BF-SIRT Newsletter 2017-51

Google’s Project Zero released details of a local proof-of-concept attack against a fully patched Windows 10 PC that allows an adversary to execute untrusted JavaScript outside a sandboxed environment on targeted systems. These vulnerabilities were patched this month, and Project Zero has a great technical write-up.

Dutch security firm Fox-IT has gone public about a cyber attack it suffered in September after not protecting its DNS entries with two-factor authentication. Unlike many other cases, this seems to be a good example of how to handle incidents like this.

Using publicly known information, a team of researchers from the University of Melbourne has claimed to re-identify seven prominent Australians in an open medical dataset. In these days of GDPR this is something to take note of when talking about “anonymization” of big data sets.

Brian Krebs has a great post looking at the price of stolen credentials, giving a glimpse of the fortunes a credential thief can earn. This goes to show that leaked credentials are a bigger issue than the individual victim: they are part of the criminal economy and foster more cybercrime.

Top 5 Security Links
Project Zero Chains Bugs for ‘aPAColypse Now’ Attack on Windows 10
Fox-IT reveals hackers hijacked its DNS records, spied on clients’ files
Re-identification possible with Australian de-identified Medicare and PBS open data
The Market for Stolen Account Credentials
Attack Attribution Tricky Say Some as US Blames North Korea for WannaCry

BF-SIRT Newsletter 2017-50

This week’s top stories begin with the ROBOT attack, a bug in the implementation of RSA key exchange for products using PKCS #1 v1.5. This includes SSL/TLS if RSA is used for exchanging keys. The bug can let an adversary decrypt traffic and even sign messages with someone else’s private key. The vulnerable products include F5, Citrix and Cisco, and many vendors have released patches.

A database containing over 1.4 billion clear text passwords was discovered by security firm 4iQ while looking for passwords on the “dark web”. The full database contains over 41GB of cleartext passwords and usernames aggregated from previous leaks from Bitcoin, Pastebin, LinkedIn, MySpace, Netflix, YouPorn, Last.FM, Zoosk, Badoo, RedBox, games like Minecraft and Runescape, and credential lists like Anti Public and Exploit.in.

A security researcher discovered that many HP laptop models come pre-installed with a keylogger that could be used by malware or hackers to spy on the user. The keylogger is disabled by default, but can be turned on by making changes to the registry on Windows machines. Since this is built into the drivers by HP, this keylogger can be turned on bypassing . HP.

Tenable released Nessus Professional v7, removing API and multi-user support. These two components are seen as essential by many security professionals, and the change has been met with criticism in the security community. But it gets even worse. When notifying its users about the new version, Tenable added all users to a support forum that sent out as many as 150 emails a minute for over an hour, effectively creating a spam storm for all its users.

A new attack framework, “TRITON”, is targeting Industrial Control Systems (ICS) and has caused operational disruption to critical infrastructure, according to Mandiant. This looks to be a nation-state sponsored attack, and could lead to physical damage of critical systems producing gas, power and other nationally critical infrastructure.

And don’t forget that this Tuesday was Microsoft’s Patch Tuesday, with fixes for over 30 vulnerabilities, including 19 critical browser issues.

Top 5 Security links
ROBOT attack
1.4 Billion Clear Text Credentials Discovered in a Single Database
Pre-installed keylogger found in over 460 HP laptops
Tenable released Nessus Professional v7, removing features and spamming users
TRITON Attacker Disrupts ICS Operations

BF-SIRT Newsletter 2017-49

This week’s top story is that Microsoft issued an emergency Windows security update for a critical vulnerability that could lead to remote code execution in Microsoft’s own

TeamViewer rushed out a fix for a permissions bug that lets the controlled machine take control of the controlling machine. The bug impacts the Windows, macOS and Linux versions of TeamViewer.

Bugs in over 30 mail clients were found that let a phisher craft perfectly spoofed emails, defeating DMARC, Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) and showing the mail as legitimate in the client.
This collection of bugs has been named “Mailsploit” by the researcher who discovered it, and a list of vulnerable clients can be found here.

Two researchers from enSilo described a new code injection technique called “Process Doppelgänging” at Black Hat 2017. This new attack works on all Windows versions, and the researchers say it bypasses most of today’s major security products. It is a file-less attack and is impossible to patch, since it exploits the core design of Microsoft’s process loading mechanism. The good news is that it’s a very technically challenging exploit to run.

In malware news, the FBI, Europol, Microsoft and ESET teamed up to dismantle the longest-running botnet to date, the Andromeda network of botnets, which has been active since 2011.

Top 5 Security links
Microsoft Issues Emergency Windows Security Update For A Critical Vulnerability
TeamViewer Rushes Fix for Permissions Bug
‘Mailsploit’ Lets Hackers Forge Perfect Email Spoofs
Patch for Apple’s blank password bug released
“Process Doppelgänging” Attack Works on All Windows Versions

BF-SIRT Newsletter 2017-48

This week’s top stories are that half of the Internet’s email servers were vulnerable to remote code execution, and that half the planet’s inhabitants seemingly wondered how a blank password could give privilege escalation in the latest version of macOS.

The financially focused Cobalt criminal group exploited Microsoft Office’s Equation Editor in its latest campaign; a patch was released in November.

A classified toolkit for potentially accessing US military intelligence networks was left in an unsecured AWS S3 silo.

Less news, but input worth considering: Linus Torvalds has offered a calmer, lengthy explanation of his thoughts on security, after a classic expletive-laden first version.

Top 5 Security Links
No Patch Available for RCE Bug Affecting Half of the Internet’s Email Servers
Why <blank> Gets You Root
Older Office Cybersecurity Vulnerability Exploited by Cobalt Attackers
US intelligence blabs classified Linux VM to world via leaky S3 silo
Linus Torvalds on security: ‘Do no harm, don’t break users’

BF-SIRT Newsletter 2017-47

This week’s top stories are that Intel fixed critical bugs in the Management Engine, its secret CPU-on-chip, and that F5 announced a critical BIG-IP SSL vulnerability.

You should also read about the new OWASP Top 10 that has been released, and a forecast from ISF about security threats in 2018.

Top 5 Security links
Intel Fixes Critical Bugs in Management Engine, Its Secret CPU-On-Chip
F5 DROWNing, not waving, in crypto fail
Four Years Later, We Have a New OWASP Top 10
5 information security threats that will dominate 2018
Uber concealed massive hack that exposed data of 57m users and drivers

BF-SIRT Newsletter 2017-46

This week’s top stories are that research by Google and the University of California found that phishing attacks are more efficient than data breaches at getting criminals into victims’ accounts, that the average person still can’t pick a good password, and that security researchers described a proof-of-concept exploit dubbed AVGater that affects multiple antivirus products and can lead to a full system takeover.

GitHub has announced a new feature in its dependency graph that will warn developers about vulnerable dependencies in their projects.

You can also read about Malwarebytes researchers warning IT workers seeking love online to beware of “catphishing” scams, and, in an interview, Premera Blue Cross’s CISO and vice president sizes up healthcare security threats for 2018.

Top 5 Security links
Google study finds phishing attacks more efficient than data breaches
AVGater abuses antivirus software for local system takeover
Github Will Warn Developers About Vulnerable Dependencies in Their Projects
Beware Catphishing attacks targeting the hearts of security pros
A CISO Sizes Up Healthcare Security Threats for 2018

BF-SIRT Newsletter 2017-45

This week’s top stories are that recent Intel chips running Minix for their Management Engine have debugging ports that can be reached over USB. USB is also a theme in Linux kernel patching these days, with more than 40 security issues discovered.

Amazon has updated their AWS Dashboard to warn admins when they are exposing S3 buckets.

Researchers at Volexity have been tracking the Vietnamese threat actor APT32 since May 2017 and claim it is one of the most advanced APTs in the threat landscape.

Top 5 Security links
Intel’s super-secret Management Engine firmware now glimpsed, fingered via USB
Don’t worry about those 40 Linux USB security holes. That’s not a typo
Amazon Updates AWS Dashboard to Warn Admins When They’re Exposing S3 Buckets
Misconfigured Amazon S3 Buckets Expose Users, Companies to Stealthy MitM Attacks
Vietnamese APT32 Group is One of the Most Advanced APTs in the Threat Landscape

BF-SIRT Newsletter 2017-44

This week’s top stories are that the Reaper IoT botnet is not fully mobilised, according to a report, and that Heathrow Airport security plans were found on a memory stick on a street in London.

European Union member states have drafted a diplomatic document which states serious cyber-attacks by a foreign nation could be construed as an act of war.

If you are looking for some in-depth reading, Sophos has released its 2018 Malware Forecast report, concluding that ransomware-as-a-service will see the insidious malware spread rapidly beyond personal computers in the year ahead. Proofpoint researchers uncovered a long-running malvertising campaign and have a nice write-up and threat actor profile: KovCoreG, The Kovter Saga.

Top 5 Security Links
Reaper IoT Botnet Not Fully Mobilised, Says Report
Heathrow Airport Security Plans Found on Memory Stick
EU to Declare Cyber-Attacks “Act of War”
Threat Actor Profile: Kovcoreg, The Kovter Saga
Sophos: 2018 Malware Forecast Report

We wrote tests for our third-party security libraries, and you won’t believe what happened next! (CVE-2017-8028)

On the importance of thorough testing

Much of modern software development revolves around the concept of “quality”. As with all abstract concepts, “quality” is somewhat difficult to pin down, but for this article we can define it as “how well software conforms to its requirements”. Less formally, we can say that “high-quality software does what it’s supposed to”.

One way to ensure that you consistently deliver high-quality software is to have automated tests. I’m not a Test-Driven Development fundamentalist insisting on 100% test coverage; but if some part of your software is important to your users, there should be at least one automated test demonstrating that it works. This is obviously true for your software’s functional requirements, but it applies equally to its non-functional requirements such as auditing and performance.

So what non-functional requirements are important to the users of Basefarm’s internally-developed applications?
One thing that immediately springs to (at least my) mind is security. So we need some tests for that, right?

Think like a hacker

When developing secure applications, it is always useful to try to think like an attacker. If I were to try to get unauthorized access to this application, how would I go about it?

Obviously, you’d first need to log in. For Basefarm’s internal applications we use username/password logins authenticating against our internal LDAP server; this means that an attacker must obtain a set of working credentials somehow.

This suggests three tests:

  1. An existing user can log in with the correct password (this is what we call the happy-path test, which demonstrates that in fair weather conditions the software works as intended);
  2. A non-existent user is not allowed access;
  3. An existing user logging in with an incorrect password is not allowed access.

As part of these tests, it is also useful to think about things like auditing and information leakage; login attempts — successful or not — should be logged, and the error message(s) presented on failure should not give an attacker information she does not already have. In particular, authentication failures should not say “no such user” or “incorrect password”; “Invalid credentials” is a safe, neutral way to put it.

So, in pseudo-code, we have the following tests:

authenticate("existinguser", "correctpassword") must succeed

authenticate("nonexistentuser", "anypassword") must fail

authenticate("existinguser", "wrongpassword") must fail

Don’t reinvent the wheel

The developers at Basefarm, as in most other places, don’t have the time (or, to be honest, the expertise) to write everything from scratch. It is hard enough to implement our specific functionality; implementing and maintaining code to talk to databases and LDAP, handle authentication and transactions and all the other things a large-scale (dare I say Enterprise?) application needs would be impossible. So like many other teams on the JVM platform we lean heavily on the Spring framework and its attendant ecosystem of libraries; in particular, we use Spring Security for authentication and authorization.

Setting the scene

Since our LDAP server (as all good LDAP servers should) requires authentication and encrypted communication using STARTTLS, our Spring Security configuration looks something like this (ignoring some details on how, exactly, things are wired together):

<bean id="tlsAuthStrategy" 
      class="org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy" />

<ldap:context-source 
  url="ldap://monkeymachine:389/dc=springframework,dc=org" 
  username="cn=Manager,dc=springframework,dc=org" password="secret" 
  authentication-strategy-ref="tlsAuthStrategy" />

<security:authentication-manager>
  <security:ldap-authentication-provider 
    user-search-base="ou=People,dc=springframework,dc=org" 
    user-search-filter="(uid={0})" />
</security:authentication-manager>   

The idea is that the security framework, authenticating with the manager credentials, searches for a user to really authenticate as.

We believe this to be a fairly typical LDAP-auth setup; in fact, the actual configuration is more or less copy-pasted from the Spring Security documentation.

We originally implemented this in 2011; and the configuration worked well, all the tests passed, and we were happy.

Let’s dance!

Fast-forward six years, to 2017. As part of our regular maintenance cycle, I went through all of our application’s dependencies and updated them to the latest version, to get the benefit of whatever new features and fixes are available.

This is usually a cushy job: Update some version numbers; recompile everything; drink coffee while the tests pass; and then ship it.

So I upgrade Spring Security to 4.2.1, and start the test run.

Imagine my surprise when I returned from my coffee binge to see

Tests failed: 1

Waltz Tango Foxtrot?

And the test that failed?

authenticate("existinguser", "wrongpassword") must fail

Whisky Tequila Fernet? In short, WTF???

Finding the problem

I’ll spare you the details of how we debugged the issue; it’s not really interesting, involving as it did copious amounts of coffee, creative swearing, scratching of heads, wailing and gnashing of teeth, and poring over code, logs and packet captures.

It turned out that the problem was not in Spring Security per se, but in Spring LDAP; a change in Spring Security’s use of that library exposed a weakness in DefaultTlsDirContextAuthenticationStrategy, which never actually performs an LDAP “bind” operation using the provided credentials.

The desired sequence of events when authenticating in our setup is something like this:

  1. Open a new LDAP connection
  2. Secure it using STARTTLS
  3. Bind with the search credentials (username/password from the context-source)
  4. Perform an LDAP search for the DN to bind as for the real authentication step
  5. Open another new LDAP connection
  6. Secure it using STARTTLS
  7. Bind using the DN from step 4 and the provided password

The logs from the LDAP server show what really happens (I’ve removed some entries from the log; the full log can be seen here):

-- step 1
59ceb606 conn=1000 fd=15 ACCEPT from IP=172.17.0.1:33378 (IP=0.0.0.0:389)
-- step 2
59ceb606 conn=1000 op=0 STARTTLS
-- step 3
59ceb606 conn=1000 op=1 BIND dn="cn=admin,dc=example,dc=org" mech=SIMPLE ssf=0
-- step 4
59ceb606 conn=1000 op=2 SRCH base="ou=People,dc=example,dc=org" scope=2 deref=3 filter="(cn=user)"
59ceb606 conn=1000 fd=15 closed
-- step 5
59ceb606 conn=1001 fd=15 ACCEPT from IP=172.17.0.1:33380 (IP=0.0.0.0:389)
-- step 6
59ceb606 conn=1001 op=0 STARTTLS
59ceb606 conn=1001 fd=15 closed (connection lost)

Step 7 never happens; as long as you have a username, all passwords are accepted.
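As an added illustration (not code from the article, Spring Security or Spring LDAP), the following Python check turns the expected sequence into something a test can assert on: it parses slapd log lines like those above and looks for a BIND with a DN other than the manager DN after the user search. The vulnerable log is built from the lines shown on this page; the "fixed" log is constructed here to show what step 7 should look like.

```python
import re

# Sample slapd log lines, constructed from the vulnerable run this page shows:
# the manager BIND and the SRCH happen, but the user BIND (step 7) never does.
VULNERABLE_LOG = """\
59ceb606 conn=1000 fd=15 ACCEPT from IP=172.17.0.1:33378 (IP=0.0.0.0:389)
59ceb606 conn=1000 op=0 STARTTLS
59ceb606 conn=1000 op=1 BIND dn="cn=admin,dc=example,dc=org" mech=SIMPLE ssf=0
59ceb606 conn=1000 op=2 SRCH base="ou=People,dc=example,dc=org" scope=2 deref=3 filter="(cn=user)"
59ceb606 conn=1000 fd=15 closed
59ceb606 conn=1001 fd=15 ACCEPT from IP=172.17.0.1:33380 (IP=0.0.0.0:389)
59ceb606 conn=1001 op=0 STARTTLS
59ceb606 conn=1001 fd=15 closed (connection lost)
"""

# Constructed log of the expected (fixed) behaviour: the second connection
# binds with the DN found by the search, so a wrong password can be rejected.
FIXED_LOG = VULNERABLE_LOG.replace(
    '59ceb606 conn=1001 fd=15 closed (connection lost)',
    '59ceb606 conn=1001 op=1 BIND dn="cn=user,ou=People,dc=example,dc=org" mech=SIMPLE ssf=0\n'
    '59ceb606 conn=1001 fd=15 closed',
)

# One slapd line: timestamp, conn=N, then either op=N or fd=N, then the verb.
LINE_RE = re.compile(
    r'^\S+ conn=(?P<conn>\d+) (?:op=\d+|fd=\d+) (?P<verb>\S+)(?P<rest>.*)$')
DN_RE = re.compile(r'dn="([^"]*)"')


def parse_slapd_log(text):
    """Yield (conn, verb, rest) for each parsable line, in log order."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield int(m['conn']), m['verb'], m['rest']


def find_user_bind(text, search_dn):
    """Return the DN of the first BIND issued with a DN other than the search
    (manager) DN after the user search, or None if step 7 never happened."""
    searched = False
    for _conn, verb, rest in parse_slapd_log(text):
        if verb == 'SRCH':
            searched = True
        elif verb == 'BIND' and searched:
            m = DN_RE.search(rest)
            if m and m.group(1).lower() != search_dn.lower():
                return m.group(1)
    return None


def sequence_is_complete(text, search_dn):
    """The property a test suite should assert: a login attempt must leave a
    BIND with the user's own DN in the server log, whatever the password."""
    return find_user_bind(text, search_dn) is not None


if __name__ == '__main__':
    manager = 'cn=admin,dc=example,dc=org'
    for name, log in (('vulnerable', VULNERABLE_LOG), ('fixed', FIXED_LOG)):
        print(name, 'user bind:', find_user_bind(log, manager))
```

Run against a real slapd log (loglevel stats), the same check complements the authenticate("existinguser", "wrongpassword") test: the functional test says the login was refused, the log check says it was refused for the right reason.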

Further investigation showed that this had been noticed as far back as 2013 by one mwebb and reported as a bug in November 2016, but not recognized as a security issue.

We had also noticed it before, earlier in 2017, but due to time pressures we did not properly investigate the issue at that time.

Houston, you may want to look at this

The Spring Framework is currently maintained by Pivotal Software, Inc., so we notified their security team of the problem. They, in turn, notified the maintainers of Spring LDAP, who initially concluded that this is not a bug because anonymous LDAP access was involved, as it was in the original example project exhibiting the bug.

However, a slight modification of the example project showed that the erroneous behaviour persists even when anonymous bind is not used; it is clear from the log that there is no bind attempt with the user credentials at all.

After a little back and forth, the Spring LDAP team released a fixed version of Spring LDAP on October 6, 2017, nearly a year after the initial bug report.

Timeline

2016-11-11 (approximately)
Tobias Schneider discovers the issue
2016-11-18
Schneider reports the bug to Spring LDAP, with a pull request
2017-01-11
We initially notice the issue, but due to time pressures do not investigate and roll back to an earlier version
2017-08-10
We attempt to upgrade again; again, we roll back to the earlier, working version, but this time (probably due to higher blood caffeine levels) a full investigation is scheduled
2017-09-26
We isolate the problem and discover the earlier bug report
2017-09-28
We notify Pivotal’s security team that we consider this a security vulnerability
2017-09-29
The Spring LDAP team determines that this is not a vulnerability
We demonstrate that the issue exists without involving anonymous search
2017-10-06
The Spring LDAP team commits a fix and releases a working version
2017-10-11
We request a CVE via Dell EMC and Pivotal
2017-10-16
Pivotal publishes CVE-2017-8028

The moral of the story (a.k.a TL;DR)

  • Security is an important part of your application; write tests for it
  • All non-trivial software has bugs, and some of these will be security-related
  • Report security issues to the security contact for the involved software

BF-SIRT Newsletter 2017-43

This week’s top stories are that Bad Rabbit, a new Petya-like ransomware, is spreading, and that Reaper, a new Mirai-like IoT botnet, has been detected and is many times larger.

A recent report concludes that cybercriminals are focusing on the shipping and cloud storage sectors, and Kaspersky is under fire from the US intelligence community, but says the NSA contractor leaked US hacking tools by mistake.

Dell lost control of a key customer support domain for a month in 2017, and Google Play Protect is the worst at detecting malware on Android, according to test results.

Top 5 Security links
Bad Rabbit: A new Petya-like ransomware that’s spreading, but beatable
After quietly infecting a million devices, Reaper botnet set to be worse than Mirai
NSA contractor leaked US hacking tools by mistake, Kaspersky says
Cybercriminals Focus on the Shipping and Cloud Storage Sectors
Dell Lost Control of Key Customer Support Domain for a Month in 2017