Author: jay f

National Cyber Awareness System:

Safeguard Websites from Cyberattacks (REPOST)

Protect personal and organizational public-facing websites from defacement,
data breaches, and other types of cyberattacks by following cybersecurity best
practices. The Cybersecurity and Information Security Agency (CISA) encourages
users and administrators to review CISA’s updated Tip on Website Security and take
the necessary steps to protect against website attacks.   

For more information, review:

• CISA Insight:
  Enhance Email and Web Security,  
• National Institute of Standards and Technology (NIST) Special
  Publication (SP) 800-44: Guidelines on Securing Public Web Servers,
  and  
• NIST SP
  800-95: Guide to Secure Web Services.

Critical Patch Update is a collection of patches for multiple
security vulnerabilities. These patches are usually cumulative, but each
advisory describes only the security patches added since the previous
Critical Patch Update advisory. Thus, prior Critical Patch Update
advisories should be reviewed for information regarding earlier
published security patches. Please refer to:

• Critical Patch Updates, Security Alerts and Bulletins for information about Oracle Security Advisories.

Oracle continues to periodically receive reports of attempts
to maliciously exploit vulnerabilities for which Oracle has already
released security patches. In some instances, it has been reported that
attackers have been successful because targeted customers had failed to
apply available Oracle patches. Oracle therefore strongly recommends
that customers remain on actively-supported versions and apply Critical
Patch Update security patches without delay.

This Critical Patch Update contains 334 new security patches across
the product families listed below. Please note that an MOS note
summarizing the content of this Critical Patch Update and other Oracle
Software Security Assurance activities is located at January 2020 Critical Patch Update: Executive Summary and Analysis.

Go here for more info

Cisco has released security updates to address vulnerabilities in Cisco
Webex Video Mesh, Cisco IOS, and Cisco IOS XE Software. A remote attacker could
exploit these vulnerabilities to take control of an affected system. For
updates addressing lower severity vulnerabilities, see the Cisco
Security Advisories webpage.

The Cybersecurity and Infrastructure Security Agency (CISA) encourages users
and administrators to review the Cisco
Webex Video Mesh Advisory and the Cisco
IOS and IOS XE Software Advisory and apply the necessary updates.

    With an estimated 25,000 hosts still vulnerable and proof-of-concept (PoC) exploit code now being released, things went from bad to worse for those affected by the vulnerability CVE-2019-19881. In December, Mikhail Klyuchnikov, a
researcher at Positive Technologies disclosed a vulnerability that would allow
for direct access to a company’s network from the Internet. He stated that this
vulnerability affects all versions of Citrix Application Delivery Controller
(NetScaler ADC) and Citrix Gateway (NetScaler Gateway). Klyuchnikov also
stressed how severe this vulnerability was, stating that its exploitation would be
trivial, and that it would have a widespread effect on commercial organizations.
Dmitry Serebryannikov, another researcher at Positive Technologies stated that
“Citrix applications are widely used in corporate networks. This includes their
use for providing terminal access of employees to internal company applications from any device via the Internet.” At the time, it was estimated that the
vulnerability affected more than 80,000 companies, most operating within the
United States. While no technical details were available at the time, we now
know that the vulnerability is a result of the VPN handler failing to sanitize usersupplied inputs. This allows for an unauthenticated attacker to perform remote
code execution via directory traversal.

    It wasn’t until January 10th, 18 days after Positive Technologies released their
report, that the first PoC was publicly released by Project Zero India. Some researchers felt that this release was irresponsible as many systems were still
vulnerable and an official patch had not yet been released. Despite this, the cat
was now out of the bag and many researchers then began to drop their own
PoC’s. One day later, the weaponization of these PoC’s began. Reports of exploits implementing reverse shells and the development of automated scanners
began to pop up. Those operating honeypots observed a spike in activity after
these releases and reported up to 30,000 requests per hour. As for the total
number of systems still affected, out of 60,000 scanned Citrix endpoints, it was
determined that 25,121 or around 40 percent of them were still vulnerable.
System administrators should be aware of this vulnerability and if their organization is vulnerable, take the steps necessary to remediate the issue. That includes following and implementing the remediation steps within Citrix’s security bulletin. The Cybersecurity and Infrastructure Security Agency (CISA) released
a program that would allow system administrators to check if they are vulnerable to CVE-2019-19781. Citrix has announced the release of patches that will fix
this issue starting on January 20th and extending through January 31st.

Sources

• https://www.ptsecurity.com/ww-en/about/news/citrix-vulnerability-allows-criminals-to-hack-networks-of-80000-companies/

• https://threatpost.com/unpatched-citrix-flaw-exploits/151748/

    A popular app allowing parents to track their baby’s special moments by storing
videos, pictures, height, weight, location, and other milestones in a child’s development has leaked thousands of those special moments online.
Peekaboo Moments, developed by Bithouse Inc., failed to secure an Elasticsearch database containing over 70 million log files containing Peekaboo Moments user’s data, including links to videos, photos, and geo-location coordinates.

   The unsecured database was discovered by Dan Ehrlich, from the USbased computer security consulting firm Twelve Security. Peekaboo Moments
appears to be run by a Chinese based company, and the Singapore-based Alibaba Cloud hosted the server in question. According to the Peekaboo Moments
Google app profile page, the company states, “We completely understand how
these moments are important to you,” and “Data privacy and security come as
our priority. Every baby’s photos, audios & videos or diaries will be stored in
secured space. Only families and friends can have access to baby’s moments at
your control.”
At this point, it is not clear how long the Elasticsearch server has been exposed
or who has accessed the data.

    The Peekaboo Moments app has been downloading over a million times, according to the Google app page, and still boasts
a review rating of 4.6 out of 5 by over 69,000 reviews. The Information Security
Media Group (ISMG) has reached out multiple times to Peekaboo Moments
CEO Jason Liu, based in San-Francisco for information on the breach with no
reply. ISMG also reached out to Ehrlich for comment, and he stated, “I’ve never
seen a server so blatantly open,” and that, “Everything about the server, the
company’s website and the iOS/Android app was both bizarrely done and grossly insecure.”

    The data breach also exposed Facebook API keys used to upload photos and
videos from the popular app to Peekaboo Moments user accounts. The API keys
allow attackers to gain access to content on Peekaboo user’s Facebook pages.
Facebook was notified Wednesday of the breach, but it has not responded yet,
nor is it known if they have revoked the developers compromised API keys.
Founder of the data breach notification service Have I Been Pwned, Troy Hunt,
explains that the data breach itself is relatively standard. But what is disturbing
is the complete unresponsiveness from the developers. “Here we have an organization trusted by a huge number of people to protect their precious memories, and they won’t even respond to reports of a very serious data security incident,” Hunt says. “That’s very alarming.”

Sources:

• https://www.bankinfosecurity.com/babys-first-breach-app-exposes-babyphotos-videos-a-13603

• https://www.infosecurity-magazine.com/news/peekaboo-moments-databreach/

    In the first three quarters of 2019, the world saw nearly 152 million ransom-ware attacks affecting every sector from government to education to healthcare. As the threat continues to grow, it costs businesses over $75 million per year. One cybersecurity group estimated a new ransomware infection happening every 14 seconds in 2019 and they expect that to accelerate to an infection every 11 seconds by 2021. Given that there are plenty of victims willing to pay to get their data back, it’s no wonder that adversaries continue to develop new strains of ransomware while consistently integrating the most effective pieces of existing ones.

    Starting off 2020 is yet another new ransomware strain dubbed SNAKE. Discovered by MalwareHunterTeam, this enterprise–targeting malware is going after big business. SNAKE starts by removing the system’s Shadow Volume Copies, then kills any processes “related to SCADA systems, virtual machines, industrial control systems, remote management tools, network management software, and more.”


    SNAKE then encrypts all of the computer’s files, except for certain system files. Researchers observed that it took longer than most other ransomware strains to finish the encryption process. The encrypted files are appended with five random characters after the file extension. The malware also adds an “EKANS” (SNAKE in reverse) file marker to each encrypted file.


    Once the files are encrypted, SNAKE leaves the ransom note (Fix–Your–Files.txt) in the public Desktop folder. No specific ransom amount is quoted in the note, but a contact email address is provided, as well as instructions on how to get proof that the attackers have a working decryption key. Researchers also point-ed out that the wording of the ransom note may indicate that the decryption key is meant for the entire affected network, not just single systems.


    At this time there is no free decryptor available, but researchers are working on it. For now, awareness is key as few details on infection vectors have been re-leased. If a link, email, or attachment looks suspicious, don’t open it – report it. See something, say something.

Sources:

 


• https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/

• https://www.scmagazine.com/home/security-news/ransomware/snake-ransomware-tries-to-slither-its-way-into-enterprise-networks/

• https://phoenixnap.com/blog/ransomware-statistics-facts

    WhatsApp is a Facebook owned messaging system popular for their end–to–end encryption and groups that are capable of including up to 256 members. A shared communication tool is critical to have while coordinating amongst friends and participants of collaborative efforts. When one of those collaborators has malicious intentions it doesn’t take much effort to sow discord in the group, it takes even less to disrupt the group when the communication platform has bugs to exploit.

    Check Point discussed a series of chat manipulations they were capable of per-forming on the service by decrypting the communication between the mobile and web versions of the WhatsApp app. They presented three manipulations at the BlackHat 2019 conference and WhatsApp has had some of those vulnerabilities patched. Their continued research into the app has revealed a critical flaw in how WhatsApp responds to unexpected inputs in the phone number parameter.

    The Check Point team was able to modify the contents of the phone number parameter to something beyond the allowable 5–20 numerical character range. A malicious actor can modify it into any non–numerical character, then send a message to a group in which the malicious actor is already participating to crash the Application for all the participants of the group. The app would then enter a crash loop being unable to be reopened until the user deletes the offending message and group.


    The group is thus forever lost and all historic data within those communications are lost. Check Point’s head of product vulnerability research also points out that a malicious actor could send out a timed phishing message directly or shortly after the malicious message crashes the victim’s WhatsApp application. An unwary user might be more susceptible to a timely sms or email message requesting personal or sensitive information in hopes of repairing their app.


    WhatsApp Engineer, Ehren Kret, claims in a statement to WIRED that the issue has been patched since mid–September and that there are additional controls to maintain the security of group chats.

Sources:

 • https://research.checkpoint.com/2019/breakingapp–whatsapp–crash–data–loss–bug/

 
• https://www.wired.com/story/whatsapp–group–chat–crash–bug/


• https://thehackernews.com/2019/12/whatsapp–group–crash.html

    In the world of IoT home cameras, Ring cameras by Amazon are most popular. There can be many benefits of using the cameras for monitoring or as a security device, but it’s been a bad few weeks for the Ring camera. We now have reports of a hacker taunting a child in Mississippi, in another report someone hurled racist insults at a Florida family. A Tennessee family reported that a man hacked their camera to talk to an 8-year-old girl in her bedroom. Yesterday, a Ring camera was hacked to make inappropriate comments toward a California woman. 

    Are these really hacks, or simply user errors? Ring seems to have put much of the blame for these hacks on its users. A Ring spokesperson said that the California incident was not a result of Ring’s network or systems being compromised. A Ring spokesperson also said that the incident in Tennessee was isolated and that it wasn’t because of a security breach. But there have been two claims of exposed Ring data. The first, reported by Buzzfeed, claimed 3,672 Amazon Ring cameras were compromised potentially exposing the login credentials of users; security experts noted the data was most likely taken from another company’s database. Tech Crunch reported that about 1,500 Ring customers’ passwords were also compromised in a separate leak and the passwords and email addresses were uploaded to a dark web site DeepPaste.

    Motherboard found “hackers have made dedicated software for more swiftly gaining access to Ring cameras by churning through previously compromised email addresses and passwords, and that some hackers were live-streaming the Ring

    Zerocleare abuse on their own so-called podcast dubbed ‘NulledCast.’ ” Users are not without blame here. As motherboard pointed out, reused passwords can lead to compromise and may have been the case in several incidents. Ring however is not without blame either. Last month a flaw was identified in Ring Video Doorbell Pro cameras’ software that made it possible for wireless eavesdroppers to grab the WiFi credentials of customers during the device’s setup. Ring does not currently offer some basic security precautions, such as double-checking whether someone logging in from an unknown IP address different from the legitimate user, or providing identification of how many users are currently logged in. Ring doesn’t appear to check a user’s chosen password against known compromised user credentials nor does Ring appear to provide users a list of previous login attempts.

    What can one do? Ring does offer twofactor authentication, and although not required, it should be implemented. As always don’t reuse passwords, go change it now if you did reuse one. Even if someone is actively watching though one of your devices, Ring will log everyone out after the password change. Look at the blue light, we know it’s not a guarantee if the camera is on but it’s an indication. And finally, you can always cover or unplug a camera if you want your privacy assured, otherwise smile – you might be on camera.

Sources:

• https://www.vice.com/en_us/article/epg4xm/amazon-ring-camera-security

• https://www.digitaltrends.com/home/man-hacks-ring-camera-inwomans-home-to-make-explicitcomments/

    Malicious apps are bad enough, but what if you have one on your phone that looks just like an app you use everyday? As it turns out, researchers from the Norwegian application security firm Promon discovered an Android vulnerability that does just that. 

    Dubbed StrandHogg, it impacts all Android devices including the most recent versions and updates. It also reportedly “puts the top 500 most popular apps at risk” without even needing root access. If you have an Android in your pocket, you are at risk.

    StrandHogg is delivered through a malicious dropper app that then downloads additional apps posing as some of your favorites. From there it will request additional permissions to your phone, allowing it to spy on your activity, steal credentials, track your location, access your data, and access features like the camera and microphone. Thirty-six known dropper apps have since been removed from the Google Play store, but even more will surely take their place. 

    At this time it’s unclear whether Google plans to do anything about StrandHogg. The vulnerability itself is not exactly brand new. The Promon team’s work was actually a continuation of research conducted in 2015 by a team at Penn State. Back then they proved that the vulnerability was theoretically possible, but it wasn’t enough to get Google to take it seriously. Now that it’s being actively exploited in the wild, perhaps that will change. 

    Despite the fact that StrandHogg impacts all 2.5 billion Android devices in use, a healthy dose of user awareness will go a long way in mitigating the risk. If an app you normally use is behaving strangely, there may be something wrong and you should stop using it immediately. 
Tell-tale signs of malicious app activity include unusual permissions requests or requests that don’t include the app name; login prompts when you are already logged in; and mistakes in the interface like typos or buttons that don’t work. 

    Always download apps from trusted sources and even then, a quick check to make sure an app is legit can save a lot of headaches later. 

Sources: 

• https://threatpost.com/strandhogg-vulnerability-allows-malware-to-poseas-legitimate-android-apps/150750/

• https://lifehacker.com/how-to-tell-if-an-android-app-is-strandhoggmalware-in-1840172627

• https://promon.co/security-news/strandhogg/

A virtual private network (VPN) is supposed to keep the user’s traffic over a network safe from outside onlookers. They act as a protected path for communication over a public network to gain access to the resources and capabilities of the private network without a physical connection. Researchers at University of New Mexico have discovered a vulnerability in most  Linux distros that allow an attacker to discover if the victim is using a VPN and to even hijack active connections within the VPN. The vulnerability is tracked as CVE-2019-14899.

The Attacker needs to be network adjacent to the victim to set up a rogue access point for which the victim will connect. This allows the attacker to determine the victim’s virtual IP address, make inferences about the victim’s active connections, and then to determine the sequence and acknowledgement numbers of the active connection by examining the encrypted replies to unsolicited packets. This gives the attacker the ability to hijack the TCP session. This acts much like echolocation or backscattering effects to determine the shape of something by observing the reactions of something thrown at it, be it sound waves, charged particles, or unsolicited packets.
This method was tested against several VPN services including OpenVPN, WireGaurd, and IKEv2/IPSec. The vulnerability was found to be exploitable in both IPv4 and IPv6 connections. It was not effective against any Linux distribution before the Ubuntu 19.10. In Ubuntu 19.10, the rp_filter settings were set to “loose” as opposed to “strict”, but can be changed manually. The researchers believe that ToR users are protected as the encryption for these connections occur in user space.

The systems this vulnerability effects are as follows:
• Ubuntu 19.10 (systemd)
• Fedora (systemd)
• Debian 10.2 (systemd)
• Arch 2019.05 (systemd)
• Manjaro 18.1.1 (systemd)
• Devuan (sysV init) • MX Linux 19 (Mepis+antiX)
• Void Linux (runit)
• Slackware 14.2 (rc.d)
• Deepin (rc.d)
• FreeBSD (rc.d)
• OpenBSD (rc.d)

Turning on Reverse path filtering (setting the rp_filter to “strict”), filtering fake addresses with bogon filtering, and encrypting both packet size and timing would help mitigate the issue.

Sources:

• https://www.zdnet.com/article/newvulnerability-lets-attackers-sniff-orhijack-vpn-connections/

• https://seclists.org/oss-sec/2019/q4/122

• https://securityaffairs.co/wordpress/94764/hacking/cve-201914899-vpn-flaw.html

Don’t