Chinese hackers target Linux systems with RedXOR backdoor


Keumars Afifi-Sabet

11 Mar, 2021

Hackers are targeting legacy Linux systems with sophisticated malware believed to have been developed by cyber criminals backed by the Chinese state.

The malware, branded RedXOR, encodes its network data with a scheme based on the XOR Boolean logic operation used in cryptography, and is compiled with a legacy compiler on an older release of Red Hat Enterprise Linux (RHEL).

This, according to Intezer researchers, suggests RedXOR is being used in targeted attacks against legacy systems.

Its operators deploy RedXOR to infiltrate Linux endpoints and systems in order to browse files, steal data, upload or download data, as well as tunnel network traffic. The backdoor is also difficult to identify, disguising itself as a polkit daemon, which is a background process for managing a component that controls system-wide privileges.

“Based on victimology, as well as similar components and Tactics, Techniques, and Procedures (TTPs), we believe RedXOR was developed by high profile Chinese threat actors,” said Intezer researchers Avigayil Mechtinger and Joakim Kennedy.

“Linux systems are under constant attack given that Linux runs on most of the public cloud workload. Along with botnets and cryptominers, the Linux threat landscape is also home to sophisticated threats like RedXOR developed by nation-state actors.”

Upon installation, the malware moves its binaries to a hidden folder dubbed ‘po1kitd.thumb’, as part of its efforts to disguise itself as the polkit daemon. The malware then communicates with the command and control server in the guise of HTTP traffic, from where instructions are then sent.
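A defender-side check prompted by the po1kitd disguise described above, added here as an example (not Intezer's tooling or anything from the report): it normalises digit-for-letter lookalikes and flags process names or directory names that only match a real daemon after that normalisation. The process listing, directory list and the set of legitimate daemon names are constructed; the report gives the folder name but not its exact path, so the check matches the name wherever it appears.

```python
# Hunt for daemon-name lookalikes such as RedXOR's "po1kitd" ("1" for "l").
# Constructed example, not Intezer's code. Sample data below is made up.

# Visually confusable substitutions that let a fake name survive a glance at ps.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})

# Legitimate daemon names a lookalike may imitate (assumed list; extend for your estate).
LEGIT_DAEMONS = {"polkitd", "systemd", "sshd", "crond", "rsyslogd", "dbus-daemon"}


def lookalike_of(name, legit=LEGIT_DAEMONS):
    """Return the legitimate daemon that `name` imitates, or None if benign.

    The exact legitimate name is never flagged; a name that equals it only
    after homoglyph normalisation is.
    """
    base = name.lower()
    if base in legit:
        return None
    norm = base.translate(HOMOGLYPHS)
    return norm if norm in legit else None


def suspicious_processes(ps_lines):
    """Parse `ps -eo pid,comm`-style lines; return [(pid, comm, imitated_daemon)]."""
    hits = []
    for line in ps_lines:
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].isdigit():
            continue  # header line or malformed row
        pid, comm = int(parts[0]), parts[1].strip()
        imitated = lookalike_of(comm)
        if imitated:
            hits.append((pid, comm, imitated))
    return hits


def suspicious_dirs(paths):
    """Flag directories whose leading name component imitates a daemon.

    ".po1kitd.thumb" and "po1kitd.thumb" both reduce to the stem "po1kitd";
    a leading dot (hidden directory) is stripped so neither form escapes.
    """
    hits = []
    for path in paths:
        leaf = path.rstrip("/").rsplit("/", 1)[-1]
        stem = leaf.lstrip(".").split(".")[0]
        imitated = lookalike_of(stem)
        if imitated:
            hits.append((path, imitated))
    return hits


# Constructed sample inputs (not from the report).
SAMPLE_PS = """  PID COMMAND
    1 systemd
  812 polkitd
 4242 po1kitd
 4300 sshd
 5150 bash""".splitlines()

SAMPLE_DIRS = [
    "/home/dev/.cache",
    "/home/dev/.po1kitd.thumb",
    "/tmp/po1kitd.thumb",
    "/usr/lib/polkit-1",
]

if __name__ == "__main__":
    for pid, comm, daemon in suspicious_processes(SAMPLE_PS):
        print(f"pid {pid}: '{comm}' imitates '{daemon}'")
    for path, daemon in suspicious_dirs(SAMPLE_DIRS):
        print(f"{path}: name imitates '{daemon}'")
```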

Researchers have monitored the server issuing a total of 19 separate commands, including requesting system information and issuing updates to the malware. The presence of “on and off” availability in the command and control server also indicates the operation is still active, the researchers claim.

To build the backdoor, the hackers used the Red Hat 4.4.7 GNU Compiler Collection (GCC) compiler, which is the default GCC for RHEL 6. This was first released in 2010.

Mainstream support for RHEL 6 only ended recently, in November 2020, meaning a swathe of servers and endpoints are likely still running RHEL 6. Intezer, however, hasn’t disclosed the number of, or nature of, the victims it’s identified. According to Enlyft, roughly 50,000 companies use RHEL installations.

Although the discovery of Linux malware families has increased in recent times, backdoors attributed to advanced threat groups, such as nation state-backed attackers, are far rarer.

Researchers are confident in their attribution, however, identifying 11 distinct similarities between RedXOR and the PWNLNX backdoor, as well as parallels with the XOR.DDOS and Groundhog botnets – all associated with hackers supported by the Chinese state.

The samples discovered were also uploaded from Indonesia and Taiwan, countries known to be targeted by state-backed hackers operating from China.

Google and Red Hat team up with Linux Foundation for software-signing service


Keumars Afifi-Sabet

10 Mar, 2021

The Linux Foundation has launched a free-to-use service for open source developers to cryptographically sign software to reassure users further down the supply chain that the software they’re using is legitimate.

Developed in partnership with Google and Red Hat, the sigstore project will allow the open source community to sign software artefacts including release files, container images and binaries before these elements are stored in a public log.

The aim is to make it easier for developers to sign releases and for users to verify them, with widespread uptake translating to a reduction in the threat of open source supply chain attacks. This is because one of the major issues with open source software is it’s often difficult to determine where the software came from, and how it was built.

“Installing most open source software today is equivalent to picking up a random thumb-drive off the sidewalk and plugging it into your machine,” said Google’s product manager Kim Lewandowski and product engineer Dan Lorenc. “To address this we need to make it possible to verify the provenance of all software – including open source packages.

“The mission of sigstore is to make it easy for developers to sign releases and for users to verify them. You can think of it like Let’s Encrypt for Code Signing. Just like how Let’s Encrypt provides free certificates and automation tooling for HTTPS, sigstore provides free certificates and tooling to automate and verify signatures of source code.”

Sigstore takes a unique approach to key management by issuing short-lived certificates based on OpenID Connect grants, and storing all activity in logs backed by Trillian, Google's transparency-log software. This is so the team can detect compromises, and recover from them, when they do occur.

This approach has been devised in light of the fact that key distribution is “notoriously difficult”, leading developers to design away the need for a management hub by building a Root Certificate Authority (CA) which will be made available for free.

News of this project follows Google’s commitment to help fund two Linux developers in their ambitions to fix kernel security problems. This responded to a need for additional work on open source software security that recent research identified.

“I am very excited about sigstore and what this means for improving the security of software supply chains,” said Luke Hinds, one of the lead developers on sigstore and Red Hat’s security engineering lead.

“Sigstore is an excellent example of an open source community coming together to collaborate and develop a solution to ease the adoption of software signing in a transparent manner.”

The team behind the sigstore project will build on this momentum in the near future with further tweaks, including hardening the system, adding support for other OpenID Connect providers, and updating documentation.

Chrome OS gets enterprise overhaul


Zach Marzouk

10 Mar, 2021

Google has announced a number of new features for Chrome OS to mark the operating system’s 10th birthday, including some new ones for enterprise users. 

Starting today, businesses can download the Chrome OS Readiness Tool to help them identify which Windows devices in their organisation are ready to switch fully to Chrome OS and which need support from VDI or Parallels Desktop.

This is a free, completely private and customisable tool that allows enterprises to see if apps are compatible or whether they are cloud-ready or not.

Organisations can also now configure over 500 policies in the Google Admin console. New policies have been added over the past year including those affecting new security, updates, accessibility, network file sharing and more. Importantly, all policies default to a Google recommended setting ensuring that users only have to set up the ones they need.

Moreover, to help enterprises configure their policies at scale, Chrome is launching the Chrome Policy API. This allows user and printer settings to be managed via an API and enables users to configure settings through a script or command line. Chrome is looking to expand this in the future so it also applies to apps, extensions and device settings too.

These new additions come on top of other features announced including the Phone Hub, where users can respond to their phone messages, check its battery life and even locate it from their Chromebook.

In the coming months, the company plans to release “Nearby share”, a feature that allows users to securely share files between a Chromebook and other Chrome OS or Android devices without needing to share contact details.

These new features come after Google announced in December it was teaming up with other tech giants such as Intel and Dell to form the Modern Computing Alliance. The group hopes to foster greater collaboration and integration between their different systems.

Dropbox to acquire DocSend for £118 million


Zach Marzouk

9 Mar, 2021

Dropbox announced today it will acquire DocSend, a secure document sharing and analytics company with over 17,000 customers, for $165 million (£118 million).

Organisations that use Dropbox will now be able to use Docsend to deliver proposals and track engagement. Through this service, users can share documents easily and securely and customise who has access to them. 

Dropbox co-founder and CEO Drew Houston said that the plan is to package together Dropbox, DocSend, and HelloSign – which Dropbox bought for $230m in 2019 – as an “end-to-end suite” of products spanning collaboration, sharing, and e-signatures.

“DocSend is a perfect complement to our product roadmap and we’re thrilled to welcome them to our team,” Houston said.

“By bringing Dropbox, HelloSign, and DocSend together, we’ll be able to offer a full suite of secure, self-serve products to help them manage critical document workflows from start to finish.”

Russ Heddleston, DocSend co-founder and CEO, had interned at Dropbox over a decade ago before their paths crossed again in 2019 when the two companies became extension partners.

Heddleston said: “As we’ve grown, we’ve realized that the ability to securely share content and engage with documents after they are sent offers powerful benefits to a variety of customer segments.

“By joining Dropbox, we’ll be able to rapidly scale, bringing our vision and capabilities to the hundreds of millions of people around the world who already trust Dropbox with their most important content.”

This is the first acquisition the company has announced since declaring its shift to a remote working strategy. It had reported a “one-off” loss of $398.2 million in its fourth-quarter report last year as the company made a decision to sublease most of its office space.

Following that decision, Dropbox announced on Monday that the building it was leasing as its headquarters in San Francisco would be sold for $1.08 billion. According to Kilroy Realty Corporation, its owner, this was a new high in the San Francisco commercial real estate market, as reported by Yahoo! Finance.

Microsoft was warned about Exchange Server flaws two months ago


Sabina Weston

9 Mar, 2021

Microsoft was aware of the Exchange Server vulnerabilities two months prior to the attack orchestrated by state-backed hackers, having confirmed that it was initially notified in “early January”.

The tech giant made the statement to cyber security journalist Brian Krebs, who has compiled a basic timeline of the hack on his blog.

Krebs’ research shows that, on 5 January, Microsoft was first notified of two of the four zero-day vulnerabilities by a researcher at security testing firm DevCore. On 2 February, cyber security solutions provider Volexity also reported the same two vulnerabilities to Microsoft, having witnessed attack traffic going back to 3 January.

Warnings also came from Danish cyber security provider Dubex, which first witnessed clients being hit on 18 January. The company reported their incident response findings to Microsoft on 27 January.

In a blog post, Dubex detailed how hackers took advantage of the ‘unifying messaging’ module in Exchange, which allows organisations to store voicemail and fax files, as well as emails, calendars, and contacts in users’ mailboxes, in order to install web shell backdoors.

“A unified messaging server also allows users access to voicemail features via smartphones, Microsoft Outlook and Outlook Web App. Most users and IT departments manage their voicemail separately from their email, and voicemail and email exist as separate inboxes hosted on separate servers. Unified Messaging offers an integrated store for all messages and access to content through the computer and the telephone,” Dubex revealed.

However, Dubex’s CTO Jacob Herbst told KrebsOnSecurity that the company “never got a ‘real’ confirmation [from Microsoft] of the zero-day before the patch was released”.

The four zero-day vulnerabilities were ultimately patched on 2 March, a week earlier than previously planned. However, only a day later it was revealed that tens of thousands of Exchange servers had been compromised worldwide, with the number of victims increasing by the hour.

Krebs questioned Microsoft’s response timing, saying that the timeline illustrates that the company “had almost two months to push out the patch it ultimately shipped Mar. 2, or else help hundreds of thousands of Exchange customers mitigate the threat from this flaw before attackers started exploiting it indiscriminately”.

IT Pro has contacted Microsoft for comment but is yet to hear back from the company.

The number of victims is estimated to be in the hundreds of thousands, with the European Banking Authority (EBA) becoming the latest major public body to be compromised by the hack.

In a statement, the EBA said that it “is working to identify what, if any, data was accessed”, adding that it had “decided to take its email systems offline” as a “precautionary measure”. 

Chinese state-sponsored hacking group Hafnium is believed to be behind the attack.

Dell and Faction debut multi-cloud backup


Praharsha Anand

9 Mar, 2021

Dell and Faction have announced new multi-cloud storage and data protection solutions for enterprises looking to monitor their critical data from a centralised location.

“Protecting against ransomware and other cyber attacks is quickly rising in importance for both IT and business executives,” said Joe CaraDonna, CTO of public cloud and APEX offerings at Dell Technologies.

“With the average cost of an attack being $13m, it’s easy to see why this is so concerning. As IT deployments become more complex, with on-prem deployments combined with applications running in multiple public clouds, it is hard to build a world class centralized solution to protect critical data from the modern threat of sophisticated cyberattacks… until today.”

Dell’s Cloud PowerProtect for Multi-cloud is a fully managed service that allows users to safeguard their data in multiple clouds from a single location. Building on this solution, Dell has announced a new security capability called Dell EMC PowerProtect Cyber Recovery. 

Enhanced PowerProtect for Multi-cloud will enable customers to physically and logically isolate their critical data in an air-gapped cloud Cyber Recovery vault in a Faction-powered data center. Data immutability and CyberSense intelligent analytics are also included in the service to ensure enterprise-grade security. In the event of a cyber attack, users can easily move data from the vault to their data center of choice, including AWS, Azure, Google Cloud, or Oracle Cloud.

What’s more, using Superna Eyeglass DR Manager with PowerScale for Multi-cloud, customers can mirror data from their data centers to Faction’s cloud-adjacent center. Users can also choose to recover and save applications in Faction’s data center or any other public cloud listed under Dell’s offerings. 

Superna Eyeglass DR Manager’s other interesting capabilities include one-button failover, flexible SyncIQ scheduling, continuous readiness monitoring, disaster recovery (DR) testing, data loss exposure analysis, and reporting.

According to IT analyst research and validation agency Enterprise Strategy Group, PowerScale for Multi-cloud lowers storage costs by up to 89%. The solution can also reach up to 2Tbps multi-cloud throughput via multiprotocol data access on PowerScale for network file system (NFS), server message block (SMB), Hadoop distributed file system (HDFS), and Amazon’s simple storage service (S3).

“The future of IT is hybrid – a world that balances the right public cloud services with the right on-premises infrastructure to provide the performance, scale, functionality and control required of modern applications and development paradigms. As customers consider this hybrid model, it is important to take a data-first approach,” added CaraDonna.

Intel and DARPA to build advanced cloud encryption


Zach Marzouk

9 Mar, 2021

Intel has announced it is working with the Defense Advanced Research Projects Agency (DARPA) to help develop the ‘holy grail’ of encryption.

Intel and DARPA, a research and development US government agency, will work together to develop an accelerator for fully homomorphic encryption (FHE).

FHE is essentially encryption that allows users to perform calculations on encrypted data without decrypting it first, reducing the risk of the information being stolen when in a vulnerable state.

Intel will take part in DARPA’s Data Protection in Virtual Environments (DPRIVE) programme, which aims to develop FHE. The organisation will work alongside Microsoft, which will lead the commercial adoption of the technology once it has been tested in its cloud offerings, including Microsoft Azure and the JEDI cloud, with the US government.

Rosario Cammarota, principal engineer at Intel Labs and the principal investigator as part of the DARPA DPRIVE programme said: “Fully homomorphic encryption remains the holy grail in the quest to keep data secure while in use. 

“Despite strong advances in trusted execution environments and other confidential computing technologies to protect data while at rest and in transit, data is unencrypted during computation, opening the possibility of potential attacks at this stage. This frequently inhibits our ability to fully share and extract the maximum value out of data.”

According to Intel, many businesses rely on a variety of data encryption methods to protect their information while it is in transit, in use and at rest. These techniques mean that data must be decrypted for processing and during this state it can be vulnerable for misuse.

With FHE, Intel aims to allow users to compute on always-encrypted data, or cryptograms, which means the data doesn’t need to be decrypted and reduces the risk of potential threats. This will help organisations to use large datasets in techniques like machine learning while protecting the data.
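To make the principle of computing on data that is never decrypted concrete, here is an added, self-contained illustration (not Intel's, DARPA's or Microsoft's code) using the Paillier cryptosystem. Paillier is only partially homomorphic (it supports addition of ciphertexts and multiplication by a known constant, not arbitrary computation), so it is a stepping stone to FHE rather than FHE itself; the primes are constructed toy values, far too small for real use.

```python
# Toy Paillier cryptosystem: the party holding only the public key adds
# encrypted values together without ever seeing the plaintexts. Added
# illustration of the homomorphic principle; not production code.
import math
import secrets

P, Q = 10007, 10009  # constructed toy primes (real keys use ~1024-bit primes each)


def _modinv(a, m):
    """Modular inverse of a mod m via extended Euclid."""
    r0, r1, s0, s1 = a % m, m, 1, 0
    while r1:
        qt = r0 // r1
        r0, r1, s0, s1 = r1, r0 - qt * r1, s1, s0 - qt * s1
    if r0 != 1:
        raise ValueError("not invertible")
    return s0 % m


def keygen(p=P, q=Q):
    """Return (public_key n, private_key (lambda, mu)) using generator g = n + 1."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)  # lcm(p-1, q-1)
    mu = _modinv(lam, n)  # with g = n+1, L(g^lam mod n^2) == lam mod n
    return n, (lam, mu)


def encrypt(n, m):
    """c = (1+n)^m * r^n mod n^2 with fresh random r, so equal plaintexts differ."""
    if not 0 <= m < n:
        raise ValueError("plaintext must lie in [0, n)")
    n2 = n * n
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(n + 1, m, n2) * pow(r, n, n2)) % n2


def decrypt(n, priv, c):
    """m = L(c^lambda mod n^2) * mu mod n, where L(u) = (u - 1) / n."""
    lam, mu = priv
    u = pow(c, lam, n * n)
    return ((u - 1) // n * mu) % n


# Operations the untrusted party performs on ciphertexts alone.
def add_encrypted(n, c1, c2):
    """Enc(m1) * Enc(m2) mod n^2 decrypts to m1 + m2 (mod n)."""
    return (c1 * c2) % (n * n)


def scale_encrypted(n, c, k):
    """Enc(m)^k mod n^2 decrypts to k * m (mod n)."""
    return pow(c, k, n * n)


def encrypted_sum(n, ciphertexts):
    """Sum a whole batch of encrypted values; the caller sees only ciphertexts.

    Results wrap modulo n, so the true sum must stay below n.
    """
    total = 1
    for c in ciphertexts:
        total = (total * c) % (n * n)
    return total


if __name__ == "__main__":
    n, priv = keygen()
    c1, c2 = encrypt(n, 1234), encrypt(n, 5678)
    print("sum   ->", decrypt(n, priv, add_encrypted(n, c1, c2)))   # 6912
    print("3 * a ->", decrypt(n, priv, scale_encrypted(n, c1, 3)))  # 3702
```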

Intel isn’t the only company looking at this technology, as last year IBM released a toolkit to allow macOS and iOS developers to utilise FHE while building apps. FHE was first discovered over a decade ago by IBM researcher Craig Gentry.

A New Age of Collaboration Tools


David Howell

9 Mar, 2021

One of the starkest consequences of the pandemic is the fragmentation of workforces. Mass working from home was at first expected to be short-term, but now looks set to become permanent as companies look to radically alter how they organise and manage their employees.

Businesses have used collaboration tools for decades, allowing individuals and teams to work efficiently together. COVID-19 made these tools vital and a hub around which workers could congregate. However, the speed at which some businesses rolled out these tools to remote workers was often hurried and not strategically planned. Now that enterprises have had time to assess what extended home working means to them and what tools they really need to make it work, we may see the emergence of a new age of collaboration tools.

It’s no surprise that the fastest-growing apps during the pandemic have been workspace management and collaboration tools. According to Okta’s Business at Work report, Miro, an app offering whiteboard functionality for teams, experienced 301% growth; measured by unique users, it grew 449% in just a year. 

Deployment of project management app Smartsheet has grown 170% over the past three years. Slack has cemented itself as the leading messaging tool with 190% growth. And deployments of Zoom grew over 45% between March and October 2020, while Webex grew 15% and RingCentral grew 18% during this same period.

Martin Langan, chairman and innovation director at legalmatters, tells Cloud Pro that his company has been using the cloud-based NetDocuments service to help its 20-strong workforce manage their document loads. “The implementation of NetDocuments has played a big part in enabling the firm to continue ‘business as usual’ operations despite employees being unable to work from its office,” he says. “At present, legalmatters is only scratching the surface of what its employees can do with NetDocuments, and the firm expects further benefits to be realised once COVID-19 ‘lockdown’ measures are eased.”

Tools, then, need to be chosen and deployed carefully to ensure they are fit for purpose, but also, that their end users are comfortable with their features. Legacy systems also need to be taken into consideration – often, several tools will be used together, which can provide integration and security challenges.

With this in mind, unifying collaboration tools will become the Holy Grail of many businesses post-COVID-19 to avoid efficiency declines and ongoing security issues. Zoom’s new ability to integrate with Google Calendar and Microsoft’s Together Mode are examples of how this might look, as providers take the opportunity to make their products more attractive in an increasingly remote-focused business world.

New Tools

Carl Harris, group director at BCS (The Chartered Institute for IT) says there has been a shift over the past 12 months in how collaboration tools are used: “Certainly, at the start of the pandemic, the single biggest change in our use of collaboration tools was not which tools we are using, but how we would use the ones at our disposal differently.”

He adds: “Take Microsoft Teams as an example. Prior to lockdown Teams was a value-add collaboration tool, enabling us to reach employees via a simple video call more easily on those irregular occasions when somebody may be working from home. Now it is an integral part of our everyday working. All daily employee interaction is conducted through the tool, and the use of the tool’s features have expanded from just simple video calling to an extensive use of all it has to offer.”

Jörn Rabach, director at architecture practice Hutchinson & Partners, tells Cloud Pro his organisation has found significant benefits in melding a specialist remote working and collaboration tool into its existing systems.

“We have recently adopted Inevidesk, a virtual desktop solution which has been developed specifically for the AEC (Architecture, Engineering and Construction) sector,” he says. “Most importantly, this solution integrated seamlessly into our existing set-up, allowing the teams to directly work off our London based servers while avoiding the cost and complexity of a hybrid infrastructure solution.”

Fran Nolan, MD of content agency Tribera, explains that her company, too, found itself needing more than the basic level of collaboration platform that everyone flocked to in March 2020.

“We immediately had to get Microsoft Teams as we needed an intuitive way to meet on video as much as possible. We regularly use the chat function too to stay connected and try to keep those collaborative conversations going,” she says. “We then got GetBusy as we were finding we had too many work channels open with email, Slack and WhatsApp so we now use GetBusy which still integrates with email, but the task assignment and completion are a lot slicker.”

Transforming connections

What does all this mean for the future, both of business and of collaboration technology? One type of technology that holds some promise for meetings in particular is alternate reality, virtual reality, and extended reality – with Cloud Pro’s sister title, IT Pro, having already trialled an example of this in the form of Vive Sync.

Jocelyn Lomer, chief executive at nuVa Enterprises, which develops a virtual meeting room application, explains to Cloud Pro that while the tools we’ve been using so far have plugged a hole, we need to build on them.

“The desktop video apps are insufficiently rich and do not deliver innovative solutions or allow the mind to range freely,” she says. “Traditional desktop collaboration tools like MS Teams and Zoom have proven to be partly sufficient, but frequently employees are left frustrated, stressed and exhausted from the limitations of the asynchronous tools.”

Shaun Lynn, CEO of channel services provider Agilitas, says that as COVID restrictions subside, businesses will begin to reconsider how they create a more collaborative and flexible workplace outside a time of crisis.

“Collaboration tools need to support this migration, with connectivity and compatibility being key focus areas,” Lynn says. “Like all software-based tools, this will be an evolution rather than a revolution. Market demand will define functionality, and the vendors of collaborative tools who respond the quickest will be the ones to succeed. Like all great tech, some will become the VHS of collaboration tools and others will be Betamax.”

All businesses, no matter their size, have been transforming at speed as the pandemic has re-shaped their workforces. Choosing the right collaboration tools that deliver efficient services to remote teams and individuals is now the cornerstone all companies can build upon. But business leaders should also appreciate that these tools are not just for process management. Collaboration tools can connect remote workers on a personal level. Collaboration is about work, but also about reinforcing social relationships that are critical for every employee’s wellbeing.

Microsoft’s Apprenticeship Connector will help SMBs find digital apprentices


Keumars Afifi-Sabet

8 Mar, 2021

Microsoft has partnered with the job-seeking platform GetMyFirstJob to launch an online hub that will connect UK organisations seeking to recruit digital apprentices with a wide pool of prospective applicants.

Apprenticeship Connector will simplify the recruitment process by listing vacancies across Microsoft’s network of partners and customers, which young jobseekers can access to seek new opportunities. The firm said its partners and customers will also be able to promote their vacancies to a larger and more diverse range of candidates.

GetMyFirstJob was chosen as the ideal partner platform in light of its recognition that traditional recruitment processes were exacerbating existing barriers to social mobility. Its own platform has sought to channel skills into the right areas, reaching more than 4.1 million users in 2020.

The partnership aims to solve the specific problem of small and medium-sized businesses (SMBs) struggling to recruit the right candidates while also aiming to raise the diversity of new recruits generally.

“Digital apprenticeships are one of the best routes to well-paid careers in businesses of all types, not just in tech,” said Microsoft’s UK CEO, Clare Barclay. “It’s why we have worked hard over the past 10 years to help provide thousands of people with the skills and training needed for the in-demand jobs of today and tomorrow. 

“Yet even in the current jobs market, the reality is there are many vacancies going unfilled. I encourage anyone thinking about getting started in digital to visit The Microsoft Apprenticeship Connector and take the next step.”

Microsoft also shared some statistics highlighting the tech recruitment problem in the UK, also referred to as the digital skills crisis. For example, the UK needs more than three million skilled people in technology roles by 2025, while almost half of UK businesses are also looking to recruit workers with the same technical skills, ranging from data analytics to cyber security, regardless of sector.

Last February, experts urged the government to reform its apprenticeship scheme after it fell short of its own targets. Figures at the time showed that the number of people starting an apprenticeship between August and October 2019 fell to 125,800 – down from 132,000 the previous year. 

This represented a 4.7% drop, although the situation is even bleaker today. The latest ONS figures show that new starts between August and October 2020 fell by a staggering 27.6% to 91,100. The effects of COVID-19 would have certainly played a role, although it nevertheless feeds into a long-term downward trend.

The UK chancellor, Rishi Sunak, also last week stressed the importance of apprenticeships as he was outlining the latest Budget. He doubled the cash incentive for employers to hire apprentices and introduced a new flexi-job programme that would allow apprentices to work with a number of different employers within one sector.

“It’s great to see Microsoft using its technology expertise to make it easier for people to engage with these fantastic opportunities,” Sunak said. “As the world becomes increasingly more digital, these skills will play a crucial role in helping us build back better from the pandemic.”

‘Hundreds of thousands’ of victims in Microsoft Exchange Server attacks


Keumars Afifi-Sabet

8 Mar, 2021

There are potentially hundreds of thousands of victims from cyber attacks exploiting newly-discovered Microsoft Exchange Server vulnerabilities, with the White House urging businesses to patch their systems immediately.

US-based victims exceed 30,000 including small businesses, towns and cities as well as local government organisations, according to security researcher Brian Krebs, with Chinese hackers determined to steal their email communications.

This figure, however, only represents a portion of “hundreds of thousands” of servers that state-backed Chinese hackers have seized, based on information provided to Krebs by two security experts. Each targeted server, deployed to process email communications, represents roughly one organisation here. 

“This is an active threat,” White House press secretary Jen Psaki said at a press briefing, as reported by BBC News. “Everyone running these servers – government, private sector, academia – needs to act now to patch them.” 

She added that the White House was concerned “there are a large number of victims” and that these vulnerabilities discovered last week could have “far-reaching impacts”.

Microsoft patched four actively exploited flaws in several versions of its Microsoft Exchange Server service last week, which attackers were taking advantage of to steal emails from web-facing systems running the software. 

In these attacks, the perpetrators left behind a password-protected web shell that could be accessed from anywhere, giving them administrative access to victims’ servers.

The company also warned businesses that this charge was being led by state-backed hackers, specifically the Hafnium group, although it refrained from disclosing how many victims there were at the time.

The US Cybersecurity and Infrastructure Security Agency (CISA) then ordered US federal agencies to immediately patch their Exchange Server installations, or disconnect the programme until it can be reconfigured, for fear of falling victim to hacking attempts.

“Patching and mitigation is not remediation if the servers have already been compromised,” the White House’s National Security Council also tweeted. “It is essential that any organization with a vulnerable server take immediate measures to determine if they were already targeted.”

Vice president of Volexity, Steven Adair, who first reported the Exchange flaws to Microsoft, also told KrebsOnSecurity that the hacking group first exploited these bugs on 6 January, but shifted into a much higher gear over the last few days.

“Even if you patched the same day Microsoft published its patches, there’s still a high chance there is a web shell on your server,” he said. “The truth is, if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”