
Robin’s Newsletter #143

Criminals jump on Hafnium/ProxyLogon. Hacktivists breach Verkada's 150K facial recognition cams. Apple's IP theft lawsuit. Google's Spectre exploit.

Vol. 4, Iss. 11 · 14/03/2021 · Robin Oldham · ~7 minutes


This week

There are lots of security advisories that focus on technical information (TTPs, IOCs and other TLAs), but I don’t often come across ones that look at events from a business risk perspective: something written for senior management, to aid their understanding of current events and the cyber risk they pose to their organisations.

So this week Cydea issued our first “Risk Advisory”, covering Microsoft Exchange and the “Hafnium” / “ProxyLogon” vulnerabilities. We take a look at the evolving sources of risk and the potential business consequences, and I’d love to hear your feedback. Please check it out and let me know by reply, Twitter, LinkedIn or avian carrier.

Cydea Risk Advisory: Microsoft Exchange Hafnium/ProxyLogon

That neatly links us into our main story this week…

Criminal gangs start exploiting Microsoft Exchange servers

It’s the second week of headlines for Microsoft Exchange as attackers rapidly took advantage of the Hafnium vulnerabilities (vol. 4, iss. 10) that have now been dubbed ‘ProxyLogon’.

On Tuesday the European Banking Agency, based in Paris, followed on Thursday by Norway’s Stortinget (parliament) both reported breaches of their on-premise Exchange servers. (The latter was subject to a 2020 breach by a Russian APT actor.)

More is coming to light on the timeline of events and how the vulnerabilities, whilst serious, came to be exploited so rapidly.

Researchers at ESET identified that six discrete threat groups were exploiting the vulnerabilities before Microsoft released the patch. This points to either an organisation selling the exploit to multiple parties, a common party sharing details to support the campaigns of these groups (as national security agencies share intelligence), or another shared source or forum where details are exchanged.

Four more groups jumped on the bandwagon in the days immediately following the release of the patch, and in a period too short for them to have likely reverse-engineered and productionised their exploits.

Thursday evening then saw cybercriminals getting in on the act with Microsoft reporting the first detection of a new ransomware strain, dubbed DearCry or DoejoCrypt, capitalising on the vulnerabilities in Exchange to get a foothold within organisations.

With high-end estimates ranging from 100,000 to 250,000 compromised Exchange servers, we are sure to see plenty of incidents in the weeks to come. The burden will likely fall disproportionately on small and medium-sized businesses that lack the IT and security resources to rapidly patch, contain and respond to the vulnerabilities.

Those organisations can use Microsoft’s Safety Scanner (MSERT) tool to detect web shells present on Exchange servers (an indication that your organisation has been compromised) as well as installing the required patches.

Meanwhile, much of the infosec community spent Thursday arguing over the ethics of releasing proof-of-concept code, and GitHub taking the code down, in a colossal waste of energy that could have been devoted to developing countermeasures or other more positive endeavours.

theregister.com (EBA), theregister.com (Norway Parliament), vice.com, arstechnica.com (10 groups/timeline), bleepingcomputer.com (MSERT tool and config options), arstechnica.com (Drama!)

Interesting stats

$40M paid out in 2020 by bug bounty platform HackerOne, with a 310% increase in reports for misconfiguration (this doesn’t seem like good value for money, to me, and says orgs would be better investing in quality assurance processes and tools before bug bounties), and 9.5% of respondents would not disclose a vulnerability if no financial reward was offered, according to HackerOne’s 2021 Hacker Report hackerone.com

Plus, some bonus H1 demographics: 1M registered users, 82% ‘hack part-time’ and 55% are under 25 years of age, with 85% citing learning as a motivation.

Other newsy bits

Apple lawsuit alleges ex-employee downloaded ‘substantial number’ of files on last day

Apple alleges that a former employee involved in the design of the company’s MacBook Pro lineup stole confidential information and shared it with a journalist in exchange for favourable coverage of their new startup. The lawsuit states that “on his last day at Apple, [the employee] downloaded a substantial number of confidential Apple documents from Apple’s corporate network onto his personal computer that would benefit his new company.”

This, and the recent example of a Tesla employee downloading ‘thousands of files’ upon joining (vol. 4, iss. 5), demonstrate that the periods of heightened risk for employee IP theft are immediately after joining and immediately before leaving the organisation.

Rather than a complex and invasive programme monitoring all employee behaviour, focusing detection of data exfiltration on these periods may be easier and more effective. Joiners/movers/leavers information from HR can be extremely valuable in detection and response. arstechnica.com
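One way to put the joiners/movers/leavers idea into practice, as an added example that is not from the newsletter or from Apple or Tesla: join an HR feed of start and last-working dates against a file-server download log, and only raise an alert for bulk downloads that fall inside a window around those dates and well above the user’s own baseline. The HR feed format, the log line format and the sample data are all constructed for this illustration; the window length and thresholds are assumptions to tune per organisation.

```python
import re
from collections import defaultdict
from datetime import date, timedelta

# Constructed HR joiner/leaver feed (assumed format, not any real HR system's export).
HR_EVENTS = [
    {"user": "alice", "event": "leaver", "date": "2021-03-12"},  # last working day
    {"user": "bob",   "event": "joiner", "date": "2021-03-01"},  # start date
    {"user": "carol", "event": "joiner", "date": "2020-06-01"},  # long-standing, outside any window
]

# Constructed file-server download log: one line per user per day (assumed format).
DOWNLOAD_LOG = """
2021-02-22 alice files=12
2021-02-24 alice files=9
2021-03-01 alice files=15
2021-03-12 alice files=418
2021-03-02 bob files=1340
2021-03-05 bob files=22
2021-03-03 carol files=30
2021-03-04 carol files=27
""".strip().splitlines()

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\S+) files=(\d+)$")


def parse_log(lines):
    """Return {user: {date: files_downloaded}} from the constructed log format."""
    per_user = defaultdict(dict)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines rather than abort the whole run
        day = date.fromisoformat(m.group(1))
        user, count = m.group(2), int(m.group(3))
        per_user[user][day] = per_user[user].get(day, 0) + count
    return per_user


def risk_window(event, window_days):
    """Joiners: the first window_days after start. Leavers: the last window_days before leaving."""
    d = date.fromisoformat(event["date"])
    if event["event"] == "joiner":
        return d, d + timedelta(days=window_days)
    if event["event"] == "leaver":
        return d - timedelta(days=window_days), d
    raise ValueError(f"unknown HR event type {event['event']!r}")


def flag_exfil_candidates(hr_events, log_lines, window_days=14, min_files=100, ratio=5.0):
    """Alert on days inside a joiner/leaver window where a user downloaded at least
    min_files and more than ratio times their average daily count outside the window."""
    per_user = parse_log(log_lines)
    alerts = []
    for ev in hr_events:
        start, end = risk_window(ev, window_days)
        days = per_user.get(ev["user"], {})
        inside = {d: n for d, n in days.items() if start <= d <= end}
        outside = [n for d, n in days.items() if not (start <= d <= end)]
        baseline = sum(outside) / len(outside) if outside else 0.0  # no history: any bulk day counts
        for d, n in sorted(inside.items()):
            if n >= min_files and n > ratio * baseline:
                alerts.append({
                    "user": ev["user"], "event": ev["event"], "day": d.isoformat(),
                    "files": n, "baseline": round(baseline, 1),
                })
    return alerts


if __name__ == "__main__":
    for alert in flag_exfil_candidates(HR_EVENTS, DOWNLOAD_LOG):
        print(alert)
```

With the sample data, alice’s 418-file day on her last day and bob’s 1,340-file day just after joining are flagged, while carol’s steady activity outside any window is never examined, which is the point: the HR dates shrink the population you have to look at.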

Surveillance firm Verkada breached by hacktivists

Surveillance firm Verkada, which sells CCTV systems with built-in facial recognition technology, has been compromised by hacktivists after the details of an administrator account were found online.

The credentials — that seemingly didn’t require multi-factor authentication — provided privileged access to all 150,000 of the company’s cameras that are installed in over 5,200 organisations including prisons, hospitals, gyms, tech companies and schools.

It highlights how pervasive facial recognition technology is becoming within workplaces, and how lax controls from vendors leave such systems ripe for abuse. In Vice’s write-up they highlight previous issues with Verkada employees abusing cameras in their own office to make ‘sexually explicit jokes’ about other colleagues. bloomberg.com, vice.com, arstechnica.com

In brief

Attacks, incidents & breaches

  • OVHcloud data centre in Strasbourg burns down, fortunately no casualties zdnet.com, though it’s not all bad news…
  • Kaspersky reckon 140 servers leased from OVH are used by nation state actors, and 36% of those are now offline vice.com
  • Cl0p ransomware group doxes names, social security numbers and addresses of employees at Michigan-based Flagstar Bank in attempt to strong-arm a ransom payment vice.com
  • “Hundreds of thousands” of benefit appointments at Spain’s State Public Employment Service (SEPE) disrupted after Ryuk ransomware attack cyberscoop.com
  • Brewing at Molson Coors breweries affected by suspected ransomware ‘cyber incident’ zdnet.com
  • Gab compromised for second time in two weeks, posts from founder’s account asking “why do you keep lying to your despicable users?” arstechnica.com
  • GitHub resets sessions after accidentally “misrouted a user’s session to the browser of another authenticated user, giving them the valid and authenticated session cookie for another user” in 0.001% of logins theregister.com

Threat intel

  • FIN8 group back with new BADHATCH malware that adds screen capture and fileless execution capabilities, targeting insurance, retail, technology, and chemical industries in the Americas, South Africa and Italy cyberscoop.com
  • Crypto-currency mining botnet zoMiner is targeting ElasticSearch and Jenkins installs bleepingcomputer.com
  • TrickBot stepping in to fill gap left following Emotet takedown, according to CheckPoint zdnet.com

Vulnerabilities

  • F5 releases patches for seven vulnerabilities in Big-IP products that need patching ASAP and can result in remote code execution, denial of service attacks, or complete device takeovers theregister.com
  • NCC Group finds 15 vulnerabilities in Netgear JGS516PE SOHO switch, firmware update released theregister.com
  • Academic paper sets out how interconnects between cores on Intel CPUs can be exploited to leak data such as keystrokes and encryption keys theregister.com
  • Apple releases patches for WebKit memory corruption vulnerability that may lead to code execution techcrunch.com

Security engineering

  • Microsoft adding ability to tag ‘external’ email messages in forthcoming update to Microsoft 365 that will be displayed in Outlook mail clients bleepingcomputer.com
  • Linux Foundation announces ‘LetsEncrypt for software signing’ service to improve open-source security zdnet.com

Internet of Things

  • Unpatched QNAP network attached storage (NAS) devices are being compromised to mine crypto-currency bleepingcomputer.com

Privacy

  • U.S. T-Mobile customers have ’til 26th April to opt-out of the company sharing web and app usage data with advertisers arstechnica.com

Public policy

  • The White House is mulling the introduction of ‘software security labels’ akin to energy efficiency ratings and Singapore’s IoT labels (vol. 3, iss. 40) cyberscoop.com

Law enforcement

  • South Korean police arrest suspected GandCrab ransomware affiliate cyberscoop.com
  • 1,500 Belgian police launch 200 raids on criminals in Antwerp area after intelligence gathered from encrypted phone service Sky ECC theregister.com

Mergers, acquisitions and investments

  • McAfee to focus solely on consumer security, selling its enterprise business for $4BN to private equity group Symphony Technology, which also owns a stake in RSA Security techcrunch.com

And finally

Google releases browser-based proof of concept for Spectre exploit

Google has posted a POC to GitHub that demonstrates how a Spectre-based side-channel attack can be carried out against their Chrome browser running on an Intel processor. The JavaScript code executes a timing attack to probe whether data is served from the CPU cache or fetched from main memory, and then recovers cached data that the page should not have access to. The demonstration is the result of some great research and, while not significant for most websites, highlights some new policies available to developers of more sensitive applications. These developers can use cross-origin resource, opener and embedder policies (CORP, COOP and COEP respectively) to tell web browsers to isolate the processing of their site and prevent others from interacting with it. googleblog.com
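To make the mitigation side concrete, here is an added example (not Google’s code, nor from the newsletter) that checks a set of response headers for the COOP and COEP values that put a document into cross-origin isolation, and that models the CORP check a browser applies to a no-cors subresource once COEP is set to require-corp. It assumes only the `same-origin` / `require-corp` values and only the no-cors case; CORS-enabled loads and other COEP values are out of scope here.

```python
# Values that opt a document into cross-origin isolation (assumption: these are
# the only values this checker accepts).
COOP_ISOLATING = "same-origin"
COEP_ISOLATING = "require-corp"

# Constructed header sets for comparison: a typical page, and the same page hardened.
WEAK_RESPONSE = {"Content-Type": "text/html"}
HARDENED_RESPONSE = {
    "Content-Type": "text/html",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
}


def _header(headers, name):
    """Case-insensitive header lookup returning a normalised value, or None if absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip().lower()
    return None


def is_cross_origin_isolated(headers):
    """Return (isolated, reasons): True only when both COOP and COEP carry isolating values."""
    reasons = []
    coop = _header(headers, "Cross-Origin-Opener-Policy")
    coep = _header(headers, "Cross-Origin-Embedder-Policy")
    if coop != COOP_ISOLATING:
        reasons.append(
            f"Cross-Origin-Opener-Policy is {coop!r}; needs {COOP_ISOLATING!r} so that "
            "cross-origin windows cannot keep a reference to this one"
        )
    if coep != COEP_ISOLATING:
        reasons.append(
            f"Cross-Origin-Embedder-Policy is {coep!r}; needs {COEP_ISOLATING!r} so that "
            "only subresources that opt in via CORP (or CORS) load into this process"
        )
    return (not reasons, reasons)


def coep_allows_no_cors_resource(corp_value, relation):
    """Under COEP: require-corp, decide whether a no-cors subresource may load.

    relation is the document-to-resource relationship: 'same-origin', 'same-site'
    or 'cross-site'. corp_value is the resource's Cross-Origin-Resource-Policy
    header (None if absent).
    """
    if relation == "same-origin":
        return True  # same-origin resources never need CORP
    corp = (corp_value or "").strip().lower()
    if corp == "cross-origin":
        return True  # resource explicitly allows any origin to embed it
    if corp == "same-site" and relation == "same-site":
        return True
    return False  # absent or 'same-origin' CORP on a cross-origin resource: blocked


def hardened_headers():
    """Headers to add to a sensitive document's responses to request isolation."""
    return {
        "Cross-Origin-Opener-Policy": COOP_ISOLATING,
        "Cross-Origin-Embedder-Policy": COEP_ISOLATING,
    }


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        ok, why = is_cross_origin_isolated(hdrs)
        print(label, "isolated" if ok else "not isolated", why)
```

The trade-off the page alludes to is visible in `coep_allows_no_cors_resource`: once a site asks for `require-corp`, every third-party image, script or frame it embeds must explicitly opt in with a CORP header (or CORS), which is why the policies are aimed at sensitive applications rather than every website.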