BLOG

Intentional Backdoor Webmin RCE Vulnerability

    When Turkish researcher Özkan Mustafa Akkuş publicly disclosed a Remote Code Execution (RCE) vulnerability in the Webmin application at DefCon this month, the Webmin developers went into emergency overdrive mode to fix this issue ASAP. While the ethics of Akkuş’ disclosure without notifying the Webmin team first are certainly questionable, the vulnerability itself is severe and had been hidden for over a year. Even more alarming, further investigation by the Webmin team revealed that it wasn’t a coding error but in fact a malicious backdoor injected into the codebase through a build server.

    Webmin is a popular open-source application allowing management of Unixbased systems over the web. This includes management of users and groups, databases, web servers, e-mail, firewall, backups: pretty much any administration of the system. The vulnerability, CVE-2019-15107, pertains to the password expiration function allowing admins to require a user to set a new password at a set interval. By adding a pipe command “|” to the old password field using POST requests, a remote attacker could run arbitrary commands as the root user on the system.

   The vulnerability was introduced into the system by a malicious attacker in April 2018 by exploiting a Webmin development build server and modifying the password_change.cgi script. After some users reported that the password expiration feature was encountering errors, the developers reverted to an older version of the file that turned this feature off by default and inadvertently corrected the vulnerability. However, the attacker once again modified the file in July 2018. Even though the build server was decommissioned in September 2018, the new server was built from a directory containing the modified file so the vulnerability persisted until its DefCon reveal.

    The Webmin development team stated that version 1.890 included the vulnerability and that the password expiration function is enabled by default, making this the most vulnerable version. Versions 1.900 through 1.920 also include the vulnerability but with the password expiration function disabled by default. Version 1.930 was released following the DefCon reveal, which contains fixes for this vulnerability as well as some Cross-Site Scripting (XSS) vulnerabilities. Webmin developers are taking steps to ensure this issue doesn’t happen again, including an updated build process to only use checked-in code from GitHub, rotating all passwords and keys, and an audit of all GitHub check-ins over the past year.

Sources:

•  https://thehackernews.com/2019/08/webmin-vulnerability-hacking.html

 • https://www.zdnet.com/article/backdoor-found-in-webmin-a-popular-web-based-utility-for-managing-unix-servers/ 

http://www.webmin.com/exploit.html

Wed, 04 Sep 2019 14:33:00 +0000

The Syrk ransomware

    The Syrk ransomware, first reported by researchers at Cyren Security, disguises itself as a cheating device for the multiplayer Hunger Games style video game Fortnite. It proclaims the ability to provide aim assistance as well as player location revealing abilities. It doesn't provide any of these capabilities and instead installs an open source ransomware, Hidden-Cry with a .syrk extension.
   
    Hidden-Cry was shared on git-hub at the end of last year and is still openly available. The ransomware goes through a ten step process which consists of contacting a command & control (CC) server, disabling common defenses, executing a payload, encrypting files with a .Syrk extension, establishing persistence, preventing termination, periodically deleting files to establish a threat, and finally propagating itself malicious versions of files within connected USB drives. This particular malware is relatively benign. The decrypting tool is readily available with the files downloaded and is easily extracted and used to decrypt the ransomed files. The malware also creates .txt files to be sent to the CC server so that the attacker may provide a password to the victim once the ransom is paid. It's possible for a criminal to simply not send anything once payment is rendered. But if they intend to propagate via USB drive, it's likely that the first victim would be in contact with the next, and creating a reputation where payment brings no benefit would only prevent further payment. What's surprising is that the ransomware creates the file with the password right on the victim's computer. It even includes a Delete.exe that removes all traces of itself from the victim's computer (not USB drives) and even removes the start up file, making good on its promise after the password is entered.

    This attack is clearly targeted towards either the weak willed or the less informed. Children are particularly susceptible to the temptation to even the playing field to match the older or more dexterous peers in the game. The disguise as a tool for cheating already shows that the attacker intends to target those who would try to use shortcuts to achieve success over the effort of getting better at the game. While desire to win doesn’t make a vulnerable target, the lack of experience with scams and pressure to perform despite the limitations of age combine to make a particularly vulnerable demographic. The malware itself may not be as dangerous or complex as others, but it's target is particularly susceptible to such machinations.


Sources:

https://www.cyren.com/blog/articles/open-source-ransomware-targetsfortnite-users

https://www.kaspersky.com/blog/ransomware-in-fortnite-cheats/28104/

https://threatpost.com/fortnite-ransomware-masquerades-as-an-aimbotgame-hack/147549/
Wed, 04 Sep 2019 14:25:00 +0000

Potential Hurricane Dorian Cyber Scams


Original release date: September 4, 2019

The Cybersecurity and Infrastructure Security Agency (CISA) warns users to remain vigilant for malicious cyber activity targeting Hurricane Dorian disaster victims and potential donors. Fraudulent emails commonly appear after major natural disasters and often contain links or attachments that direct users to malicious websites. Users should exercise caution in handling any email with a hurricane-related subject line, attachment, or hyperlink. In addition, users should be wary of social media pleas, texts, or door-to-door solicitations relating to severe weather events.

To avoid becoming victims of malicious activity, users and administrators should review the following resources and take preventative measures:


If you believe you have been a victim of cybercrime, file a complaint with the Federal Bureau of Investigation Internet Crime Complaint Center at www.ic3.gov.

Wed, 04 Sep 2019 14:21:00 +0000

SQLite Heavy Vulnerabilities

Researchers at CheckPoint unveiled a method that could allow malicious actors to exploit programs that query SQLite databases. The findings were presented at the DEFCON cybersecurity conference last weekend by Omer Gull, a vulnerability researcher at CheckPoint. The researchers found that by overwriting a non-malicious SQLite database with a specially crafted malicious one, they can achieve remote code execution. SQLite is a C-language library that enables a fully self-contained SQL database engine. SQLite is used extensively by multiple operating systems such as iOS and Android, and applications such as Chrome, Firefox, Safari, and Dropbox. The researchers state that this attack technique allows for the exploitation of code that queries an SQLite database that an attacker can modify.

The researchers stated that the idea of an SQLite attack came from its role in command-and-control (C2) servers utilized by password-stealing malware. While reverse-engineering the malware, the researchers determined that most of them work in the same way. They state that “after the malware collects these SQLite files, it sends them to its C2 server where they are parsed using PHP and stored in a collective database containing all of the stolen credentials”. Using the specially crafted SQLite database, the researchers were able to gain a web shell on a C2 server in a lab environment by simulating the upload of a database.

In addition to exploiting a C2 server, the researchers provided another scenario where this vulnerability can be exploited. Within the iOS operating system, the “AddressBook.sqlitedb” file is one of the most common database files. This file is used for contact storage and is often referenced by either Apple apps or third-party messaging apps. By replacing this file with a malicious version, the researchers say that they can gain code execution. Normally persistence on iOS devices is difficult to achieve due to Apple’s Secure Boot feature. This security feature mandates that all executable files must be signed. However, SQLite database files are not signed, which allow for their modification.
While the researchers privately disclosed the vulnerabilities (CVE-2019-8600, CVE2019-8598, CVE-2019-8602, CVE-20198577) that were then patched in the latest SQLite version along with the latest iOS version (iOS 12.3), they said there are numerous other scenarios where this vulnerability can be exploited. “SQLite is one of the most deployed software in the world. However, from a security perspective, it has only been examined through the lens of WebSQL and browser exploitation,” said Omer Gull. SQLite attack scenarios should be considered a “major cyberthreat.” As always, keeping programs and operating systems up to date with the latest patches is one of the best ways to prevent the exploitation of these vulnerabilities.

Sources

https://threatpost.com/sqlite-exploits-iphone-hack/147203/ 

https://research.checkpoint.com/select-code_execution-from-usingsqlite/ 
Mon, 26 Aug 2019 19:15:00 +0000

VxWorks operating system Critical Vulnerabilities Found in Millions of Devices

    The Armis research team recently revealed 11 vulnerabilities, ranging from denial of service to remote code execution, affecting the VxWorks operating system. VxWorks is a real time operating system used in millions of embedded devices, from consumer electronics to medical devices. The vulnerabilities discovered bypass most forms of security and can even be used on the devices designed to secure the infrastructure if they utilize VxWorks.
The most critical vulnerabilities found allow for remote code execution on the target devices. Five of the critical vulnerabilities found require no interaction on the target system and are exploitable no matter how the device is configured. The sixth vulnerability requires the VxWorks internal DHCP client to parse a specially crafted response from an IP address allocation request. While this may seem like a difficult attack scenario, DHCP requires no authentication during these requests. This means an attacker can just wait, listening on the network until a request is made, and then spoof a malicious response before the real server. These vulnerabilities could allow for full takeover of a target network that used VxWorks based firewalls, making them especially dangerous.
Besides the critical vulnerabilities, there were also five lower impact, but still impactful, vulnerabilities found. One of the vulnerabilities allows for a complete denial of service which can be triggered by an attacker outside of the network. The other denial of service vulnerabilities discovered require the attacker to be in network proximity of the vulnerable device but can still prevent the vulnerable device from functioning if triggered.

    Armis describes three attack scenarios in their release document. The first scenario is based on the attacker being outside of the target network. VxWorks is used in a number of firewall devices and are immediately able to be exploited because they handle all network traffic. The second attack scenario is similar to the first in that the attack is outside of the network but are able to attack devices inside the network that can be reached from the outside. The third attack scenario is by an attacker positioned inside the network, such as on wifi or a guest network.

   VxWorks is sold and supported by Wind River, who was notified about the vulnerabilities. Wind River posted a security advisory covering the vulnerabilities and updates for affected customers. It is critical that affected devices are patched as soon as updates for them are available to prevent exploitation of these flaws.
Sources: 
https://www.threatpost.com/urgent-11-critical-infrastructureeternalblue/146731/

https://armis.com/urgent11/

Mon, 26 Aug 2019 19:12:00 +0000

IRS Warns of New Email Scam

The Internal Revenue Service (IRS) has issued a warning about a new email scam in which malicious cyber actors send unsolicited emails to taxpayers from fake (i.e., spoofed) IRS email addresses. The emails contain a link to a spoofed IRS.gov website that displays fake details about the targeted recipient’s tax refund, return, or account. The emails instruct the recipient to access their refund information by entering a provided password on the spoofed website. By entering the password, the victim unintentionally downloads malware that could enable the malicious cyber actors to take control of the affected system or obtain sensitive information.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the IRS news release and the CISA Tip on Avoiding Social Engineering and Phishing Attacks for more information.

Mon, 26 Aug 2019 15:10:00 +0000

Rubys in the Rough

    The Ruby programming language is a high level general-purpose programming language that was developed to focus on being Object oriented when the options for it were few and the creator found them lacking. The language uses a package manager called RubyGems to have a standardized platform for managing programs and libraries. 

    Thousands of users are potentially affected by vulnerabilities in 18 versions of Ruby libraries. The vulnerabilities included code that launched crypto miners inside other Ruby Projects. Other features of the compromised libraries included collection and delivery of data including credentials, payment, service provider, and the entire database to a server in the Ukraine. The backdoor contained a way for an attacker to send cookies through this vulnerability and to remotely execute code and commands. The code was inserted into several different crypto-mining libraries as well as a few utilities like omniauth_amazon and cron_parser. These are all relatively small packages, but the malicious actor tried to push his updates onto rest-client which is a much more widely used and scrutinized project, the backdoor was identified within hours and other projects where it was inserted were also discovered.
    Because of the quick identification time, there were only around a thousand downloads of the latest update for this older version of rest-client. However, the smaller libraries had this attack in place for over a month. Thankfully, the total downloads for all of those libraries combined numbered less than 3000. We last saw such dependency attacks in the strong_password library which downloaded a payload from pastebin.com instead of holding malicious code itself. 
    Of crowd sourced and open sourced projects, one must take extra precautions and evaluate the diffs between updates properly before committing to using such a solution. Without due diligence, one could find themselves unknowingly inserting bad code into their projects or relying on bad dependencies that could compromise both developer data, and user data in their products and projects. Relying on the descriptions and faith that a thoroughly used gem is a disservice to you as well as a disservice to the community at large.
Sources
https://securityaffairs.co/wordpress/90146/hacking/ruby-librariesbackdoor.html

https://github.com/rest-client/rest-client/issues/713

https://www.zdnet.com/article/backdoor-code-found-in-11-ruby-libraries/08
Mon, 26 Aug 2019 15:03:00 +0000

Mistake Apple accidentally Un-Patches Old Flaw

    Apple accidentally re-introduced a previously patched vulnerability from iOS 12.3 into iOS 12.4. This led to the release of a jailbreak for iOS 12.4 from Security Researcher Pwn20wnd called “unc0ver 3.5.0.” This is the first jailbreak to be released for up-to-date iPhones in years. This is significant, because, according to an article from Motherboard, iPhone bugs are so valuable that they are often not reported to Apple at all, and jailbreak exploits are often sold for large amounts of money. For example, the FBI paid over $1.2 million for a vulnerability that allowed them to gain access to an iPhone 5c used by San Bernardino shooter Syed Farook. 

    Another reason security researchers might be unwilling to report bugs to Apple is that Apple doesn’t offer a strong enough incentive. After refusing to offer a bug bounty program for some time, Apple announced its bug bounty program in 2016. Rewards range from $25,000 for “Access from a sandboxed process to user data outside of that sandbox process” to $200,000 for “Secure boot firmware components.” While this may sound like a lot of money, it is nothing compared to what Companies like Zerodium and Exodus offer for similar exploits. Zerodium has offered up to $1.5 million for exploits that would allow jailbreaks, and Exodus has offered up to $500,000 for similar exploits. Alternatively, some researchers don’t report bugs to Apple because the patching of those bugs would interfere with their ability to do further research. According to Luca Todesco, a well-known figure in the iPhone jailbreak community, “Either you report and kill your own bugs, or you decide not to report the bug so that you don’t complicate your own life and you can keep doing research.”

    The vulnerability used in this jailbreak was discovered by New Williamson, who works for Google Project Zero. The bug, titled CVE-2019-8605, could allow a malicious application to “execute arbitrary code with system privileges.” According to The Hacker News, “besides embedding the exploit into an innocentlooking app, the vulnerability can also be exploited remotely by combining it with sandbox bypass flaws in Apple Safari web browser or other Internet exposed services.” Even with this vulnerability, remotely hacking an iPhone is still a difficult task. However, it is substantially less difficult while this bug still exists on iPhones. 
Sources:
https://www.vice.com/en_us/article/qvgp77/hacker-releases-first-publiciphone-jailbreak-in-years

https://thehackernews.com/2019/08/ios-iphone-jailbreak.html

https://support.apple.com/en-us/HT210118

https://www.vice.com/en_us/article/gybppx/iphone-bugs-are-too-valuable-to-report-to-apple08
Mon, 26 Aug 2019 14:59:00 +0000

This is a Great Article by the Knowbe4 Company

Knowbe4 is a great solution for companies to train user on Social Engineering issues.
Here a great example of the content that they deliver to their base.


Scam of the Week: Equifax Settlement Phishing

Well, that did not take long! The Equifax Data Breach resulted in a settlement and those affected have a choice between free credit monitoring or a $125 payment. Internet lowlifes are now targeting victims of the Equifax data breach with phishing attacks and are spoofing Equifax’s settlement page.

Your users should report these as malicious emails. If they fall for it and click on the link, they are likely winding up on a spoofed site that looks very similar to the existing Equifax settlement page.

There, they are going to be exposed to a social engineering scam, trying to steal as much data as possible.

I suggest you send the following to your employees, friends and family. You're welcome to copy/paste/edit:

 

ALERT: Internet bad guys are now trying to trick you into filing an Equifax claim and get a $125 payment because your personal data was in the Equifax data breach. They are sending phishing attacks that look like they come from Equifax and when you click on the links, you wind up on a fake website that looks like it's Equifax, but will try to steal your personal information. Don't fall for it.

if you want to file a claim, go the legit FTC website and click on the blue "File a Claim" button. The website will check your eligibility for that claim, not everyone's information was compromised.
 
Here is the link to the FTC site:
https://www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement

Go to their blog at https://blog.knowbe4.com/ and also explore the free tools on their site https://www.knowbe4.com/free-it-security-tools

Tue, 06 Aug 2019 15:24:00 +0000

More examples of Speed to market not Secure First

    New technology often saturates a market before fully ripening to prime usefulness. The race to be first to market is often seen in the idea of recognized household names like Alexa, Blackberry, or even the Oculus Rift. While they might not always be the best at what they do, the familiarity can smooth over many of the kinks in the products they produce.

     The Hickory Smart Bluetooth Enabled Deadbolt allows its user to manage their home security remotely and to have the assurance that the door is locked in case they are concerned that they forgot to do so when they left the house. While this function seems to be useful to a potential customer, they have had 6 vulnerabilities uncovered by Rapid7 security researchers. One of the most concerning vulnerabilities is cleartext credential transmission from the Hickory Smart Ethernet Bridge device; it's something I would expect even the least security minded designer to avoid.

    The rest of the data is encrypted and it would be difficult to translate the credentials into actionable information regarding the deadbolt, but if the user were to change the credentials from the defaults and an adversary were able to obtain said credentials, they could be included in future credential stuffing attacks affecting the user. The Amcrest IP2M-841B IP camera is a rebranded Dahua camera; Dahua has had a history of security issues. It has a bug that exposes allows anyone to connect to the camera over http and decode the audio output for their listening pleasure.

    The camera wraps transmissions in a DHAV container, but it is trivial to decipher and play in a VLC player. In their haste to provide a product, they seem to be keeping these products at different patch levels, exposing users to security issues that may have been already patched. As Amcrest is one of many companies to sell rebranded Dahua products, it is unknown how many products are vulnerable to this bug.

    While the focus on being first to market with a technology may establish a foothold in the homes of consumers, it also makes the customers they seek to serve vulnerable to any cyber security risks that may have been left on the cutting room floor in the rush to get the product out the door. Testing and security is becoming ever more challenging by the day and each year we find our old standards insufficient. The effort to obtain access to an unlocked door or bugged camera might not be cost efficient to do for the average person at scale, but it easily puts higher value targets at risk, and simply not being a target is no excuse to support these practices.


Sources:




Tue, 06 Aug 2019 15:06:00 +0000