IT NEWS

A week in security (August 8 – August 14)

Researchers found one-click exploits in Discord and Teams

A group of security researchers have discovered a series of vulnerabilities in Electron, the software underlying popular apps like Discord, Microsoft Teams, and many others, used by tens of millions of people all over the world.

Electron is a framework that allows developers to create desktop applications using the languages used to build websites: HTML5, CSS, and JavaScript. It’s an open source project that has been used as the foundation for some extremely popular apps. Electron itself is built on the open source Chromium browser project (the basis of Google Chrome), and the NodeJS JavaScript runtime which is built on Chromium’s V8 JavaScript engine—a significant source of Chrome security problems.

Building blocks

It is not uncommon for developers to use other projects, frameworks and libraries as building blocks for their projects. Building on proven code makes sense: It saves time, it is easier for others to get involved, and everyone benefits from all the layers of solved problems in the existing codebase.

The problem with building software on existing foundations, provided by others, is that its developer may not fully understand the security implications of certain decisions or configurations. And they need to rebuild their own application whenever a security vulnerability is fixed in the software they’re building on top of, and then distribute that update to their users.

Probably the most famous example of such a building block vulnerability is Log4Shell. Log4Shell is a vulnerability that was found in Log4j, an open source logging library written in Java that was developed by the Apache Software Foundation. Millions of applications use it, and some of them are enormously popular—such as iCloud, Steam, and Minecraft—so the impact of the vulnerability was enormous.

The chances of an application harboring out-of-date underpinnings are high. And the reservoir of known bugs that are fixed in, say, Chrome, but not yet fixed in Electron, or fixed in Electron but not yet fixed in an application built on top of Electron, is something that criminals and researchers can exploit.

A group of researchers recently presented research into Electron vulnerabilities at the Black Hat security conference having done exactly that. For a peek into what they did, and a look at how complicated modern bug hunting is, read researcher s1r1us’s explanation of how they went about finding a remote code execution (RCE) vulnerability in Discord by chaining a new cross-site scripting vulnerability, a CSP bypass in Discord’s out-of-date Chrome version, and an exploit for an existing V8 vulnerability.

In the case of s1r1us’s Discord bug, what the researchers found could be exploited with nothing more than a malicious link to a video. With Microsoft Teams, the bug they found could be exploited by inviting a victim to a meeting. In both cases, if the targets clicked on these links, an attacker would have been able to take control of their computers.

Mitigation

The most general and best advice in many cases is to avoid clicking on links that arrive unexpectedly or in unusual ways. In an ideal world you would distrust them with the same vigor as the links in your mailbox and on social media. However, this can be very difficult in practice because many of these applications require you to click on links to join meetings, accept invitations and so on.

A more workable solution, suggested by the researcher, is to use apps like Discord or Spotify inside your browser, because then you have the protection afforded by Chrome, which is much broader than the protection provided by Electron, and you have control over whether it’s up to date or not.

Most of us, though, will simply stick to downloading our security updates and hoping the people who make the software are doing the same.

Viral video drives malvertising on social media platform

This blog post was authored by Jérôme Segura

Viral content shared on social media is highly coveted since it gets a lot of impressions and engagement. Unfortunately, the people who push this kind of content don’t always have the best of intentions.

We recently identified a malvertising campaign on Facebook that uses a cute story that gained attention last year. The fraudsters lure potential victims into clicking on the link so that they are conditionally redirected to a fake tech support page.

This technique is far from new, yet it still works really well and deserves to be analyzed once again so that affected parties better understand how they are being abused.

Too cute to be true

The scam starts with the sweet story of a man who jumped out of his car at a traffic light to have his puppy meet another dog. This moment was shared on a number of platforms last year and could melt any animal lover’s heart.


We saw this post on Facebook, where it has been viewed and shared since at least mid July. In this case, though, the link is a trap set to redirect potential victims to a malicious page known as a browser locker. While it does not actually ‘lock’ anything, the page displays fake messages about computer viruses and entices users to call for assistance. What follows is the well-known tech support scam.


Cloaking games

In order to evade detection and remain active for as long as possible, these fraudulent schemes use a simple technique known as cloaking. The idea is to only display the malicious page in specific scenarios while showing legitimate content the rest of the time.

Here are some examples of filters that threat actors may use to their advantage:

  • IP address
    • Geolocation (country and city)
    • Internet Service Provider (ISP)
  • Browser user-agent
    • Operating system (Windows, Mac, Mobile)
    • Browser name and version
  • Referer (the site visited just before)
  • Cookies
  • Time zone

In other words, for a given campaign a target may be: people living on the US’s west coast using Windows 10 and Google Chrome with a valid Facebook referer clicking on the link for the first time after 6 PM on weekdays. For the rest of the time and other visitors, a decoy page will be shown instead:


The proverbial ‘smoking gun’

When it comes to reporting such abuses, most registrars, hosting companies and platforms will require some hard evidence unless you have worked with them in the past and they already trust the information you pass along.

While a video capture is a pretty damning piece of evidence, it may not necessarily be enough to convince a provider especially if they aren’t able to reproduce the issue on their side. Because of cloaking, finding that smoking gun can literally take hours of frustrated attempts until finding the right combination of parameters. In fact, in some cases you may have to wait for when the scammers manually activate a redirect for a specific time window.

Running a web proxy is often invaluable to capture the event as it is happening as well as hard evidence of the suspected behavior. For example, what we see below are the request and response headers for the domain performing cloaking.

  • The request headers show the host (fnbchecklagsin[.]com), the referer (Facebook) and the full URI we requested (GET)
  • The response headers show that the server responded with HTTP status 302, which indicates a redirect to a new location (the browser locker)


Essentially, the malicious remote server did not even serve the decoy content but immediately redirected our browser to the tech support scam page.
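As an added example (not code from the original post), the filters listed above and the proxy capture can be combined into a small check: replay the same URL under different client profiles and compare what comes back, keeping the 3xx Location as evidence. The request and response heads and every hostname below are constructed placeholders; a real run would take them straight from the proxy log.

```python
"""Spot a conditional (cloaked) redirect from proxy-captured HTTP exchanges.

Added example, not code from the original post. The captures below are
constructed to look like what a web proxy records; hostnames are placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit


@dataclass
class Exchange:
    profile: str                     # label for the client profile that was replayed
    request_headers: Dict[str, str]  # lower-cased header names
    status: int
    response_headers: Dict[str, str]


def _headers(raw: str) -> Dict[str, str]:
    """Parse the header lines that follow the request/status line of a raw HTTP head."""
    parsed: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            parsed[name.strip().lower()] = value.strip()
    return parsed


def parse_exchange(profile: str, raw_request: str, raw_response: str) -> Exchange:
    """Build an Exchange from a raw request head and the matching raw response head."""
    status = int(raw_response.strip().splitlines()[0].split()[1])
    return Exchange(profile, _headers(raw_request), status, _headers(raw_response))


def redirect_host(ex: Exchange) -> Optional[str]:
    """Host named in the Location header of a 3xx response, else None."""
    if 300 <= ex.status < 400:
        return urlsplit(ex.response_headers.get("location", "")).hostname
    return None


def find_cloaking(exchanges: List[Exchange]) -> Dict[str, object]:
    """Cloaking = the same URL sends some profiles off-site (3xx) while serving
    decoy content (200) to others. Returns the evidence needed for an abuse report."""
    own_hosts = {ex.request_headers.get("host") for ex in exchanges}
    offsite = {ex.profile: redirect_host(ex) for ex in exchanges
               if redirect_host(ex) and redirect_host(ex) not in own_hosts}
    decoy = sorted(ex.profile for ex in exchanges if ex.status == 200)
    return {"cloaking": bool(offsite) and bool(decoy),
            "redirected_profiles": offsite,
            "decoy_profiles": decoy}


# --- constructed captures (placeholder hosts, not real infrastructure) -------
RAW = {
    "facebook_chrome_windows": (
        "GET /puppy-story HTTP/1.1\r\n"
        "Host: cloaked-landing.example\r\n"
        "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/104.0\r\n"
        "Referer: https://www.facebook.com/\r\n",
        "HTTP/1.1 302 Found\r\n"
        "Location: https://browserlocker.example/alert.html\r\n"
        "Content-Length: 0\r\n",
    ),
    "direct_curl": (
        "GET /puppy-story HTTP/1.1\r\n"
        "Host: cloaked-landing.example\r\n"
        "User-Agent: curl/7.85.0\r\n",
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n",
    ),
}


def analyse_captures(raw: Dict[str, tuple] = RAW) -> Dict[str, object]:
    """Parse every captured profile and run the cloaking check over them."""
    return find_cloaking([parse_exchange(p, req, resp) for p, (req, resp) in raw.items()])


if __name__ == "__main__":
    print(analyse_captures())
```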


We have reported this incident to the registrar (NameCheap), the hosting provider (DigitalOcean) and the platform (Facebook) abused to spread this scam. Malwarebytes users were already protected thanks to our Browser Guard extension.

Anti-tracking tool tells you if you’re being followed

If there is one thing we know about the people around us, even the perfect strangers, it’s that they almost all have smartphones. And those smartphones aren’t merely passive receivers, they’re broadcasting constantly, looking for things you might want to connect to.

Advertisers have exploited the electronic noise that smartphones make for years, using it to track people in places like shopping malls. But now a security researcher has used the same idea to detect if you’re being followed.

Matt Edmondson had the idea for the tool when a friend of his, who also works for the government, expressed concerns about being tailed when meeting a confidential informant who had ties to a terrorist organization. Although the friend is skilled at escaping those following them by car, he was looking for “an electronic supplement”.

“He was worried about the safety of the confidential informant,” Edmondson explained to Wired.

Edmondson wears many hats. He served as a federal agent for the US Department of Homeland Security for 21 years; he is the founder of an infosec consultation company; a hacker; a certified SANS instructor; and a digital forensics expert. Suffice it to say, he has the skills and experience to create something that would make someone safe using parts that don’t cost much, some open-source Python code, and a Raspberry Pi.

Edmondson presented his project at Black Hat on Thursday. His talk, Chasing Your Tail With a Raspberry Pi, touched on how he assembled the anti-tracking device, the challenges encountered when building it, and some best practices to consider, including creating an ignore list for friendly smartphones, and the importance of randomizing your MAC address (the rarely-changed identifier that allows others to track your smart phone).

The anti-tracking device works by scanning for wireless devices and checking whether they have been present within the past 20 minutes. Unlike tools made to scan stationary devices, Edmondson’s machine was designed to scan moving ones. This is necessary because the act of tailing requires movement.

The device can fit in a shoebox and is in a waterproof case. It has a Wi-Fi card that runs Kismet (a popular wireless network detector), a portable charger, and a touchscreen where the user sees alerts. Each alert solidifies the possibility that one is being tailed.

“It’s purely designed to try to tell you that you’re seeing something now that you were also seeing a few minutes ago,” Edmondson says. “This isn’t designed to follow people in any way, shape, or form.”

Edmondson pleads with the tech community to take digital tracking and surveillance seriously. “It was really kind of disheartening and depressing to look at the ratio of tools to spy on people versus tools to help you not get spied on,” he says.
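An added example, not Edmondson’s code, of the repeat-sighting logic his device applies: it replays a constructed stream of (timestamp, MAC) sightings, skips an ignore list of friendly devices, and alerts when an address seen now was also seen at least five minutes earlier within the last 20 minutes. The MAC addresses and the five-minute minimum gap are assumptions for the demo; the locally-administered-bit test is standard IEEE 802 addressing.

```python
"""Flag wireless devices that keep reappearing across scan windows.

Added example; this is not Edmondson's code. It models the check his device
performs: alert when a MAC seen now was also seen a few minutes ago, skipping an
ignore list of friendly devices. The sighting stream below is constructed.
"""
from typing import Dict, Iterable, List, Optional, Tuple

Sighting = Tuple[int, str]   # (seconds since start, MAC address)


def is_locally_administered(mac: str) -> bool:
    """Randomized MACs set the locally-administered bit (0x02 of the first
    octet), so a repeat of one is weaker evidence than a repeat of a burned-in
    address."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


class TailDetector:
    def __init__(self, ignore: Iterable[str], window_s: int = 20 * 60,
                 min_gap_s: int = 5 * 60) -> None:
        self.ignore = {m.lower() for m in ignore}
        self.window_s = window_s      # forget sightings older than this
        self.min_gap_s = min_gap_s    # a repeat must be at least this old to count
        self.seen: Dict[str, List[int]] = {}
        self.alerts: List[Dict[str, object]] = []

    def observe(self, ts: int, mac: str) -> Optional[Dict[str, object]]:
        """Record one sighting; return an alert dict if it is a qualifying repeat."""
        mac = mac.lower()
        if mac in self.ignore:
            return None
        history = [t for t in self.seen.get(mac, []) if ts - t <= self.window_s]
        earlier = [t for t in history if ts - t >= self.min_gap_s]
        history.append(ts)
        self.seen[mac] = history
        if not earlier:
            return None
        alert = {"ts": ts, "mac": mac, "seen_s_ago": ts - earlier[0],
                 "randomized": is_locally_administered(mac)}
        self.alerts.append(alert)
        return alert


def tail_report(sightings: Iterable[Sighting],
                ignore: Iterable[str]) -> Dict[str, Dict[str, object]]:
    """Replay a sighting stream in time order; summarise repeat hits per MAC."""
    det = TailDetector(ignore)
    for ts, mac in sorted(sightings):
        det.observe(ts, mac)
    report: Dict[str, Dict[str, object]] = {}
    for a in det.alerts:
        entry = report.setdefault(a["mac"], {"hits": 0, "randomized": a["randomized"]})
        entry["hits"] += 1
    return report


# --- constructed 25-minute walk, one scan per minute -------------------------
OWN_PHONE = "aa:bb:cc:00:00:01"       # on the ignore list
FOLLOWER = "3c:5a:b4:10:20:30"        # reappears every five minutes
PASSER_BY = "f0:9f:c2:aa:bb:cc"       # two sightings one minute apart, then gone
RANDOMIZED = "d2:11:22:33:44:55"      # locally-administered bit set, seen twice

SIGHTINGS: List[Sighting] = (
    [(t, OWN_PHONE) for t in range(0, 1500, 60)]
    + [(t, FOLLOWER) for t in (0, 300, 600, 900, 1200)]
    + [(120, PASSER_BY), (180, PASSER_BY)]
    + [(0, RANDOMIZED), (600, RANDOMIZED)]
)

if __name__ == "__main__":
    for mac, info in tail_report(SIGHTINGS, [OWN_PHONE]).items():
        print(mac, info)
```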

Donut breach: Lessons from pen-tester Mike Miller: Lock and Code S03E17

When Mike Miller was hired by a client to run a penetration test on one of their offices, he knew exactly where to start: Krispy Kreme. Equipped with five dozen donuts (the boxes stacked just high enough to partially obscure his face, Miller said), Miller walked briskly into a side-door of his client’s offices, tailing another employee and asking them to hold the door open. Once inside, he cheerfully asked where the break room was located, dropped off the donuts, and made small talk.

Then he went to work.  

By hard-wiring his laptop into the company’s network, Miller’s machine received an IP address and, immediately after, he got online. Once connected, Miller ran a few scanners that helped him take a rough inventory of the company’s online devices. He could see the systems, ports, and services running on the network, and gained visibility into the servers, the workstations, even the printers. Miller also ran a vulnerability scanner to see what vulnerabilities the network contained, and, after a little probing, he learned of an easy way to access the physical printers, even peering into print histories.

Miller’s work as a penetration tester means he is routinely hired by clients to do this exact type of work—to test the security of their own systems, from their physical offices to their online networks. And while his covert work doesn’t always go like this, he said that it isn’t uncommon for companies to allow basic flaws. When he shared his story on LinkedIn, several people doubted it.

“It’s crazy because so many people say ‘Well, there’s no way you could’ve just plugged in.’ Well, you’re right, I should not have been able to do that.”

Today, on Lock and Code with host David Ruiz, we speak with Miller about common problems he’s seen in his work as a pen-tester, how companies can empower their employees to provide better security, and what the relationship is between physical security and cybersecurity. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)
Licensed under Creative Commons: By Attribution 4.0 License
http://creativecommons.org/licenses/by/4.0/
Outro Music: “Good God” by Wowa (unminus.com)

Thousands of Zimbra mail servers backdoored in large scale attack

Researchers at Volexity have discovered that a known vulnerability has been used in a large scale attack against Zimbra Collaboration Suite (ZCS) email servers. But the vulnerability was supposed to be hard to exploit since it required authentication. So they decided to dig deeper.

An incomplete fix

Zimbra is a brand owned by Synacor. Zimbra Collaboration, formerly known as the Zimbra Collaboration Suite (ZCS), is a collaborative software suite that includes an email server and a web client. It is widely used across different industries and government organizations. We reported on a cross-site scripting (XSS) zero-day vulnerability in the Zimbra email platform back in February 2022. At the time, Zimbra claimed there were 200,000 businesses, and over a thousand government and financial institutions, using its software.

The initial investigations found evidence that the likely cause of these breaches was exploitation of CVE-2022-27925, a remote-code-execution (RCE) vulnerability in ZCS. This vulnerability was patched by Zimbra in March 2022.

The CVE description tells us that Zimbra Collaboration (aka ZCS) 8.8.15 and 9.0 has mboximport functionality that receives a ZIP archive and extracts files from it. An authenticated user with administrator rights has the ability to upload arbitrary files to the system, leading to directory traversal.

Zimbra patched the vulnerability, but, in the company’s own words, it would turn out to be an “incomplete fix for CVE-2022-27925”.

Mass exploitation

It is uncommon for a vulnerability that requires administrator rights to be used in a large-scale attack. Firstly, because it is usually a lot of work for a cybercriminal to obtain valid administrator credentials. But also because once they have administrator credentials there are a lot more options open to them. Although in this case, uploading zip files that will be auto-magically extracted sounds like a good way to establish a foothold.

So how did it come about that a serious, yet hard to exploit, vulnerability got involved in a large-scale attack rather than a targeted one? The researchers did a lot of digging and found that the threat actors were chaining the known vulnerability with a zero-day authentication bypass. That vulnerability was assigned CVE-2022-37042 after the researchers shared their findings with Zimbra. A path traversal vulnerability allows an attacker to access files on your web server to which they should not have access.

The underlying problem was that the authentication check, after sending an error message to the unauthenticated attacker, continued executing the subsequent code. So, even though the attackers received an error message, the web shell was planted on the server anyway. A web shell is a malicious script used by the attacker with the intent to escalate and maintain persistent access. In other words, a backdoor.

Knowing the paths at which the attacker had installed web shells, and the behavior of ZCS when contacting a URL that did not exist, the researchers performed a scan of ZCS instances in the wild to identify third-party compromises using the same web shell names. This scan yielded over 1,000 infected ZCS instances worldwide. The real number of infected instances is probably a lot higher, since the scan only looked for shell paths known to the researchers.

Mitigation

Zimbra has patched the authentication issue in its 9.0.0P26 and 8.8.15P33 releases. If you were late to patch for the RCE vulnerability, you should assume that your server instance has been compromised.

In order to verify the presence of web shells on a ZCS instance, one technique that can be used is to compare the list of JSP files on a Zimbra instance with those present by default in Zimbra installations. Lists of valid JSP files included in Zimbra installations can be found on GitHub for the latest version of 8.8.15 and of 9.0.0.
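One way to run that comparison, as an added example that is not Zimbra’s or Volexity’s tooling: list every .jsp under the webapp root and diff it against the published baseline, reporting both extra files (web shell candidates) and missing stock files. The baseline contents and the directory tree built by demo() are constructed; the real baseline would be the GitHub list for the installed version.

```python
"""Audit the JSP files under a ZCS webapp root against a known-good list.

Added example; not Zimbra's or Volexity's tooling. The baseline below is a
constructed stand-in for the per-version lists Zimbra publishes on GitHub, and
demo() builds a throwaway directory tree to audit.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List, Set


def list_jsp_files(root: Path) -> Set[str]:
    """Relative POSIX paths of every *.jsp under root (symlinks are not followed)."""
    found: Set[str] = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".jsp"):
                found.add(Path(dirpath, name).relative_to(root).as_posix())
    return found


def load_baseline(lines: Iterable[str]) -> Set[str]:
    """One relative path per line; blank lines and '#' comments are skipped."""
    paths: Set[str] = set()
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            paths.add(line[2:] if line.startswith("./") else line)
    return paths


def audit_jsp(root: Path, baseline: Set[str]) -> Dict[str, List[str]]:
    """Unexpected files are web shell candidates; missing stock files hint at
    tampering or a version mismatch between the install and the baseline."""
    present = list_jsp_files(root)
    return {"unexpected": sorted(present - baseline),
            "missing": sorted(baseline - present)}


# Constructed baseline, deliberately tiny; not the real Zimbra file list.
BASELINE_LIST = """
# stock JSP pages for the version being audited
./public/login.jsp
public/error.jsp
h/index.jsp
h/search.jsp
"""


def demo() -> Dict[str, List[str]]:
    """Build a constructed webapp tree (one stock file absent, one extra JSP) and audit it."""
    baseline = load_baseline(BASELINE_LIST.splitlines())
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in ("public/login.jsp", "public/error.jsp", "h/index.jsp",
                    "public/jsp/unknown.jsp"):      # last one is the planted extra
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text("<%-- constructed placeholder --%>\n")
        return audit_jsp(root, baseline)


if __name__ == "__main__":
    print(demo())
```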

Stay safe, everyone!

Slack flaw exposed users’ hashed passwords

Slack, the workplace communication platform, has notified some of its users that their hashed passwords have been subject to exposure for the last five years. The company wasn’t specific in its notice, but Wired said that the flaw was in one of its “low-friction features”. The flaw exposed hashed passwords of users when creating or revoking shared invitation links for workspaces.

“When a user performed either of these actions, Slack transmitted a hashed version of their password to other workspace members,” the company said in a notice. “It affected all users who created or revoked shared invitation links between 17 April 2017 and 17 July 2022.”

Putting a plaintext password through a hashing algorithm changes it to a cryptographically scrambled or obfuscated version of itself, now called a “ciphertext”. It is a unique string of characters with a fixed length. Adding “salt”—essentially random data—when hashing would further protect the password from getting easily extracted by threat actors.

The exposure only occurs behind the scenes, though, as Slack users who were sent these invitations couldn’t see the passwords. However, they weren’t completely inaccessible, although seeing the exposed passwords required actively monitoring encrypted traffic from Slack’s servers.

“We have no reason to believe that anyone was able to obtain plaintext passwords because of this issue. However, for the sake of caution, we have reset affected users’ Slack passwords.”

Slack warned that hashes are “secure, but not perfect.” Hashed passwords could still be reversed by brute force methods.

Slack promptly patched the flaw after an independent security researcher reported it to Slack last month. It then notified the approximately 0.5 percent of all its users who may have been affected.

The company also took this opportunity to advise its users to enable 2FA (two-factor authentication) on their accounts and create strong and unique passwords. It also advised users to check access logs, which they can find here, for their accounts.

Update now! Microsoft fixes two zero-days in August’s Patch Tuesday

Microsoft has published fixes for 141 separate vulnerabilities in its batch of August updates, fixing a total of 118 CVEs in multiple products. This is a new monthly record if you look at the CVE count.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). These are the CVEs that jumped out at us.

Microsoft Support Diagnostics Tool

CVE-2022-34713: is a Microsoft Windows Support Diagnostic Tool (MSDT) Remote Code Execution (RCE) vulnerability. This vulnerability is known to be exploited in the wild and requires the target to open a specially crafted file. This CVE is a variant of the vulnerability publicly known as Dogwalk.

CVE-2022-35743: is another MSDT RCE vulnerability. Neither technical details nor an exploit are publicly available, but we do know that user interaction is required and the attack vector is local, so this is very likely another case where a specially crafted file needs to be opened by the victim.

Microsoft Exchange

CVE-2022-30134: is a Microsoft Exchange Information Disclosure vulnerability. This vulnerability is publicly disclosed but has not yet been detected in attacks. Affected products are Microsoft Exchange Server 2019 CU 11, Microsoft Exchange Server 2016 CU 22, Microsoft Exchange Server 2013 CU 23, Microsoft Exchange Server 2016 CU 23, and Microsoft Exchange Server 2019 CU 12. Users vulnerable to this issue would need to enable Extended Protection in order to prevent exploitation of this vulnerability. More details can be found on the Exchange Team Blog.

CVE-2022-24477: is a Microsoft Exchange Server Elevation of Privilege (EoP) vulnerability. Affected products are Microsoft Exchange Server 2016 CU 23, Microsoft Exchange Server 2019 CU 12, Microsoft Exchange Server 2019 CU 11, Microsoft Exchange Server 2016 CU 22, and Microsoft Exchange Server 2013 CU 23. Users vulnerable to this issue would need to enable Extended Protection in order to prevent exploitation of this vulnerability. More details can be found on the Exchange Team Blog.

CVE-2022-24516: is another Microsoft Exchange Server EoP vulnerability. Affected products are Microsoft Exchange Server 2016 CU 23, Microsoft Exchange Server 2019 CU 12, Microsoft Exchange Server 2013 CU 23, Microsoft Exchange Server 2019 CU 11, and Microsoft Exchange Server 2016 CU 22. Users vulnerable to this issue would need to enable Extended Protection in order to prevent exploitation of this vulnerability. More details can be found on the Exchange Team Blog.

Windows Point-to-Point Protocol

CVE-2022-30133: is a Windows Point-to-Point Protocol (PPP) RCE vulnerability with a CVSS score of 9.8 out of 10. An unauthenticated attacker could send a specially crafted connection request to a remote access server (RAS) server, which could lead to remote code execution (RCE) on the RAS server machine. This vulnerability can only be exploited by communicating via port 1723. As a temporary workaround prior to installing the updates that address this vulnerability, you can block traffic through that port thus rendering the vulnerability unexploitable.

Windows Network File System

CVE-2022-34715: is a Windows Network File System (NFS) RCE vulnerability with a CVSS score of 9.8 out of 10. This vulnerability could be exploited over the network by making an unauthenticated, specially crafted call to a Network File System (NFS) service to trigger a Remote Code Execution (RCE). This vulnerability is not exploitable in NFSV2.0 or NFSV3.0. Prior to updating your version of Windows that protects against this vulnerability, you can mitigate an attack by disabling NFSV4.1. This could adversely affect your ecosystem and should only be used as a temporary mitigation.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are a few major ones that you may find in your environment.

Adobe has also released security updates for many of its products, including Acrobat, Reader, Adobe Commerce, and Magento Open Source. More details on the Adobe security site.

Cisco released security updates for numerous products this month.

Google released Android security updates.

SAP released 5 new Security Notes.

VMware released Security Advisory VMSA-2022-0022 and warned that a recently disclosed auth bypass flaw is now actively exploited.

Twilio breached after social engineering attack on employees

Cloud-based communication platform provider Twilio has announced a breach via a social engineering attack on employees.

On August 4, 2022, Twilio says it became aware of unauthorized access to information related to a limited number of Twilio customer accounts, through the social engineering attack which was designed to steal employee credentials.

Text messages

A number of current and former employees received text messages that appeared to come from Twilio’s IT department. The messages said either that the recipient’s password had expired, or that their schedule had changed, and that they needed to log in. To increase the credibility of the URLs, they contained words including “Twilio,” “Okta,” and “SSO” (short for single sign-on) to try and trick users into clicking on a link which led to a fake login site. At this site, the attacker could intercept the login credentials and use them to access the compromised accounts.

The attackers must have put in some effort to link the Twilio employees to their phone numbers. It seems likely they used data from another breach, or breaches, and searched for Twilio employee names with their phone numbers. It would be easy to assume that it might have been one of the LinkedIn data breaches from 2021, because employer data would be needed, but unfortunately there are many other options to combine data from other breaches.

It certainly does add a layer of credibility to the attack, since most people don’t give their telephone number to just anyone, but their employer would know it.

Take down

Once Twilio confirmed the incident, its security team revoked access to the compromised employee accounts to mitigate the attack and a forensics firm was engaged to aid the ongoing investigation.

The text messages originated from US carrier networks, and Twilio says it worked with these carriers to shut down the numbers, and worked with the hosting providers serving the malicious URLs to shut those accounts down. It’s possible, however, that the attackers will continue to rotate through carriers and hosting providers to resume their attacks.

Twilio customers

Twilio has notified the affected customers. If you were not contacted by Twilio, then it means there is no evidence that your account was impacted by this attack.

Protection

By providing employees with mobile devices or allowing them to use personal smartphones for work, organizations have increased the possible number of targets for phishing campaigns.

Since employees’ phones are usually outside the scope of an organization’s security software, protection against this sort of attack is not easy.

The massive use of smartphones, tablets and mobile applications in our daily lives, for personal and professional purposes, turns them into essential tools that we trust maybe a tad too much.

And it’s not just text messages you need to worry about. Social media, messaging apps, and even dating apps have created many other channels to deliver an attack.

Providing your employees with software that blocks malicious text messages and URLs will only be effective against long-running campaigns, so it’s likely that this one would have made it through.

The most effective strategy is education. Users need to learn that text messages are to be treated with the same amount of suspicion as unexpected emails. Especially if the text message contains a link.

Stay safe, everyone!

5 cybersecurity tips for students going back to school

The new school season is just around the corner. And while you are getting ready to go back to school, now is a good opportunity to check you are doing all you can to stay as safe as possible online.

Make sure you are doing these five things:

1. Use multi-factor authentication (MFA)

MFA has become a necessary security measure in a world where passwords still rule. It’s added security for your school-related accounts—and actually any online accounts you have, including social media.

MFA is an additional layer of security, after you enter your username and password. This could be a code generated by an app, a push notification you need to accept, a physical key you plug into your computer, or similar.

Use it wherever it is offered to you. Yes, it makes logging in take slightly longer, but it really does make your accounts safer.

2. Use strong passwords

By “strong”, we mean the best possible password string you can come up with. If, for example, your school IT administrator sets a maximum password length of 10 and allows a mix of letters and numbers, then make your password 10 characters long with the maximum complexity you can.

And while we’re on the subject of passwords, remember to use a unique password for each of your online accounts. If you use the same email and password combination for every account, then if one gets breached you have to assume they have all been breached.

Of course, it’s impossible to remember a strong password for every account you have. This is where password managers come in. They can generate passwords for you, and will remember them all too. Just make sure you use a super strong password for your password manager itself, and protect it with MFA.

Lastly, never share passwords with anyone.

3. Be wary of links and attachments

When it comes to phishing and malware campaigns, danger doesn’t just lurk in emails. It’s on social media, SMS, chat platforms, gaming platforms, and other online watering holes, too.

Remember: if someone sends you an unsolicited link or attachment, you’re right to be suspicious. Treat it as suspect, and always verify with the sender if they’re someone you know, preferably via other means than the medium with which you received the link or attachment.

4. Share with caution

Students can do this in (at least) three ways:

  1. Limit what you share. Don’t give away personal details on social media, including those which tie you to your school.
  2. Be smart about what information you allow apps to access. Does that calendar app really need access to your location?
  3. For high school and college students, think twice before sharing private photos with someone. Consider that they may be shared with others, and how you might feel if that happened.

5. Lock down your files

The school does its part to secure your most important data, but you have a part to play, too.

You can start by locking down the devices you bring to school, such as your smartphone and laptop. Make sure there’s at least a password or code that stops anyone from casually picking up your device, and then opening it.

If you use the cloud to store files, learn how to secure that properly—the cloud-of-your-choice will have a guide on that. Remember, the cloud can only be as secure as you, the user, makes it.

It’s easy when you know how

Thankfully, securing data doesn’t get any more complicated for regular users than the five tips we have listed above. Remain vigilant and remind yourself that cybersecurity and privacy are shared goals and responsibilities. Students should do their part in the same way that your school’s IT team is doing theirs.

Stay safe, and have a pleasant, risk-free school year ahead!