Archive for January 14, 2022

A Bug In The Zoom Mac Client Makes It Appear That Zoom Is Spying On Mac Users

Posted in Commentary with tags on January 14, 2022 by itnerd

A couple of my clients have called me to troubleshoot an issue that I want to bring to light. And it’s one that I have been able to reproduce rather easily.

Here’s the rundown.

If you have Zoom 5.91 or earlier installed on your Mac, and you’re running macOS Monterey 12.1 or earlier, and the Zoom app is running but not in a meeting of any sort, you’ll eventually notice that the orange dot that denotes when your microphone is in use appears in the top right corner on the menu bar. It will look like this:

One of the things that was added to macOS Monterey was a notification that lets you know when the microphone is in use. And that notification is the orange dot that you see above. So it appears that the Zoom app is using the microphone, which I confirmed by checking Control Center.

I tested this after reboots and in one case a reinstall of macOS and always got this result. Now to be clear, my guess is that Zoom are not spying on their users. But this isn’t a good look for Zoom regardless as many people are going to assume that they are. And in the process of researching this, I found out two things:

  • First, this was supposedly fixed in version 5.91 of Zoom as per these release notes. But that does not seem to be true, as I was able to reproduce this numerous times on numerous macOS computers with version 5.91. This takes away Zoom’s ability to say that users should simply update to the latest version.
  • Second, I am not alone in seeing this. This thread in the Zoom community along with this thread on Stackexchange details people seeing this as well. So clearly this is a pervasive problem that hasn’t been addressed by Zoom.

My advice is that you should only run the Zoom client when you actually need it until this gets addressed. Or if you’re really paranoid, use another conferencing product. As for Zoom, they’ve had their issues with security over the years. If you search my blog you will find those stories with ease. They need to step up and put this to bed quickly if they want to avoid going back to the days where trust in their product was questionable at best.

UPDATE 2/11/22: Zoom said that it has fixed the issue in version 5.9.3. But they said that in version 5.9.1 so I would only run Zoom when you need to run it to mitigate this issue should it still be present.

Ukrainian Government Websites Hit With Cyberattack

Posted in Commentary with tags on January 14, 2022 by itnerd

BuzzFeed Correspondent Christopher Miller is reporting on Twitter that several Ukrainian Government websites have been hit with some sort of a cyberattack.

The websites of several government departments including the ministry of foreign affairs and the education ministry have been taken out by this attack.

Elizabeth Wharton who is the VP Operations for SCYTHE had this to say:

This is not surprising. It’s cyber harassment typical with Russian active measures doctrine, which uses disinformation, propaganda, and deception in an attempt to influence world events and disrupt governments.

Saryu Nayyar, CEO and Founder, Gurucul had this to say:

“Nation state threat actors continue to take an active involvement in destabilizing infrastructure, governments, and businesses whether for profit or pure political objectives. Security can no longer continue to be an insurance policy. It must become a critical part of the infrastructure at every step. World governments must start funding and investing in cyber security training, educational programs, and awareness. In addition, without continuous evaluation and investment in next generation security technologies that optimize security operations, threat actor groups will continue to be able to disrupt governments and economies.”

Given the tension between NATO nations and Russia at the moment, it will not be surprising to see more attacks like this in the coming days.

UPDATE: I have additional commentary from Toby Lewis, Head of Threat Analysis at Darktrace:

“It’s too early to discuss technical details – but right now, an attack appears to have targeted and brought down several Ukrainian government websites. Governmental websites are typically built on common software which explains the domino effect of website shutdowns that we are seeing. We should be cautious around labelling this as a ‘sophisticated’ attack. Some cyber-attacks are more successful than others, some are advanced and others less so. A distributed denial of service (DDoS) attack for example, which is an attempt to bring down websites or networks by overwhelming the web server with internet traffic, is not particularly sophisticated and relatively easy to mitigate. Some of the website defacements, such as those left on the Education Website and the Ministry of Foreign Affairs, are designed to mimic “nationalist/separatist groups” with claims that the attack was done in the name of the UPA (Ukrainian Separatist Army) which has not existed for over 50 years. Attribution is impossible to do with digital data alone and it is not unlikely that this is a false flag to divert attention away from the true perpetrators, to stir up unrest or simply impact the credibility of the website owners. While some of the defaced websites are claiming that data was leaked to the public, the Ukrainian Government is denying this and no leaked data has appeared yet. We will have to wait to see if more damage has been done beyond website defacement, but if the attackers really have access to sensitive data or have detonated ransomware, why would they shout the loudest about website defacement? Across our customer base we have seen the use of noisy attack techniques to distract security teams’ attention away from more stealthy attacks; it remains to be seen if that is the case here.”

UPDATE #2: Saumitra Das, CTO and Cofounder, Blue Hexagon had this to say:

“It is interesting that this is happening on the heels of the REvil arrests as well as right when the talks have ended in a stalemate. It shows how cyber warfare is becoming a major tool for nation states to augment conventional means. The arrest by the authorities related to the REvil group is a major win for law enforcement, but make no mistake, another group will attempt to fill the shoes and attempt to recycle the extensive network set up by the REvil group.”

BREAKING: REvil Apparently Shut Down By Russian Law Enforcement

Posted in Commentary with tags on January 14, 2022 by itnerd

This comes as a bit of a surprise, and I have to admit that I am still somewhat skeptical of this. But word is hitting the wires that REvil, the group best known for its high profile ransomware attacks and even grabbing the schematics of 2021 MacBook Pros, has been taken down by Russian law enforcement. The FSB posted this early today announcing the arrests. But for the benefit of those who don’t read Russian, I have this translation for your reading pleasure.

While no doubt welcomed by some, this comes at a very convenient time given the tensions between Russia and the US as well as other NATO countries. My guess is that this is nothing more than a token gesture. Now if the Russians were willing to extradite these individuals to the US to face justice, then maybe I would take it more seriously. Thus I am going to take this announcement with more than a pinch of salt. 

Guest Post: The Future of Cyber Security: Software supply chain attacks become a given in 2022

Posted in Commentary with tags on January 14, 2022 by itnerd

By Justin Fier, Director of Cyber Intelligence & Analytics, Darktrace

In 2020, the financial services sector was the industry that experienced the most cyber-attacks. For years, attackers targeted these organizations because they were predictably lucrative targets.

But in 2021, the financial services sector was no longer the most targeted. Instead, the IT and communications sector, including telecommunications providers, software developers, managed security service providers, and others faced the most attempted cyber-attacks.

This shift in priority target is not surprising for industry experts given the numerous high-profile software supply chain attacks in 2021, including those on SolarWinds, Kaseya, and GitLab. Bad actors increasingly see software and developer infrastructure, platforms, and providers as entry vectors into governments, corporations, and critical infrastructure.

Darktrace’s researchers observed that its artificial intelligence (AI) autonomously interrupted around 150,000 threats each week against the sector in 2021. These research findings are based on Darktrace data generated by ‘early indicator analysis’, which looks at the breadcrumbs of potential cyber-attacks at several stages before attributing them to any actor and before they escalate into a full-blown crisis.

From this analysis, Darktrace predicts that, in 2022, we will see threat actors embed malicious software throughout the software supply chain, including proprietary source code, developer repositories, open-source libraries, and more. We will likely see further supply chain attacks against software platforms and additional publicized vulnerabilities.

Explaining the shift

The increase in attacks on this sector is likely because more companies rely on third-party trusted suppliers to handle their data while it’s in motion and at rest. This cyber-attack vector has proven substantially profitable for attackers who focused their efforts on related organizations to get to a target’s crown jewels. This shift means that small- and medium-sized companies are now more likely to experience an attack, even if they are not the end target.

Most recently, the uncovered vulnerability ‘Log4Shell’ embedded in a widely used software library left billions of devices exposed and prompted the Cybersecurity and Infrastructure Security Agency to provide formal guidance.

Unfortunately, many of these libraries are only updated and supported by volunteers, making it easy for vulnerabilities and intentional corruptions to slip through. DevSecOps will be a significant discussion point in 2022 as organizations begin to understand the importance of baking security into applications much earlier in the development process. Risks presented by the dependence on open source will put dev teams front and center. 

Email phishing persists as a reliable method for attackers

Despite this relevant shift in targets, Darktrace found that the most widely used attack method on the IT sector continues to be phishing. Darktrace found that organizations in the industry faced an average of 600 unique email phishing campaigns a month in 2021. These campaigns also matured in sophistication, as most no longer contain a malicious link or attachment as in the typical ill-intended email. 

In 2022, attackers will continue to advance their email attacks to hijack the communications chain more directly. We will see attackers hijack trusted supplier accounts to send spear-phishing emails from genuine, trusted accounts, as we saw in the November 2021 FBI account takeover.

Top cyber-criminals will use ‘clean’ emails containing normal text, with messages carefully crafted to impersonate a trusted third party to induce recipients to reply and reveal sensitive information. 

Facing the increase in attacks head-on

As the global software supply chain becomes increasingly interconnected, governments, corporations, and critical infrastructure organizations are all at risk of breach not only through their software and communications suppliers but via any security flaw in the extensive global software supply chain. 

In the face of this cyber threat, organizations must focus on not only their own cyber resilience but also ensure they can hold their trusted suppliers accountable to best cyber practices. There is no magic solution to finding attacks embedded in your software suppliers, so the real challenge for organizations will be to operate while accepting this risk. This year, like 2021, it is increasingly unrealistic for these companies to hope to avoid breaches via their supply chains. Instead, they must have the ability to detect the presence of attackers after a breach and stop this malicious activity in the early stages. 

If attackers can embed themselves at the beginning of the development process, organizations will have to detect and stop the attacker after they have gotten through. This problem calls for cyber defense technology that can spot vulnerabilities as threat actors exploit them. 

This threat reinforces the need for security to be integrated earlier in the development process and the importance of quickly containing attacks to prevent business disruption. Since these are multi-stage attacks, organizations can use AI at every step to contain and remediate the threat.