This week, Microsoft brings hardware-based isolation to Chrome & Firefox, the US border’s license plate scanning technology hacked, Crooks leverage WordPress and Joomla sites for malicious redirects, the Chinese military wants to replace Windows OS in fear of US hacking, and how Google-protected mobile browsers were open to phishing for over a year! In the expert commentary, we welcome back Jason Wood from Paladin Security to talk about how almost 1 million are still vulnerable to the BlueKeep Vulnerability!
- Microsoft Brings Hardware-Based Isolation to Chrome, Firefox | SecurityWeek.Com – First introduced in 2017 and designed to isolate browser-based attacks, the container technology has been available only to Microsoft Edge until earlier this year, when Microsoft released the Windows Defender Application Guard extensions to Windows Insiders. The extensions leverage a native application that handles the communication between the browser and the device’s Application Guard settings and were designed to automatically redirect untrusted navigations to Windows Defender Application Guard for Microsoft Edge.
- Maker of US border’s license-plate scanning tech ransacked by hacker, blueprints and files dumped online (The Register Exclusive) – Exclusive The maker of vehicle license plate readers used extensively by the US government and cities to identify and track citizens and immigrants has been hacked. Its internal files were pilfered, and are presently being offered for free on the dark web to download. The file names and accompanying directories – numbering almost 65,000 – fit with the focus of the surveillance technology biz. They include .xlsx files named for locations and zip codes, .jpg files with names that refer to “driver” and “scene,” .docx files associated with presumed government clients like ICE, and date-and-time stamped .jpgs and .mp4 files.
- Crooks leverages .htaccess injector on Joomla and WordPress sites for malicious redirects – Researchers at Sucuri are warning Joomla and WordPress websites admins of malicious hypertext access (.htaccess) injector found on a client website. The website was used by attackers to redirect traffic to advertising sites that attempted to deliver malware. “During the process of investigating one of our incident response cases, we found an .htaccess code injection. It had been widely spread on the website, injected into all .htaccess files and redirecting visitors to the http[:]//portal-f[.]pw/XcTyTp advertisement website. ” reads the report – It should be noted this is the result of a breach, not the cause. If you are looking for evidence of your site being breached, this is one place to always look and monitor closely, however, the report did not indicate how the attackers gained initial access to the system.
- Chinese military to replace Windows OS amid fears of US hacking | ZDNet – This is not the first time I’ve heard of this, several years ago we covered a story about this, and here is the same story again, I guess it takes a long time to come up with a new operating system: Amidst an escalating trade war and political tensions with the US, Beijing officials have decided to develop a custom operating system that will replace the Windows OS on computers used by the Chinese military. The decision, while not made official through the government’s normal press channels, was reported earlier this month by Canada-based military magazine Kanwa Asian Defence. Per the magazine, Chinese military officials won’t be jumping ship from Windows to Linux but will develop a custom OS.
- Microsoft Beefs Up Wi-Fi Protection – Microsoft has begun pushing out its May 2019 Windows 10 update, which will flag Wi-Fi networks that are using the outdated and insecure Wired Equivalent Privacy (WEP) and Temporal Key Integrity Protocol (TKIP) authentication mechanisms. I don’t believe this is a practical security improvement as many guest networks don’t use any encryption at all, which is a similar level of security as WEP, and not all that worse than TKIP. However, the user having a false sense of security that they are connected to a secure network is a huge problem for security, therefore I like this change as it will alert the user that something is not secure and hopefully change behavior (Says Paul optimistically).
- Nearly 1 Million Computers Still Vulnerable to “Wormable” BlueKeep RDP Flaw – Nearly 1 million Windows systems are still unpatched and have been found vulnerable to a recently disclosed critical, wormable, remote code execution vulnerability in the Windows Remote Desktop Protocol (RDP)—two weeks after Microsoft releases the security patch. If exploited, the vulnerability could allow an attacker to easily cause havoc around the world, potentially much worse than what WannaCry and NotPetya like wormable attacks did in 2017. Dubbed BlueKeep and tracked as CVE-2019-0708, the vulnerability affects Windows 2003, XP, Windows 7, Windows Server 2008 and 2008 R2 editions and could spread automatically on unprotected systems. This research comes from a reliable source: Robert Graham, head of offensive security research firm Errata Security, revealed that, unfortunately, roughly 950,000 publicly accessible machines on the Internet are vulnerable to the BlueKeep bug. – So get patching, and speaking of patching…
- 0patch issued a micropatch to address the BlueKeep flaw in always-on servers – However, unlike Microsoft’s security fix, 0patch’s micropatch does not require rebooting, the deployment of security updates on always-on servers sometimes is deployed because normally it is not possible to restart them without following specific procedures. At the time the fix only works on systems running 32-bit Windows XP SP3, anyway, the expert plan to port it to Server 2003 and other versions. – They have released the source code as well, so you can review it before you apply it, if you’re into that sorta thing.
- Google-protected mobile browsers were open to phishing for over a year – The real story is the research: The researchers created 2,380 phishing sites on new .com domains. They used one of five cloaking techniques for each site, based on the techniques used by real phishing kits, along with a control group using no cloaking. They tested these techniques against 10 anti-phishing mechanisms offered by major companies and found them wanting. Only 23% of the phishing URLs crawled were blocked by at least one browser, the researchers said. They also uncovered a huge gap: …shockingly, mobile Chrome, Safari, and Firefox failed to show any blacklist warnings between mid-2017 and late 2018 despite the presence of security settings that implied blacklist protection. You can find the original research paper released this month here, titled: PhishFarm: A Scalable Framework for Measuring the Effectiveness of Evasion Techniques Against Browser Phishing Blacklists published by researchers at Arizona State University.
Robert Graham of Errata Security has an interesting and somewhat disturbing blog post about the potential impact of CVE-2019-0708, aka BlueKeep. He started looking at systems on the internet to see if he could determine how many hosts were vulnerable to BlueKeep. I want to say that I’m surprised by the numbers of hosts he discovered, but the cynical part of me wasn’t really shocked. His conclusion is that there is a good chance that we will experience WannaCry and notPetya all over again. Perhaps worse because the attackers have more experience now in how to be successful.
First, let’s get some background on BlueKeep. The vulnerability is an unauthenticated, remote code execution flaw in the Remote Desktop Protocol (RDP) on Windows 7, Server 2008, and Server 2008 R2. Presumably, it would also impact older systems that are no longer maintained. It does not appear to impact newer versions of the Windows OS. The patches were released by Microsoft on May 14, 2019. So we’ve had some time to get patching, but are still early in the patch cycle for a lot of organizations.
Going back to Robert’s report, he found that there are about 7.6 million devices listening to network port 3389 on the internet. Of these, he confirmed that about 950,000 of them vulnerable to BlueKeep. Ugh. First off, RDP shouldn’t be used over the internet. It shouldn’t be connected to the internet. And wherever it is used, it should have some configuration changes made to harden this service against attacks. Keep in mind that these 950,000 hosts are also older versions of the Windows OS. They are about 10 years old. They are more likely to be systems that aren’t well maintained, just because they are running an out of date OS. So they haven’t been patched, and there’s a good chance they won’t be patched any time soon.
So there’s a reasonable chance we are facing a new worm in the near future that will hang around forever bouncing around between unpatched systems. Some folks might think that they don’t have a problem because these systems are not important and are easily replaceable. The issue is that these hosts are also connected to your internal network. Once a worm gets a foothold in it, it will try to spread laterally. If these networks aren’t patched, then they will spread rapidly internally. Environments that tend to lag on updates due to device certification requirements, such as medical facilities, could be facing a rough road. In the past, we’ve witnessed medical records being locked up and having a worm cause potential health impacts.
The lateral spread isn’t limited to using the BlueKeep vulnerability either. Once a host is infected with a worm, it can start looking for credentials in memory. It can check periodically to see if it finds any. Then it can use the internal trust nature of Windows environments to execute code on other systems. You can start seeing fully patched systems being compromised because it changed its exploitation method to using valid credentials to spread. This is something that I’ve done during manually during penetration tests. It’s not hard at all and works very well.
It will also continue to hang around for quite a while. It’s been two years since WannaCry started rolling around and I see hosts infected with it every day. Fortunately, once you are patched it just becomes part of the noise of the internet. If you aren’t patched, then it can ruin your day pretty quickly. If you need ammunition to get approval to roll out this update to systems, then check out Robert’s post at erratasec.com. It conveys the urgency of the issue and gives a pretty good image of the breadth of it. Hopefully, it’s over-estimated in the impact, but we’ve got a fair shot at seeing what he’s predicting come to pass. Regardless, make sure you are patching and that you don’t have protocols like RDP exposed to the internet. It was never intended to be there in the first place.
Jason Wood – Founder; Primary Consultant, Paladin Security.