
This Week in Security: Somebody’s Watching, Microsoft + Linux, DDoS

In case you needed yet another example of why your IoT devices shouldn’t be exposed to the internet, a large swath of Hikvision IP Cameras have a serious RCE vulnerability. CVE-2021-36260 was discovered by the firm Watchful_IP in the UK. In Hikvision’s disclosure, they refer to the problem as a command injection vulnerability in the device’s web interface. The vuln is pre-authentication, and requires no user interaction. This could be something as simple as a language chooser not sanitizing the inputs on the back-end, and being able to use backticks or a semicolon to trigger an arbitrary command.
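The "language chooser" scenario sketched above, as an added illustration that is not Hikvision's code and not the actual CVE-2021-36260 defect: a constructed back-end that applies a language choice by invoking a helper program (plain `echo` here so it runs anywhere with a POSIX shell) is shown once with the request parameter spliced into a shell command line, and once hardened with an allow-list and an argv call that never touches a shell.

```python
import re
import subprocess

# Constructed example: the web handler passes the user's language choice to a
# helper program. `echo` stands in for whatever tool a real device would run.
ALLOWED_LANGUAGES = {"en", "de", "fr", "zh"}

def apply_language_vulnerable(lang: str) -> str:
    """Splices the untrusted parameter into a shell command line (shell=True).
    A value carrying ';', '`', '|' or '$(' makes the shell run a second command."""
    completed = subprocess.run(f"echo {lang}", shell=True, capture_output=True, text=True)
    return completed.stdout

def apply_language_argv_only(lang: str) -> str:
    """No shell at all: the parameter is one argv element, so metacharacters are literal text.
    This alone stops command injection, but still accepts garbage values."""
    completed = subprocess.run(["echo", lang], capture_output=True, text=True)
    return completed.stdout

def apply_language_hardened(lang: str) -> str:
    """Allow-list first (the value is an enum, not free text), then argv call, no shell."""
    if lang not in ALLOWED_LANGUAGES:
        raise ValueError(f"unsupported language: {lang!r}")
    return apply_language_argv_only(lang)

def hardened_rejects(lang: str) -> bool:
    """True if the hardened handler refuses the value (used for checks/tests)."""
    try:
        apply_language_hardened(lang)
    except ValueError:
        return True
    return False

# Shell metacharacters that have no business in an enum-style parameter;
# useful as a cheap detection rule over web-server access logs.
INJECTION_PATTERN = re.compile(r"[;&|`$()<>\n]")

def looks_like_injection(value: str) -> bool:
    return INJECTION_PATTERN.search(value) is not None

if __name__ == "__main__":
    tainted = "en; echo INJECTED"          # constructed request parameter
    print(repr(apply_language_vulnerable(tainted)))   # second command runs
    print(repr(apply_language_argv_only(tainted)))    # treated as literal text
    print(hardened_rejects(tainted), looks_like_injection(tainted))
```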

Now you’re probably thinking, “I don’t use Hikvision cameras.” The sneaky truth is that a bunch of cameras with different brand names are actually Hikvision hardware, with their firmware based on the Hikvision SDK. The outstanding question about this particular vulnerability is whether it’s present in any of the relabelled cameras. Since the exact vulnerability has yet to be disclosed, it’s hard to know for sure whether the relabelled units are vulnerable. But if we were betting…

Linux Malware on Windows

In retrospect it should probably be obvious, but the Windows Subsystem for Linux was destined to be yet another vector for infection for Windows machines. It’s finally happened in the wild, and Black Lotus Labs has the scoop. The actual malware sample is a Python script compiled into an ELF binary, designed to run inside the WSL environment. From there, it makes calls out to the Windows API. The advantage of using WSL for malware is that this escapes detection by most of the security products on the market.

OMIGOD — That Didn’t Take Long

Last week we talked about the simple-to-exploit vulnerability in the Open Management Infrastructure, commonly installed on Linux VMs hosted in the Azure cloud. Botnets are already scanning the internet for vulnerable machines and installing malware. The primary payload seems to be a Mirai variant, which among other things closes the vulnerable ports upon infection. So even if your VM doesn’t currently expose OMI to the internet, it may already be compromised. According to Cado Security, there still haven’t been any automatic updates pushed to fix vulnerable servers, so unless a VM was manually updated last week, it should probably be assumed to be compromised at this point if it has OMI installed. This has the potential to be quite a big problem.

Smartphone Audit

How much do you trust your smartphone? How about a smartphone made by Chinese companies? The National Cyber Security Center of Lithuania had this question, and audited popular international phones made by Huawei, Xiaomi, and OnePlus. All three brands are produced by companies based in China, so there are some understandable concerns about potential spyware. If you think this is overly paranoid, go read about Project Rubicon.

The conclusions? Xiaomi devices are actively running spyware and have censorship tools built in, although they are not actively blocking anything in international models. Huawei doesn’t seem to be quite so malicious, though it doesn’t get a complete pass. The problem here is the app store that ships with those phones. AppGallery is Huawei’s Play Store replacement, and it will helpfully fetch apps from a multitude of third-party app stores. It does this quietly, so it’s very hard to determine whether you’re actually getting the official version of an app or a shady repackage from an obscure repository. The only brand to emerge clean is OnePlus, which isn’t terribly surprising. Read the full paper, available here as a PDF.

Bad OMENs

Many HP computers ship with the OMEN Gaming Hub, an all-in-one tool for managing hardware settings, among other things. This tool consists of a user-mode application and a Windows driver running in the kernel. The front-end application makes IOCTL calls to the driver, which acts as a proxy to forward the calls to various hardware and software endpoints. The problem is that those calls are very flexible, and don’t have sufficiently fine-grained controls to prevent abuse. Any application can make those calls, adding to this recipe for disaster. It’s not quite as easy as shift-right-clicking on a file chooser dialog, but it is as easy as a few lines of code added to the msrexec project. Put simply, arbitrary writes to MSRs (Model Specific Registers) mean ring 0 code execution. After a botched patch attempt, HP has released properly fixed OMEN packages.

VoIP DDoS Ransom

Asking for a ransom to call off a DDoS attack is nothing new, but recently a new kind of target was attacked. VoIP.ms is a telecom provider offering VoIP services, and they’ve been effectively shut down by a DDoS attack. The attackers claim to be REvil, but that is likely misdirection. Too many elements are unlike the way REvil operated. For instance, the initial ransom demand was delivered over Pastebin and only asked for a single Bitcoin. That has since been elevated to 100 Bitcoins.

While VoIP.ms has contracted Cloudflare to mitigate the attack and get their website operational again, this has done little to get actual VoIP services running again. Attacking VoIP networks this way is a very new kind of attack, and providers like Cloudflare don’t yet have mitigations ready to go. If such attacks continue, I’m sure DDoS protection will soon be available.

Record DDoS

And we’ve just set a new record, and not one of those to be proud of. A new botnet, dubbed Mēris, has topped out at 21.8 million requests per second, so far. It’s likely that it’s capable of more. This is an application-layer attack, rather than a raw bandwidth attack, meaning that the emphasis is on flooding the target with bogus requests.

When looking at the traffic sources, Qrator found a couple of odd similarities. Almost all of the IPs had ports 2000 and 5678 open, a sign of MikroTik devices. The current theory is that the botnet is almost entirely made up of MikroTik routers. The last known remotely exploitable flaw in these devices was CVE-2018-14847, fixed back in 2018. The number of devices in this botnet is suspiciously similar to the number of vulnerable devices exposed to the internet in 2018. It’s not clear exactly what has happened, but the official theory is that these devices were compromised in 2018, “fixed” with an automatic update, but still effectively compromised. This is still an ongoing story; we’ll try to update you if more is discovered.
