Cyber Heads-up: Week of May 20, 2019

Good morning-

Last week was a very active week in the world of cyber threats. Hacked antivirus software vendors, Microsoft’s unusual release of a security patch for Windows XP, Linux Kernel zero-day, WhatsApp being used to deliver spyware, Google issuing a recall on its Titan security keys, and the SHA-1 hash is officially dangerous. We’ll cover these topics one-by-one.

Bleeping Computer is reporting (link to article *fixed* here) that Symantec, McAfee, and Trend Micro were all breached by a hacker group called Fxmsp. The group claims to have compromised the networks of these three companies and stolen source code for their flagship antivirus products. All three companies are triaging the damage and have released statements. The article has transcripts of conversations with Fxmsp and they are fascinating.

While it’s not time to panic just yet, this is a potential catastrophe for customers that use these companies’ antivirus products. Malicious actors having possession of source code could find flaws in their products and write malware that exploits those flaws. Damaging flaws in antivirus software has been disclosed before. And since we don’t know exactly what Fxmsp may find in the treasure trove of source code, we don’t know what to look for to know that it’s being exploited.

The best defense is layered security with malware defense at both the network edge (included as an advanced feature on many firewalls) and on endpoints (laptops, workstations, servers). Of course, using an advanced Security Event and Incident Monitoring (SIEM) tool with trained network analysts can help to identify unusual activity across networks and systems.

If you’re really, really, worried, there’s always replacing your malware defense software. It’s not a great option, but it’s an option.

While Assura’s endpoint security customers are not affected by this, our Security Operations Center is in a heightened state of vigilance monitoring for unusual activity on customer networks who have malware protection software from one of the three affected companies installed on their systems.

Although Windows XP was officially abandoned by Microsoft back in 2014 (meaning there would be no more updates/fixes to it), this week Microsoft took the highly unusual step of releasing a security update for the discontinued operating system. This is a flaw (CVE-2019-0708 in the Common Vulnerabilities and Exposures database) in the Windows Remote Desktop Protocol (RDP), which is used in Microsoft’s Remote Desktop Services and is relied upon by innumerable system administrators for remote access into Windows servers and Workstations.

“Any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017,” Simon Pope, director of incident response for the Microsoft Security Response Center, wrote in a statement announcing the patch Tuesday. “It is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”

“This vulnerability is pre-authentication and requires no user interaction,” Pope said. “In other words, the vulnerability is ‘wormable,’ meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. It is important that affected systems are patched as quickly as possible to prevent such a scenario from happening.”

It’s worthy of note that this vulnerability does not affect Microsoft’s latest operating systems — Windows 10, Windows 8.1, Windows 8, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, or Windows Server 2012.

This is easy. If you’re still running Windows XP, patch, patch, patch. If you’re running any system with RDP exposed to the Internet, block it off at the firewall level unless there’s a highly compelling business need. Those should be very few and far between though. Ideally, you should only access systems via RDP across a VPN tunnel. If a VPN isn’t feasible, you can also utilize an Access Control List (ACL) on your firewall to restrict access to trusted IP addresses. However, the reality of exposing RDP access to servers across the Internet is that you’re gambling because RDP’s security model was never developed to be secure across an untrusted network.

Linux kernels prior to version 5.0.8 are vulnerable to an attack that allows the attacker to execute arbitrary code remotely, without authentication on the target system (CVE-2019-11815). That’s a fancy way of saying that they can do anything they want as long as they can talk to the system over a network (including over the Internet).

Patch. Now. There are no known exploits of this yet, but there will be. If you’re an Assura security monitoring customer, once those exploits hit, our SOC will monitor for them.

Euronews reports the following:

WhatsApp, an encrypted messaging programme owned by Facebook, began rolling out an upgrade for its estimated 1.5 billion users on Friday. The flaw allowed attackers to install commercial Israeli surveillance spyware on phones through the messaging app’s phone call function, according to a report in the Financial Times (FT).

The “advanced actor” in this case used code developed by Israeli company NSO Group, according to FT.

The spyware manufacturer is known to sell surveillance software to countries such as Saudi Arabia.

By calling a targeted user through the app, hackers could install the Israeli software onto both iPhones and Androids even if the user did not answer the call, the FT report said.

The spyware company’s flagship spyware program “Pegasus” can take control of a phone camera and microphone, track movement and record calls.

An NSO spokesperson told Euronews that the company licenses software to “government agencies for the sole purpose of fighting crime and terror,” but that “intelligence and law enforcement determine how to use the technology to support their public safety missions.”

WhatsApp was developed to be a security messaging platform — sort of the anti-Facebook Messenger. However, this shows that even purpose-built secure platforms can have security flaws.

Users should immediately update the WhatsApp app on their phones.

Google’s Titan Security Key is a hardware token that helps users and organization implement secure access to systems and applications such as online banking. The Titan keys can be inserted into a USB port on the user’s computer or can be read using Near Field Communications (NFC) or Bluetooth Low Energy (BLE). NFC is used where a user can tap their security key to a reader (much like does when using Apple Pay at the super market) and BLE works without having to physically tap a reader, so works over a longer distance (a few meters away).

Unfortunately, Google disclosed a vulnerability in their titan keys that use BLE that stems from a, “misconfiguration in the Titan Security Keys’ Bluetooth pairing protocols.” As a result, Google has issued a recall on the affected keys. To determine if your key is affected, check the back of the key. If it has a “T1” or “T2” on the back of the key, your key is affected by the issue and is eligible for free replacement.

More about this issue is available in an article at Bleeping Computer.

Although an attacker would have to be 30 feet or closer to a victim in order to execute an attack successfully, if a user has one of the affected keys, they should contact Google to have them send a replacement key. Google says that all users of vulnerable Titan Security Keys will get free replacements by visiting google.com/replacemykey. There’s no downside to obtaining the replacement.

ZDNet reports that an academic research team from France and Singapore improved upon a theoretical attack against the SHA-1 hashing algorithm. In practical terms, hashing algorithms are used to protect passwords and make sure that encrypted communications over the web are secure. SHA-1 (an abbreviation of Secure Hash Algorithm 1) was widely used for years, but because of theoretical attacks are becoming more practical (and less economically costly) to execute, the move has been toward the SHA-2 or SHA-3 algorithms. Google used the market share of the Chrome web browser to flex its muscle a few years ago in order to force website operators to move to SHA-2. However, many website operators and several product vendors have not updated to the more secure versions of these algorithms.

This can be a complex issue to address and there isn’t a one-size-fits-all solution to address this because, while the use of hash algorithms is pervasive, it’s not well understood by non-security professionals. Web servers like Apache and Internet Information Services (IIS) have ways of ensuring that strong algorithms are in use. However, it takes doing research with product vendors to know how they protect things like passwords stored in databases and other sensitive information (like Social Security Numbers). This is where a discussion with those product vendors can be useful. If the product you’re using can use the SHA-2 and/or SHA-3 algorithm, that should be enabled and SHA-1 should be disabled.

If you’re an Assura Virtual ISO™ client, we encourage you to discuss this issue with your Virtual ISO™. Other readers may want to reach out to discuss their situation.

We do encourage questions and feedback so please feel free to reach out to us at [email protected].

Sincerely,

The Assura Team