Category Archives: Security & Privacy

Google Project Zero is moving to complete 90-day patch adoption

Vendors will get a full 90 days to fix bugs under changes to Google Project Zero's disclosure policy.

Project Zero, Google's team of elite security researchers, has changed its disclosure policy to give vendors more room to get security fixes right and to distribute them to users.

Under the amendments introduced on Tuesday, flaws will be disclosed to the public 90 days after they are reported, unless an agreement with the vendor is in place.

Previously, once a security fix had shipped, the Project Zero researcher would make the issue public on the team's bug tracker.

“Too many times, we’ve seen vendors patch reported vulnerabilities by ‘papering over the cracks’ and not considering variants or addressing the root cause of a vulnerability,” Project Zero manager Tim Willis wrote.

“One concern here is that our policy goal of ‘faster patch development’ may exacerbate this problem, making it far too easy for attackers to revive their exploits and carry on attacking users with little fuss.”

Willis added that the change would also give vendors time to get users onto patched versions before disclosure.

“End user security doesn’t improve when a bug is found, and it doesn’t improve when a bug is fixed. It improves once the end user is aware of the bug and typically patches their device,” he said.

The changes should also make the process more consistent and easier for vendors to work with Project Zero, the blog post said.

“Some vendors considered our determination of when a vulnerability was fixed as unpredictable, especially when working with more than one researcher on the team at a given time,” Willis said.

“They saw it as a barrier to working with us on larger problems, so we’re going to remove the barrier and see if things improve.”

In August, Project Zero said that nearly 96 percent of the vulnerabilities it reported were fixed before the 90-day disclosure deadline expired; on Tuesday it updated that figure to 97.7 percent.

Project Zero has extended its 90-day deadline only twice: for the 2016 iOS task_t issue and for the 2018 Meltdown and Spectre flaws.


Maze Ransomware Operators Publish User Information

As if having their data encrypted were not bad enough, businesses that fell victim to Maze ransomware now face another threat: their data could be made public.

Maze's operators have been exfiltrating data from victim organisations for some time, using it as leverage until payment is received for decryption. Now they are threatening to release the data of any victim who refuses to pay the ransom.

To that end, the threat actor has created a website listing the names and websites of eight businesses that allegedly refused to pay the sum demanded to recover their files.

According to technology journalist Brian Krebs, at least one of the businesses on that list was indeed hit by Maze ransomware, even though the incident never made the news.

On that page the Maze operators publish details such as the date of initial infection, a sample of the stolen files (Office, text and PDF documents), the total volume of data allegedly taken from the company, and the IP addresses and hostnames of the infected servers.

The move is not surprising: the people behind Maze have been exfiltrating victims' data for some time and have already threatened to publish it if the demanded ransom is not paid.

In one incident in which Maze was deployed, the attackers used Cobalt Strike after gaining access to the network, gathering information about the environment before moving laterally. They also used a technique commonly associated with the Russian threat actor Cozy Bear.

The attackers then used PowerShell to connect to a remote FTP server and exfiltrate data. Only after this stage was complete did they deploy Maze to encrypt the victim's files.

In another incident that Cisco Talos attributed to the same actor, Cobalt Strike was again used after the initial breach, and PowerShell was used to exfiltrate large amounts of data over FTP. The attackers then demanded payment without publishing the information.

The two incidents are linked mainly by the command and control (C&C) infrastructure used (the data was uploaded to the same server as in the incident described above), the use of 7-Zip to compress the collected data, interactive logins over Windows Remote Desktop Protocol, and remote execution of PowerShell.
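As a defender-side illustration of the chain described above (RDP interactive logon, remote PowerShell execution, 7-Zip staging, PowerShell connecting to FTP), here is an added example that is not from the article or from Cisco Talos: it runs simple stage-matching rules over constructed, Sysmon-style event records and flags hosts where several stages coincide. The field names, the WinRM parent-process heuristic and all sample values are assumptions for the example.

```python
"""Correlate constructed endpoint events against the Maze-style chain:
RDP interactive logon -> remote PowerShell -> 7-Zip staging -> PowerShell to FTP."""
from collections import defaultdict

# Constructed sample records; field names loosely follow Sysmon / Windows Security
# logs and are an assumption, not output from any real tool. srv01 shows the chain,
# ws07 shows benign look-alikes (a user extracting an archive, a normal RDP session).
SAMPLE_EVENTS = [
    {"host": "srv01", "event": "logon", "logon_type": 10, "user": "svc-backup"},
    {"host": "srv01", "event": "process", "image": "powershell.exe",
     "parent": "wsmprovhost.exe", "cmdline": "powershell.exe -nop -w hidden -c ..."},
    {"host": "srv01", "event": "process", "image": "7z.exe", "parent": "powershell.exe",
     "cmdline": "7z.exe a -pSecret C:\\Temp\\fin.7z C:\\Shares\\Finance"},
    {"host": "srv01", "event": "network", "image": "powershell.exe",
     "dest_ip": "203.0.113.10", "dest_port": 21},
    {"host": "ws07", "event": "process", "image": "7z.exe", "parent": "explorer.exe",
     "cmdline": "7z.exe x C:\\Users\\bob\\Downloads\\photos.7z"},
    {"host": "ws07", "event": "logon", "logon_type": 10, "user": "bob"},
]

ARCHIVERS = {"7z.exe", "7za.exe", "7zg.exe"}

def classify(ev):
    """Map one event to a chain stage name, or None if it matches no stage."""
    kind, image = ev.get("event"), ev.get("image", "").lower()
    if kind == "logon" and ev.get("logon_type") == 10:          # RemoteInteractive = RDP
        return "rdp_logon"
    if kind == "process" and image == "powershell.exe" \
            and ev.get("parent", "").lower() == "wsmprovhost.exe":  # WinRM remoting host
        return "remote_powershell"
    if kind == "process" and image in ARCHIVERS \
            and "a" in ev.get("cmdline", "").split():          # 'a' = add to archive
        return "archive_staging"
    if kind == "network" and image == "powershell.exe" and ev.get("dest_port") == 21:
        return "powershell_ftp"
    return None

def triage(events, min_stages=3):
    """Return {host: sorted stages} for hosts where at least min_stages stages coincide."""
    seen = defaultdict(set)
    for ev in events:
        stage = classify(ev)
        if stage:
            seen[ev["host"]].add(stage)
    return {host: sorted(stages) for host, stages in seen.items() if len(stages) >= min_stages}

if __name__ == "__main__":
    for host, stages in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {len(stages)} chain stages -> {', '.join(stages)}")
```

Requiring several stages on one host keeps a lone RDP session or a user unpacking an archive from firing an alert, while the full staging-and-exfiltration sequence still stands out.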

“The use of targeted ransomware attacks isn’t new and, unfortunately, it’s not going anywhere anytime soon. This is an extremely lucrative attack avenue for adversaries and as such, its popularity is likely only going to increase. What makes these particular attacks interesting is the additional monetization avenue of exfiltrating data in the process,” Talos points out.

With this data in hand, the threat actor can demand more money from the victim, or monetise it by selling it to other cybercriminals on dark web marketplaces. Victims will also bear the cost of the damage caused when their data is published.

“This trend of achieving maximum monetary gain for their nefarious activities is increasingly common in the crimeware space […]. Expect adversaries to be increasingly aware of the systems and networks they are compromising as all systems and networks are not created equally and some have much higher profit margins, when compromised,” Talos concludes.
