This week, Microsoft OAuth Flaw Opens Azure Accounts to Takeover, Vulnerabilities Disclosed in Kaspersky, Trend Micro Products, Critical Code Execution Vulnerability Found in GoAhead Web Server, and StrandHogg Vulnerability Allows Malware to Pose as Legitimate Android Apps! In the expert commentary, we welcome back Adam Gordon from ITPro.TV, to discuss DevSecOps and the Culture Clash in Organizations! All that and more, on this episode of Hack Naked News!
Vulnerabilities Disclosed in Kaspersky, Trend Micro Products - According to SafeBreach, Kaspersky Secure Connection (KSDE), a VPN client used with various Kaspersky applications, including Security Cloud, Internet Security, Anti-Virus, Total Security, and Kaspersky Free, is impacted by CVE-2019-15689, a vulnerability that could allow an attacker to implant and run an arbitrary unsigned executable. Specifically, KSDE, a signed service that starts automatically at system boot up and which runs as SYSTEM, attempts to load multiple missing DLLs. An attacker able to load an arbitrary DLL could have it run with SYSTEM privileges within the context of ksde.exe. Similar vulnerabilities allow attackers to load DDLs in Trend Micro Products. SafeBreach reported these vulnerabilities to the respective vendors in July of this year. All three have acknowledged the bugs and issued CVE numbers for them.
Microsoft OAuth Flaw Opens Azure Accounts to Takeover - The vulnerability exists because when Microsoft applications undergo the OAuth 2.0 (the next generation of OAuth) authorization flow, they trust certain third-party domains and sub-domains that are not registered by Microsoft. CyberArk researchers discovered three vulnerable Microsoft applications that trust these unregistered domains: Portfolios (a portfolio management tool), O365 Secure Score (a security analytics tool) and Microsoft Trust Service (a portal providing resources about Microsoft security, privacy and compliance practices).at least 54 sub-domains with these URL endings were not registered in the Azure portal – plus, there may be more that weren’t discovered, he said. Attackers can take advantage of this by taking over these domains and then registering them, meaning that they would be approved by default and could request users’ “access_tokens,” which would then allow them to take actions using users’ permissions
Kali Linux Gets New Desktop Environment & Undercover Theme - With the new release, Offensive Security has moved Kali Linux from Gnome to Xfce, a lightweight, open source desktop environment for Linux, BSD, and other Unix-like operating systems. The move is designed to improve performance and the user experience for pen-testers, according to Offensive Security. Xfce, for instance, runs on all levels of Kali installs from high-end laptops to lower-end ARM-based systems.
StrandHogg Vulnerability Allows Malware to Pose as Legitimate Android Apps - The researchers said attackers can use the vulnerability to allow “real-life malware to pose as legitimate apps, with users unaware they are being targeted,” according to a blog post. “The attack can be designed to request permissions which would be natural for different targeted apps to request, in turn lowering suspicion from victims,” researchers wrote. “Users are unaware that they are giving permission to the hacker and not the authentic app they believe they are using.” If the flaw is exploited, to users it appears that they are clicking on an app that they use every day, such as Facebook or Instagram. However, what happens when they click on the app is that instead of the app a user intended to open starting up, malware is deployed that can give permissions to the hacker, who is directed to the legitimate app, researchers said.
Critical Code Execution Vulnerability Found in GoAhead Web Server - Developed by EmbedThis, GoAhead is advertised as the “world's most popular tiny embedded web server.” Both open-source and enterprise versions are available and the vendor says GoAhead is present in hundreds of millions of devices. A Shodan search for GoAhead currently shows over 1.3 million internet-connected systems. The critical GoAhead vulnerability discovered by Talos is related to how multi-part/form-data requests are processed. An unauthenticated attacker can exploit this weakness to trigger a use-after-free condition and execute arbitrary code on the server by sending specially crafted HTTP requests. The security hole is tracked as CVE-2019-5096 and it has been assigned a CVSS score of 9.8.
Control access and permissions to AWS services and resources - If you are in AWS, you should use this: Resource policies allow customers to granularly control who is able to access a specific resource and how they are able to use it across the entire cloud environment. With one click in the IAM console, customers can enable the analyzer across their account to continuously analyze permissions granted using policies associated with their Amazon S3 buckets, AWS KMS keys, Amazon SQS queues, AWS IAM roles, and AWS Lambda functions. While there are other solutions out there for this, it doesn't hurt to enable additional monitoring as your cloud configuration likely changes, a lot.
[caption id="attachment_210" align="alignleft" width="120"] Paul Asadoorian - Founder & CTO[/caption]
We have exciting news about the Security Weekly webcast program: We are now partnered with (ISC)2 as an official CPE provider! If you attend any of our webcasts, you will be receiving 1 CPE credit per webcast! Register for one of our upcoming webcast with Zane Lackey of Signal Sciences, Ian McShane from Endgame, or Stephen Smith and Jeff Braucher of LogRhythm (or all 3!) by going to securityweekly.com/webcasts If you have missed any of our previously recorded webcasts, you can find our on-demand library at securityweekly.com/ondemand
The U.S. Department of Justice announced that Russian national Aleksandr Grichishkin will be imprisoned for five years after being found guilty of being the ringleader of a "bulletproof hosting" company that offered technical support to malware operators between 2008 and 2015.
Numerous websites are being targeted by a widespread contact form and discussion forum spamming campaign involving the distribution of malicious Excel XLL files that facilitate the installation of the information-stealing RedLine malware.