Month: July 2018

Red Hat Enterprise Linux (RHEL) is a popular distribution used by many organizations for servers and other network endpoints. Two free versions of the operating system have also branched out of RHEL, Fedora and CentOS. US-CERT issued an alert Wednesday that a critical vulnerability had been discovered in the Network Manager application and how it handles Dynamic Host Configuration Protocol (DHCP) responses. With these responses, this vulnerability could lead to commands being run on the system with full root privileges.
When a device connects to a network and is configured to use DHCP (as most endpoints are), it sends a request out on the network saying that it needs an IP address and other related network information. When the DHCP server receives the request, it assigns an IP address to the requestor and sends a response with the address as well as other network configuration parameters such as DNS servers. This allows automatic, central management of network addresses such that duplication doesn’t occur, which would cause network routing and traffic issues. Google researcher Felix Wilhelm discovered a vulnerability in the Network Manager package included in RHEL and related operating systems. This package runs a script to set the network configuration on the host when a response from a DHCP server is received. However, the script is vulnerable to malicious responses that can cause arbitrary commands to be run on the host with root privileges. For instance, a reverse remote terminal session could be opened, allowing the attacker to run commands on the host at will with full access. A malicious response can be sent by someone spoofing a DHCP server on the local network or if the legitimate DHCP server is already compromised. While this does require the attacker and target to be on the same local network, this could also be done remotely if both are on a public Wi-Fi connection or in combination with another attack that could compromise other machines on the local network.
Patches for this vulnerability have already been released for most systems and users are urged to update immediately. Patches released so far: RHEL version 6 and 7, Fedora versions 26, 27, and 28. Red Hat Virtualization 4.1 is also vulnerable but Network Manager is turned off by default. However, Red Hat Virtualization 4.2 contains the fix. CentOS has also patched the vulnerability in version 7. Additionally, there is a workaround by disabling or removing the vulnerable script, but Red Hat says “…this will prevent certain configuration parameters provided by the DHCP server from being configured on a local system, such as addresses of the local NTP or NIS servers.” Patching is recommended over the workaround.

Sources:  https://threatpost.com/critical-linux-flaw-opens-the-door-to-full-rootaccess/132034/  https://thehackernews.com/2018/05/linux-dhcp-hacking.html  https://bugzilla.redhat.com/show_bug.cgi?id=1567974 

It was a busy end of May for cybersecurity in our nation’s capital. The White House Office of Management and Budget issued a report saying that most federal agencies are not prepared for cyberattacks, while noting that almost three quarters of the agencies assessed have programs that are at risk or high risk.  At nearly the same time, the FBI reported a botnet with ties to Russia has infected the nation’s routers and that they should all be rebooted.   Now, the Department of Commerce and Department of Homeland Security (DHS) has released a report on how the federal government can combat botnets or networks of infected internet-connected devices that can be leveraged by hackers. The report listed six principal themes for reducing distributed threats including: 1) working closely with international partners as these are global threats; 2) utilizing tools that are available but not being commonly used; 3) ensuring devices are secured through all stages of their “lifecycle;” 4) boosting education and awareness of botnets for businesses and citizens; 5) changing market incentives to encourage security; and 6) collaboration to address an ecosystem-wide problem. 

To address these, the DHS report outlines five goals: 1) Identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace; 2) Promote innovation in the infrastructure for dynamic adaptation to evolving threats; 3) Promote innovation at the edge of the network to prevent, detect, and mitigate automated, distributed attacks; 4) Promote and support coalitions between the security, infrastructure, and operational technology communities domestically and around the world; 5) Increase awareness and education across the ecosystem.

This report was not unexpected. A year ago, President Trump signed an executive order directing Commerce and Homeland Security to issue a report about combating botnets and automated and distributed attacks, with a deadline of one year.   Given these facts, what’s Washington to do about cyber security? The report outlines some steps, but it appears it would take an advocate in the White House to help agencies improve the very cybersecurity programs the initial report calls deficient. Unfortunately the White House eliminated the top cybersecurity post several weeks ago, and although organizing a plan to execute the goals of this latest report would be right in the cyber czar’s swim lane, the responsibilities of White House cybersecurity coordinator have now been delegated to two members of the National Security Council’s team.

Sources:  https://www.washingtonpost.com/news/powerpost/paloma/the-cybersecurity202/2018/05/30/the-cybersecurity-202-white-house-cybersecurity-report-showsfederal-agencies-still-struggling-to-getsecure/5b0d79c81b326b492dd07ed3/?utm_term=.d8258a22e35b  https://www.whitehouse.gov/wp-content/uploads/2018/05/Cybersecurity-RiskDetermination-Report-FINAL_May-2018-Release.pd

Since 2012, the Necurs botnet has been an evolving work horse of a botnet, backing up the Jaff ransomware, Dridex banking Trojan, and Locky ransomware campaigns. Most recently it has been found pushing URL files with misleading icons to trick victims into exposing themselves to the malware of the attacker’s choice. It eludes some spam filters by contacting the command and control server instead of directly downloading the malware.
The researchers at Trend Micro have found that the newest iteration of Necurs spreads spam with Internet Query (IQY) files instead. IQY files are test files that are meant to help in adding external resources to an Excel spreadsheet. Once activated, Windows® will automatically execute any commands in an IQY file in Excel. This in turn results in a domino effect which leverages the Dynamic Data Exchange capabilities of Excel, which allows a file-less execution of a PowerShell script, which finally downloads a remote access application.

Figure 1: Infection chain starting with the IQY file
Source: https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-poses-a-newchallenge-using-internet-query-file/

The final payload is known as FlawwedAMMY named after the Ammy Admin remote administration software from which it is derived. FlawwedAMMY can take control of the infected computer using commands such as: File Manager, View Screen, Remote Control, Audio Chat, RDP SessionsService, Disable Desktop Composition, Disable Visual effects, Show Tooltip, or Activate Mouse Cursor Blinking.
The only indication that the IQY file might be malicious is the existence of a URL which makes detection at that stage difficult. But using Dynamic Data Exchange has been a known attack vector by Microsoft so there are two separate warnings that occur before the attack can proceed.

Sources:  https://securityaffairs.co/wordpress/73916/malware/necurs-iqfattachments.html  https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-poses-anew-challenge-using-internet-query-file/  https://www.securityweek.com/necurs-campaign-uses-internet-query-fileattachments

The personal data of 21 million Timehop customers has been compromised as hackers were able to breach their backend server environment. Timehop functions by connecting to social media platforms to show users’ past memories. The breach was disclosed on Sunday, July 8th, stating that the breach occurred on the week of July 4th. TimeHop stated in an update on July 11th that the breach included names, email addresses, dates of birth, gender, country codes, and some phone numbers, though no private/direct messages, financial data, social media, or photo content was stolen. 
During a technical assessment of the breach, it was shown that the attackers leveraged their attack through stolen admin credentials, which they then used to gain access to the application’s cloud computing environment. From there they attacked Timehop’s production database and started transferring data. Due to the database not using multifactor authentication, it was not hard for hackers to bypass it with the stolen credentials.
Timehop was able to disable the access token keys for all accounts and stated that “none of your memories were accessed”. They also said that the additional data lost was not due to a secondary breach – coincidentally, this was the only data loss incident Timehop has suffered to date. In addition, Timehop reported that there is no evidence to indicate that the attackers were able to use any of the tokens to gain access to social media accounts. 
Timehop has updated their statements about the token keys as well. The keys were deauthorized by Timehop acting in concert with social media partners by Sunday, 8 July. Timehop did not report the breach, which was discovered on 5 July 2018 to its users until after it was certain that the keys had been de-authorized and the social media partners had not observed any suspicious activity. Users will have to re-authenticate their token keys to the application in order to continue using it.
Timehop goes on to say that if users used their phone number for login, then Timehop would have the user’s phone number, which in turn would give attackers access to them as well. It is recommended that users take additional security precautions with their cellular provider to ensure that their number cannot be ported, and in the cases of AT&T, Verizon, or Sprint, they can simply add or change their pin. T-Mobile users are recommended to call 611 from a T-Mobile device, or call 1-800-937-8997 to talk with customer services representative to assist with limiting the portability of the customer’s phone number. 

Sources  https://threatpost.com/timehop-breach-impacts-personal-data-of-21-millionusers/133765/  https://nakedsecurity.sophos.com/2018/07/09/your-social-media-memoriesmay-have-been-compromised/  https://techcrunch.com/2018/07/09/timehop-discloses-july-4-data-breachaffecting-21-million/  

The internet has become a staple of modern life. Having a website has become a necessity for most small businesses to connect with potential customers and provide information on the business and their offerings. However, one of the most common website development tools, WordPress, has a major vulnerability that could allow full control of a website by an attacker.
WordPress is a Content Management System (CMS) for hosting websites. It provides a framework for easy site creation and maintenance without having to code every aspect of the website. WordPress is one of the most popular CMS tools, alongside others such as Drupal and Joomla, and is used in approximately 30% of all websites.
Security researchers at RIPSTech, a security analysis solution provider for PHP, discovered an authenticated arbitrary file deletion vulnerability in WordPress that could lead to attackers being able to execute arbitrary code on the host webservers or completely take down the site. As any responsible security researcher would do, RIPSTech reported the vulnerability to the WordPress security team in November 2017. However, when the WordPress team was unresponsive as to when the issue would be fixed, RIPSTech decided to release the vulnerability information to the public in late June 2018 (a month longer than the WordPress team’s estimated six months to fix).
The vulnerability stems from a lack of user input sanitization when deleting a thumbnail for an image that was uploaded to the site. The input can redirect the code to delete other files on the system, including important site-related files. For instance the .htaccess file, which can contain security restraints, can be deleted to decrease the site’s security, or the wp-config.php file can be removed which would cause the installation phase to be triggered the next time the site is loaded. This would allow the attacker to create their own administrator credentials providing complete control of the site. The index.php file can also be removed, allowing access to other files and directories on the server that were protected and the entire WordPress installation could be removed. This highlights the importance of maintaining frequent site backups, especially on a different system or network.
This vulnerability does require low-level access to the system with author level privileges at a minimum. This allows uploading of images to, as well as deletion of images on, the site and therefore the ability to exploit the vulnerability. WordPress released version 4.9.7 containing a patch for the vulnerability and users are strongly encouraged to update. Prior to this, RIPSTech released a temporary hotfix that checked to assure user input could not cause a path traversal, protecting security relevant files.

Sources:  https://thehackernews.com/2018/06/wordpress-hacking.html  https://blog.ripstech.com/2018/wordpress-file-delete-to-code-execution/  https://indivigital.com/news/wordpress-core-vulnerability-could-give-would-beattackers-the-capability-to-delete-files/

Rowhammer vulnerabilities are once again making mainstream news with the addition of CVE-2018-9942, dubbed RAMpage. This new variant of Rowhammer-based vulnerabilities allows attackers to compromise other applications and seize complete control over Android-based devices. What makes this vulnerability unique is how efficient the exploit process has become relative to preceding exploits.
The security community has been aware of Rowhammer-based bugs since 2012. Back then it was recognized as more of a theoretical based hardware reliability issue with Dynamic Random Access Memory (DRAM) chips. Back then, to save on cost and increase system response time, manufacturers were allowing applications to directly access memory instead of utilizing the processor which opened up the doors for possible vulnerabilities. At that point it was known that when repeatedly and rapidly accessing rows of memory it was possible to induce bit flipping into adjacent rows of memory. This type of attack typically might crash an application or induce the hardware device into an error condition. Since exploitation was so difficult and more theoretical it would seem that vendors and manufacturers did not take this problem seriously. However, over the past few years security researchers have uncovered additional problems with android based devices and attackers have matured their exploitation techniques.
Using RAMpage exploits, an attacker can leverage a set of Direct Memory Access (DMA) based Rowhammer attacks to bypass system defenses, compromise other applications, and effectively gain root access on the latest Android OS. The RAMpage attack generally consists of three steps: exhausting the system heap, shrinking the cache pool, and then rooting the mobile device. By using traditional Rowhammer techniques an attacker can drain all ION’s (Android’s Memory Manager) internal memory pools. This allows an attacker to break out of their initial allocated application memory in order to access other interesting memory regions. Then, by shrinking the cache pool using the Flip Feng Shui exploitation technique, attackers can trick the kernel into storing a page table within the vulnerable memory region. Finally, by implementing the initial two steps and leveraging a root exploit to place within the vulnerable memory region an attacker can successfully compromise an android device. The prerequisite for this attack requires an attacker to have access over an application that can carry out such an attack on the device. The research paper is linked at the bottom for further details.
At this time it is unrealistic to fix the vulnerability in hardware as it would be expensive and would not address the devices currently in use. Interestingly, the researchers that initially discovered the issue also released a tool called GuardION – a software based mitigation solution against RAMpage attacks.

Sources  https://threatpost.com/rowhammer-variant-rampage-targets-android-devicesall-over-again/133198/  https://vvdveen.com/publications/dimva2018.pdf