This week, RDP Servers Can Hack Client Devices, Roughly 500,000 Ubiquiti devices may be affected by a flaw already exploited in the wild, Crypto exchange in limbo after the founder dies with password, Home DNA kit company says its working with the FBI, Outlaw Shellbot infects Linux servers to mine for Monero, Apple’s Siri Shortcuts feature vulnerable to abuse, researchers warn, Code Execution Flaw Found in LibreOffice and OpenOffice, Google’s new Chrome extension warns you about stolen passwords, Mitigations against Mimikatz Style Attacks, and Google Patches Critical .PNG Image Bug. David Pearson from Awake Security joins us for the expert commentary on the recent news around Japan performing an IoT pentest on their public IPs!
- RDP Servers Can Hack Client Devices: Researchers – It seems there was only one vulnerability in Microsoft’s RDP implementation discovered recently, and that is the clipboard sharing issue, which is disabled by default, the rest are in an open-source project: More than two dozen vulnerabilities have been discovered by security experts in popular implementations of the remote desktop protocol (RDP), including flaws that allow a malicious RDP server to hack a device running the client RDP software. The FBI warned recently that attacks involving RDP have been on the rise in the past couple of years, fueled by RDP access sold on the dark web. Researchers at Check Point Software Technologies have conducted a detailed analysis of FreeRDP, rdesktop, and the Remote Desktop Connection software shipped with Windows. They have identified a total of 25 security holes, including 16 that have been described as “major.”
- Roughly 500,000 Ubiquity devices may be affected by flaw already exploited in the wild – So, according to the security researcher, its a DoS vulnerability, but Ubuquity says otherwise, who do you believe?: According to the expert, the devices are affected by a DoS flaw that attackers were attempting to trigger. Now security experts at Rapid7 revealed that they were monitoring suspicious traffic destined for port 10001 for at least one year. Ubiquity is aware of the issue and is currently working on a firmware update that will address it anyway it is trying to downplay it. “There has been some discussion lately about a bug in airOS which can result in management access to airOS devices becoming inoperable until these devices are rebooted. This issue appears to be caused by external access to airOS devices using port 10001. As a temporary workaround for this issue while it is being investigated and resolved by the development team, network operators can block port 10001 at the network perimeter.” reads the advisory published by Ubiquity. “To our current knowledge, this issue cannot be used to gain control of network devices or to create a DDoS attack.”
- Crypto exchange in limbo after founder dies with password – Yikes! Some say this could be a hoax, we have no evidence to support that theory, only what has been published on the Internet: Customers of Canadian cryptocurrency exchange QuadrigaCX are missing over $250 million CAD in fiat and virtual currency (a total of around $190m in US dollars) after its founder died without telling anyone the password for his storage wallet. QuadrigaCX enabled users to trade between fiat currency and cryptocurrencies including Bitcoin, Bitcoin Cash, Litecoin and Ethereum. Gerry Cotten, the 30-year-old founder of the Vancouver-based exchange, passed away in India on 9 December 2018 due to complications from Crohn’s disease. In an affidavit to the Supreme Court of Nova Scotia, his partner Jennifer Robertson explained that cryptocurrencies had been stored in a cold wallet under his sole control.
- Home DNA kit company says its working with the FBI – The balance between privacy and the law is a stuggle, and its real: FamilyTreeDNA – one of the larger makers of at-home genealogy test kits – has disclosed that it’s quietly been giving the FBI access to its database of 1 million DNA profiles to help solve violent crime. Investigators’ use of public genealogy databases is nothing new: law enforcement agencies have been using them for years. But the power of online genealogy databases to help track down and identify people became clear in April 2018, when police arrested Joseph James DeAngelo on suspicion of being the Golden State Killer: the man allegedly responsible for more than 50 rapes, 12 murders and more than 120 burglaries across the state of California during the 70s and 80s.
- Outlaw Shellbot infects Linux servers to mine for Monero – On Tuesday, the JASK Special Ops research team disclosed additional details (.PDF) of the attack wave which appears to focus on seizing infrastructure resources to support illicit Monero mining activities. The campaign uses a refined version of Shellbot, a Trojan which carves a tunnel between an infected system and a command-and-control (C2) server operated by threat actors. The backdoor is able to collect system and personal data, terminate or run tasks and processes, download additional payloads, open remote command line shells, send stolen information to a C2, and also receive additional malware payloads from controllers.
- Apple’s Siri Shortcuts feature vulnerable to abuse, researchers warn – Someone had their evil hat on and identified this flaw in Siri: “Using native shortcut functionality, a script could be created to speak the ransom demands to the device’s owner by using Siri’s voice,” explains the blog post, authored by John Kuhn, senior threat researcher at IBM. “To lend more credibility to the scheme, attackers can automate data collection from the device and have it send back the user’s current physical address, IP address, contents of the clipboard, stored pictures/videos, contact information and more. This data can be displayed to the user to convince them that an attacker can make use of it unless they pay a ransom.”
- Code Execution Flaw Found in LibreOffice, OpenOffice – All the targeted user needs to do is open a malicious ODT file and move the mouse anywhere over the document. The expert has published a blog post detailing his findings and a video showing how the attack works. While the post and proof-of-concept (PoC) code focus on LibreOffice, the attack can be adapted for OpenOffice as well. Inführ says both Linux and Windows systems are impacted. The vulnerability, tracked as CVE-2018-16858, has been described as a path traversal issue that allows an attacker to execute a Python file located anywhere on the targeted system. [The issue was fixed in LIbreOffice] with the release of versions 6.0.7 and 6.1.3. OpenOffice developers have also been alerted, but they have yet to release a patch. Until a fix becomes available, users can disable Python support by removing or renaming the pythonscript.py file in the installation folder.
- Google’s new Chrome extension warns you about stolen passwords – The Password Checkup tool, which the tech giant released on Tuesday, warns you if the username and password you’re using were stolen in any data breaches and then prompts you to change them if they were. Even data breaches from more than a decade ago can still hurt victims if they’ve never changed their passwords. Consider this: A collection of 2.2 billion stolen credentials, dating as far back as 2008, is still floating around on hacker forums. Cybercriminals are counting on your being lazy.
- Mitigations against Mimikatz Style Attacks – Great article covering defenses to Mimikatz from SANS ISC handler Rob Venderbrink: Mimikatz parses credentials (either clear-text or hashes) out of the LSASS process, or at least that’s where it started – since it’s original version back in the day, it has expanded to cover several different attack vectors. An attacker can then use these credentials to “pivot” to attack other resources in the network – this is commonly called “lateral movement”, though in many cases you’re actually walking “up the tree” to ever-more-valuable targets in the infrastructure. The defender / blue-teamer (or the blue-team’s manager) will often say “this sounds like malware, isnt’t that what Antivirus is?”. Sadly, this is half right – malware does use this style of attack. The Emotet strain of malware for instance does exactly this, once it gains credentials and persistence it often passes control to other malware (such as TrickBot or Ryuk). Also sadly, it’s been pretty easy to bypass AV on this for some time now – there are a number of well-known bypasses that penetration testers use for the Mimikatz + AV combo, many of them outlined on the BHIS blog: https://www.blackhillsinfosec.com/bypass-anti-virus-run-mimikatz
- Google Patches Critical .PNG Image Bug – The most severe of these issues is a critical security vulnerability in (the Android) Framework that could allow a remote attacker using a specially crafted PNG file to execute arbitrary code within the context of a privileged process – While there are no reports of this being exploited in the wild, I expect this will happen once the patch is published. Of course, this depends on how easy, or difficult, exploitation is for this particular issue. It is unclear just how the exploit works, could it be through a browser or does it have to be via text messaging? The article seems to hint that it can be exploited in a browser: An attacker exploiting the flaw could remotely take over a vulnerable Android device by sending a booby-trapped image or tricking a user into following a malicious link sent via a mobile message service..
- RSA Conference 2019 is coming up March 4 – 8 in San Francisco! Go to rsaconference.com/securityweekly-us19 to register now using the discount code 5U9SWFD to receive $100 off a full conference pass! If you are interested in booking an interview or briefing with Security Weekly, please go to securityweekly.com/conferencerequest to submit your request!
- Join us April 1-3, at Disney’s Contemporary Resort for InfoSec World 2019 where you can connect and network with like-minded individuals in search of actionable information. Visit https://infosecworld.misti.com/ and use the registration code OS19-SECWEEK for 15% off the Main Conference or World Pass. If you are interested in booking an interview or briefing with Security Weekly, please go to securityweekly.com/conferencerequest to submit your request!