Verkada Cameras Hacked and New Microsoft DNS Server Vulnerability

It’s been quite a few months in the cyber security world, and last week was no exception with two major vulnerabilities concerning Verkada cameras and Windows DNS servers. Both vulnerabilities are unpacked in the below CHU alerts!

On March 9, APT-69420, a lewd self-given title that plays on the Advanced Persistent Threat naming convention, leaked visual and network data from major companies including Cloudflare, Tesla, Nissan, Equinox, prisons, hospitals, and more on Twitter. The tweets from the user “ArsonCats” have since been taken down and the account is suspended. Before being removed, the user was adding the hashtag #OperationPanopticon to tag posts related to this attack.

APT-69420 is a hacktivist group that feeds on exploiting vulnerabilities on a large scale for public exposure. The group’s view of their hacks is dual-pronged. First, they believe that software/hardware vendors have a responsibility to provide secure products, and they do, Assura won’t argue that.

Their second perspective of their hacks is that while providers have the responsibility to provide a secure product, there is an equal amount of responsibility placed on organizations to thoroughly vet and test their products. A simple third-party vendor checklist during onboarding or contract negotiations isn’t enough. While this is also true, demonstrating this impact to organizations through public display is in no way respectable.

There was a maintenance backdoor placed in Verkada security camera systems, which are widely used across the world. APT-69420 found this backdoor and used it to gain unauthorized access to over 150,000 cameras according to their tweets. According to the group, “This is the tip of the tip of the tip of the iceberg.”

During the group’s tweet-spree they released footage and pictures of the inside of jail cells, mental health hospital rooms, the Tesla factory floor, a Cloudflare guard sitting at their desk/making their rounds, etc. For sake of these individuals and the organization’s privacy, Assura will not be re-sharing these images/videos.

What is more concerning about this attack is that the user “ArsonCats” demonstrated that she was able to use the access gained to move further into the penetrated networks should she have wanted to. The interface provided by the Verkada cameras is essentially just a Linux terminal.

For more on the mindset of the attacker see this video taken from an interview by Dan Patterson, a reporter with CBS News:

https://twitter.com/i/status/1369597260808548353 [see embed code above]

Verkada has responded to this attack with the following statement, “We have disabled all internal administrator accounts to prevent any unauthorized access.”

Where to begin? Let’s unpack this piece by piece.

Responsible disclosure. What is it? Bugcrowd, a leader in responsible disclosure program management, says, “Responsible disclosure is a process that allows security researchers to safely report found vulnerabilities to your team.” Essentially what this means is that an organization will provide safe harbor to a hacker if they find a vulnerability in a technology they are responsible for.

However, this also means that the hacker is responsible for maintaining the confidentiality of the organization’s information and will not release it unless there is approval by the organization. This is where APT-69420 deviated from the terms of nicety – Verkada does not have any responsible disclosure program, and therefore, is off-limits to hacking without penalty. Could this have been prevented by adopting a responsible disclosure program? Possibly by another hacker, but not by APT-69420 because they have other motivations, which leads us to our next point.

Third-party vendor agreements are weak. Unfortunately, many solely compliance-based information security programs only require a third-party vendor risk assessment that consists of signing some paperwork and attesting to the fact that they have secure products and practices. In a perfect world where organizations had the time and money to thoroughly test and vet their third-party vendors, they would. APT-69420 wants to drive this point home – you are responsible for your own security at the end of the day. While the tactic was less-than-admirable, the point is well taken.

Our answer will be a bit different than the traditional Cyber Heads-Up.

Assura’s Virtual Information Security Officer service is available to assist organizations that have concerns about the strength of their third-party vendor management process. Assura also provides penetration testing services to organizations looking to have their internal or external networks, web applications, or wireless networks tested. 

On March 9, 2021, Microsoft released several security advisories for Windows DNS Server. Of those vulnerabilities, five of them would allow a remote attacker to execute malicious code on the target DNS server if it is exposed in some way. One vulnerability, in particular, CVE-2021-26897, is considered a critical severity vulnerability. These vulnerabilities have yet to be publicly disclosed by Microsoft and the US-CERT has not announced these vulnerabilities yet. Assura was made aware of these issues via monitoring of CERT-EU. At the time of writing, the CVE for the critical vulnerability has no information within it and is in a “reserved” state. The CVE can be seen here.

Not much is known about the attacks at this time due to their release state by Microsoft.

What is known about the attacks, as provided by CERT-EU, is that the critical vulnerability (CVE-2021-26897) may be exploited by making consecutive Signature RRs Dynamic Update requests to the DNS server, which will lead to a write on the head when the updates are combined into base64-encoded strings before writing them to the zone file. Essentially, a heap-based buffer overflow. Think of trying to put 10 pounds of flour into a 5-pound bag. The extra flour has to go somewhere, right? Well, if the attacker can make their flour land in the right place, they own your server.

The other vulnerability that we have some information about is CVE-2021-26877. This vulnerability may be triggered when a zone update with a TXT RR has a “TXT length” greater than the “Data length”.

The affected products include:

Let’s start with the response fatigue being experienced by many right now. Let me just say, it is OK to feel this way. In no way is security “achievable” because it is not tangible – there is no such thing as security. Security is a theory, a practice, or an idea. What we are all doing is managing the risk our organization faces every day. While this may feel like “security” most days, we are really just trying to blunt the blow of the next attack. So, try to let yourself breathe a bit. We can’t always prevent the next big attack because we don’t know when or where it will come from. What we can do is prepare to the best of our capabilities and respond appropriately when an attack occurs.

As for our take on this series of new vulnerabilities in Windows DNS Servers. Please ensure that you are following the mitigation and security update advice provided by Microsoft in the articles listed below:

Assura’s Security Operations Center will continue to monitor for anomalous activity related to this attack vector. Assura will continue to update our clients and readers with new information as it is uncovered and fully understood.

If you’re an Assura client, please do not hesitate to reach out to your Virtual ISO or Assura SOC point-of-contact if you have questions about these vulnerabilities or our response. Otherwise, please contact us at [email protected].

References:

https://media.cert.europa.eu/static/SecurityAdvisories/2021/CERT-EU-SA2021-014.pdf

https://www.bugcrowd.com/resource/what-is-responsible-disclosure/