, an unprecedented portion of the world's office workers have been forced to work from home as a result of the Covid-19 pandemic. That dispersal has created countless opportunities for hackers, who are taking full advantage. In an advisory today, the National Security Agency said that Russian state-sponsored groups have been actively attacking a vulnerability in multiple enterprise remote-work platforms developed by VMware. The company issued a security bulletin on Thursday that details patches and workarounds to mitigate the flaw, which Russian government actors have used to gain privileged access to target data.

Institutions have scrambled to adapt to remote work, offering employees secure remote access to enterprise systems. But the change comes with different risks and has created new exposures versus traditional office networks. Flaws in tools like VPNs have been especially popular targets, since they can give attackers access to internal corporate networks. A group of vulnerabilities affecting the Pulse Secure VPN, for example, were patched in April 2019, but US intelligence and defense agencies like the Cybersecurity and Infrastructure Security Agency issued warnings in October 2019, and again in January and April, that hackers were still attacking organizations, including government agencies, that had not applied the patch.

On Thursday, CISA issued a brief advisory encouraging administrators to patch the VMware vulnerability immediately. "An attacker could exploit this vulnerability to take control of an affected system," the agency said.

In addition to warning the general public about the VMware bug, the NSA emphasized repeatedly that it "encourages National Security System (NSS), Department of Defense (DOD), and Defense Industrial Base (DIB) network administrators to prioritize mitigation of the vulnerability on affected servers."

"It's one of those things where the messenger is notable as well as the message," says Ben Read, senior manager of cyberespionage analysis at the threat intelligence firm FireEye. "It's a remote code execution vulnerability, it's something that people definitely want to patch, but these things happen. So the fact that the NSA wanted to make a big deal about it is likely based on the fact that it was being used by Russia's folks in the wild and presumably against a target that the NSA is worried about."

The affected VMware products all relate to cloud infrastructure and identity management, including VMware Workspace One Access, its predecessor, VMware Identity Manager, and VMware Cloud Foundation. VMware said in a statement that "upon notification of the issue, VMware has worked to assess this issue, and has provided the appropriate updates and patches to mitigate this issue."

The company noted in its advisory that it rates the flaw's severity as "Important," a step below "Critical," because attackers must have access to a web-based, password-protected management interface before they can exploit the vulnerability. The NSA points out that securing this interface with a strong, unique password, or setting it up so it isn't accessible from the public internet, are both steps that can reduce the risk of attack. Fortunately, VMware did not design the affected systems with the option to use default passwords that would be trivially easy for attackers to guess.

Once a hacker has access, they can exploit the vulnerability to manipulate authentication requests called "SAML assertions" (from Security Assertion Markup Language, an open standard) as a way of burrowing deeper into an organization's network. And they can use that position to access other servers that contain potentially sensitive information.

FireEye's Read notes that while the bug does first require a legitimate password to exploit, that's not an insurmountable hurdle, particularly for Russian hackers who have a known facility with credential theft techniques like password spraying. "I would guess the NSA is writing something because they have seen it work, even if it is in theory not the worst vulnerability out there," he says.


When so many employees are working remotely, it can be difficult to use traditional network monitoring tools to flag potentially suspicious behavior. But the NSA points out that vulnerabilities like the VMware bug present a unique challenge regardless, because the malicious activity would all happen in encrypted connections to the web interface that aren't distinguishable from legitimate logins. The NSA recommends instead that organizations comb their server logs for what are known as "exit statements" that can indicate suspicious activity.


Former NSA contractor Reality Winner loses appeal, will remain imprisoned – CyberScoop

Written by Joe Warminsky, Dec 8, 2020 | CyberScoop

The former National Security Agency contractor convicted in 2018 of illegally leaking top secret information to a news organization will remain in federal prison after an appeals court upheld a ruling against a compassionate release amid the COVID-19 pandemic.

The eight-page opinion Monday from the U.S. Court of Appeals for the 11th Circuit backed an earlier ruling that lawyers for Reality Winner had not sufficiently shown that her medical conditions or prison conditions justified an early release. The appeals court didn't rule on the merits of Winner's argument; it simply said the lower court had considered her request properly.

"After careful consideration and with the benefit of oral argument, we conclude that the District Court did not abuse its discretion in denying Ms. Winner's motion," Monday's opinion says. "Because we resolve her appeal on this basis alone, we need not (and do not) address Ms. Winner's other arguments."

In early April, Winner, now 29, had filed a motion for compassionate release with the U.S. District Court for the Southern District of Georgia, saying that she suffers from depression and an eating disorder, and that COVID-19 related prison lockdowns affected her ability to cope with those conditions, thus making her more susceptible to further illness. The district court rejected Winner's motion without holding an evidentiary hearing.

Winner was working as a linguist for Pluribus International Corp., a government contractor, when she was accused of leaking a report on Russian interference in U.S. elections. The Intercept published details from the document but says it did not know the exact source. Afterward, Winner was arrested and pleaded guilty to violating the Espionage Act.

Some have branded Winner a whistleblower, given that the leaked document expanded the publicly available information about the Russian threat to elections at a time when the White House was claiming it was a hoax.

Winner is serving her 63-month prison sentence at Federal Medical Center Carswell in Fort Worth, Texas, where it was reported this summer that she and about 500 other detainees had contracted COVID-19. She could be released by November 2021.

Her lawyers have noted that she is a nonviolent first offender who admitted her mistake. Those arguments and others weren't enough to persuade the district court.

"Winner has not carried the burden of demonstrating that her specific medical conditions under the particular conditions of confinement at FMC Carswell place her at a risk substantial enough to justify early release," U.S. District Judge J. Randal Hall wrote in April, in rejecting Winner's motion. "In fact, the court is constrained to observe that Winner is in a medical prison, which is presumably better equipped than most to deal with any onset of COVID-19 in its inmates."

U.S. courts have been hearing many requests like Winner's this year as the COVID-19 pandemic rips through prison populations. In some cases, motions for compassionate release do succeed: Late last week a federal judge in Virginia sent a native of Kosovo back to his home country after the convicted hacker argued for his release.


Quashing Detention Order, Allahabad HC Asks Govt to Exercise NSA With ‘Extreme Care’ – The Wire

New Delhi: The Allahabad high court on Monday quashed the detention order of Javed Siddiqui under the stringent National Security Act (NSA) on the grounds that the authorities did not present his petition report before the advisory board on time.

According to a report in the Indian Express, a division bench of Justice Pradeep Kumar Srivastava and Justice Printinker Diwaker quashed the detention order on a habeas corpus plea by Siddiqui and observed that a law such as the NSA had to be exercised by the executive with "extreme care".

"Where the law confers extraordinary power on the executive to detain a person without recourse to the ordinary law of the land and to trial by courts, such a law has to be strictly construed and the executive must exercise the power with extreme care," the court said, and noted that the executive was under obligation to pass a detention order according to procedure established by law.

The court also ordered the forthwith release of Siddiqui, if he was not required in any other case.

"The history of personal liberty is largely the history of insistence on observation of the procedural safeguards. The law of preventive detention, though is not punitive, but only preventive, heavily affects the personal liberty of individual enshrined under Article 21 of the Constitution of India and, therefore, the Authority is under obligation to pass detention order according to procedure established by law and will ensure that the constitutional safeguards have been followed," the high court observed.

Siddiqui was arrested earlier this year in June and booked for arson and rioting after a number of houses belonging to people from the Dalit community had been burnt down at Bhadethi village in the Sarai Khwaja locality of Jaunpur.

As per the court's order, the detention order against Siddiqui was passed on July 10 and the petitioner gave his representation on July 20. The detention order for Siddiqui was approved on July 21, 2020. "It is evident that the representation so given by the petitioner (Siddique) was well within the prescribed period of 12 days," the court said, and noted that Siddiqui's representation was rejected on August 14, 2020, after the advisory board had already made the recommendation for approval of the detention order on August 12.


"The record shows that the representation of the petitioner was not placed before the Advisory Board till 12.08.2020 (August 12) even though the same was filed on 20.07.2020 (July 20). It remained pending with the State Government and after two days from the date the Advisory Board sent the recommendation, the same was rejected," the high court said.

The court also said that the state authority had given no reasonable explanation for the delay in forwarding the petitioner's representation and not placing it before the advisory board. "It is evident from the record that while extraordinary haste was shown in taking action against the petitioner, the authorities remained reluctant and there was complete inaction on their part causing an unjustified delay in processing the detenue's representation against his detention under the NSA," the bench said in its order.

"This inaction on the part of the authorities certainly resulted in deprivation on the right of the petitioner of the fair opportunity of hearing and it also resulted in denial of the opportunity of fair hearing to the petitioner as provided under the law. This is not permissible and is in gross violation of established legal and procedural norms and legal and constitutional protection," the Allahabad high court said.

The court said that it was of the opinion that delaying and not placing the representation before the advisory board speaks volumes about the reluctance on the part of the opposite parties.

"The plea of Covid-19, officials suffering from pandemic, intervening holiday or negligence on the part of an official on account of which he was suspended, are no reason, which could be attributed towards any fault or lapse on the part of the petitioner. Even on the date when the case was fixed before the Advisory Board, the authorities could have placed the representation of the petitioner before the Board. Thus, we find that no reasonable explanation has been given for the delay and not placing the representation before the Board," the high court said.

Reportedly in June, following an alleged brawl among children, over a dozen huts of people from the Dalit community were set ablaze and massive damage was caused to 14 other houses. The FIR registered against Javed Siddiqui accused him of attacking the Bhadethi village slums along with 80 people and indulging in riots and arson there while heaping anti-Dalit abuses on the slum inhabitants.

Siddiqui was later arrested and the Jaunpur district magistrate subsequently on July 10 issued a detention order against him under section 3(2) of the National Security Act.

In his habeas corpus plea, Siddiqui contended that he was not given a fair opportunity to present his case before the UP advisory board, Lucknow, to challenge the detention order. He alleged that his representation was neither placed before the advisory board in time nor was he supplied with relevant documents about his detention under the NSA.

Earlier this year, in response to the Uttar Pradesh government's repeated instances of invoking the National Security Act against alleged cow slaughter cases, the Allahabad high court raised concerns that the law was being misused to target innocent people.

(With inputs from PTI)


VMware fixes zero-day vulnerability reported by the NSA – BleepingComputer

VMware has released security updates to address a zero-day vulnerability in VMware Workspace One Access, Access Connector, Identity Manager, and Identity Manager Connector.

The vulnerability is a command injection bug tracked as CVE-2020-4006 and publicly disclosed two weeks ago.

While it did not issue any security updates at the time it disclosed the zero-day, VMware provided a workaround to help admins mitigate the bug on affected devices.

If successfully exploited, the vulnerability enables attackers to escalate privileges and execute commands on the host Linux and Windows operating systems.

The full list of VMware product versions affected by the zero-day includes:

While initially the company didn't disclose the identity of the organization or researcher who reported the vulnerability, VMware acknowledged the contribution of the US Defense Department's intelligence agency in an update to the security advisory made on Thursday.

VMware also lowered the bug's CVSSv3 base score to 7.2/10 and the maximum severity rating from 'Critical' to 'Important.'

CVE-2020-4006 exists in the administrative configurator of some releases of VMware Workspace ONE Access, Access Connector, Identity Manager, and Identity Manager Connector.

"A malicious actor with network access to the administrative configurator on port 8443 and a valid password for the configurator admin account can execute commands with unrestricted privileges on the underlying operating system," the advisory explains.

"This account is internal to the impacted products and a password is set at the time of deployment. A malicious actor must possess this password to attempt to exploit CVE-2020-4006."

Threat actors can obtain the password needed to exploit the vulnerability using techniques documented in the MITRE ATT&CK database.

VMware released security updates that fully mitigate the vulnerability on devices running one of the affected products.

Information on patch deployment steps, expected changes, and how to confirm that the patch has been applied is available within the patch files.

Links to download security updates for CVE-2020-4006 are available in the table embedded below.

DHS-CISA encouraged admins and users on Thursday to apply the patch issued by VMware to thwart attackers' attempts to take over vulnerable systems.

Admins who can't immediately download and deploy the patch can still use the temporary workaround that fully removes the attack vector on impacted systems and prevents CVE-2020-4006 exploitation.

Details on how to implement and revert the workaround on Linux-based appliances and Windows-based servers are available from VMware.

However, once the workaround is applied, "configurator-managed setting changes will not be possible," as VMware explains.


AMNESIA:33 IoT device vulnerabilities. Mexican police alleged to pass spyware to cartels. The US NDAA nears passage. Hacking lockers. – The CyberWire

Researchers at Forescout this morning released a report on a set of TCP/IP vulnerabilities they're calling AMNESIA:33, the 33 referring to the number of vulnerabilities they've found. Four they consider critical, and in general the issues are believed to broadly and deeply affect Internet-of-things devices. SC Magazine says that the US Department of Homeland Security is expected to release a report on the vulnerabilities soon, perhaps as early as today.

Both Haaretz and the Guardian are reporting on Forbidden Stories' Cartel Project, which describes the ways in which Mexican police, users of NSO Group's lawful intercept products, have allegedly been reselling that technology to drug cartels, which in turn have used the spyware to monitor journalists and other third parties. Some of the allegations are attributed to sources in the US Drug Enforcement Agency.

According to the Washington Post, despite the prospect of a Presidential veto, the US House appears ready to pass the National Defense Authorization Act (NDAA). CyberScoop summarizes the significant cybersecurity measures the NDAA ("biggest cyber bill ever") includes.

ZDNet reports that 2,732 PickPoint package delivery lockers across Moscow were opened by a criminal who hacked the PickPoint app. Landlords and guards responded quickly to keep an eye on obviously malfunctioning lockers. Russian security organizations (and by implication law enforcement organizations) take a lot of stick in these pages (see, for example, yesterday's warning from NSA that Russian intelligence services are actively exploiting a VMware bug), but this is one case where we wish the Militia good hunting.
