This Week in Security: Adblock for Security, ProxyNotShell Lives, and CVSS 10 Not to Worry About

The ubiquity of ransomware continues, this time with The Guardian announcing that parts of its systems have been taken down following an attack. Staff are working from home while the incident is investigated and data is recovered. Online publication seems to be continuing, and the printed paper has come out as expected.

Several reports have emerged recently on the distribution of ransomware and other malware, the first being an FBI Public Service Announcement detailing what, in hindsight, is a blindingly obvious attack vector: search engine advertising. A bad actor chooses a business or common search term, pays for search engine placement, and then builds a fake website that looks legitimate. For bonus points, this uses a typosquatted domain, like adobe[dot]cm, or a punycode domain that looks even more like the real thing.

The FBI has a trio of recommendations, one of which I wholeheartedly agree with. Their first suggestion is to inspect links before clicking them, which is fine except for the punycode attack. In fact, there are enough similar glyphs to make this essentially useless. The second is to enter URLs directly rather than using a search engine to find a company's site. That's fine as long as you know the URL and don't mistype it. But honestly, haven't we all accidentally ended up on the [dot]co site doing this? Their final recommendation is the correct one, and that is to run a high-quality ad blocker for security. Remember to selectively disable blocking of websites you want to support. (Like Hackaday!)
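To make the punycode point concrete, here is an added example of mine (not from the FBI announcement or the column) that shows what a homograph domain actually resolves to and applies the two checks a link inspector would want: a label that mixes scripts, and a label written entirely in Cyrillic lookalikes that spells a Latin brand. The lookalike table is a hand-picked, deliberately short subset, and the domain strings are constructed for the example.

```python
import unicodedata

# Hand-picked Cyrillic letters that look like Latin letters in most fonts.
# Constructed for this example and deliberately incomplete; a production
# check should use the Unicode confusables.txt data instead.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",
    "\u0456": "i", "\u0458": "j", "\u04cf": "l",
}


def display_form(domain):
    """Accept either the xn-- (punycode) form the resolver sees or the Unicode
    form the address bar shows, and return the Unicode form."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def to_punycode(domain):
    """The ASCII name the browser actually resolves."""
    return display_form(domain).lower().encode("idna").decode("ascii")


def scripts_in(label):
    """Scripts used by the letters of one label, taken from the first word of
    each character's Unicode name ('CYRILLIC SMALL LETTER A' -> CYRILLIC)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def latin_skin(label):
    """If every character is ASCII or a Cyrillic lookalike, return the Latin
    string the label impersonates; otherwise None."""
    out = []
    for ch in label:
        if ch in CYRILLIC_LOOKALIKES:
            out.append(CYRILLIC_LOOKALIKES[ch])
        elif ch.isascii():
            out.append(ch)
        else:
            return None
    return "".join(out)


def classify(domain):
    """Return (verdict, resolved_name). Verdicts: 'ascii', 'mixed-script',
    'homograph of <latin>', or 'other-idn' (non-ASCII, no lookalike found)."""
    shown = display_form(domain).lower()
    resolved = to_punycode(shown)
    if resolved == shown:
        return ("ascii", resolved)
    for label in shown.split("."):
        if len(scripts_in(label)) > 1:
            return ("mixed-script", resolved)
        skin = latin_skin(label)
        if skin is not None and skin != label:
            return ("homograph of " + skin, resolved)
    return ("other-idn", resolved)


if __name__ == "__main__":
    for d in ["adobe.com", "\u0430dobe.com",
              "\u0430\u0440\u0440\u04cf\u0435.com", "m\u00fcnchen.de"]:
        print(d, classify(d))
```

The mixed-script test is the cheap one, which is why browsers apply something like it before deciding whether to display the Unicode form; the whole-script case needs a confusables table, and the short one above only covers Cyrillic. Legitimate IDNs (the German example) pass both checks and still deserve a second look.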

Exchange always targeted

And the other report, a PDF from Prodaft, details the activities of FIN7, which has added ransomware to its criminal portfolio. These attacks are launched through multiple means, including malicious USB drives and known Exchange vulnerabilities, such as CVE-2020-0688 and the ProxyShell family of issues.

And speaking of which, ProxyNotShell isn't dead, because yet another bypass has been found in the wild. This isn't a bypass of the November 8 patch, but it does bypass the URL rewrite rules that were touted as an effective mitigation. The reason is that this attack doesn't use the Autodiscover endpoint, but applies the same technique to the OWA (Outlook Web App) endpoint.
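Why a path-anchored rewrite rule is such a narrow mitigation, as an added example that is neither from the column nor from Microsoft: a Python model of the rule run over a few constructed IIS log lines, next to a broader detection that keys on the proxied PowerShell target no matter which front-end virtual directory the request entered through. The regex is Microsoft's published mitigation pattern as I recall it, so verify it against the rule actually deployed on your servers; the log lines, addresses and the shape of the /owa/ request are constructed for illustration and are not the in-the-wild request.

```python
import re
from urllib.parse import unquote

# Microsoft's published URL Rewrite pattern for the ProxyNotShell mitigation,
# reproduced from memory: case-insensitive, applied to the URL-decoded request
# URI, request aborted on match. Check it against the rule on your own servers.
MITIGATION = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)

# Constructed IIS W3C log excerpt with a trimmed field list. Addresses are from
# documentation ranges and the request shapes are stylized, not captured traffic.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2022-12-20 10:15:01 GET /owa/auth/logon.aspx url=https%3a%2f%2fmail.example.com%2fowa%2f 203.0.113.7 200
2022-12-20 10:15:09 POST /autodiscover/autodiscover.json @example.net/powershell 198.51.100.23 200
2022-12-20 10:15:12 POST /autodiscover/autodiscover.json %40example.net/%50owershell 198.51.100.23 200
2022-12-20 10:16:40 POST /owa/someuser%40example.net/powershell - 198.51.100.23 200
2022-12-20 10:17:02 POST /powershell - 192.0.2.10 200
"""


def parse_iis(text):
    """Minimal W3C log parser: the #Fields directive names the columns."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            rows.append(dict(zip(fields, line.split())))
    return rows


def request_uri(row):
    """Rebuild the request URI from stem and query ('-' means no query)."""
    uri = row["cs-uri-stem"]
    if row["cs-uri-query"] != "-":
        uri += "?" + row["cs-uri-query"]
    return uri


def rule_blocks(uri, decode=True):
    """Would the rewrite rule abort this request? decode=False shows what
    happens when the condition input is the raw, still-encoded URI, which is
    why the published rule was changed to use {UrlDecode:{REQUEST_URI}}."""
    target = unquote(uri) if decode else uri
    return MITIGATION.search(target) is not None


def proxied_powershell(uri):
    """Broader detection: the decoded URI names the PowerShell remoting path,
    but the request entered through some other front-end virtual directory.
    Direct /powershell requests are ordinary remoting and are left alone."""
    decoded = unquote(uri).lower()
    path = decoded.split("?", 1)[0]
    entry_dir = path.split("/")[1] if path.startswith("/") else ""
    return "powershell" in decoded and entry_dir != "powershell"


def triage(text):
    """Annotate every request with the rule's verdict and the broader detection."""
    out = []
    for row in parse_iis(text):
        uri = request_uri(row)
        out.append({
            "client": row["c-ip"],
            "uri": uri,
            "rule_blocks": rule_blocks(uri),
            "raw_rule_blocks": rule_blocks(uri, decode=False),
            "suspicious": proxied_powershell(uri),
        })
    return out


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(r)
```

The fourth line is the one that matters: the rule never fires on it because nothing in the request says "autodiscover", while the detection flags it for the same reason it flags the Autodiscover variants. A mitigation that names the path the attacker happened to use is a speed bump; the patch, or a rule written around what the request reaches rather than where it enters, is the fix.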

Password manager failure

LastPass isn't the only password manager in the news, and problems with Passwordstate make recent LastPass issues seem like the most minor of inconveniences. Passwordstate is an enterprise solution for password management. modzero researchers started with the browser extension, which allows a user to access saved passwords. To authenticate, a token is generated and sent to the server. Turns out that token is just the username and other user info, XORed with a static universal key. And on the server side, the only check that happens is on the username. So on any Passwordstate installation anywhere, if you can talk to the API and know a valid username, you can extract all passwords accessible to that account.
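The flaw in that token design is worth seeing on the wire, so here is an added example of mine, a toy model rather than Passwordstate's real token format, key or API. It shows that XOR with a static key is not authentication: one token you are entitled to (your own) gives you the keystream, and with it a token for any username the server knows. The second half shows the shape of a fix, a server-issued token tagged with a secret that never leaves the server; all names and values are constructed.

```python
import hashlib
import hmac

# Stand-in for the static key baked into every copy of the client. Not the
# real key or format; the point is that it is the same for every installation.
STATIC_KEY = b"same-key-in-every-install"
TAG_LEN = hashlib.sha256().digest_size


def xor_bytes(data, key):
    """XOR data against key, repeating the key as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def weak_token(username, extra):
    """Model of the flawed scheme: user info XORed with the static key."""
    return xor_bytes(f"{username}|{extra}".encode(), STATIC_KEY)


def weak_server_check(token, known_users):
    """Model of the flawed server: undo the XOR and check only that the
    username exists. Returns the accepted username or None."""
    user = xor_bytes(token, STATIC_KEY).decode(errors="replace").split("|", 1)[0]
    return user if user in known_users else None


def forge_token(captured_token, captured_plaintext, target_plaintext):
    """Known-plaintext forgery: one captured token for an account whose details
    you know (your own) leaks the keystream; re-encrypt any plaintext of the
    same length or shorter. The key itself is never needed."""
    if len(target_plaintext) > len(captured_token):
        raise ValueError("captured token too short for this target")
    keystream = xor_bytes(captured_token, captured_plaintext)
    return xor_bytes(target_plaintext, keystream)


# --- what the server should have done ---------------------------------------

def issue_token(username, extra, server_secret):
    """Issued by the server only after a real authentication step. The tag uses
    a secret that never leaves the server, so a client cannot mint its own."""
    msg = f"{username}|{extra}".encode()
    return msg + hmac.new(server_secret, msg, hashlib.sha256).digest()


def verify_token(token, server_secret, known_users):
    """Check the tag in constant time before trusting anything in the message."""
    msg, tag = token[:-TAG_LEN], token[-TAG_LEN:]
    expected = hmac.new(server_secret, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    user = msg.decode(errors="replace").split("|", 1)[0]
    return user if user in known_users else None


if __name__ == "__main__":
    mine = weak_token("alice", "role=user")
    forged = forge_token(mine, b"alice|role=user", b"admin|role=user")
    print("weak server accepts forged token as:", weak_server_check(forged, {"alice", "admin"}))
    secret = b"server-side-secret-never-shipped"
    tampered = b"admin|role=user" + issue_token("alice", "role=user", secret)[-TAG_LEN:]
    print("HMAC server accepts tampered token as:", verify_token(tampered, secret, {"alice", "admin"}))
```

An opaque random session ID looked up server-side would do just as well as the HMAC; what matters is that the credential is issued by the server after a password check and cannot be derived by the client from data it already holds.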

This same API has another problem: any user can write to any other user's stored passwords, including the login URL for a given password. And since the entire interface is web-based, Cross-Site Scripting is the natural attack, and there is, of course, insufficient sanitization. An administrator can use the API to run PowerShell scripts. So spray the malicious link into other users' stored URLs and wait for an administrator to use the interface to log in somewhere. The PowerShell script runs, starting a reverse shell. And because the stored passwords aren't encrypted in any useful way (AES encrypted, but with the key stored, obfuscated, on the same machine as the database), the attacker walks away with the entire password database. The vulnerabilities have been addressed in 9.6 Build 9653, although given the severity and number of the issues, one has to wonder how thoroughly they were addressed.
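Two of the defects above, the cross-user write and the unsanitized login URL, are the kind a server-side check catches in a few lines, so here is an added example of what that looks like. It is mine, not Passwordstate's code or API; the entry store, user names and field names are constructed for the example. The scheme allow-list is what stops a stored `javascript:` link, and escaping at render time is what stops the stored value from breaking out of the tag it is written into.

```python
import html
from dataclasses import dataclass, field
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


@dataclass
class PasswordEntry:
    """Constructed stand-in for a stored credential record."""
    owner: str
    login_url: str
    writers: set = field(default_factory=set)  # users allowed to modify besides the owner


def demo_store():
    """Constructed sample data: two entries belonging to different users."""
    return {
        1: PasswordEntry("alice", "https://mail.example.com/owa"),
        2: PasswordEntry("admin", "https://vpn.example.com/"),
    }


def validate_login_url(value):
    """Accept only absolute http(s) URLs with a host. javascript:, data:,
    vbscript: and scheme-less or host-less strings are rejected outright."""
    parts = urlsplit(value.strip())
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        raise ValueError("login URL must be an absolute http(s) URL")
    return parts.geturl()


def update_login_url(store, actor, entry_id, new_url):
    """Authorization first, then validation, then the write."""
    entry = store[entry_id]
    if actor != entry.owner and actor not in entry.writers:
        raise PermissionError(f"{actor} may not modify entry {entry_id}")
    entry.login_url = validate_login_url(new_url)
    return entry.login_url


def attempt(store, actor, entry_id, new_url):
    """Outcome label for a write attempt: 'ok', 'denied' or 'rejected'."""
    try:
        update_login_url(store, actor, entry_id, new_url)
    except PermissionError:
        return "denied"
    except ValueError:
        return "rejected"
    return "ok"


def render_link(url, label):
    """Escape at output time for both the attribute and the text context."""
    return '<a href="%s" rel="noopener noreferrer">%s</a>' % (
        html.escape(url, quote=True), html.escape(label))


def unsafe_render(url, label):
    """The pattern to avoid: stored values dropped straight into markup."""
    return '<a href="%s">%s</a>' % (url, label)


if __name__ == "__main__":
    store = demo_store()
    print(attempt(store, "bob", 1, "https://evil.example/"))                 # denied
    print(attempt(store, "alice", 1, "javascript:alert(document.cookie)"))  # rejected
    print(attempt(store, "alice", 1, "https://sso.example.com/login"))      # ok
    hostile = 'https://example.com/?next="><script>x</script>'
    print(unsafe_render(hostile, "Login"))
    print(render_link(hostile, "Login"))
```

Validation on write is a backstop, not a substitute for escaping on read: records written before the check existed, or through another code path, still reach the page. And if the client side assigns stored values with `innerHTML`, none of this helps; it has to set `href` and text content as properties.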

Linux does samba (badly)

There is a Perfect 10 vulnerability in the Linux kernel. CVE-2022-47939 is an issue in the ksmbd driver, which was added last year in an attempt to speed up SMB performance...