All posts by Keumars Afifi-Sabet

REvil demands $70 million ransom after Kaseya supply chain attack


Keumars Afifi-Sabet

5 Jul, 2021

REvil has infected more than 40 customers of IT management software firm Kaseya in a SolarWinds-style supply chain attack in which ransomware was distributed through a malicious update.

Kaseya revealed this weekend that its cloud-based IT management and remote monitoring product VSA had been compromised, but that the attack affected a small number of its on-premises customers only. The number of victims is estimated to be roughly 40, according to the firm.

The cyber gang exploited a zero-day vulnerability to remotely access internet-facing VSA servers. Given this software is used by many Managed Service Providers (MSPs), this route of entry also gave them a route into those MSPs’ customers. Kaseya was targeted because a key function of VSA is to push software and automated IT tasks on request, without checks.

The hackers responsible are now issuing varying ransom demands to their victims. REvil is demanding $44,999 from victims if their endpoint has been hit, according to Sophos security researcher Mark Loman. The group, meanwhile, is demanding a sum of $70 million to publish the universal decryptor, while boasting that it has infected a million devices.

Looking beyond the 40 victims that Kaseya suggests REvil has claimed, Huntress Labs claims that more than 1,000 businesses have had servers and workstations encrypted, including MSPs. 

The response to the attack has been stark, with businesses served by the VSA product cutting off their servers from access to the internet. According to Dutch security firm DIVD CSIRT, the number of reachable VSA instances dropped from the norm of 2,200 to less than 140 as of Sunday. 

The company confirmed that a DIVD researcher, Wietse Boonstra, had previously identified a zero-day flaw, tracked as CVE-2021-30116, which is now being used in the ransomware attack. This flaw was discovered as part of a wider research project in which the firm is examining flaws in tools for system administrators in products such as Vembu BDR, Pulse VPN and Fortinet VPN.

“After this crisis, there will be the question of who is to blame,” the company said in a blog post. “From our side, we would like to mention Kaseya has been very cooperative. Once Kaseya was aware of our reported vulnerabilities, we have been in constant contact and cooperation with them. 

“When items in our report were unclear, they asked the right questions. Also, partial patches were shared with us to validate their effectiveness. During the entire process, Kaseya has shown that they were willing to put in the maximum effort and initiative into this case both to get this issue fixed and their customers patched. They showed a genuine commitment to do the right thing. Unfortunately, we were beaten by REvil in the final sprint, as they could exploit the vulnerabilities before customers could even patch.”

Kaseya executives are meeting again today to discuss bringing its data centres online, with a scheduled restoration date and time of 5 July “by the end of the day” local time (UTC). That timeframe is dependent on achieving some key objectives, however.

Once the software as a service (SaaS) data centres have been restored, Kaseya will publish the schedule for distributing its patch to on-premises customers.

Instructions on how to exploit Windows Print Spooler accidentally leaked after research blunder


Keumars Afifi-Sabet

2 Jul, 2021

Cyber criminals are abusing a severe Windows vulnerability just days after a security company inadvertently published a proof-of-concept (PoC) exploitation for this previously undisclosed flaw.

The vulnerability, nicknamed PrintNightmare, concerns the Print Spooler component in all Windows devices. It’s being tracked as CVE-2021-34527, and lets attackers install programmes, view, change or delete data, or create new accounts with full privileges on targeted devices.

Microsoft had initially fixed a flaw in the Print Spooler component on 8 June as part of its Patch Tuesday round of updates. At the time this was deemed a privilege escalation flaw and was tracked as CVE-2021-1675.

The firm then upgraded the severity of the bug from just privilege escalation to remote code execution on 21 June.

At the same time, researchers with the security firm Sangfor had been conducting their own research into Print Spooler vulnerabilities, which they were preparing to discuss at the forthcoming Black Hat cyber security conference in August.

Seeing that Microsoft had upgraded the bug’s severity, the researchers assumed that it was the same flaw they had been working with and decided to publish the proof of concept for the exploit ahead of the conference, safe in the knowledge that it had been patched.

This remote code execution exploit, however, was for an entirely different Print Spooler weakness that hadn’t been previously disclosed by Microsoft, and used a different attack vector.

Once this was established, the researchers quickly took down their work, but not before the exploit code was downloaded and republished elsewhere.

Microsoft has since warned businesses that hackers have seized upon this blunder and are targeting businesses with the flaw now known as CVE-2021-34527. Since it’s an evolving situation, Microsoft hasn’t yet attached a threat severity score to the bug.

“A remote code execution vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations,” Microsoft wrote in a security advisory.

“An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges.”

Until a patch becomes available, Microsoft has recommended that businesses either disable the Print Spooler service or disable inbound remote printing through their group policy.

The first mitigation would disable the ability to print locally or remotely, while the second workaround blocks the remote attack vector by preventing inbound remote printing operations. Local printing, however, will still be possible.
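The two workarounds above map to one service state and one Group Policy setting, so they can be audited and applied from an elevated PowerShell 5.1 session. The script below is an added example, not code from the article or from Microsoft; it assumes the "Allow Print Spooler to accept client connections" policy is backed by the registry value RegisterSpoolerRemoteRpcEndPoint (2 = disabled) under the Printers policy key.

```powershell
# Added example (not from the article or Microsoft): audit a Windows host for the two
# PrintNightmare (CVE-2021-34527) workarounds and, when asked, apply the one that fits
# the host's role. Run elevated. Assumption: the "Allow Print Spooler to accept client
# connections" policy is read from the registry value RegisterSpoolerRemoteRpcEndPoint
# (2 = policy Disabled, i.e. inbound remote printing blocked).
[CmdletBinding()]
param(
    [ValidateSet('Audit', 'DisableSpooler', 'BlockRemotePrinting')]
    [string]$Mode = 'Audit'
)

$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$PolicyName = 'RegisterSpoolerRemoteRpcEndPoint'

function Get-SpoolerExposure {
    # Reports service state, policy state and whether the remote vector is still open.
    $svc    = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $policy = (Get-ItemProperty -Path $PolicyPath -Name $PolicyName `
               -ErrorAction SilentlyContinue).$PolicyName
    [pscustomobject]@{
        SpoolerStatus         = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        SpoolerStartType      = if ($svc) { $svc.StartType.ToString() } else { 'n/a' }
        RemotePrintingBlocked = ($policy -eq 2)
        # Exposed to the remote vector only when the service runs AND remote RPC is allowed.
        RemoteVectorExposed   = [bool]($svc -and $svc.Status -eq 'Running' -and $policy -ne 2)
    }
}

function Disable-Spooler {
    # Workaround 1: stops all printing on this host, local and remote.
    Stop-Service -Name Spooler -Force
    Set-Service -Name Spooler -StartupType Disabled
}

function Block-RemotePrinting {
    # Workaround 2: keep local printing, refuse inbound client connections.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    New-ItemProperty -Path $PolicyPath -Name $PolicyName -PropertyType DWord -Value 2 -Force | Out-Null
    # The policy is read when the service starts, so restart a running spooler.
    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') { Restart-Service -Name Spooler -Force }
}

$before = Get-SpoolerExposure
Write-Output "Before: $($before | ConvertTo-Json -Compress)"
switch ($Mode) {
    'DisableSpooler'      { Disable-Spooler }
    'BlockRemotePrinting' { Block-RemotePrinting }
}
if ($Mode -ne 'Audit') {
    Write-Output "After:  $(Get-SpoolerExposure | ConvertTo-Json -Compress)"
}
```

Run with `-Mode Audit` first across a fleet to find hosts where RemoteVectorExposed is true; use `BlockRemotePrinting` on hosts that still need local printing and `DisableSpooler` everywhere else (domain controllers in particular have no business running the spooler).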

Microsoft bolsters Azure with AT&T 5G deal and security collaboration


Keumars Afifi-Sabet

1 Jul, 2021

Microsoft has struck agreements with US networking giant AT&T and the cyber security organisation MITRE to bring additional 5G support as well as threat monitoring capabilities to Azure.

As part of its deal with MITRE, Microsoft will integrate the organisation’s adversarial tactics, techniques and common knowledge (ATT&CK) framework into its public cloud platform in order to build a foundation for developing threat models.

Separately, the firm has acquired the Network Cloud division of AT&T, which plays host to its core 5G network. Microsoft will indirectly own but won’t operate this network, and instead plans to integrate IP and expertise into its Azure for Operators platform.

These twin deals are part of Microsoft’s strategic efforts to bolster its public cloud platform on the cyber security and networking fronts.

The AT&T acquisition, for example, is part of a strategic alliance that will see network traffic managed by Microsoft Azure. This is set to begin with the 5G core, the software at the heart of AT&T’s 5G network.

Microsoft says AT&T will benefit from greater productivity and cost-efficiency as more network workloads migrate to Azure for Operators. The firm will also use the company’s hybrid and hyperscale infrastructure to reduce costs.

The Network Cloud platform, which Microsoft is acquiring, has been running AT&T’s 5G core network since 2018. Microsoft will integrate this into its Azure for Operators platform to allow operators to run telecoms networks in the cloud.

Microsoft will benefit from access to IP and technical expertise to grow its product, building on the 2020 acquisitions of Affirmed Networks and Metaswitch Networks. It’s also acquiring AT&T’s engineering and lifecycle management software that’s used to develop carrier-grade cloud that can run containerised or virtualised network services.

“With Azure, operators can provide a more flexible and scalable service model, save infrastructure cost, and use AI to automate operations and differentiate customer offerings,” said executive vice president of Azure, Jason Zander.

“Through our collaboration with AT&T, Microsoft will expand its telecom portfolio to support operators with a carrier-grade cloud that provides seamless experiences across Microsoft’s cloud and the operator’s network.”

Microsoft’s partnership with MITRE, meanwhile, has seen the firm integrate the ATT&CK framework into Azure to launch the Security Stack Mappings for Azure research project. This has introduced a library of mappings that connect built-in Azure security controls to the techniques, identified by ATT&CK, that they’re designed to protect against.

The project aims to plug an information gap for businesses seeking to proactively secure their public cloud deployment. This project creates data that shows how built-in security controls might secure their assets against the specific attack methods most likely to target them.

“Microsoft has worked to expand the suite of built-in security controls in Azure which, while highly effective for protecting customer environments, can feel overwhelming to understand across an organisation’s entire Azure estate,” said senior threat intel librarian with Microsoft’s threat intelligence centre, Madeline Carmichael.

“MITRE has developed the ATT&CK framework into a highly respected, community-supported tool for clarifying adversary TTPs. Pairing the two together provides a helpful view for organisations to understand their readiness against today’s threats in a familiar vocabulary that enables easy communication to their stakeholders.”

Kubernetes costs spiralling as businesses fail to monitor spend


Keumars Afifi-Sabet

30 Jun, 2021

Expenditure on Kubernetes is rising dramatically, and most businesses are struggling to accurately project how much they’re expecting to spend on their container orchestration systems in future.

Over the last year, Kubernetes-related costs surged for 68% of businesses, according to research by the Cloud Native Computing Foundation (CNCF), which manages the ecosystem. Just 12% of businesses lowered their Kubernetes expenses, while among organisations to have sustained an increase, half saw it jump by more than 20%.

Kubernetes is an open source container orchestration system for automating app deployment, scaling and management. While it was originally designed by Google, Kubernetes is now maintained by the CNCF.

The trend does not come as a surprise, according to the report, because as most organisations adopt cloud-native architectures and scale up Kubernetes environments, the associated cloud costs will rise.

Despite costs projected to spiral, however, there’s a disconnect between these rising expenses and how well most businesses are able to accurately forecast Kubernetes costs, project these, and instigate processes that can manage overspend.

CNCF and the FinOps Foundation surveyed senior IT staff from their extended communities at 195 organisations, a small sample size but one that the report treats as representative of a cross-section of businesses.

The vast majority of respondents either don’t monitor Kubernetes spending at all (24%) or rely on monthly estimates only (44%). Only 13% used accurate show-backs, while 14% had a chargeback programme in place.

“As more organisations adopt cloud-native architectures and scale up Kubernetes environments, the associated cloud costs will rise,” the report said. “However, the FinOps for Kubernetes survey uncovered a disconnect between these rising expenses and how well most respondents have been able to accurately and effectively monitor Kubernetes costs, predict those costs, and instill processes that can curtail unnecessary overspend.

“Whether spending $10,000 per month or 100x that, the lack of real-time cost visibility and the insights and actions that organisations can take from that suggests that the majority of organizations leveraging Kubernetes can become significantly more cost-efficient – and do so without impacting performance.”

As cloud costs continue to rise for the majority of businesses, the report urges organisations to adopt processes and systems to track how much they spend. Firms should look beyond basic cost estimations and should instead seek to allocate costs back to granular environments and projects for show-back and chargeback. 

Cisco flaw under attack after researchers publish exploit PoC


Keumars Afifi-Sabet

28 Jun, 2021

Hackers are targeting a vulnerability in Cisco’s Adaptive Security Appliance (ASA) after security researchers published a proof-of-concept (PoC) for a successful exploit.

Positive Technologies SWARM, the security company’s offensive research team, published an exploit PoC for the flaw tracked as CVE-2020-3580 last week. This was originally patched in October 2020 alongside CVE-2020-3581 through to CVE-2020-3583.

This issue, which is considered to be moderately severe, concerns multiple vulnerabilities in the web services interface of Cisco ASA software and Cisco Firepower Threat Defense (FTD) software. 

On unpatched systems, Cisco ASA/FTD software web services don’t sufficiently validate user-supplied inputs. To exploit the bug successfully, hackers would need to convince a user on the interface to click on a malicious link. The vulnerability is rated 6.1 out of ten on the CVSS threat severity scale.

Exploitation could allow an attacker to remotely conduct cross-site scripting (XSS) attacks on affected devices that haven’t been patched. Cisco ASA Software is the core operating system that powers the Cisco ASA family, comprising devices that offer firewall tools among other security-oriented services.

Since the PoC was posted online, Positive Technologies researcher Mikhail Klyuchnikov reported that many other researchers are also chasing bug bounties for this vulnerability. Tenable researchers have also reported that attacks are exploiting CVE-2020-3580.

Cisco issued a patch for this flaw in October 2020, but the fix for CVE-2020-3581 was only partial, and the company had to issue a second patch in April this year. As of last July, there were 85,000 ASA/FTD devices distributed across the business landscape. 

Cisco Adaptive Security Appliance (ASA) Software is the core operating system that powers the Cisco ASA family. It offers firewall tools for various ASA devices, with ASA Software also integrating with other critical security technologies to deliver security-oriented products. 

Businesses are being advised to patch their systems with the latest update to avoid falling victim to successful attacks.

Windows 11 leaks in full after early build shows up online


Keumars Afifi-Sabet

16 Jun, 2021

Microsoft’s Windows 11 operating system has leaked online in full just days before developers were set to showcase its new look and key features in a reveal event. 

Screenshots of the in-development successor to Windows 10 show that the biggest aesthetic features include a centralised Start menu and taskbar, rounded corners for all windows and menus, as well as a light skin activated by default. 

Images were first leaked to the Chinese site Baidu, although a fully operational version of Windows 11 has since emerged online, according to The Verge.

The user interface (UI) is altogether more reminiscent of macOS than classic Windows deployments, although activating a dark skin and shifting the Start menu to the left of the taskbar does make it resemble Windows 10. 

It’s also very similar in the layout of the UI for Microsoft’s Windows 10X, first developed for dual-screen devices but since abandoned and integrated instead into the broader Windows development cycle. The latest major Windows 10 update, for example, borrowed heavily on elements first devised to be included in Windows 10X.  

The Start menu included in this beta version of Windows 11 represents perhaps the most significant UI change against Windows 10. There’s a tiled layout to the apps in the menu, with a section for pinned and recommended services, alongside a prompt to view all apps.

Much of the leaked version remains completely unchanged, however, barring updated icons and the fact that windows are in keeping with the rounded edges aesthetic. The task menu as well as contextual menus and the file explorer all look much like they do in Windows 10, though it’s unclear whether these will change with the finished version.

Another significant addition is that of a Widgets button in the taskbar, which suggests the return of a widgets system that was included with Windows Vista and Windows 7. A screenshot shows a menu that slides out with tiles that show different pieces of information such as the weather, football scores, and news headlines.

Users can also snap windows far more effectively and micromanage the layout by clicking the maximise button in the top right corner. They can, at present, choose which half, or quadrant, of the screen in which to place their window.

Microsoft has strongly hinted at the existence of a successor to Windows 10 for some months, teasing various details about a Sun Valley build that promises to improve users’ workflow, according to Windows Central.

The firm is due to discuss the build and detail its features for the first time on 24 June. Microsoft CEO Satya Nadella described this as “one of the most significant updates to Windows of the past decade”, and argued that it will unlock greater economic opportunity for developers and creators. 

“I’ve been self-hosting it over the past several months, and I’m incredibly excited about the next generation of Windows,” he said during his keynote at the Microsoft Build 2021 event. 

“Our promise to you is this: we will create more opportunity for every Windows developer today and welcome every creator who is looking for the most innovative, new, open platform to build and distribute and monetise applications.”

Microsoft has also announced in recent days that it plans to retire Windows 10 by 2025, again signalling that Windows 11 is on its way very soon.

IT Pro approached Microsoft for confirmation the leaks are genuine, and whether it’s considering taking any action.

Ubuntu Pro launches on Google Cloud


Keumars Afifi-Sabet

15 Jun, 2021

Canonical has launched the premium version of its open source Ubuntu Linux distribution on Google Cloud, offering enterprise users a suite of new features and security capabilities for their deployments.

Ubuntu Pro on Google Cloud is available to all Google Cloud users, with the deployment allowing for instant access to all security patches covering thousands of open source apps, as well as critical compliance features. 

This premium version of the free-to-use Linux operating system focuses on enterprise and production use, providing developers and admins with secured DevOps environments, as well as additional security tools. 

Live kernel patching, for example, offers virtual machine (VM) instances increased security, while users can benefit from ten years of mission-critical support for 18.04 LTS onwards. The maintenance period of Ubuntu Pro 16.04 LTS is eight years.

“Enterprise customers are increasingly adopting Google Cloud to run their core business-critical and customer-facing applications,” said VP and GM for Compute at Google Cloud, June Yang.

“The availability of Ubuntu Pro on Google Cloud will offer our enterprise customers the additional security and compliance services needed for their mission-critical workloads.” 

With Ubuntu Pro, alongside all standard optimisations and security updates in Ubuntu, users can also utilise certified components to allow operating environments under various compliance regimes, including GDPR and PCI. 

Later in the year, additional features will be added such as certified FIPS 140-2 components, a security dashboard, managed apps, and more that haven’t yet been defined.

Google Cloud has partnered with Canonical in some capacity for many years, and the standard iteration of Ubuntu has been available to Google Cloud customers since 2014. 

The two platforms have worked together on Ubuntu Pro on Google Cloud, which serves as a more secure, hardened and cost-effective DevOps environment that aims to boost customers’ cloud transformation efforts.

“Since 2014, Canonical has been providing Ubuntu for Google Cloud customers. We continuously expand security coverage, great operational efficiency, and native compatibility with Google Cloud features,” said VP of Cloud GTM at Canonical, Alex Gallagher. 

“I’m excited to witness the collaboration between Canonical and Google Cloud to make Ubuntu Pro available. Ubuntu Pro on Google Cloud sets a new standard for security of operating systems and facilitates your migration to Google Cloud.”

Customers can purchase these premium images directly from Google Cloud by selecting Ubuntu Pro as the operating system directly from the Google Cloud Console. 

Vodafone partners with industry giants to develop Open RAN network


Keumars Afifi-Sabet

14 Jun, 2021

A number of major firms are participating in Vodafone’s project to deliver the first commercial deployment of Open Radio Access Network (RAN) in Europe. 

Dell, Samsung, NEC, Wind River, Capgemini and Keysight will contribute their technologies and expertise to Vodafone’s efforts to build on the Open RAN lab in Newbury, England, as well as digital skills hubs in Malaga, Spain, and Dresden, Germany.

Open RAN is a networking concept that allows mobile network operators to use equipment from multiple vendors to form key components of a mobile network. Current RAN technology takes the form of a hardware and software integrated platform. 

The alternative, spearheaded by the O-RAN ALLIANCE, allows for disaggregation between hardware and software with open interfaces and virtualisation, alongside software that controls and updates networks through the cloud.

Benefits of the technology include diversifying the supply chain, raising flexibility, as well as adding new capabilities and services to networks. Operators, for example, could easily introduce AI functionality to optimise the network for specific use cases, such as large crowds at a football match.

“Open RAN provides huge advantages for customers,” said Vodafone CTO, Johan Wibergh. “Our network will become highly programmable and automated meaning we can release new features simultaneously across multiple sites, add or direct capacity more quickly, resolve outages instantly and provide businesses with on-demand connectivity.

“Open RAN is also reinvigorating our industry. It will boost the digital economy by stimulating greater tech innovation from a wider pool of vendors, bringing much-needed diversity to the supply chain.”

Allowing for a mix and match of hardware and equipment would also allow governments to move away from a reliance on technology provided by Huawei, over security concerns, as well as Ericsson and Nokia. Encouraging smaller companies to enter the market would, in theory, enhance competition. 

For this reason, the project is also backed by the European Commission, with the EU hoping that developments in Open RAN will bring more European companies into the emerging market. Vodafone and other major EU telecoms firms hope these network architectures will help to build a broader ecosystem.

The initial focus will be on the 2,500 sites in the UK that Vodafone committed to Open RAN in October 2020. Described as one of the largest deployments in the world, it’ll be built jointly with Dell, NEC, Samsung and Wind River.

Vodafone also plans to use new radio equipment defined under the Evenstar programme, which the firm contributes to. Capgemini and Keysight will provide support to ensure there’s interoperability between all the components that make up the infrastructure.

From this year, the six vendors will work together to extend 4G and 5G coverage to more rural places across the South West of England and most of Wales, shifting to urban areas at a later stage of the programme.

Latest Android 12 beta puts privacy front and centre


Keumars Afifi-Sabet

10 Jun, 2021

Google has launched the second build of the Android 12 Public Beta with participating Pixel users able to make use of a swathe of widely-anticipated privacy features.

Android 12 Beta 2 adds several features that were announced at the Google I/O developer conference in May but weren’t included with the first beta. 

Chief among these is a privacy dashboard that gives users insights into the various permissions that apps request, including access to location, the microphone, and the camera.

“Today we’re releasing the second Beta of Android 12 for you to try. Beta 2 adds new privacy features like the Privacy Dashboard and continues our work of refining the release,” said Android’s VP of engineering, Dave Burke.

“End-to-end there’s a lot for developers in Android 12 – from the redesigned UI and app widgets, to rich haptics, improved video, and image quality, privacy features like approximate location, and much more.”

The dashboard, accessible from the settings menu, also comes packaged with quick toggles so users can cut an app’s access to hardware components. There’s also an indicator in the status bar to show when either the microphone or camera are being accessed.

The latest beta version also adds functionality to manage network connections, replacing the Wi-Fi widget in the notifications centre with the Internet panel. This panel helps users switch between providers and troubleshoot connectivity issues.

Many of the changes in Android 12, in this latest beta as well as the last, aren’t set in stone and are subject to change based on feedback from Pixel users testing the operating system. There’s set to be at least one more beta release before Android 12 achieves ‘platform stability’ in August. There may then be one final beta release ahead of the final release later this year.

Android 12 will instigate a complete refresh of the UI, bringing a new set of colours, shapes, and animations to the way that users navigate the system. The design language, dubbed Material You by developers, will make Android more “expressive, dynamic and personal”.

As detailed at the I/O conference, the development team has made significant investments in upgrading performance in the new operating system. These comprise improvements to foundational system performance, battery life efficiencies, changes to foreground services, media quality, as well as new tools to optimise apps.

Google is shifting YouTube infrastructure to Google Cloud


Keumars Afifi-Sabet

7 Jun, 2021

Google is planning to migrate parts of YouTube away from its internal on-premise data centre infrastructure to its public cloud division, Google Cloud.

Although Google Cloud has carved a solid reputation through the years, its overall market share still languishes behind the likes of Azure and AWS. With the cloud market continuing to expand at pace, especially since the COVID-19 pandemic, the firm is therefore hoping to exploit the potential for higher revenues.

Moving parts of YouTube’s operations to Google’s own public cloud division may serve as the spark the company needs to stay competitive, according to Google Cloud CEO Thomas Kurian, speaking with CNBC.

Doing so would also allow the company to fight alongside the likes of AWS and Azure, with parent companies Amazon and Microsoft each moving their core services to their own public cloud divisions through the years.

“Part of evolving the cloud is having our own services use it more and more, and they are,” Kurian told the network. “Parts of YouTube are moving to Google Cloud.”

This migration will be the latest Google service to be powered by its public cloud arm, alongside its Google Workspace suite of productivity apps and services, as well as the DeepMind research division. 

YouTube, however, is one of the largest and most widely-used platforms on the internet, and migrating its operations to Google Cloud may, the company hopes, encourage other businesses to follow suit.

Google Cloud has been in a state of transition since Kurian took over from Diane Greene a couple of years ago. The division recorded losses of £4.1 billion in 2020, which were attributed to investment in new data centres, with Google Cloud intent on vastly expanding its operations in the coming years.

In 2020, the cloud giant launched four cloud regions in Indonesia, South Korea and the US, alongside another four which are set to be established in Qatar, Spain, Italy and France.