Windows Vulns Galore, Homoglyph Domains, Pegasus, & “Trust No One”! – PSW #703
This week in the Security News: Trust no one, it's all about the information, so many Windows vulnerabilities and exploits, so. many., Saudi Aramco data for sale, Sequoia, a perfectly named Linux vulnerability, is Microsoft a national security threat?, Pegasus and clickless exploits for iOS, homoglyph domain takedowns, when DNS configuration goes wrong and a backdoor in your backdoor!
Announcements
Don't miss any of your favorite Security Weekly content! Visit https://securityweekly.com/subscribe to subscribe to any of our podcast feeds and have all new episodes downloaded right to your phone! You can also join our mailing list, Discord server, and follow us on social media & our streaming platforms!
CyberRisk Alliance, in partnership with InfraGard, has launched the Critical Infrastructure Resilience Benchmark study. Measure your readiness for ransomware by completing the survey and getting your score. Visit https://securityweekly.com/CIRB to take the survey.
Hosts
- 1. CVE-2021-31956 Exploiting the Windows Kernel (NTFS with WNF) – Part 1 - "This blog post is the first in the series and will describe the vulnerability, the initial constraints from an exploit development perspective and finally how WNF can be abused to obtain a number of exploit primitives. The blogs will also cover exploit mitigation challenges encountered along the way, which make writing modern pool exploits more difficult on the most recent versions of Windows."
- 2. Sequoia: A Deep Root In Linux’s Filesystem Layer – Packet Storm - Neat! "Qualys discovered a size_t-to-int conversion vulnerability in the Linux kernel's filesystem layer: by creating, mounting, and deleting a deep directory structure whose total path length exceeds 1GB, an unprivileged local attacker can write the 10-byte string "//deleted" to an offset of exactly -2GB-10B below the beginning of a vmalloc()ated kernel buffer. They successfully exploited this uncontrolled out-of-bounds write, and obtained full root privileges on default installations of Ubuntu 20.04, Ubuntu 20.10, Ubuntu 21.04, Debian 11, and Fedora 34 Workstation; other Linux distributions are certainly vulnerable, and probably exploitable. A basic proof of concept (a crasher) is attached to this advisory." Qualys post: https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/sequoia-a-local-privilege-escalation-vulnerability-in-linuxs-filesystem-layer-cve-2021-33909 Note: In a separate post, the Qualys research team also disclosed a DoS vulnerability in systemd: https://blog.qualys.com/vulnerabilities-threat-research/2021/07/20/cve-2021-33910-denial-of-service-stack-exhaustion-in-systemd-pid-1
- 3. CVE-2021-3438: 16 Years In Hiding – Millions of Printers Worldwide Vulnerable – SentinelLabs - Ya wonder how no one has found this before, given: "Several months ago, while configuring a brand new HP printer, our team came across an old printer driver from 2005 called SSPORT.SYS thanks to an alert by Process Hacker once again. This led to the discovery of a high severity vulnerability in HP, Xerox, and Samsung printer driver software that has remained undisclosed for 16 years. This vulnerability affects a very long list of over 380 different HP and Samsung printer models as well as at least a dozen different Xerox products."
- 4. SonicWall warns of ‘imminent ransomware campaign’ targeting its EOL equipment – The Record by Recorded Future - Don't want ransomware? Upgrade your devices, and you'll pay: "If customers can’t update, SonicWall is recommending that they disconnect devices immediately and reset their access passwords, and enable account multi-factor authentication, if supported. “The affected end-of-life devices with 8.x firmware are past temporary mitigations. Continued use of this firmware or end-of-life devices is an active security risk,” it added." - I mean, or you could just unplug your firewalls and other gear... SMH.
- 5. Microsoft: New Unpatched Bug in Windows Print Spooler - "The company released the advisory late Thursday for the latest bug, a Windows Print Spooler elevation-of-privilege vulnerability tracked as CVE-2021-34481. Microsoft credited Dragos vulnerability researcher Jacob Baines for identifying the issue."
- 6. Backdoor.Win32.IRCBot.gen Remote Command Execution - Is this a bug or a feature? "The malware listens on TCP port 6777. Third-party attackers who can reach infected systems can execute commands. Commands must be wrapped in quotes or it will fail."
- 7. Is Microsoft a National Security Threat? - I don't buy it; regardless of the operating system, you are just as vulnerable: "Because of this, organizations relying on Windows will have a hell of a time migrating away from Windows and the rest of the Microsoft ecosystem which means that they’re naturally going to drag their toes in doing so; the bigger they are, the slower any attempt at a migration will go. In turn, this means that there is plenty of time for those that can easily migrate away from the madness and insecurity of the Microsoft ecosystem as a means of sheltering themselves from a barrage of attacks safely in the shadow of Microsoft for the time being." - Apple hides their vulnerabilities as best they can. No one wants to take the time to find and disclose a big enough percentage of Linux vulnerabilities to make a difference (though Qualys is having a go at it).
- 8. “Clickless” exploits from Israeli firm hacked activists’ fully updated iPhones - "Pegasus is frequently installed through “zero-click” exploits, such as those sent by text messages, which require no interaction from victims. After the exploits surreptitiously jailbreak or root a target's iPhone or Android device, Pegasus immediately trawls through a wealth of the device's resources. It copies call histories, text messages, calendar entries, and contacts. It is capable of activating the cameras and microphones of compromised phones to eavesdrop on nearby activities. It can also track a target's movements and steal messages from end-to-end encrypted chat apps." More info: https://www.theguardian.com/news/2021/jul/18/what-is-pegasus-spyware-and-how-does-it-hack-phones
- 9. Microsoft Cracks Down on Malicious Homoglyph Domains - Brand monitoring tools should catch this, right? If so, then why did Microsoft have to kill 20 attacker-owned domains? - "In one instance, the attackers hijacked legitimate Office 365 e-mail communication to send an impersonation email from a homoglyph domain (that had a single letter changed) and convince the victim that the message came from a known trusted source. They then falsely claimed that the CFO put a hold on the account, asking for a payment to be made as soon as quickly."
- 10. Bug Bounty Bootcamp – Ch07: Open Redirects - We talked about open redirects on a previous episode; this is a pretty good tutorial to use as a reference.
- 11. Fortinet’s security appliances hit by remote code execution vulnerability - "A Use After Free (CWE-416) vulnerability in [the] FortiManager and FortiAnalyzer fgfmsd daemon may allow a remote, non-authenticated attacker to execute unauthorised code as root via sending a specifically crafted request to the FGFM port of the targeted device," the vendor warned customers. "Note that the FGFM service is disabled by default in FortiAnalyzer..."
- 12. How to Test a Plugin’s Performance and Security - For WordPress; mostly stuff people know about already, but interesting how you can use Chrome's built-in dev tools to report on unused CSS/JS files. Curious if there are potential attack vectors here...?
- 13. How does TLS work?
- 14. The elegant maths behind the RSA Encryption
- 15. Security implications of misconfigurations - The lost domain that led to: "Talos registered the domain and we immediately noticed a significant majority of the DNS requests were related to internet computers looking for a file called "wpad.dat" on tiburoninc.net's web server...Abusing the proxy settings communicated to these employees could have allowed a potential attacker to establish their own proxy, inspect all data transmitted from the employees' computers, and manipulate the data returned in the response." They also found a typosquat domain that had requests for VPN connections, and others that made a typo in the MX server record!
- 1. Senate bill gives contractors, others 24 hours to disclosure breaches - Because breach notification is the most important thing missing from data security programs.
- 2. How Data Discovery and Zero Trust Can Help Defend Against a Data Breach - It's all about the information, Marty.
- 3. Risk of Cloud Breaches Rising, Teams Struggling to Address Them, Fugue and Sonatype Survey Finds - But I thought migrating to the cloud solved all your security woes.
- 4. Security And Compliance Tools And Strategies For The Cloud - Some of these recommendations might be more readily apparent if the focus was on compliance first rather than security. Just sayin'.
- 5. China’s GDPR is coming: are you ready? - Wait. Aren't they the bad guys?
- 6. ‘Trust No One’ Should Be Our New Security Motto - Wait, what? New?
- 1. White House: The United States, Joined by Allies and Partners, Attributes Malicious Cyber Activity and Irresponsible State Behavior to the People’s Republic of China - The United States has long been concerned about the People’s Republic of China’s (PRC) irresponsible and destabilizing behavior in cyberspace. Today, the United States and our allies and partners are exposing further details of the PRC’s pattern of malicious cyber activity and taking further action to counter it, as it poses a major threat to U.S. and allies’ economic and national security.
- 2. Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department - This Joint Cybersecurity Advisory was written by the FBI and the CISA to provide information on a Chinese APT group known in open-source reporting as APT40. This advisory provides APT40’s TTPs and IOCs to help cybersecurity practitioners identify and remediate APT40 intrusions and established footholds.
- 3. Chinese State-Sponsored Cyber Operations: Observed TTPs - Trends in Chinese State-Sponsored Cyber Operations: NSA, CISA, and FBI have observed increasingly sophisticated Chinese state-sponsored cyber activity targeting U.S. and allied political, economic, military, educational, and critical infrastructure (CI) personnel and organizations to steal sensitive data, critical and emerging key technologies, intellectual property, and personally identifiable information (PII).
- 4. Apple security updates - Safari 14.1.2 for macOS Catalina and macOS Mojave (7/19). iOS and iPadOS 14.7, watchOS 7.6, tvOS 14.7, macOS 11.5 all dropped 7/19 & 7/21.
- 5. New Windows 10 vulnerability allows anyone to get admin privileges - Windows 10 and Windows 11 are vulnerable to a local elevation of privilege vulnerability after discovering that users with low privileges can access sensitive Registry database files. SYSTEM, SECURITY, SAM, DEFAULT, and SOFTWARE databases can be read by anybody.
- 6. The US government is offering big bucks to track down foreign hackers - The US State Department has announced that it is offering up to $10 million for information that can help identify or locate state-sponsored threat actors.
- 7. Microsoft secured court order to take down domains used in BEC campaign - Microsoft obtained a court order that allowed the company to take down malicious “homoglyph” domains that are being used to conduct fraud. In all, Microsoft took down 17 domains that were crafted to appear legitimate through variations in spelling or the use of characters that are similar in appearance.
- 8. Saudi Aramco data breach sees 1 TB stolen data for sale - This month, a threat actor group known as ZeroX is offering 1 TB of proprietary data belonging to Saudi Aramco for sale. ZeroX claims the data was stolen by hacking Aramco's "network and its servers," sometime in 2020. As such, the files in the dump are as recent as 2020, with some dating back to 1993, according to the group.
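The homoglyph items above (item 9 in the first list and item 7 in the third) raise the question of what a brand-monitoring check actually has to do to catch a domain with "a single letter changed" or with look-alike characters. The script below is an added example, not code from the episode and not Microsoft's takedown tooling: it decodes punycode labels, flags labels that mix Unicode scripts, collapses visually confusable characters and letter pairs (rn, vv, cl) to an ASCII skeleton, and scores edit distance against a brand list. The confusable table is a small hand-built subset of the Unicode confusables data, and the brand names and sample domains are constructed placeholders.

```python
"""Flag look-alike ("homoglyph") and one-letter-off domains against protected brands.

Added example; not code from the episode or from any vendor's takedown tooling.
CONFUSABLES is a small hand-built subset of the Unicode confusables data (UTS #39);
brand names and sample domains below are constructed placeholders."""
import unicodedata

# Hand-built subset: visually confusable character -> ASCII skeleton letter.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",  # Cyrillic
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p",                 # Greek
    "0": "o", "1": "l", "|": "l",                                # ASCII digits/symbols
}
# Letter pairs that read as a single letter in many fonts.
DIGRAPHS = {"rn": "m", "vv": "w", "cl": "d"}


def skeleton(label: str) -> str:
    """Collapse a label to an ASCII skeleton so look-alikes compare equal."""
    text = unicodedata.normalize("NFKC", label).lower()
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    for pair, letter in DIGRAPHS.items():
        text = text.replace(pair, letter)
    return text


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; a single changed letter scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def scripts_in(label: str) -> set:
    """Unicode scripts of the letters in a label, taken from their character names
    ("LATIN SMALL LETTER A" -> "LATIN")."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}


def assess(domain: str, brands) -> list:
    """Return the reasons `domain` looks like an impersonation of a brand ([] if none)."""
    reasons = []
    if "xn--" in domain.lower():
        reasons.append("punycode (IDN) label")
        domain = domain.encode("ascii").decode("idna")  # compare the Unicode form
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]  # crude: no public-suffix list
    found = scripts_in(label)
    if len(found) > 1:
        reasons.append("mixed scripts in label: " + ", ".join(sorted(found)))
    sk = skeleton(label)
    for brand in brands:
        if label == brand.lower():
            return []  # the genuine brand domain itself; nothing to flag
        if sk == skeleton(brand.lower()):
            reasons.append(f"confusable with {brand}")
        elif levenshtein(sk, skeleton(brand.lower())) == 1:
            reasons.append(f"one edit away from {brand}")
    return reasons


if __name__ == "__main__":
    BRANDS = ["microsoft", "contoso"]  # constructed placeholder brand list
    SAMPLES = ["microsoft.com", "rnicrosoft.com", "micros0ft.com",
               "mlcrosoft.com", "micros\u043eft.com".encode("idna").decode("ascii"),
               "example.com"]  # constructed sample domains
    for d in SAMPLES:
        print(f"{d:28s} {assess(d, BRANDS) or 'ok'}")
```

Feed it the newly observed domains from certificate-transparency logs or passive DNS and review anything that returns a non-empty list; the skeleton comparison is what catches the "rn" for "m" and digit-for-letter swaps that plain string matching misses, while the edit-distance branch covers the single-letter substitution described in the episode.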