The proliferation of ransomware continues, this time with The Guardian announcing that they were partially shut down by an attack. Staff are working from home while the incident is investigated and data is restored. Publication seems to be continuing, and the paper went out as expected.
A couple of reports have been published recently about how ransomware and other malware are distributed, the first being a public service announcement from the FBI, which describes what could be a blindingly obvious attack vector – search engine advertising. A bad actor chooses a company or common keyword, pays for placement on a search engine, and then builds a fake website that looks legitimate. For bonus points, this uses a typo domain, like adobe[dot]cm or a punycode domain that looks even closer to the real thing.
The FBI has a trio of recommendations, one of which I wholeheartedly agree with. Their first suggestion is to inspect links before you click them, which is great, except for the punycode attack. In fact, there are enough lookalike glyphs to make this essentially useless. The second is to type in URLs directly instead of using a search engine to find a company’s website. This is great as long as you know the URL and don’t make a typo. But honestly, haven’t we all accidentally landed on website[dot]co by doing exactly this? Their last recommendation is the good one, and that is to run a high-quality ad blocker for safety. Just remember to disable blocking selectively for sites you want to support. (Like Hackaday!)
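As an added example (not from the FBI advisory or the article), here is the kind of automated check a defender can run on a link before a human has to squint at glyphs: it decodes punycode labels, flags labels that mix scripts, and compares a label's Latin "skeleton" against a constructed list of brand hostnames, which catches both the typo TLD (adobe[dot]cm) and a homoglyph label. The confusables table is a tiny constructed subset, not the full Unicode data.

```python
import unicodedata
from typing import Dict, List

# Tiny constructed subset of the Unicode confusables data: Cyrillic letters that
# render like Latin ones (written as escapes so the difference is visible).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x"}


def decode_host(host: str) -> str:
    """Turn xn-- (punycode) labels back into the Unicode a browser would display."""
    return host.encode("ascii").decode("idna") if host.isascii() else host


def label_scripts(label: str) -> set:
    """Rough script classification from Unicode character names (LATIN, CYRILLIC, ...)."""
    scripts = set()
    for ch in label:
        if ch.isascii() and ch.isalnum():
            scripts.add("LATIN")
        elif ch.isalnum():
            scripts.add(unicodedata.name(ch, "UNKNOWN").split(" ", 1)[0])
    return scripts


def skeleton(label: str) -> str:
    """Map confusable glyphs to their Latin lookalikes before comparing with a brand."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label.lower())


def lookalike_findings(host: str, brand_hosts: Dict[str, str]) -> List[str]:
    """Reasons not to trust a hostname; empty when nothing was noticed.
    brand_hosts maps a brand's second-level label to its genuine hostname."""
    findings = []
    shown = decode_host(host).lower()
    labels = shown.split(".")
    for label in labels:
        scripts = label_scripts(label)
        if len(scripts) > 1:  # Latin letters with a Cyrillic one dropped in
            findings.append(f"label {label!r} mixes scripts {sorted(scripts)}")
    if len(labels) >= 2:
        sld = skeleton(labels[-2])
        # Catches both the typo TLD (adobe.cm) and a homoglyph label with a brand's skeleton.
        if sld in brand_hosts and shown != brand_hosts[sld]:
            findings.append(f"looks like {brand_hosts[sld]} but is {shown}")
    return findings
```

Single-script IDN labels that do not resemble a listed brand pass unflagged, which is the intended trade-off: the check targets lookalikes, not non-Latin domains in general.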
Exchange still targeted
And the second report, a PDF from Prodaft, details the activities of FIN7, which has added ransomware to its criminal portfolio. These attacks are launched in several ways, including malicious USB drives and known Exchange vulnerabilities, such as CVE-2020-0688 and the ProxyShell family of issues.
And speaking of which, ProxyShell/ProxyNotShell is not dead, as another bypass has been found in the wild. This is not an effective bypass against the November 8th patch, but it does bypass the URL rewrite rules that had been put forward as an effective mitigation. The reason is that this attack does not use the Autodiscover endpoint, but applies the same technique to the OWA (Outlook Web App) endpoint instead.
Password processing failed
LastPass isn’t the only password manager in the news, and the problems found in Passwordstate make the latest LastPass problems look minor by comparison. Passwordstate is an enterprise password management solution. Researchers at modzero started with the browser extension, which allows a user to access saved passwords. To authenticate, a token is generated and sent to the server. It turns out that the token is just the username and other user information, XOR’d with a static, universal key. And on the server side, the only check that happens is on the username. So on any Passwordstate installation anywhere, if you can talk to the API and know a valid username, you can extract every password available to that account.
The same API has another problem: any user can write to any other user’s saved passwords, including the login URL stored with a given entry. And since the entire interface is web-based, Cross-Site Scripting is the natural next step, and there is, of course, insufficient sanitization. An administrator can use the API to run PowerShell scripts, so the malicious link is sprayed into other users’ URL fields and the attacker waits for an admin to use the interface to log in somewhere. The PowerShell script runs and starts a reverse shell. And because the stored passwords are not usefully encrypted (AES encrypted, but the key is stored, hidden, on the same machine as the database), this lets an attacker escape with the entire database of passwords. The vulnerabilities have been fixed in version 9.6 Build 9653, although given the severity of these and the other issues found, one has to wonder how thoroughly they were handled.
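An added illustration of the token flaw described above (not Passwordstate's code, and not modzero's): the reported scheme, user data XOR'd with one key shared by every installation and a server check that only looks at the username, beside the shape it should have had, claims signed with an HMAC under a per-server secret the client never holds. The key, usernames and field layout are constructed for the example.

```python
# Added illustration (not Passwordstate's code): a token that is just user data
# XOR'd with a key shared by every installation, beside an HMAC token bound to a
# per-server secret. Key, usernames and field layout are constructed.
import hashlib
import hmac
import os
import secrets
from typing import Optional, Set

STATIC_KEY = b"constructed-universal-key"  # identical on every install: the flaw


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR with a repeating key; applying it twice returns the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def weak_token(username: str, extra: str = "role=user") -> bytes:
    """The reported scheme: username plus other user info, XOR'd with STATIC_KEY."""
    return xor_bytes(f"{username};{extra}".encode(), STATIC_KEY)


def weak_server_check(token: bytes, known_users: Set[str]) -> Optional[str]:
    """Server side as described: only the username field is checked."""
    username = xor_bytes(token, STATIC_KEY).decode(errors="replace").split(";", 1)[0]
    return username if username in known_users else None


# Hardened shape: the server signs the claims with a secret the client never
# holds, so knowing a username and the token format is no longer enough.
SERVER_SECRET = os.urandom(32)


def issue_token(username: str) -> bytes:
    claims = f"{username};{secrets.token_hex(16)}".encode()
    tag = hmac.new(SERVER_SECRET, claims, hashlib.sha256).hexdigest().encode()
    return claims + b"." + tag


def verify_token(token: bytes, known_users: Set[str]) -> Optional[str]:
    claims, sep, tag = token.rpartition(b".")
    if not sep:
        return None
    expected = hmac.new(SERVER_SECRET, claims, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    username = claims.decode(errors="replace").split(";", 1)[0]
    return username if username in known_users else None
```

The point the weak half makes is that there is no secret anywhere in it: the token is a fixed function of public data, so the server's username check is the only thing standing between a request and an account.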
Linux does Samba (badly)
There is a perfect 10 vulnerability in the Linux kernel. CVE-2022-47939 is an issue in the ksmbd driver, which was added last year for faster SMB performance. SMB here stands for Server Message Block, the primary file sharing protocol for Windows machines. The problem is a dangling pointer, which allows for a use-after-free. The solution is a one-line patch that sets the pointer to zero on close.
As scary as a CVE scoring a severity of 10 seems, I’m pretty sure you have nothing to worry about, even if you’re a Linux user or managing a Linux server. Why? Because while ksmbd is officially in the kernel, hardly any distros compile it into their official kernels, the Samba project doesn’t use any of the vulnerable code, and exposing any SMB service to untrusted connections is already a terrible idea. Or to put it another way, if you are using the ksmbd driver, you did it on purpose.
The kernel configuration option is CONFIG_SMB_SERVER, and you can check the current configuration in /boot/config-$(uname -r). Alternatively, use lsmod to look for the ksmbd module. The place where this could be a real problem is in a NAS device running Linux under the hood, although my guess is that the module is new enough that none of the popular devices on the market use it. Be sure to let us know if you are aware of a major distro that compiles the module by default, or a NAS that uses it.
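The two checks just described, as an added script (not from the article): it reads CONFIG_SMB_SERVER from the running kernel's config and looks for ksmbd in /proc/modules, which is the same data lsmod prints. It assumes a Linux host with the config in /boot/config-<release> or /proc/config.gz.

```python
# Added example (not from the article): check whether a Linux host has the ksmbd
# in-kernel SMB server (CVE-2022-47939) built in or loaded. It reads the running
# kernel's config and /proc/modules, the same data lsmod displays.
import gzip
import os
import platform
import re
from typing import Iterable, List, Optional

OPTION = "CONFIG_SMB_SERVER"
# Matches only this option, not CONFIG_SMB_SERVER_SMBDIRECT and friends.
_LINE = re.compile(rf"^(?:# )?{OPTION}(?:=(?P<val>\w+)| is not set)\s*$")


def option_state(lines: Iterable[str]) -> str:
    """Return 'y' (built in), 'm' (module), 'n' (disabled) or 'absent' (unknown option)."""
    for line in lines:
        m = _LINE.match(line.rstrip("\n"))
        if m:
            return m.group("val") or "n"
    return "absent"


def kernel_config_lines(release: Optional[str] = None) -> Optional[List[str]]:
    """Load the running kernel's config from /boot or /proc/config.gz, if either exists."""
    path = f"/boot/config-{release or platform.release()}"
    if os.path.exists(path):
        with open(path) as f:
            return f.readlines()
    if os.path.exists("/proc/config.gz"):
        with gzip.open("/proc/config.gz", "rt") as f:
            return f.readlines()
    return None


def module_loaded(name: str, modules_text: str) -> bool:
    """True if name is a loaded module in /proc/modules-style text (first field per line)."""
    return any(line.split(" ", 1)[0] == name for line in modules_text.splitlines())


def audit() -> dict:
    """Both facts together: how the kernel was built, and whether ksmbd is actually loaded."""
    cfg = kernel_config_lines()
    loaded = False
    if os.path.exists("/proc/modules"):
        with open("/proc/modules") as f:
            loaded = module_loaded("ksmbd", f.read())
    return {OPTION: option_state(cfg) if cfg is not None else "unavailable",
            "ksmbd_loaded": loaded}


if __name__ == "__main__":
    print(audit())
```

A result of m only matters together with ksmbd_loaded being true, whereas y means the server code is part of the kernel image itself.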
Google Home Takeover
Google’s smart home devices are based on the same firmware as Chromecast, and use a similar under-the-hood approach to authentication. [Matt] noticed this and started wondering: could it be a security issue? Look, playing a video on a TV is no big deal, but a smart speaker has access to several important features. Chromecasts serve a key on a local API, and sending a request with that key gets Google to link the device to your account. The intent is that everyone on the local network should be able to cast to the TV. It seems to have been accidental that the same process worked on the other smart devices.
But wait, there’s more. These devices have a setup mode, where they broadcast an open WiFi network. All it takes to trigger this mode is to take the device offline – and it’s as simple as sending fake wireless packets. Connect to that network, make the API request, and you have the secret key. Let it reconnect to the real network and you can authenticate as a new verified user. Smart Home Actions let you do some interesting things with other devices, but just the ability to make a silent phone call from the device is scary enough. Google agreed, removing both the accidental approval flow and the ability to call a phone number via a routine.
Bits and bytes
Content management system TYPO3 fixed and announced an RCE earlier this month. This was only available to authenticated users with access to the Form Designer module, but allowed the injection of TypoScript that could be executed as PHP code.
Don’t trust save games from the internet. This is good general advice, but it applies specifically to games built on Ren’Py, a visual novel engine built on Python. To load saved games, the pickle library is used, which is already notorious for being unsafe when deserializing untrusted data. It’s just not obvious that saved games can deserialize directly into Python functions and take over program execution.
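As an added example (not Ren’Py’s code), this is the standard defence for pickle data you did not produce yourself: a restricted Unpickler whose find_class resolves only an explicit safelist, so any stream that references another callable, harmless or not, is refused before it can be called. The save format and the objects below are constructed.

```python
import io
import pickle
from collections import OrderedDict, deque

# Only these (module, name) pairs may be resolved while loading a save.
SAFE_GLOBALS = {("collections", "OrderedDict")}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module: str, name: str):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def load_save(data: bytes):
    """Return the save object, or None if the stream must not be loaded."""
    try:
        return RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError:
        return None


def stock_load(data: bytes):
    """What pickle.loads does: resolves and calls whatever the stream names."""
    return pickle.loads(data)


def make_save(chapter: int, flags: list) -> bytes:
    """Constructed save format: an OrderedDict, pickled with the stdlib."""
    return pickle.dumps(OrderedDict(chapter=chapter, flags=flags))


class ReconstructsByCall:
    """Constructed object whose pickle rebuilds it by calling a function.
    The callable here is the harmless builtin abs, but the stock loader would
    call whatever a crafted save named; that is how a save takes over execution."""

    def __reduce__(self):
        return (abs, (-1,))


def make_call_save() -> bytes:
    return pickle.dumps(ReconstructsByCall())


def make_unlisted_save() -> bytes:
    """A harmless type (deque) that is simply not on the safelist."""
    return pickle.dumps(deque([1, 2]))
```

Because OrderedDict is pickled by global reference in every protocol, the safelist is exercised on the good path too, not only on the rejections.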
The Netgear RAX30, and possibly other models, run the pucfu application at startup, which checks for firmware updates from a Netgear domain. Researchers at NCC Group discovered that if they can tamper with the JSON response to that request, the binary can be manipulated into command injection, leading to a reverse shell.