This week we discussed Metasploit Framework, and some of the vulnerabilities we demonstrated were from 2008. For this week’s discussion, relate to the class a “hack” that involved a vulnerability that had been “in the wild” for at least six months.
NOTE: This is also the “In The News” for this week.
Note: Because we will be covering social engineering next week, this week’s hacks should be limited to technical attacks.
No doubt, the use of VPNs has increased in our new expanding remote workforce thanks to COVID. With this rapid expansion of remote workers using VPNs to connect to their corporate networks, the opportunity, or attack surface, for exploitation increases as well. In this article from Cyware, China-backed hacking groups use tools like Shodan to identify vulnerabilities in VPNs, specifically Pulse Secure and F5. The following Pulse Secure VPN vulnerability, CVE-2019-11510, goes back to April 2019. With many organizations ill-equipped but forced into securing a remote workforce, I’m sure updating patches in a telework environment is reasonably challenging, leading to prolonged exposure periods for known vulnerabilities.
https://cyware.com/news/chinese-state-sponsored-hackers-targeting-us-organizations-by-exploiting-known-flaws-b32df420
https://www.securityfocus.com/bid/108073
Hi Kelly, thanks for sharing. It really isn’t surprising that Chinese hackers are taking advantage of remote system vulnerabilities with the current situation we are in. My organization recently transitioned from Pulse Secure to Cisco AnyConnect VPN, so luckily we managed to avoid exploitation there. Overall, I’ve been very impressed with the way our IT operations have been able to quickly transition the business to a remote work environment. It sounds like a large part of our organization will remain working remotely for the foreseeable future (some think permanently), so as an auditor, I hope and believe we should plan to assess the security of our remote environment.
Hi,
Thanks for sharing your perspective. This makes me wonder how auditors will audit remote workforces; possibly a standardized framework needs to be created. Interesting to think about! Will organizations need to meet a certain level of compliance to operate remotely depending on the data they possess?
I would think internally we would develop some type of framework users would be required to adhere to. In terms of regulatory requirements, as far as I know nothing has come out yet, but I can’t imagine that’ll be the case for long.
The recommendation against the attacks is “implementation of robust configuration and patch management programs”, but this could be difficult for Government systems, especially if the system belongs to critical infrastructure. Since 2020 is an important year because of the Presidential election, I wonder if we’ll start seeing headlines of China collusion similar to what we saw in 2016 with Russia.
Hi,
You raise a good point. Scary to think about how vulnerable our political infrastructure is. With all the money we spend towards defense, I wonder how long it will take to finally direct some of those funds to rebuilding our technological infrastructure.
Great point, Anthony. Especially since the article points out “At times, Chinese hackers have been found taking advantage of newly announced vulnerabilities within days of their announcement”. Patching those systems that quickly would definitely be challenging.
Thank you for posting this article Kelly!
I read the Alert (AA20-258A) that the article referred to and noted that the Cybersecurity and Infrastructure Security Agency (CISA) suggests “Maintaining a rigorous patching cycle continues to be the best defense against the most frequently used attacks.” This recourse assumes the existence of a rigorous patching cycle to be maintained when, in fact, two of the four vulnerabilities being exploited were identified back in 2019:
– While CVE-2019-11510 was made public in August 2019, an out-of-cycle patch for the vulnerability was issued in April 2019, and
– CVE-2019-19781 was announced in December 2019 and patches were released in January 2020.
It is likely that organizations that were not up to date on implementing patches before the pandemic began are at more of a disadvantage now, especially in light of increased cyberattacks and “hacktivism” and decreased resources, including financial and human, in light of the economic impact of COVID.
Title: Unpatched Apple T2 Chip Flaw Plagues Macs
URL: https://threatpost.com/apple-t2-flaw-macs/159866/
Since 2018 Apple has used a security chip called T2 in their Mac computers to help maximize security by “securing its Touch ID feature, as well as providing the foundation for encrypted storage and security boot capabilities” (O’Donnell). However, an independent security researcher has discovered a vulnerability in this chip which can give root access to an attacker. Since this chip is based on Apple’s A10 processor, it is vulnerable to two known iOS exploits: one called “Checkm8”, which jailbreaks the device, and then another exploit called the “blackbird vulnerability”, which attacks the secure boot of the secure enclave processor. This particular attack would require access to the physical device. The independent researcher has reached out to Apple, but has not heard any response as of yet.
Hi,
I read a headline for this earlier today. Thanks for sharing a concise summary! I would be curious to know how much of Apple’s product portfolio sold is phones vs. how much is desktops/laptops. I wonder if iOS is what will begin to level the playing field between Windows and Apple virus prevalence rates. Apple is no doubt feeling the pressure more than ever to innovate. As we know, a rush to product deployment can lead to poorly configured security measures.
Wow, I’m surprised that they still hadn’t received a response from anyone weeks after trying to bring attention to this. With the growth of more targeted attacks and many implementations of free charging stations, I wouldn’t be surprised if bad actors took advantage of this.
https://krebsonsecurity.com/2020/08/microsoft-put-off-fixing-zero-day-for-2-years/#more-52687
Microsoft released a patch in August 2020 for a vulnerability (CVE-2020-1464) of which they had been notified 734 days prior. Additionally, the article outlines that the vulnerability was actively being exploited in the wild at that time on Windows servers. This CVE was known to take advantage of a vulnerability in Microsoft’s Authenticode digital signing of software packages. Krebs writes, “Microsoft said an attacker could use this “spoofing vulnerability” to bypass security features intended to prevent improperly signed files from being loaded”.
I found Microsoft’s response of “well it’s patched now just update and you’re fine” disappointing but not surprising. I did some research and found that CVE-2020-1464 obtained a 5.3 (medium) CVSS score which I found interesting. From my perspective, I’d say there was significant misjudgment in assessing the risk involved with this vulnerability.
Hi Bryan,
It is disappointing to hear that it took Microsoft two years to fix this vulnerability. I agree with you that a CVSS score of 5.3 seems low considering this vulnerability could allow bad programs to bypass security and get loaded on the machine.
It’s interesting to see how nonchalant Microsoft’s response was… I thought it was odd that Microsoft allowed Quintero to publicly disclose and publish the findings as well. Organizations who patch the vulnerability will be okay, but as we know some organizations will take their time to apply the patch or even worse not patch at all.
It is interesting how nonchalant they are but at the same time it’s very typical. From my personal experience it seems like this is the way Microsoft releases vulnerability information no matter the severity. How are standard computer users supposed to understand how vulnerable they are when all vulnerabilities are handled the same way?
I believe once a vulnerability has been reported, there should be an urgent need to patch it. Ignorance on the part of big tech firms like Microsoft is what keeps users and customers vulnerable. One thing that hackers need the most is time; once you allow them such freedom to perfect their attacks, the results could have severe repercussions.
Couldn’t agree more with your statement regarding the amount of time hackers have to exploit the vulnerability. I know there are likely many variables to consider when it comes to managing vulnerabilities but at some point the big corporations like Microsoft need to be held more accountable for these misses.
With each Microsoft update, a large number of new vulnerabilities will be found. They just put their energy into fixing higher priority/higher risk vulnerabilities. Microsoft may feel that this 5.3 CVSS score vulnerability will not cause much loss, so it can be postponed. From another perspective, the customer has no choice but to accept this kind of approach from Microsoft.
That’s a fair point, and it’s probably optimistic thinking on my part to think Microsoft would be completely transparent 100% of the time. I think it would be helpful to learn more about how the vulnerability scoring process works. I would think the variable of “is it being exploited in the wild” or something along those lines would be included in the scoring, but at this point I’m uncertain.
On February 4, 2020, in the article titled 8 of the 10 Most Exploited Bugs Last Year Involved Microsoft Products, author Jai Vijayan reported that cybercriminals have exploited Microsoft vulnerabilities more than security flaws in other technologies for the last three years. These results are based on data that is reported and rated through the Common Vulnerabilities and Exposures (CVE) system, and they exclude vulnerabilities related to nation-state exploits (since they are not typically offered for sale).
Four of the eight 2019 Microsoft vulnerabilities impacted Internet Explorer, including the second most abused flaw, a remote code execution defect in the Windows VBScripting engine. Disturbingly, this was the top exploited vulnerability in 2018. In fact, 6 out of the 2019 Top 10 exploited bugs were also included in the 2018 Top 10 list, and one of them, a critical remote code execution flaw in Microsoft Office/Wordpad (CVE-2017-0199), has been on the Top 10 list for three years.
A few reasons were cited for why cybercriminals continue to exploit certain vulnerabilities. One was that bugs that are easy to exploit or impact a common technology are often incorporated into kits and sold, and another was simply that they still work, since organizations take a long time to patch vulnerabilities, even if they are being actively exploited.
The author went on to report that there has been a significant decline in the use and availability of new exploit kits, largely due to successful law enforcement actions against groups that are selling them. This has also been attributed to the planned end-of-life of Adobe Flash, which has been a common attack vector in the past and accounted for the remaining two out of the Top 10 2019 most exploited bugs. Hence, the takeaway from this article is that organizations must prioritize vulnerability management in light of the proliferation of attacks that rely on bugs that have existing patches.
https://www.darkreading.com/vulnerabilities—threats/8-of-the-10-most-exploited-bugs-last-year-involved-microsoft-products/d/d-id/1336968
Hi Candance,
Thank you for sharing this article. It is interesting to see exploits that made the 2018 top 10 still show in the top exploits of 2019. It really shows how long it can take for vendors to patch a vulnerability and/or for the customer to actually patch their vulnerable systems.
An additional issue I’ve seen is that smaller customers frequently believe that hackers won’t target their company. Since they don’t think there is any threat to them, they don’t concern themselves with continuous security measures like updating to patched systems.
That is truly unfortunate, Amelia, since a big loss to a small company can take them right out! Denial is an interesting “strategy”; so many companies don’t think they are vulnerable to a breach until they become the victim of one, and by then it is likely too late to cut losses and recover from damages.
Hi Nicholas,
It makes much more sense to me – now that I have read the article that Bryan posted – that Microsoft products were involved in 8 out of 10 of the most exploited bugs in 2019. It will be very interesting to see if the company maintains this less-than-desirable position when the 2020 results are published!
On April 8th, Facebook disclosed a critical vulnerability for Instagram that would allow hackers to gain access to an Android user’s phone. The hackers could access “any resource in the phone that is pre-allowed by Instagram”. This includes stored contacts, GPS data, camera, and local files. According to the CVE description, the vulnerability is exploited when an Android Instagram user “attempts to upload an image with specifically crafted dimensions”. The image file contains a payload that will utilize Instagram’s permissions list, which provides access to the mobile device. The vulnerability (CVE-2020-1895) has a score of 7.8, and Facebook recently patched the vulnerability approximately 6 months later.
URL:
https://www.zdnet.com/article/instagram-bug-opened-a-path-for-hackers-to-hijack-app-turn-smartphones-into-spies/
https://www.facebook.com/security/advisories/cve-2020-1895
Thanks Anthony interesting read – the ironic thing is that Instagram/Facebook is already stealing that info anyways!
I find that so many apps request permissions for things that they really shouldn’t need. I’m sure it’s to gain information for marketing/ to sell our data but this article is a great example of how bad actors can take advantage of app permissions.
Completely agree. I was investigating a suspicious email a few weeks ago that turned out to be a legitimate Workplace email from Facebook. It was crazy to see how invasive the simple login link was and how far it was reaching into the host’s OS.
This is a major concern especially concerning privacy. We can only imagine how many other apps have the same vulnerability, since all apps require permission to access almost every resource on the device before you can install/use it.
To Amelia’s point, I’ve lost count of how many times I have decided against activating apps on my phone since I don’t feel comfortable granting permissions that seem to go way beyond the intended purpose of the app. Having read this article makes me glad that I have refrained from using Instagram since I do have an Android and actively use Facebook.
I have to add that it was refreshing to see Facebook’s comment “We’re thankful for Check Point’s help in keeping Instagram safe” – much different than the attitude displayed by Microsoft in the article posted by Bryan this week!
Microsoft released an update for CVE-2020-1350 in July, which is a critical vulnerability in Windows DNS Server with a CVSS score of 10.0. It is based on a flaw in Microsoft’s DNS server role, and it can affect all types of Windows Server versions. If the attacker successfully exploited the vulnerability, they could run whatever code they want under the Local System Account.
Although Microsoft mentioned that this vulnerability may not have been exploited in the wild, Check Point’s vulnerability research team leader, Omri Herscovici, said that this vulnerability has already existed in Microsoft’s code for 17 years.
Perhaps this vulnerability is hidden too deeply, but finally, Microsoft has fixed it and released a patch.
URL: https://mspoweruser.com/microsoft-patches-17-year-old-wormable-exploit-in-windows-server/
It would be interesting to hear if this vulnerability was actually used in the wild at some point because 17 years is a long time. It is a good thing Microsoft patched this vulnerability because it could have devastating results for an organization if an attacker exploited it, which is why the CVSS score is of the highest rating.
I agree. I think any vulnerability that allows an attacker to gain local admin rights should automatically have a CVSS score of 10. They can do anything they want with that type of access, and as the article states, it ultimately would have affected the entire network if the DNS server was compromised.
I’m skeptical of Microsoft’s statement. Now that Omri has discovered this issue, it means more people have learned about this vulnerability during those 17 years. It is too difficult to count the problems directly or indirectly caused by this vulnerability in 17 years, and Microsoft just doesn’t want to admit it.
SaltStack learned that the software they provide had critical vulnerabilities. They swiftly patched the vulnerabilities and informed their customers but customers were slow to respond. Multiple customers, including the blogging platform, Ghost, were hacked after they were informed of the vulnerability. The hacker’s plan was to install cryptominers on SaltStack customers’ systems but fortunately, the attack spiked CPU usage and in some cases, overwhelmed systems, making it easy to detect.
https://www.helpnetsecurity.com/2020/05/04/saltstack-salt-vulnerabilities/
https://www.forbes.com/sites/daveywinder/2020/05/03/ghost-confirms-hack-attack-750000-users-spooked-by-critical-vulnerability/#10ea23dd363e
Hacked Voice Remote Becomes Listening Device
Released back in 2015, the Comcast XR11 voice remote was developed as a “dumb device”, meaning it is not an IoT device. However, researchers at Guardicore discovered a new attack vector that turns the remote into an eavesdropping device. The attack, codenamed “WarezTheRemote”, does not require any physical contact between the attacker and the device or interaction with victims.
“WarezTheRemote” uses a man-in-the-middle attack to exploit the remote control’s radio frequency communication. This could literally be done with any radio transceiver and allows the attacker to push malicious firmware to the remote control over the air. The malicious firmware could then make the device continuously record audio without any user interaction.
Guardicore researchers were able to turn one remote into a listening device using a 16 dBi radio antenna and were able to listen to conversations in a house 65 feet away. It is possible that this attack could very well be used in industrial espionage, as various organizations now have employees telecommuting; therefore a lot of business conversations and meetings are taking place in homes next to these vulnerable remotes.
Comcast was first informed of the vulnerability on April 21, 2020 and patched the vulnerability on September 24th on all affected devices.
https://www.infosecurity-magazine.com/news/hacked-voice-remote-becomes/
Hi,
This has been hot news for sure, and I’m sure these types of attacks are only going to increase. Many people improperly configure their networking and IoT devices and simply practice poor password management. With the new remote workforce, these poorly configured IoT devices allow attackers to pivot through home networks that now house work devices as well. This may cause an increase in VPN usage, but in my article I share vulnerabilities related to VPN vendors. Never boring!
Hi Kelly,
I totally agree, security is a never ending task. Organizations are now prone to an even wider range of vulnerabilities with the ongoing mass teleworking. It sure is intriguing that a data breach can result from a home-use remote control device being hacked, then triggering a chain of other attacks.
Definitely agree with your comment regarding the increase in use of VPN networks. I find it funny that one can proactively attempt to be more secure but ultimately end up being less secure just in another area(s).
As more and more IoT devices are used, this type of problem will surely appear more frequently. More and more applications begin to collect users’ audio information, and the devices that we touch for a long time in our daily life, such as mobile phones and smart speakers, have been collecting this information for a long time (in order to improve the quality of service through big data). Once the data is maliciously used or leaked, it may cause serious consequences.
It is amazing how people are willing to take the risk of potentially having their privacy invaded by using these IoT devices or smart speakers that are recording and storing people’s voice commands on the companies’ servers.
It is, and I think the majority of users’ mindset is “oh, well that won’t happen to me. There’s a million devices out there just like mine; I don’t think it’s probable I will be exploited”. I’d say an overwhelming amount of users maintain this mentality.
Thank you Humbert,
I find it amazing that, considering there are (were?) more than 18 million Comcast XR11 voice remote devices in use in homes across America, the company had patched all affected devices by September 24th. It also seems unlikely that the issue was never used against a Comcast customer, though the Company stated this based on their “thorough review of this issue, which included Guardicore’s research and our technology environment…”
https://www.zdnet.com/article/hackers-are-using-recent-microsoft-office-vulnerabilities-to-distribute-malware/
Hackers are exploiting vulnerabilities in Microsoft Office software to spread a sophisticated form of malware that’s capable of stealing credentials, dropping additional malware, cryptocurrency mining, and conducting distributed denial-of-service (DDoS) attacks. The malware has been active since 2016