Alerts

HP released firmware updates for a number of its Serial-Attached SCSI solid-state drives to prevent their failure at exactly 32,768 hours of operation time.

The devices are used in multiple server and storage products for enterprise, such as HPE ProLiant, Synergy, Apollo, JBOD D3xxx, D6xxx, D8xxx, MSA, StoreVirtual 4335 and StoreVirtual 3200.

The abnormal expiration time translates to 3 years, 270 days and 8 hours, a lot less than the normal lifespan of these products. For some of them, the warranty can be extended to up to five years.

Dire notification

The warning came through a customer bulletin from Hewlett Packard Enterprise (HPE) support center and notes that the SSD failure caused by the bug makes both the drive and the data on it unrecoverable.

Restoring the data would be possible “from backup in non-fault tolerance, such as RAID 0 and in fault tolerance RAID mode if more drives fail than what is supported by the fault tolerance RAID mode logical drive.”

In total, HP lists 20 drives affected by the issue. Since November 22, a fix has been available for only eight of them; for the rest, the company plans to release a firmware update in the second week of December.


Remember the Y2K bug that threatened to make computer programs go haywire on January 1, 2000? A similar timestamp recognition problem affects Splunk platform instances whose administrators neglect to patch them before 2020.

Documentation for Splunk Enterprise warns that a patch needs to be applied before January 1, 2020, for the platform to recognize timestamps for events with a two-digit year.

The Splunk software platform helps organizations search, analyze, and visualize large pools of data from various components of the IT infrastructure or business. It can ingest information from various sources (sensors, applications, devices) and turn it into actionable reports that help identify patterns or predict trends. It can also calculate metrics or create alerts triggered by certain actions.

Cause of the problem

Different types of dates and timestamps in Splunk are determined by the input processor based on ‘datetime.xml’ – a file that uses regular expressions to extract the information from incoming data.

The issue is that the unpatched version of the file can only extract two-digit years up to 2019, so it will work properly only until the last day of the year.
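To illustrate the failure mode, here is an added, constructed example (not Splunk's actual datetime.xml content): a simplified two-digit-year pattern that accepts only 90-99, 00-09 and 10-19, next to a widened pattern that also accepts the 2020s, run over two constructed log lines. The date layout, the pivot rule and both regular expressions are assumptions for illustration.

```python
import re
from datetime import datetime

# Constructed stand-in for the kind of two-digit-year expression the article
# describes: only years 90-99, 00-09 and 10-19 are accepted, so the two-digit
# year "20" never matches. Not Splunk's real datetime.xml pattern.
UNPATCHED_YEAR = r"(?P<yy>[901]\d)(?!\d)"
# Constructed fix: the character class is widened to also accept 20-29.
PATCHED_YEAR = r"(?P<yy>[9012]\d)(?!\d)"


def make_pattern(year_re: str) -> re.Pattern:
    """Build an mm/dd/yy hh:mm:ss matcher around the given year expression."""
    return re.compile(
        r"(?P<mon>\d\d)/(?P<day>\d\d)/" + year_re
        + r" (?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)"
    )


def extract_timestamp(line: str, year_re: str):
    """Return the first recognised timestamp in line, or None when the
    year expression rejects it (an indexer then has to fall back to some
    other time source, which is the mis-timestamping the article warns of)."""
    m = make_pattern(year_re).search(line)
    if not m:
        return None
    yy = int(m.group("yy"))
    # Assumed pivot: 90-99 map to the 1990s, everything else to the 2000s.
    year = 1900 + yy if yy >= 90 else 2000 + yy
    return datetime(year, int(m.group("mon")), int(m.group("day")),
                    int(m.group("h")), int(m.group("m")), int(m.group("s")))


# Constructed sample events: the last second of 2019 and the first of 2020.
SAMPLE_EVENTS = [
    "12/31/19 23:59:59 host=web01 action=login user=alice",
    "01/01/20 00:00:01 host=web01 action=login user=bob",
]


def check(year_re: str):
    """Parse every sample event with the given year expression."""
    return [extract_timestamp(line, year_re) for line in SAMPLE_EVENTS]


if __name__ == "__main__":
    for label, pat in (("unpatched", UNPATCHED_YEAR), ("patched", PATCHED_YEAR)):
        print(label, check(pat))
```

With the unpatched expression the 2020 event yields no timestamp at all, while the 2019 event still parses; the widened expression parses both.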

Iran’s elite hacking group is upping its game, according to new evidence delivered at a cybersecurity conference this week. The country’s APT33 cyberattack unit is evolving from simply scrubbing data on its victims’ networks and now wants to take over its targets’ physical infrastructure by manipulating industrial control systems (ICS), say reports.

APT33, also known by the names Holmium, Refined Kitten, or Elfin, has focused heavily on destroying its victims’ data in the past. Now, though, the group has changed tack, according to Ned Moran, principal program manager at Microsoft, who spoke at the CYBERWARCON conference in Arlington, Virginia on Thursday. Moran, who is also a fellow with the University of Toronto’s Citizen Lab focusing on security and information technologies, works on identifying and disrupting state-sponsored attackers in the Middle East.

The APT33 group is closely associated with Shamoon malware that wipes data from its targets’ systems. Experts have also warned of other tools in the group’s arsenal, including a data destruction tool called StoneDrill and a piece of backdoor software called TURNEDUP.

Moran said that APT33 previously relied on ‘password spraying’ attacks, in which it would try a few common passwords on accounts across lots of organizations. More recently, though, it has refined its efforts, ‘sharpening the spear’ by attacking ten times as many accounts per organization while shrinking the number of organizations it targets. It has also focused heavily on ICS manufacturers, suppliers and maintainers, Moran said.


Four popular open-source VNC remote desktop applications have been found vulnerable to a total of 37 security vulnerabilities, many of which went unnoticed for the last 20 years; the most severe could allow remote attackers to compromise a targeted system.

VNC (virtual network computing) is an open source graphical desktop sharing protocol based on RFB (Remote FrameBuffer) that allows users to remotely control another computer, similar to Microsoft’s RDP service.

The implementation of the VNC system includes a “server component,” which runs on the computer sharing its desktop, and a “client component,” which runs on the computer that will access the shared desktop.

In other words, VNC allows you to use your mouse and keyboard to work on a remote computer as if you are sitting in front of it.

There are numerous VNC applications, both free and commercial, compatible with widely used operating systems like Linux, macOS, Windows, and Android.

The TrickBot banking trojan keeps evolving, according to researchers who this week spotted an updated password-grabber module that could be used to steal OpenSSH private keys and OpenVPN passwords and configuration files.

TrickBot (also known as Trickster, TrickLoader, and TheTrick) is modular malware that has been continuously upgraded with new capabilities and modules since it was first spotted in the wild in October 2016.

Although the first detected variants came only with banking Trojan capabilities, used to collect sensitive data and exfiltrate it to its operators, TrickBot is now also a popular malware dropper that has been observed infecting systems with other, sometimes more dangerous, malware strains.

Newly targeted OpenSSH and OpenVPN apps

TrickBot’s just-updated password-grabbing module, which now targets the OpenSSH and OpenVPN applications, was discovered by researchers at Palo Alto Networks’ Unit 42 on a compromised 64-bit Windows 7 device on November 8.