This Month in Cybersecurity - July

Microsoft and Apple Squash Some Security Bugs

This past Tuesday, July 11th, Microsoft took aim at closing some security loopholes and bugs found within its operating system and other services. A few of these were acknowledged to be under active exploitation. Four of the exploits were considered to have a high CVSS score, which indicates the severity, or “badness”, of an exploit. One notable exploit discovered by outside sources seems to be missing from this update, and experts advise users to expect an out-of-cycle update from Microsoft and to be ready to apply it.

On the Apple side of things, one of the company’s newer security measures, the Rapid Security Response system, pushed an update aimed at some zero-day exploits the company had found. The update was pulled, however, when a bug was noticed that caused some websites not to load correctly. Just a few days later, Rapid Security Response pushed another update; this one remains available and, as of now, has not been shown to contain the original bug.


WordPress Targeted Through External Plugin

Websites hosted on WordPress have been undergoing a series of attacks by threat agents who are taking advantage of a security vulnerability in a payment plugin, known as WooCommerce. The plugin, which is developed by Automattic and has more than 600,000 active installations, has been patched, but numerous versions of the plugin are still susceptible to the exploit.

A third party has noted that over 157,000 sites were targeted over 1.3 million times in what is being described as demonstrating “significantly more sophistication than similar attacks.” Users of the WooCommerce plugin for WordPress are being urged to update immediately to the latest version of the plugin, 5.6.2.


Adobe Dealing With Another Critical Flaw, this time for ColdFusion

Adobe ColdFusion has been the target of ongoing attacks by threat agents attempting to gain remote access to devices via webshells, malicious scripts planted on servers to give attackers control of them. The attacks have been executed via two exploits that were found to work in tandem to give the threat agents access to the servers.

Adobe has rolled out a patch that addresses one of the two exploits, but assures that both are needed for the threat agents to execute the attack, so patching one neutralizes the other as an exploit. They also suggest that administrators lock down installations of ColdFusion to increase security and defense against similar attacks.

 

Defensible Strategies

Learn from those who have been attacked

Linux Under Growing Ransomware Attacks

Linux has never had a large presence on office or home workstations, making it a less popular target for threat agents. Linux does, however, make up a very large portion of web servers and other device types that most users do not deal with on a daily basis.

In 2022, however, ransomware attacks on Linux increased by 75% as threat agents realized that disrupting these devices causes many pain points for users and companies that rely on web services hosted on Linux servers. Organizations are being encouraged to take steps now to strengthen the security of Linux-based equipment in areas such as:

  • Endpoint protection

  • Patch management

  • Data backups

  • Access control

  • Awareness

  • Resilience testing

  • Procedure testing

Disruptions to Linux operations have the potential to be beyond the scale of what has been seen so far, so the security of these devices is imperative.


Microsoft Discloses Email Breached by Chinese Hackers

On July 11th, Microsoft announced via a blog post that it had discovered that certain customers’ email systems, including those of unspecified government agencies, had been breached by Chinese threat agents to gather intelligence. Microsoft noted that it had been investigating unusual activity, but the threat agents were still able to manipulate credentials to gain access to accounts.

The U.S. Department of Homeland Security noticed the activity as well and notified both Microsoft and CISA so that Microsoft could patch the issues and close out the security vulnerabilities. Both CISA and Microsoft noted that while these attacks were well resourced and seemed to be focused on espionage, they can still affect regular end users.

This Month in Cybersecurity - June Edition

Email Authorization Changed By Google

Google has fixed an issue that was reported to it by a security architect named Chris Plummer. The issue allowed a scammer to impersonate delivery giant UPS through an exploit that fooled Brand Indicators for Message Identification (BIMI). This email authentication service is used by Google and others to protect brands from spoofing and phishing attacks that claim to be from trusted organizations, but it had a loophole that was found via a third-party security vulnerability.

Google has since replaced BIMI with a new and more robust authentication requirement known as DomainKeys Identified Mail (DKIM). The email that initially brought the bug to light fortunately did not carry any malicious intent, but exploits like these can lead to many dangerous outcomes.


Fortinet Patches VPN Vulnerability Found in FortiGate

Fortinet recently released a patch for a critical vulnerability affecting the SSL VPN on their FortiGate firewalls. The vulnerability was discovered by a French IT security firm, Lexfo, which disclosed it to Fortinet. It allowed threat agents to gain access to an organization’s network through the SSL VPN and make changes to the firewall’s settings, letting them gather information and lock out the people who actually use the system.

According to the researchers, the flaw was present in every SSL VPN offered by Fortinet. Fortinet has been involved in many vulnerabilities that have been exploited by threat agents and currently has 10 products on CISA’s Known Exploited Vulnerabilities Catalog.


Azure Down as DDoS Attacks Reportedly Hit Microsoft Services

On June 9th, the web portal for Microsoft’s Azure cloud service was made unavailable as it and other Microsoft services underwent DDoS attacks. Distributed Denial-of-Service (DDoS) attacks are malicious attempts to disrupt traffic to servers or networks by overwhelming them with a flood of traffic (think of a highway clogged by too many vehicles).

A Sudanese threat agent has claimed responsibility for the attack as a supposed protest against U.S. companies and their involvement in Sudanese internal affairs, but security researchers believe this to be a ruse and point instead toward a Russian attack on major internet infrastructure.

Microsoft has not confirmed the reason the services went down, but as of June 12th, the web portal and services are back up and running.

 

Defensible Strategies

Learn from those who have been attacked

AI Software by NVIDIA Manipulated into Leaking Data

AI software by chipmaker NVIDIA, known as the NeMo Framework, has been found to reveal private information after being coerced and manipulated into ignoring the safety restraints programmed into it. The AI is designed for companies to use in answering questions much as a customer service representative would.

Researchers were able to manipulate the language models the AI uses to break through the guardrails set up so that the artificial intelligence would not stray from specific subjects. This allowed the researchers to extract personally identifiable information from the database the AI was connected to for the test.

With AI becoming more prevalent, companies such as NVIDIA, Google, and Microsoft are working to build public trust, but instances like these show that there are still threats to address and knowledge to gain before handing the reins over to AI.


Swiss Government Faces Possible Data Breach in Cyberattack

Government officials in Switzerland announced on June 8th that some governmental operational data may have been stolen. They believe this because of an attack on a tech firm the country works with to provide software to internal departments.

The company involved, Xplain, was the target of a ransomware attack that gave access to the company’s internal information, and contrary to prior reports, this may have included operational data of the Swiss army and customs department.

Ransomware attacks that affect not only companies but also governments and universities are on the rise, and they show why an increase in proper security training is imperative.

This Month in Cybersecurity - May Edition

Patching a Patch, Microsoft Rolls Out Fix

After rolling out a fix in March, Microsoft has pushed another patch that directly addresses an issue the earlier patch did not completely solve. The vulnerability involved sending an email with a custom notification sound, which could contain a URL pointing to a remote server. When Outlook processed the email, it could inadvertently send the user’s credentials to the remote server, potentially enabling unauthorized access to other resources and compromising the victim’s data.

The patch was found to be incomplete, allowing threat agents to bypass the protection. Specialists say that releasing the patch brought more attention to the existing issue and allowed others to find ways to manipulate and exploit the vulnerability. Microsoft is now suggesting that both patches be downloaded and installed to shore up the vulnerabilities in Outlook and the Windows API.


Apple Rolls Out New-Style Update, Some Users Hit an Error

Apple released its first rapid security fix for iPhones and Macs. This type of patch is meant to be downloaded and applied automatically to protect devices from attacks without relying on users to update their systems. However, some users experienced issues downloading the update. Apple has not provided details about the specific vulnerabilities addressed or whether they were already being exploited.

The rapid security response is a new release type aimed at delivering important security improvements between regular software updates. By default, these fixes are applied automatically, but users can choose to receive them with regular OS updates instead. Apple suggests downloading these updates as soon as possible, even for users who received the error.


WordPress Being Targeted by Threat Agents

Threat agents have started to take advantage of a vulnerability found on May 2nd. The vulnerability allows attackers to steal sensitive information and gain higher privileges on affected WordPress sites. The flaw was discovered by Patchstack and publicly disclosed with a proof-of-concept exploit shortly after the plugin vendor released a security update. The exploit targets logged-in users with access to the plugin and can bypass default configurations, increasing its chances of success.

The Akamai Security Intelligence Group observed significant scanning and exploitation activity using the provided sample code. With over 1.4 million websites that have not upgraded to the latest version, the threat agents have a large selection of targets to choose from. It is recommended to update to versions 5.12.6 (backported) and 6.1.6.

 

Defensible Strategies

Learn from those who have been attacked

Toyota Discloses Data Breach Spanning 10 Years

Toyota Motors has notified the public of a data breach that exposed data including vehicle identification numbers, chassis numbers, and vehicle location information. The breach was caused by a misconfigured database that was accessible without authentication.

Toyota has assured the public that the information made available cannot be used to identify owners’ personal information and that it is unaware of any current abuse of this information. This is the second incident at Toyota within the last year; in October, Toyota notified users that personal information may have been leaked due to an access code being public on GitHub.


Hikers’ Info Exposed as Data Leak Affects French Company

La Malle Postale, a transportation company for hikers in France, announced that personal information and private messages of their clients were exposed. The leaked data included names, phone numbers, emails, SMS messages, passwords, and employee credentials. The leak was discovered by the Cybernews research team, and the company's data was accessible to the public.

Around 70,000 customer passwords and employee credentials were leaked. The passwords were encoded using easily crackable algorithms. The data breach poses risks such as identity theft, phishing scams, and social engineering attacks. La Malle Postale has since closed the data leak, but clients who could potentially have been affected are advised to change their account passwords, enable two-factor authentication, and monitor financial information for any unusual activity.

Common Pen Test Findings That Are Easy to Fix

We do a lot of penetration tests for a wide range of clients; whether they be healthcare, retail, nonprofit, insurance, banks, industrial or anything in between. Even though this includes a diverse range of industries, they all seem to make the same mistakes that result in the same findings test after test, year after year.

Although most of these findings are not critical and don’t typically result in us compromising your systems, they do present vulnerabilities that could leave an attacker with a foothold on your network. Also, from a compliance standpoint, many of these findings fail basic compliance requirements.

Luckily, most of these findings are easy to fix, and most of them involve web server misconfigurations. This article provides an overview of what those vulnerabilities are and why they are vulnerabilities. In a follow-up to this article, I will include technical “how-tos” so that you can resolve these issues.

In no particular order:

Clickjacking

To quote Wikipedia, clickjacking is “a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages.”

Now really, Brandon, what does that mean? Here’s the scenario:

  • Your company has a website, acmecorp.com, that includes a login screen or some sort of form that collects information. Your website doesn’t protect against clickjacking.

  • I’m looking to target your users. So I buy acmecor.com (one letter off…) and make a simple page that loads your website. The trick is that I “magically” have hidden fields on top of your username and password fields that users can’t see.

  • Your users come to my website because I’ve lured them somehow.

  • As they enter their username and password, I capture it. If I’m “nice” I throw them over to your website and let the user continue using your application. I now have their username and password.

Why is this a problem? Because I can “steal” your website without your users realizing it. About 99% of pen tests and web application scans identify clickjacking as an issue! Best of all, it’s a 5-minute fix!
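
The fix is to tell browsers that your pages may not be framed by another site, which is exactly what the look-alike domain in the scenario above relies on. Here is an added example, not code from the original article, that audits a response’s headers for those framing controls and adds them where they are missing; the sample responses are constructed, and the header names and values are the standard X-Frame-Options and Content-Security-Policy frame-ancestors controls.

```python
"""Audit HTTP response headers for clickjacking protection and add it where missing.

Added example, not code from the original article. The sample responses are
constructed; the header names and values are the standard X-Frame-Options and
Content-Security-Policy frame-ancestors controls that stop a page from being
framed by another site.
"""


def _csp_directive(csp, name):
    """Return the source list of one CSP directive (lower-cased), or None if absent."""
    for part in csp.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() == name:
            return [t.lower() for t in tokens[1:]]
    return None


def framing_protection(headers):
    """Classify a response as 'protected', 'weak' or 'unprotected' against framing.

    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v for k, v in headers.items()}

    # frame-ancestors is the current control; browsers prefer it over X-Frame-Options.
    ancestors = _csp_directive(h.get("content-security-policy", ""), "frame-ancestors")
    if ancestors is not None:
        if "*" in ancestors or "http:" in ancestors or "https:" in ancestors:
            return "weak"        # any origin may frame the page
        return "protected"       # 'none', 'self' or an explicit allow-list

    # Legacy control, still honoured by every browser.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected"
    if xfo.startswith("ALLOW-FROM"):
        return "weak"            # deprecated value that modern browsers ignore
    return "unprotected"


def harden(headers):
    """Return a copy of the headers with both anti-framing controls set.

    Any existing frame-ancestors directive is replaced; other CSP directives are kept.
    """
    out = {k: v for k, v in headers.items()
           if k.lower() not in ("x-frame-options", "content-security-policy")}
    existing = next((v for k, v in headers.items()
                     if k.lower() == "content-security-policy"), "")
    kept = [d.strip() for d in existing.split(";")
            if d.strip() and d.strip().split()[0].lower() != "frame-ancestors"]
    kept.append("frame-ancestors 'none'")
    out["Content-Security-Policy"] = "; ".join(kept)
    out["X-Frame-Options"] = "DENY"
    return out


# Constructed sample responses, as a scanner would report them for a login page.
SAMPLE_RESPONSES = {
    "login-default": {"Content-Type": "text/html", "Server": "Apache"},
    "login-xfo": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "login-open-csp": {"Content-Type": "text/html",
                       "Content-Security-Policy": "default-src 'self'; frame-ancestors *"},
}


def audit(responses=SAMPLE_RESPONSES):
    """Map each sample response name to its framing verdict."""
    return {name: framing_protection(hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name:16} {verdict}")
    print(harden(SAMPLE_RESPONSES["login-open-csp"]))
```

On the server itself this is a one-line change rather than application code: in Apache with mod_headers, `Header always set X-Frame-Options "DENY"`, and in Nginx, `add_header X-Frame-Options "DENY" always;`, with a matching `Content-Security-Policy: frame-ancestors 'none'` (or `'self'` if you legitimately frame your own pages).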

Server Information Disclosures

Like a lot of things you buy, web servers require a little customization. If you buy a new car, you adjust the radio, the seats, the mirrors, etc. Maybe you buy some new floor mats or those window deflector things. Either way, you don’t just jump in and drive away. The same goes for your web servers.

Straight “out of the box”, most web servers give away too much information and aren’t configured for the Internet. Most like to brag about who they are by announcing to the world what product they are, and often their exact version. They also give us lots of information about their capabilities, and sometimes allow us access to things we shouldn’t have.

This is a vulnerability because, as an attacker, I can look up every vulnerability your server is susceptible to. I might even be handed the scripts or software I need to break in. It’s almost like telling me the code to your home security system.

What can you do? Basically, it comes down to taking the time to “lock down” your servers. I explain how in the next couple of posts. This leads me to our next common vulnerability.
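
As an added example, not code from the original article, here is the check a scanner performs for this finding, run over a constructed set of headers from a default install, together with the scrubbed result that a locked-down server would return. The header-side scrubbing is what Apache’s `ServerTokens Prod` and `ServerSignature Off`, and Nginx’s `server_tokens off`, achieve in the server configuration; doing it at a reverse proxy is a fallback when the origin cannot be changed.

```python
"""Flag response headers that advertise the web server product or version.

Added example, not code from the original article. The sample headers are
constructed. Server-side, the same result comes from Apache's
"ServerTokens Prod" / "ServerSignature Off" and Nginx's "server_tokens off".
"""
import re

# Headers that routinely fingerprint the stack behind a site.
FINGERPRINT_HEADERS = (
    "server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version", "x-generator",
)

# A dotted version number such as 2.4.29 or 7.2
VERSION_RE = re.compile(r"\b\d+(?:\.\d+)+\b")


def disclosure_findings(headers):
    """Return one finding per fingerprinting header, tagged by what it reveals.

    'version:' findings name an exact release, which maps directly to public
    advisories; 'product:' findings only name the software.
    """
    findings = []
    for name, value in headers.items():
        if name.lower() not in FINGERPRINT_HEADERS or not value.strip():
            continue
        kind = "version" if VERSION_RE.search(value) else "product"
        findings.append(f"{kind}:{name}={value}")
    return findings


def scrub_headers(headers):
    """Return headers with stack fingerprints removed.

    Server is reduced to its product name (the text before the first '/'),
    matching Apache's ServerTokens Prod; the other fingerprint headers are dropped.
    """
    out = {}
    for name, value in headers.items():
        key = name.lower()
        if key == "server":
            product = value.split("/", 1)[0].split()
            out[name] = product[0] if product else value
        elif key in FINGERPRINT_HEADERS:
            continue
        else:
            out[name] = value
    return out


# Constructed sample: a default Ubuntu Apache/PHP install as a scanner would see it.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu) OpenSSL/1.1.1",
    "X-Powered-By": "PHP/7.2.24",
    "Content-Type": "text/html; charset=UTF-8",
}


if __name__ == "__main__":
    print("before:", disclosure_findings(SAMPLE_HEADERS))
    print("after: ", disclosure_findings(scrub_headers(SAMPLE_HEADERS)))
```

Even the scrubbed `Server: Apache` is still a product disclosure, which is why the check reports it at a lower level; some teams go further and remove the header entirely at the proxy.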

Out of Date Systems

Now that your server has told me EXACTLY what version it is running, I can quickly Google that the server was released in 2012, or whatever. I know there are 20 newer versions of the server, and that the server has 25 serious vulnerabilities. However, if you ran the latest and greatest and hid a lot of the details, I’d have a much harder time getting in. First, because you locked it down as I suggested above, I don’t know the exact version you’re running; and secondly, you’re running the latest version. With that, few if any vulnerabilities are known and finding a way in is much harder. Now I have to painstakingly search underground hacker forums, the “dark web”, and other nefarious locations that expose me to the threat of malware and all the other bad things on the Internet.

Forgotten, Abandoned or Test Systems

This one is especially for those that develop their own systems or have a large number of systems. In this case, test sites get forgotten about. You upgrade your portal but leave the old one up. Whatever it may be. In either case, you’ve neglected it, didn’t configure it right, and left the front door wide open.

We have had complete compromises of our clients from systems about which the client responded “Oh crap, I forgot that even existed!” Guess what: as hackers, we didn’t “forget”, because we just found it!

In short, if you don’t need it, don’t put it on the Internet.

Web Application Firewalls

Many of the attacks you’ll see are “well known” and have been around, in many cases, for decades. However, many sites are still vulnerable to them. Sometimes your password standards are weak or a user picks a weak password. In many of these cases, a Web Application Firewall could help protect against the known threats and block them altogether. It can also “lock out” an account if someone tries to brute force it.

Some options include appliances such as Netscaler, Barracuda, or F5; some are web services such as Cloudflare or AWS; some are features of your firewall, like Sophos XG or Watchguard; and some are even modules for your web server, such as Apache’s ModSecurity.

In any case, you should have one, and fine-tune it to block common threats like brute force attacks, SQL injection and Cross-Site Scripting (XSS).
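
To make the “lock out” behaviour concrete, here is an added example, not code from the original article and not any WAF product’s logic, that applies the same rule a WAF would over web server access log lines: more than a set number of failed logins from one source inside a short window triggers a lockout. The log lines are constructed in Apache combined-log style; the login path, the assumption that a failed login answers 401, and the thresholds are all assumptions for the example.

```python
"""Sliding-window brute-force lockout over web server access log lines.

Added example, not code from the original article and not a WAF product's
logic. The log lines are constructed; LOGIN_PATH, the 401-means-failure rule
and the thresholds are assumptions for the example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

LOGIN_PATH = "/login"       # assumed login endpoint
MAX_FAILURES = 5            # more than this many failures ...
WINDOW_SECONDS = 60         # ... inside this window triggers a lockout

# Constructed sample: one source hammering /login, one user who mistypes twice then succeeds.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2023:13:55:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/May/2023:13:55:03 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.22 - - [10/May/2023:13:55:04 +0000] "GET /login HTTP/1.1" 200 2048
203.0.113.7 - - [10/May/2023:13:55:05 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/May/2023:13:55:07 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.22 - - [10/May/2023:13:55:08 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/May/2023:13:55:09 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.22 - - [10/May/2023:13:55:10 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/May/2023:13:55:11 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.22 - - [10/May/2023:13:55:12 +0000] "POST /login HTTP/1.1" 302 0
203.0.113.7 - - [10/May/2023:13:55:13 +0000] "POST /login HTTP/1.1" 401 512
"""


def find_lockouts(log_text=SAMPLE_LOG):
    """Return {ip: timestamp} for each source that crossed the failure threshold."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failed logins
    locked = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != LOGIN_PATH:
            continue
        ip = m["ip"]
        if m["status"] != "401":
            failures.pop(ip, None)       # a successful login resets the counter
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        window = failures[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()             # forget failures older than the window
        if len(window) > MAX_FAILURES and ip not in locked:
            locked[ip] = m["ts"]         # record when the lockout would start
    return locked


if __name__ == "__main__":
    for ip, when in find_lockouts().items():
        print(f"lock out {ip} at {when}")
```

A real WAF keys the same counter on the account name as well as the source address, since brute forcing from many addresses against one account is the common case; the window-and-threshold logic is identical.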

SSL Ciphers and Protocols

SSL ciphers and protocols are often overlooked because they’re misunderstood. First, let’s get the 10,000-foot view of what we mean by protocols and ciphers.

When a web browser connects to a web server (or two email servers connect to each other, etc.), they do so using a protocol. That protocol, in its simplest terms the language the two computers use to talk to each other, is either SSL or TLS. Once they’ve established which protocol they’ll use, they agree on which ciphers will be used for the actual encryption of the communications. To use an analogy, the protocol is whether you’re going to ship a package via UPS or the Post Office, while the cipher suite is how well you secure the package itself during delivery. This is overly simplistic, but hopefully somewhat useful.

With that said, the web browser and web server need to agree on which protocol and ciphers they’ll use. You can’t control which browsers are used to connect to your website, but you can control the list of available protocols and ciphers. PCI requires that you use “modern” and “secure” protocols and ciphers. For protocols it’s simple: you must use TLS 1.1 or newer (TLS 1.2 is preferred). That leaves out TLS 1.0 and all of SSL.

As for what to use, we don’t need any in-depth knowledge. What we do need is knowledge of how to get them set correctly. Configuration all depends on your web server. For Apache or Nginx we use a web utility called the Mozilla SSL Configuration Generator. With the proper config in hand (select “modern”), we simply copy and paste it into our virtual host. IIS is actually easier to configure because of a free utility called IIS Crypto. Download and install this utility on your web server and then select the PCI template from the template screen. Apply, reboot, and you’re done.

In addition to Nginx, Apache, and IIS, ciphers and protocols can be configured on many types of servers and appliances such as Citrix Netscaler, Exchange, F5, etc.

To test that you’ve “got them right”, you can use Qualys’ free tool, SSL Labs. This handy website will give you a grade and lengthy details of where you’ve gone astray. Scoring an A+ is not hard to do, and you should be doing it for all of your web servers.
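
SSL Labs grades the server from the outside; before a change goes live it helps to check the configuration file itself. Here is an added example, not code from the original article, from Mozilla’s generator or from Qualys, that lints the Apache and Nginx protocol and cipher directives against the rule stated above (SSL and TLS 1.0 fail, TLS 1.1 is tolerated but not preferred, TLS 1.2 or newer passes). The two virtual-host fragments are constructed, an old-style Apache default beside a modern Nginx block, and the list of weak cipher keywords is an assumption of this example.

```python
"""Lint Apache and Nginx TLS directives against the protocol rule in the article.

Added example, not code from the original article, Mozilla's generator or
Qualys. The configuration fragments are constructed; WEAK_TOKENS is this
example's own list of OpenSSL cipher-string keywords that should never appear.
"""
import re

BANNED = {"SSLv2", "SSLv3", "TLSv1"}
TOLERATED = {"TLSv1.1"}
PREFERRED = {"TLSv1.2", "TLSv1.3"}
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}   # what Apache's "all" expands to

# OpenSSL cipher-string keywords for algorithms that should never be offered.
WEAK_TOKENS = {"RC4", "DES", "3DES", "NULL", "aNULL", "eNULL", "EXP", "EXPORT", "MD5", "LOW", "SSLv2"}


def apache_protocols(args):
    """Expand an Apache SSLProtocol argument list ('all -SSLv3 -TLSv1') into a set."""
    enabled = set()
    for arg in args:
        low = arg.lower()
        if low == "all":
            enabled |= APACHE_ALL
        elif low == "-all":
            enabled.clear()
        elif arg.startswith("-"):
            enabled.discard(arg[1:])
        elif arg.startswith("+"):
            enabled.add(arg[1:])
        else:
            enabled.add(arg)
    return enabled


def weak_ciphers(cipher_string):
    """Return the entries of an OpenSSL cipher string that pull in weak algorithms."""
    found = []
    for entry in cipher_string.strip("\"'").replace(" ", "").split(":"):
        if not entry or entry[0] in "!-":
            continue                          # exclusions remove ciphers; not a finding
        if any(tok in WEAK_TOKENS for tok in re.split(r"[-+]", entry)):
            found.append(entry)
    return found


def lint_tls(config):
    """Grade a virtual-host fragment 'pass', 'warn' or 'fail' with the reasons."""
    protocols, findings = set(), []
    for raw in config.splitlines():
        line = raw.strip().rstrip(";")
        if not line or line.startswith("#"):
            continue
        directive, *args = line.split()
        name = directive.lower()
        if name == "sslprotocol":                  # Apache
            protocols = apache_protocols(args)
        elif name == "ssl_protocols":              # Nginx
            protocols = set(args)
        elif name in ("sslciphersuite", "ssl_ciphers"):
            findings += [f"weak cipher: {c}" for c in weak_ciphers(" ".join(args))]
    findings += [f"banned protocol: {p}" for p in sorted(protocols & BANNED)]
    findings += [f"not preferred: {p}" for p in sorted(protocols & TOLERATED)]
    if not protocols & PREFERRED:
        findings.append("no TLS 1.2 or newer enabled")
    if any(f.startswith(("banned", "weak", "no TLS")) for f in findings):
        grade = "fail"
    elif findings:
        grade = "warn"
    else:
        grade = "pass"
    return {"grade": grade, "protocols": protocols, "findings": findings}


# Constructed sample 1: an old-style Apache virtual host with its historic defaults.
LEGACY_APACHE = """
SSLEngine on
SSLProtocol all -SSLv2
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+EXP
"""

# Constructed sample 2: a modern Nginx server block.
MODERN_NGINX = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
"""

if __name__ == "__main__":
    for label, cfg in (("legacy apache", LEGACY_APACHE), ("modern nginx", MODERN_NGINX)):
        print(label, lint_tls(cfg))
```

Note the Apache `all -SSLv2` form: it reads like a restriction but still enables SSLv3 and TLS 1.0, which is why the linter expands `all` before subtracting. A passing configuration either lists the allowed versions explicitly or subtracts everything below TLS 1.2.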

Conclusion

Did you notice a pattern here? Three of the five common findings are directly related to your web server configurations. In fact, we could argue all five relate to web servers. The reason is pretty simple and straightforward: web servers are the most commonly deployed web technology, and they’re the most varied in their content and configurations. Further, they’re easy to “set and forget”, which is the worst thing you can do.

While these are only five findings, they appear on at least 80% of all pen test reports we create; and most importantly, they’re all easy to fix. Stick around and I’ll (hopefully) have some tutorials up on how to better configure your web servers. I’m working on articles for Apache and IIS, which account for about 95% of all web servers we encounter.