Weekly Cybersecurity Roundup #9
"Companies spend millions of dollars on firewalls and secure access devices, and it's money wasted because none of these measures address the weakest link in the security chain: the people who use, administer and operate computer systems" - Kevin Mitnick
Threat Actors Impersonate Brands on Social Media for Malicious Purposes
With more than 2.95 billion people now estimated to use social media, an organization’s online presence directly relates to the satisfaction of its customers, as well as its profits. False or misleading images or comments connected with a brand on online platforms can swiftly impact the reputation or even the financials of an otherwise successful company. While most individuals have been taught to identify suspicious or even malicious content presented via email, threat actors know that when it comes to social media that is simply not the case. Criminals that use social media to abuse an organization have broad access to an audience focused on socializing and sharing information, not on analyzing Twitter handles or Instagram pages for inaccurate data. These vulnerabilities are appealing to the bad guys and make it easier to convince the victim that the doctored or unauthorized logo they are looking at is, in fact, real. That, along with the level of anonymity that social media affords, allows for an easy and well-distributed scam.
The zero-day exploits of Operation WizardOpium
Back in October 2019 we detected a classic watering-hole attack on a North Korea-related news site that exploited a chain of Google Chrome and Microsoft Windows zero-days. While we’ve already published blog posts briefly describing this operation, in this blog post we’d like to take a deep technical dive into the exploits and vulnerabilities used in this attack.
RangeAmp attacks can take down websites and CDN servers
A team of Chinese academics has found a new way to abuse HTTP packets to amplify web traffic and bring down websites and content delivery networks (CDNs).
Named RangeAmp, this new Denial-of-Service (DoS) technique exploits incorrect implementations of the HTTP "Range" request header.
HTTP Range Requests are part of the HTTP standard and allow clients (usually browsers) to request only a specific portion (range) of a file from a server. The feature exists so that downloads can be paused and resumed, whether deliberately (user pause/resume actions) or after an interruption (network congestion or disconnections).
The HTTP Range Requests standard has been under discussion at the Internet Engineering Task Force (IETF) for more than half a decade, but, due to its usefulness, has already been implemented by browsers, servers, and CDNs.
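The validation an origin server or CDN can apply before honouring a Range header, as an added example that is not code from the article or from the RangeAmp paper: it parses the byte-range specs, merges overlapping or adjacent ranges as RFC 7233 section 6.1 permits, and rejects sets with more distinct ranges than a cap instead of answering them with the full body. The cap value, the function names and the reject-with-416 policy are assumptions.

```python
MAX_RANGES = 8  # assumed policy cap on distinct byte ranges served per request

def parse_ranges(header, content_length):
    """Parse a Range header into inclusive (start, end) pairs clamped to the body.
    Returns None when the header is malformed (caller ignores it and answers 200)."""
    header = header.strip()
    if not header.lower().startswith("bytes="):
        return None
    ranges = []
    for spec in header[6:].split(","):
        first, sep, last = spec.strip().partition("-")
        if not sep or (first and not first.isdigit()) or (last and not last.isdigit()):
            return None
        if not first:                                   # suffix form "-N": last N bytes
            if not last:
                return None                             # a bare "-" is malformed
            if int(last) == 0 or content_length == 0:
                continue                                # selects nothing: unsatisfiable
            start, end = max(0, content_length - int(last)), content_length - 1
        else:
            start, end = int(first), (int(last) if last else content_length - 1)
            if last and start > end:
                return None                             # first > last is malformed
            if start >= content_length:
                continue                                # beyond the body: unsatisfiable
            end = min(end, content_length - 1)
        ranges.append((start, end))
    return ranges

def coalesce(ranges):
    """Merge overlapping or adjacent ranges, which RFC 7233 section 6.1 permits."""
    merged = []
    for start, end in sorted(ranges):
        if merged and start <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged

def decide(header, content_length, max_ranges=MAX_RANGES):
    """Return (status, ranges, bytes_to_send). Egregious sets are rejected with 416 rather
    than answered with the full body, so a small request never pulls a large response."""
    parsed = parse_ranges(header, content_length)
    if parsed is None:
        return 200, [], content_length                  # malformed: ignore the header
    ranges = coalesce(parsed)
    if not ranges or len(ranges) > max_ranges:
        return 416, [], 0                               # unsatisfiable or abusive
    return 206, ranges, sum(end - start + 1 for start, end in ranges)
```

The `bytes_to_send` value lets a front-end compare what a request will cost against what the client sent, which is the ratio a range-based amplification relies on.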
Reverse Engineering a 5G ‘Bioshield’
Six months ago the UK’s Glastonbury Town Council set up a 5G Advisory Committee to explore the safety of the technology, and last month the local paper reported its findings.
This statement is in their recommended measures report (page 31 of this PDF):
5G Bioshield https://5gbioshield.com/ We use this device and find it helpful.
We’re aware of people playing around with Shungite or setting up a ring of EMF shields to achieve this, but we’ve never seen someone saying it can be done with a USB stick.
We are not 5G specialists, nor are we health experts, but USB sticks are well within our skill set.
We ordered three devices and set to it.
Hackers breached six Cisco servers through SaltStack Salt vulnerabilities
SaltStack Salt is open source software that is used for managing and monitoring servers in datacenters and cloud environments. It is installed on a “master” server and it manages “minion” servers via an API agent.
The two recently revealed vulnerabilities – CVE-2020-11651 (an authentication bypass flaw) and CVE-2020-11652 (a directory traversal flaw) – can be exploited by unauthenticated, remote attackers to achieve RCE as root on both masters and minions.
The flaws were fixed in late April, but not all exposed Salt servers have been patched. A few weeks ago, Censys put the number of potentially vulnerable, internet-exposed Salt servers at 2,928.
One of the things that likely prolonged the deployment of patches is the fact that Salt is integrated in other solutions, and developers of those solutions took some time to push out security updates.
VMware vRealize Operations Manager is one of those solutions, and so are two network architecture modeling and testing solutions by Cisco.
Maze: the ransomware that introduced an extra twist
An extra way to create leverage against victims of ransomware has been introduced by the developers of the Maze ransomware. If the victim is not convinced that she should pay the criminals because her files are encrypted, there could be an extra method of extortion. Over time, more organizations have found ways to keep safe copies of their important files or use some kind of rollback technology to restore their systems to the state they were in before the attack.
To have some leverage over these organizations, the ransomware attackers steal data from the infiltrated system while they deploy their ransomware. They then threaten to publish the data if the victim decides not to pay. Depending on the kind of data, this can be a rather compelling reason to give in.
New Noise-Resilient Attack On Intel and AMD CPUs Makes Flush-based Attacks Effective
Modern Intel and AMD processors are susceptible to a new form of side-channel attack that makes flush-based cache attacks resilient to system noise, newly published research shared with The Hacker News has revealed.
The findings are from a paper "DABANGG: Time for Fearless Flush based Cache Attacks" published by a pair of researchers, Biswabandan Panda and Anish Saxena, from the Indian Institute of Technology (IIT) Kanpur earlier this week.
Dubbed "Dabangg" (meaning fearless), the approach builds upon the Flush+Reload and Flush+Flush attacks, which have been exploited previously by other researchers to leak data from Intel CPUs.
However, the new variant aims to improve the accuracy of these attacks even in a noisy multi-core system. It also works seamlessly against non-Linux Operating Systems, like macOS.
It's not every day the NSA publicly warns of attacks by Kremlin hackers – so take this critical Exim flaw seriously
The NSA has raised the alarm over what it says is Russia's active exploitation of a remote-code execution flaw in Exim for which a patch exists.
The American surveillance super-agency said [PDF] on Thursday the Kremlin's military intelligence hackers are actively targeting some systems vulnerable to CVE-2019-10149, a security hole in the widely used Exim mail transfer agent (MTA) that was fixed last June.