This Week in Security: Print Nightmare Continues, Ransomware Goes Bigger, And ATM Jackpots!

For the second time, Microsoft has attempted and failed to patch the PrintNightmare vulnerability. The flaw was tracked initially as CVE-2021-1675, and the second RCE as CVE-2021-34527. We warned you about this last week, but a few more details are available now. The original reporter, [Yunhai Zhang], confirms our suspicions, stating on Twitter that “it seems that they just test with the test case in my report”.

Microsoft has now shipped an out-of-band patch to address the problem, with the caveat that it’s known not to be a perfect fix, but should eliminate the RCE element of the vulnerability. Except … if the server in question has the point and print feature installed, it’s probably still vulnerable. And to make it even more interesting, Microsoft says they have already seen this vulnerability getting exploited in the wild.

Ransomware, The Big One

Kaseya makes remote management, security, and network monitoring products for IT departments and companies. Their VSA product specifically does remote monitoring and management, and had an optional on-premises component. Put more simply, you put their server on your network, and then install their client on every computer you manage. The clients report back to the server, and you can install updates or fix problems remotely. It sounds great, actually. The only problem is that there was a pair of vulnerabilities in those servers.

The Dutch Institute for Vulnerability Disclosure had been doing research work on Kaseya systems, and had disclosed a number of flaws, which were working through the normal process of patching. CVE-2021-30116 seems to be the primary vulnerability used, and Kaseya was painfully close to rolling out a fix. The timing weakly suggests inside knowledge of Kaseya’s vulnerability and patching process, but that is by no means certain. Either way, the attack was launched over the 4th of July weekend in the US, and many Kaseya VSA machines were targeted. Once these management endpoints were compromised, a REvil malware binary was pushed out to all connected clients as an update to install. REvil has boasted that they scored over a million infections as a result, and have offered a universal decryptor for a cool $70,000,000.

We’ve discussed here how ransomware groups have put some effort into not making too big of a splash, as getting too much publicity can lead to seized servers, bitcoins mysteriously recovered by the FBI, and actual arrests, depending on what country the group operates out of. It will be interesting to see if an event of this magnitude results in further action.

NFC ATM Jackpot

Near Field Communications (NFC) is the technology that powers non-contact smart cards. You may use one of these for access control to get into your workplace. You probably have NFC tech built into your credit cards, and maybe your passport, too. Most cell phones can do NFC communications, and here’s the important bit, they can mimic a smart card. What do you suppose a security researcher would do with such an ability? Naturally, use this ability to send malformed smart card data to a reader and see what happens.

That’s just what [Josep Rodriguez] did, to a bunch of ATM machines. He is part of IOActive, a security research company, and they have a consulting contract with one of the ATM vendors. It seems that his work on the one device inspired security testing of multiple brands. Quite a few can be crashed via unexpected NFC input, and if we know anything from the last few years of security research, that often means that things are vulnerable to full exploit. And, as expected, on the machine he could legally attempt a full exploit against, [Rodriguez] hit the jackpot. Literally.

Jackpotting an ATM is when an attacker can convince it to dispense all its cash at once. There have been a few ways to do this in the past, from stealing manufacturer’s tools, to attacking the machine physically. This is the first time such an attack has been found over NFC, or at least that has been publicly talked about. More information about the attacks is coming. It seems this initial story is intended to be a warning shot to vendors, that it’s time to get serious about patching their equipment.

Vulnerable Training App

Interested in Android App security? There’s a training tool you might be interested in, the Damn Vulnerable Bank. It’s an Android app that looks and works just like a real app might, but without the legal problems that go with hacking into a real bank’s infrastructure. And there’s a getting-started guide that walks you through the process of getting the app running in an emulator, including defeating the built-in protections against such research.

Password Stealing Gets Tricky

Android apps that try to harvest data from users are nothing new, right? I almost passed this story by, until I noticed that these apps were doing something clever. The set of apps found by analysts at Doctor Web are working apps, and show ads just as we’ve come to expect. These apps have a unique option to get rid of the ads: just log into your Facebook account. Hit that button, and the Facebook login page shows up right in the app, making for an easy experience.

Does that trigger your security spider sense? It should. That app has complete control over what happens in its own browser implementation. In this case, it loads the real Facebook page, and then loads some additional JavaScript to steal the password as it’s typed in. Thanks to this research, Google has kicked the apps off the play store, but not before they racked up a combined 5.8 million installs.

All Your Database Are Belong To Us

One of the ways private data leaks out to the world is through an unsecured database. There are quite a few non-traditional databases that either completely lack built-in security, or default to an insecure installation. That isn’t a problem, so long as the people using the database take the appropriate steps to keep the data secure. How many such databases do you think are exposed to the internet right now?

Researchers at RedHunt Labs wanted to know, so they started scanning the IPv4 space for unsecured databases. They picked eight databases, and started looking, and found a total of 95,321 insecure or totally unsecured databases exposed to the internet. It’s hard to know how many of those have proprietary data, but there’s also the possibility that each of those represents a foothold into a network. Keep your databases off the internet!

How Broken Can You Make A Password Manager

And finally, in the facepalm category, Kaspersky’s Password Manager was generating extremely insecure passwords. There were several odd issues at play, but by far the worst was that the only source of randomness the generator used was the current time … in seconds. To quote the article, “every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second.” To put it another way, if you know the day a password was generated by this system, you can immediately narrow it down to a list of 86,400 passwords. That’s just a little bit more than 16 bits, or the equivalent of a three-character password. Oof.
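The arithmetic above, as an added example that is not Kaspersky's code or part of the original article: a toy generator seeded only with the clock second, next to a CSPRNG-based one. The alphabet, password length, function names and the use of Python's `random.Random` as the stand-in PRNG are all assumptions made for illustration.

```python
import math
import random
import secrets
import string
from datetime import datetime, timezone

ALPHABET = string.ascii_letters + string.digits  # assumed charset, not the product's
LENGTH = 12                                      # assumed password length

def weak_password(unix_seconds):
    """Illustrative flaw: the whole password is a function of the clock second."""
    rng = random.Random(unix_seconds)  # stand-in PRNG, not the product's algorithm
    return "".join(rng.choice(ALPHABET) for _ in range(LENGTH))

def strong_password():
    """Hardened form: every character is drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))

def candidates_for_day(day_start):
    """Every password the weak generator can emit during one UTC day."""
    return {weak_password(day_start + s) for s in range(86_400)}

def audit_day(password, day_start):
    """Defender check: is a stored password derivable from that day's clock?"""
    return password in candidates_for_day(day_start)

def entropy_bits(choices):
    """Bits needed to index one item out of `choices` equally likely ones."""
    return math.log2(choices)

# Constructed sample: a password "generated" at 2021-07-06 12:34:56 UTC.
DAY = int(datetime(2021, 7, 6, tzinfo=timezone.utc).timestamp())
SAMPLE = weak_password(DAY + 12 * 3600 + 34 * 60 + 56)

if __name__ == "__main__":
    same = weak_password(DAY) == weak_password(DAY)
    print("two installs, same second, same password:", same)
    print("weak generator, known day: %.1f bits" % entropy_bits(86_400))
    print("CSPRNG, same alphabet: %.1f bits" % (LENGTH * entropy_bits(len(ALPHABET))))
    print("sample flagged as time-derived:", audit_day(SAMPLE, DAY))
    print("CSPRNG password flagged:", audit_day(strong_password(), DAY))
```

Passwords that `audit_day` flags for their known creation date are the ones to rotate first; the CSPRNG version is never flagged in practice because its output does not depend on the clock.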

