Information Security Report | September 2018

Information Security Report | September 2018

The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.

This month features a serious vulnerability in a number of HP printer/fax combinations, a new twist on exploiting MikroTik routers to mine crypto currency, a critical Apache Struts code vulnerability that doesn’t require installed plugins, details of the Reddit 2007 backup database breach, Google’s forthcoming plans to block the injection of third-party code into their browser processes and how to get free replacement Symantec certificates to avoid FireFox untrusted certificate warnings.

Current Threats and Exploits

  • HP Printer/Fax Combo Vulnerabilities:
    Security researchers have discovered a serious vulnerability in a number of HP printer fax combination units. The vulnerability allows a remote attacker to take control of the device by exploiting a vulnerability in the built-in fax modem. The only prerequisites to launch the attack are for the printer to be connected to a phone line and for the adversary to know the fax number of the device. This makes the vulnerability especially suitable for targeted attacks. Once an attacker has gained control of the device, they are able to pivot across to the LAN interface of the device and start launching attacks back into the internal computer network the printer is connected to. During a demonstration, the security researchers who found the vulnerability were able to use the printer to launch the eternal blue exploit against computers connected to the same LAN as the printer.
    HP have released patches for the affected devices and it is strongly recommended you check for updates if you use a HP printer/fax combination device. If you do not make use of the fax component of the device, it is recommended you disconnect it from the phone line to lower the attack surface. (1)
  • Crypto Currency Mining Code Dynamically Injected into Browsing Sessions:
    Attackers have made use of a well-known exploit to compromise over 200,000 MikroTik routers and inject and use them to perform crypto currency mining activities. The attack, however, proceeded in a different manner from the usual. Instead of using the routers to mine crypto currency, they used the router to dynamically inject the coinhive crypto currency mining JavaScript code into HTTP sessions passing through it. This caused users downstream of the compromised router to receive the mining code and begin generating revenue for the attacker. Additionally, if web servers resided behind an affected router, it would also inject mining code into all the HTTP pages delivered by the server. To make matters worse, the affected routers included ISP grade routers, greatly increasing the number of affected users. It is important to note that only HTTP sites are affected, as the router is unable to inject the code into encrypted HTTPS sessions.
    It is recommended that all users of MikroTik routers ensure they have the latest patches installed. (2)
  • Another Critical Apache Struts Remote Code Execution Vulnerability:
    Apache has announced another critical remote code execution vulnerability in their Struts library. It was reported that the vulnerability exists in the Struts core itself and therefore is exploitable without the need for any installed plugins. Additionally, the attack can be performed without the attacker needing to authenticate to the page and it is thought to be very easy for an attacker to determine if a page is vulnerable to the attack.
    Apache Struts users are advised to update to version 6.2.35 or 2.5.17 to mitigate the vulnerabilities ASAP. (3)


Recent Breaches

  • Old Reddit Data Exposed:
    Reddit released a statement advising users that they suffered a data breach earlier in the month. According to the statement, the attacker gained access to a backup of the 2007 database containing usernames and salted passwords. While the system was protected by SMS two factor authentication, it was found the attacker was able to capture the second factor using an SMS intercept.
    Users whose data was exposed have been sent an email from Reddit with instructions on the next steps they need to take. Reddit have changed their second factor authentication method to use a token-based method and is recommending all their users to do the same. (4)

Other News

  • Google Chrome to Block Third Party Code Injection:
    A number of anti-virus vendors follow the practice of injecting their own code into web browser processes to add their own protection against malicious sites the user visits. The practice often allows them to restrict the categories of the web sites users can visit and also scan pages for occurrences of malware. While the injection of this code is designed to make the browsing experience more secure, it is not officially supported by the browser manufacturers and can make them unstable. In response to this, Google has announced they will begin notifying users, after a browser crash, of any other software which is injecting code into the browser process. Additionally, Google has announced that in future versions of Chrome, they will begin to outright block the injection of third-party code into their browser processes. It is currently not known what impact (if any) this will have on the overall security of web browsing using Chrome, and the feature is still in a trial rollout phase. Additional information will be provided by Google in the coming months. (5)
  • Browsers to Distrust Symantec TLS Certificates:
    The nightly build of FireFox version 63 is now showing an untrusted certificate warning for certificates issued by Symantec. The action has seen the distrust of all Symantec issued certificates, as well as subsidiary certificate authorities including Thawte, GeoTrust and RapidSSL. It is recommended that website administrators replace certificates issued by the above certificate authorities as soon as possible. Digicert (who has taken over the issuance of Symantec issued certificates) is offering a replacement certificate at no additional cost to the administrator. By updating the certificate, it will ensure users are not presented with the invalid certificate warning page when visiting your site. It is recommended that website admins obtain new certificates no later than October 2018 as this is when the feature is planned to be introduced into the mainstream versions of both FireFox and Google Chrome. (6)