A pair of unpatched security vulnerabilities can allow unauthenticated cyberattackers to turn off window, door and motion-sensor monitoring.
A pair of vulnerabilities in the Fortress S03 WiFi Home Security System could allow cyberattackers to remotely disarm the system, leaving homes open to unlawful entry.
The Fortress platform is a consumer-grade home security system that allows users to mix and match various sensors, IP cameras and accessories, connecting them via Wi-Fi to create a personalized security system. RF fobs are used for system control, arming and disarming monitors on doors, windows and motion detectors.
According to Rapid7 researcher Arvind Vishwakarma, who discovered the bugs, the “vulnerabilities could result in unauthorized access to control or modify system behavior, and access to unencrypted information in storage or in transit.”
Both bugs remain unpatched.
Disarming Home Security Systems
The first vulnerability, tracked as CVE-2021-39276, is due to an insecure cloud API deployment, he said in a Tuesday post. Unauthenticated users can trivially exploit it to retrieve a secret that can then be used to alter the system’s functionality remotely. To disarm an alarm system, attackers can send a specially crafted unauthenticated POST to the API.
“If a malicious actor knows a user’s email address, they can use it to query the cloud-based API to return an International Mobile Equipment Identity (IMEI) number, which appears to also serve as the device’s serial number,” Vishwakarma said. “With a device IMEI number and the user’s email address, it is then possible for a malicious actor to make changes to the system, including disarming its alarm.”
Rapid7 notes that the effort required to exploit this is probably too much for a random, opportunistic home invader. In a stalker or restraining-order situation, however, where the attacker already knows the target and has their email address, the urgency of mitigating the problem rises, given the potential for physical violence.
“The likelihood of exploitation of these issues is pretty low,” Tod Beardsley, director of research at Rapid7, told Threatpost. “An opportunistic home invader is not likely to be a cybersecurity expert, after all. However, I am concerned about a scenario where the attacker already knows the victim well, or at least, well enough to know their email address, which is all that is really required to disable these devices from over the internet using CVE-2021-39276.”
An RF Weakness
The second issue, tracked as CVE-2021-39277, involves the RF signals used to communicate between the key fobs, door/window contact sensors and the Fortress Console, which are sent in the 433 MHz band. Anyone within RF range could capture those signals and replay them to alter the system’s behavior, including disarming it.
“When a radio-controlled device has not properly implemented encryption or rotating key protections, this can allow an attacker to capture command-and-control signals over the air and then replay those radio signals in order to perform a function on an associated device,” according to Vishwakarma.
In a proof-of-concept exploit, researchers used a software-defined-radio (SDR) device to capture normal operations of the device’s “arm” and “disarm” commands. Then, replaying the captured RF signal communication command would arm and disarm the system without further user interaction.
An exploit requires an attacker to be within physical range, staking out the property and waiting for the victim to use an RF-controlled device on the system – no prior knowledge of the victim is necessary.
To exploit the RF weakness, “the attacker would need to be both reasonably conversant in SDR in order to capture and replay the signals, and be within reasonable radio range,” Beardsley told Threatpost. “What that range is would depend on the sensitivity of the gear being used, but typically this sort of eavesdropping requires line of sight and pretty close proximity – across the street or so.”
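The difference between a receiver that accepts a static frame and one with the “rotating key protections” Vishwakarma refers to can be shown in a few dozen lines. The following is an added, self-contained Python simulation written for this article; it is not Rapid7’s proof of concept and is not based on the Fortress protocol. The frame layout, the shared key and the static code are all constructed for the demo. Both consoles see the same sequence: the owner arms, disarms (that disarm frame is recorded), arms again, and then the recorded disarm frame is played back.

```python
import hashlib
import hmac
import struct

# Constructed demo key shared by fob and console. Assumption: a real design
# would provision a per-device key at pairing time rather than hard-code one.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"
ARM, DISARM = 0x01, 0x02


class FixedCodeConsole:
    """Receiver that accepts a static arm/disarm frame.

    Nothing in the frame changes between uses, so the console cannot tell a
    recording played back later from the genuine fob."""

    def __init__(self, fixed_code: bytes):
        self.fixed_code = fixed_code
        self.armed = False

    def receive(self, frame: bytes) -> bool:
        code, cmd = frame[:-1], frame[-1]
        if code != self.fixed_code:
            return False
        self.armed = cmd == ARM
        return True


class RollingCodeConsole:
    """Receiver that requires a fresh counter and a MAC on every frame.

    Frame layout: 4-byte counter || 1-byte command || 16-byte truncated
    HMAC-SHA256 over the first five bytes. A replayed frame carries a counter
    the console has already consumed, so it is rejected."""

    MAC_LEN = 16

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = -1
        self.armed = False

    def receive(self, frame: bytes) -> bool:
        if len(frame) != 5 + self.MAC_LEN:
            return False
        body, mac = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[: self.MAC_LEN]
        if not hmac.compare_digest(mac, expected):
            return False  # forged or corrupted frame
        counter, cmd = struct.unpack(">IB", body)
        if counter <= self.last_counter:
            return False  # replay: this counter value was already used
        self.last_counter = counter
        self.armed = cmd == ARM
        return True


class Fob:
    """Transmitter for the rolling-code design; the counter advances per press."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def frame(self, cmd: int) -> bytes:
        self.counter += 1
        body = struct.pack(">IB", self.counter, cmd)
        mac = hmac.new(self.key, body, hashlib.sha256).digest()[: RollingCodeConsole.MAC_LEN]
        return body + mac


def replay_outcome_fixed_code() -> dict:
    """Record one legitimate 'disarm', then play it back after re-arming."""
    code = b"\xde\xad\xbe\xef"  # constructed static code
    console = FixedCodeConsole(code)
    console.receive(code + bytes([ARM]))
    captured = code + bytes([DISARM])
    console.receive(captured)  # owner disarms; this frame is recorded
    console.receive(code + bytes([ARM]))
    accepted = console.receive(captured)  # playback of the recording
    return {"replay_accepted": accepted, "armed_after": console.armed}


def replay_outcome_rolling_code() -> dict:
    """Same sequence against the counter-plus-MAC receiver."""
    fob, console = Fob(DEMO_KEY), RollingCodeConsole(DEMO_KEY)
    console.receive(fob.frame(ARM))
    captured = fob.frame(DISARM)
    console.receive(captured)  # owner disarms; this frame is recorded
    console.receive(fob.frame(ARM))
    accepted = console.receive(captured)  # playback of the recording
    return {"replay_accepted": accepted, "armed_after": console.armed}


if __name__ == "__main__":
    print("fixed code:  ", replay_outcome_fixed_code())
    print("rolling code:", replay_outcome_rolling_code())
```

The fixed-code console accepts the recording and ends up disarmed; the rolling-code console rejects it because the counter has already been consumed, and the MAC stops an attacker from simply incrementing the counter themselves. A production design would additionally accept a small window of future counter values so the fob and console stay in sync when a button is pressed out of range.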
How to Protect Against Fortress Home Security Attacks
As mentioned, there is, unfortunately, no firmware update available for either vulnerability. The vendor closed the ticket that Rapid7 opened on the bugs without comment, and didn’t respond to researchers’ follow-ups.
“In the past, we’ve seen that vendors that are unresponsive prior to disclosure tend to respond after disclosure, and tend to address these issues pretty quickly,” Beardsley said. “I’m hopeful that’ll be the case with this issue.”
There is, however, a workaround for the first issue. Because an attack requires the system’s email address, “we suggest registering the device with a secret, one-time use email address, that can function as a sort of weak password,” Beardsley told Threatpost. “Absent an authentication update from the vendor, I feel like this is an okay workaround.”
For CVE-2021-39277, there’s “very little a user can do to mitigate the effects of the RF replay issues absent a firmware update to enforce cryptographic controls on RF signals,” according to the post. Rapid7 advised that users can avoid exposure by not using key fobs and other RF devices linked to Fortress.
These are just the latest vulnerabilities to be found in internet of things (IoT) devices, underscoring the continuing need for security by design on the part of hardware vendors.
“A proper cloud infrastructure can greatly benefit IoT security by enabling automatic updates and insulating users from many local security threats, but it can also magnify the impact of vendor programming errors,” Craig Young, principal security researcher at Tripwire, said via email. “Whereas a vulnerability within an individual device is generally exploited by a nearby attacker, vulnerabilities within a vendor infrastructure can expose all users at once.”
Cream is latest DeFi platform to get fleeced in rash of attacks.
Cream Finance is the latest decentralized finance (DeFi) platform for cryptocurrency trading to take a major financial hit at the hands of hackers, losing nearly $19 million in an attack this week on its “flash loan” feature.
The attacker was able to steal nearly $29 million before being discovered, 418,311,571 in Amp Coin and 1,308.09 in Ethereum cryptocurrency, Cream Finance confirmed.
“We have stopped the exploit by pausing supply and borrow on AMP,” the company statement said. “No other markets were affected.”
C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract.
We have stopped the exploit by pausing supply and borrow on AMP. No other markets were affected.
— Cream Finance 🍦 (@CreamdotFinance) August 30, 2021
DeFi platforms connect various cryptocurrency blockchains to create a decentralized infrastructure for borrowing, trading and other transactions.
Cream Finance Hit With Reentry Attack
According to researchers at PeckShield, a bug in the feature allowed the threat actors to pull off a “reentry” (reentrancy) attack, in which a token transfer hands control back to the attacker before the lending contract has recorded the first borrow, so funds can be borrowed again and again while the previous transaction is still being processed.
“The hack is made possible due to a reentrancy bug introduced by $AMP, which is an ERC777-like token and exploited to re-borrow assets during its transfer, before updating its first borrow,” PeckShield explained.
2/4 The hack is made possible due to a reentrancy bug introduced by $AMP, which is an ERC777-like token and exploited to re-borrow assets during its transfer before updating the first borrow. pic.twitter.com/oVg0w1FWFt
— PeckShield Inc. (@peckshield) August 30, 2021
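PeckShield’s description above (a token whose transfer hook lets the recipient re-borrow before the first borrow is recorded) is easiest to follow as a small simulation. The following Python model is an added example for this article, not Cream Finance’s contract and not PeckShield’s analysis code; the token, the market and the credit figures are all constructed. It runs the same borrower against two orderings of the same lending logic: payout-then-bookkeeping (the pattern PeckShield describes) and bookkeeping-then-payout with a reentrancy lock (the checks-effects-interactions pattern).

```python
class Token:
    """Minimal ERC777-style token: transfer() hands control to the recipient
    through a tokensReceived-style hook while the transfer is in progress."""

    def __init__(self):
        self.balances = {}

    def transfer(self, sender, recipient, amount):
        if self.balances.get(sender, 0) < amount:
            raise ValueError("insufficient token balance")
        self.balances[sender] -= amount
        self.balances[recipient] = self.balances.get(recipient, 0) + amount
        hook = getattr(recipient, "tokens_received", None)
        if hook is not None:
            hook(self, amount)  # recipient code runs here, mid-transfer


class LendingMarket:
    """Toy market that pays out `token` against a per-borrower credit line.

    safe=False: sends tokens first and records the borrow afterwards.
    safe=True : records the borrow before the transfer (checks-effects-
                interactions) and refuses nested calls with a lock."""

    def __init__(self, token, safe):
        self.token = token
        self.credit = {}  # borrower -> remaining borrow limit
        self.safe = safe
        self._locked = False

    def borrow(self, borrower, amount):
        if self.safe and self._locked:
            raise RuntimeError("reentrant call rejected")
        if self.credit.get(borrower, 0) < amount:
            raise ValueError("borrow exceeds credit")
        if self.safe:
            self._locked = True
            self.credit[borrower] -= amount  # effect first
            try:
                self.token.transfer(self, borrower, amount)
            finally:
                self._locked = False
        else:
            self.token.transfer(self, borrower, amount)  # interaction first
            self.credit[borrower] -= amount  # effect recorded too late


class ReentrantBorrower:
    """Recipient whose hook calls borrow() again before the first borrow is
    written down. Modelled here only to show why the ordering matters."""

    def __init__(self, market, amount, depth):
        self.market, self.amount, self.depth = market, amount, depth
        self.calls = 0

    def tokens_received(self, token, amount):
        if self.calls < self.depth:
            self.calls += 1
            try:
                self.market.borrow(self, self.amount)
            except (RuntimeError, ValueError):
                pass  # the hardened market rejects the nested call


def run_market(safe, depth=3, credit=100, amount=100):
    """Return what the borrower ends up holding and what credit remains."""
    token = Token()
    market = LendingMarket(token, safe)
    token.balances[market] = 10_000  # constructed market liquidity
    borrower = ReentrantBorrower(market, amount, depth)
    market.credit[borrower] = credit
    market.borrow(borrower, amount)
    return {"borrowed": token.balances.get(borrower, 0),
            "credit_left": market.credit[borrower]}


if __name__ == "__main__":
    print("vulnerable ordering:", run_market(safe=False))
    print("hardened ordering:  ", run_market(safe=True))
```

With the vulnerable ordering, every nested call passes the credit check because the first borrow has not been subtracted yet, so a 100-unit credit line pays out 400 and the ledger ends at minus 300. With the hardened ordering the credit is reduced before the token moves and the lock refuses the nested call, so the borrower receives exactly what it was entitled to. In Solidity the equivalent is a `nonReentrant`-style modifier plus updating storage before any external call, which is the “correct function modifier” point Stewart makes below.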
The attack on Cream Finance comes just days after Poly Networks suffered a $610 million theft, the largest DeFi breach in history, before the money was returned by the attacker in a weird twist, likely after the criminal figured out that stealing the crypto is easier than making a withdrawal.
Solidity Leaves Plenty of Room for Error
The complexity of Solidity, the language used to write DeFi “smart contracts” on a variety of blockchain platforms, leaves plenty of room for coding errors, and opportunity for attackers, Joe Stewart with PhishLabs told Threatpost. An error in smart-contract code is what enabled the Cream Finance reentry attack, Stewart said.
“The recent security breach of the Cream Finance platform was facilitated by the latest in a long chain of smart contract vulnerabilities introduced by human error (or possibly insider attacks),” Stewart said. “Because Solidity is an evolving language, it is very easy to shoot yourself in the foot by something as simple as failing to include the correct function modifier in your code – exactly what happened to the author of the Cream Finance smart contract.”
“The layers of complexity are made even more tricky once those DeFi smart contracts start interacting with others,” Stewart added.
“The increasing complexity of DeFi contracts that interact with one another (possibly even across different blockchains) make it difficult to predict all possible code paths that could lead to privilege escalation and loss of funds locked in the contract,” Stewart added. “This is what happened in the recent PolyNetwork hack resulting in $610M being stolen (although subsequently returned by the hacker).”
Tal Be’ery, co-founder of ZenGo, pointed out via tweet that in both the Cream and Poly Networks attacks, the threat actors could not have tested their exploits in a lab environment; they were likely poking around in the live systems for some time, looking for a hole.
Attackers Sharpening Tools, Attacks
“The attackers had to develop and test their exploits against a real chain, because it’s too complex to set up in a lab,” Be’ery explained. “A good monitoring (and) alert solution might have given enough time to fix.”
A very important corollary from #polynetworkhack. The attackers had to develop and test their exploits against the real chain, because it’s too complex to set it up in the lab. A good monitoring + alert solution might have given enough time to fix. https://t.co/IdJsunuVLv
— Tal Be’ery (@TalBeerySec) August 15, 2021
As DeFi platforms figure out how to shore up security, Karl Steinkamp with Coalfire warned that threat actors, motivated by volatile crypto-bubbles, are working overtime to refine attacks.
“Given the generally appreciating value of crypto-assets, bad actors will likely continue to use them for many more years into the future,” Steinkamp told Threatpost. “While it has been seen currently to a limited extent over the last 10 years, bad cybercriminals will need to get smarter in using blockchains and crypto if they are going to be successful, which will likely include mixing tools and more off-chain and/or hardware addressed wallets.”
And the most recent data shows DeFi platforms were on the receiving end of 76 percent of all major hacks in 2021 and even before the Poly Networks hack, losses for 2021 had already exploded by 180 percent over last year, according to Atlas VPN.
With the rising risk of theft, it’s going to be up to the DeFi platforms themselves and the larger cryptocurrency community to offer some reassurance that it’s safe.
“The crypto-industry has generated a lot of excitement; however, many newcomers are unaware of the risks,” Atlas VPN’s researchers said. “Lack of regulation in the crypto-industry allows cybercriminals to thrive either by hacking less secured DeFi projects or by carrying out rug pull scams. For DeFi to become more legitimate, it is essential to establish security and business regulations.”
In the meantime, KnowBe4’s James McQuiggan suggested that users concerned about security should keep their cryptocurrency stored offline.
“Whether reverse-engineering the cryptography or attacking the source, cybercriminals continue to find ways to circumvent controls to steal money for their financial gain and ruin the customers’ portfolios,” McQuiggan said. “It demonstrates that users should maintain offline wallets to protect a large portion of their investments versus having them all in one location and risk losing their entire investment through a data breach or attack.”
Services that let consumers resell their bandwidth for money are ripe for abuse, researchers warn.
Services that allow consumers to resell their own internet bandwidth for profit to businesses that want to resell it are ripe for abuse, according to researchers.
The burgeoning business model is growing in popularity with consumers who earn about $1 for every 10GB of their bandwidth shared with services that include Honeygain, Nanowire, IPRoyal Pawns, Peer2Profit and PacketStream.
“These relatively new platforms were built with a legitimate purpose, but attackers quickly found ways to abuse them,” according to a report by Cisco Talos posted Tuesday. Services are delivered as desktop and mobile applications. Apps fall into a category called proxyware, because they turn the device running the software into a type of proxy server.
Proxyware services are attractive to businesses that use them for internet-related traffic research, such as search engine optimization. The ability to access residential and geographically diverse IP addresses can be extremely helpful. Uses also include testing potential online advertising campaigns or circumventing commercial network restrictions.
For consumers, Cisco points out, proxyware services are “advertised as a means to circumvent geolocation checks on streaming or gaming platforms,” while at the same time allowing consumers to generate income for the use of their bandwidth.
Why Are Proxyware Services Potentially Dangerous?
Researchers found that abuse of the services – by consumers and adversaries – presents a myriad of risks, including:
Malicious or trojan-ized versions of bandwidth-sharing applications distributed by adversaries
Corporate networks exposed to malicious versions of proxyware
Employee abuse of company networks by running the app, or multiple versions of the service, on them
Businesses using proxyware platforms potentially exposing unencrypted internet traffic to malicious hosts
Consumers accruing bandwidth overage fees when running the app on a mobile device
Growing Proxyware Trend Presents Cybersecurity Challenges
“As proxyware has grown in popularity, attackers have taken notice and are now attempting to exploit this interest to monetize their malware campaigns,” according to the report’s co-authors: Edmund Brumaghin, threat researcher, and Vitor Ventura, outreach researcher, both with Cisco Talos.
Researchers say adversaries are currently using proxyware services to run malware campaigns and monetize the internet bandwidth of victims. They compare the trend with how adversaries surreptitiously installed cryptocurrency mining software on victims’ computers in an attempt to monetize CPU cycles.
“These applications pose significant privacy and operational risks to organizations as they may allow nefarious or abusive network traffic to appear as if it originates from their corporate networks resulting in reputational damages that may also lead to service disruption,” researchers wrote.
With regards to this report, Threatpost is waiting for Honeygain and Nanowire, two leading services in this space, to reply to requests for comment.
Growing Trend and Associated Threats
Pinpointing how many consumers are using these types of services is difficult. To gauge interest and the user-base of Honeygain, market leader of the niche, Cisco examined subscriber growth of the Honeygain subreddit on Reddit from zero in 2019 to close to 8,000 as of July 2021. According to Cisco’s investigation, Honeygain boasted a quarter million users, based on Honeygain’s reported responses to a survey of its customers.
Estimating how many legitimate companies use proxyware services is equally hard.
“Investigating DNS activity associated with the API used by the Honeygain client, we identified a large number of queries being performed. This is another indicator that clearly demonstrates the popularity of this platform across the internet,” researchers wrote.
Active Abuse: Proxyware Services Under Attack
Cisco found a number of existing malware campaigns were distributing trojan-ized versions of the proxyware applications. “Threat actors are distributing the proxyware applications to monetize victims’ network bandwidth for the purposes of generating revenue,” researchers reported.
In other instances documented by Cisco, “threat actors are distributing malicious executables that pose as installers for legitimate proxyware applications like Honeygain. When executed, they will typically install the legitimate application, while also silently installing malware.”
As expected, adversaries adopt a number of different techniques, similar to those of malicious crypto-miners, both for running the application silently and maintaining process persistence.
Proxyware as a Tor Alternative
For adversaries, abuse of proxyware services offers the added benefits of anonymity.
“We believe attackers are highly likely to abuse these proxyware platforms, as they can be used to disguise an attacker’s origin more efficiently than Tor, since the exit nodes cannot be cataloged,” researchers said.
For the services themselves, the illegitimate use of their platforms by adversaries can mean end-users are blocklisted due to activities they don’t even control, researchers said. “It (also) increases organizations’ attack surface, potentially creating an initial attack vector directly on the endpoint.”
Security Teams: Consider Yourselves Warned
Cisco Talos classified proxyware as potentially unwanted applications (PUA) or potentially unwanted programs (PUP).
“These platforms may introduce significant risk to most corporate environments,” researchers noted.
Researchers said that an examination of the Honeygain platform revealed that “because of the way the communications are processed to facilitate the retrieval and delivery of content it may be possible to monitor the DNS activity of other platform users.”
Researchers said unencrypted content, such as HTTP traffic, could be intercepted and manipulated in transit by Honeygain nodes under adversarial control.
“These platforms also pose new challenges for researchers, since there is no way to identify a connection through these kinds of networks — the origin IP becomes even less meaningful in an investigation. Due to the various risks associated with these platforms, it is recommended that organizations consider prohibiting the use of these applications on corporate assets,” researchers advised.
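Cisco’s own measurement hook, DNS queries for the Honeygain client’s API, is also the cheapest place for a security team to look before deciding whether to prohibit these applications. The following is an added Python example written for this article, not Cisco Talos tooling: it parses a resolver query log, counts queries per client whose domain contains one of the service names mentioned in the report, and lists the hosts worth reviewing. The log format, the client addresses and the hostnames (placeholders under `.example`, not the vendors’ real API names, which the page does not give) are all constructed.

```python
import re
from collections import defaultdict

# Service names as listed in the report; the exact API hostnames the clients
# resolve are not given on the page, so the match is on the brand name
# appearing as a whole label of the queried domain (assumption).
PROXYWARE_KEYWORDS = ("honeygain", "nanowire", "iproyal", "peer2profit", "packetstream")

# Constructed sample log: "<timestamp> <client-ip> query <type> <qname>".
# The hostnames are placeholders under .example, not the vendors' real names.
SAMPLE_DNS_LOG = """\
2021-08-31T09:12:01Z 10.0.4.21 query A update.corp-intranet.example
2021-08-31T09:12:05Z 10.0.4.21 query A api.honeygain.example
2021-08-31T09:13:44Z 10.0.7.8 query A login.corp-sso.example
2021-08-31T09:14:02Z 10.0.4.21 query A api.honeygain.example
2021-08-31T09:15:19Z 10.0.9.33 query A node.packetstream.example
2021-08-31T09:16:40Z 10.0.4.21 query AAAA api.honeygain.example
2021-08-31T09:17:03Z 10.0.7.8 query A www.news-site.example
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$"
)


def parse_dns_log(text):
    """Yield (timestamp, client, qtype, qname) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("ts"), m.group("client"), m.group("qtype"), m.group("qname").lower()


def proxyware_queries(text):
    """Map client -> {service keyword: query count} for proxyware lookups."""
    hits = defaultdict(lambda: defaultdict(int))
    for _, client, _, qname in parse_dns_log(text):
        labels = qname.rstrip(".").split(".")
        for kw in PROXYWARE_KEYWORDS:
            if kw in labels:  # whole-label match avoids partial-name false positives
                hits[client][kw] += 1
    return {client: dict(counts) for client, counts in hits.items()}


def hosts_to_review(text, min_queries=1):
    """Clients whose proxyware query count reaches the threshold, busiest first."""
    totals = {c: sum(k.values()) for c, k in proxyware_queries(text).items()}
    ranked = sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
    return [client for client, n in ranked if n >= min_queries]


if __name__ == "__main__":
    for client, counts in proxyware_queries(SAMPLE_DNS_LOG).items():
        print(client, counts)
    print("review:", hosts_to_review(SAMPLE_DNS_LOG))
```

On the sample log the 10.0.4.21 host resolves the Honeygain placeholder three times and 10.0.9.33 the PacketStream one once, so both are returned for review. In production, replace the keyword list with the exact domains observed in your own resolver data, since a trojan-ized installer of the kind Cisco describes still has to reach the same service endpoints to earn its operator anything, which is what makes DNS a durable signal here.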
The popular Dynamic Pricing and Discounts plugin from Envato can be exploited by unauthenticated attackers.
A pair of security vulnerabilities in the WooCommerce Dynamic Pricing and Discounts plugin from Envato could allow unauthenticated attackers to inject malicious code into websites running unpatched versions. This can result in a variety of attacks, including website redirections to phishing pages, insertion of malicious scripts on product pages and more.
The plugin, which has 19,700+ sales on Envato Market, offers a variety of pricing and promotion tools for online retailers, including special offers, bulk pricing, tiered pricing, bundle pricing, deals of the day, flash sales, wholesale pricing, member pricing, individual pricing, loyalty programs, behavioral pricing, location-based pricing and so on. It also supports conditional price increase and extra fees.
According to researchers at the Ninja Technologies Network, the two unauthenticated vulnerabilities affect version 2.4.1 and below. The first is a high-severity stored cross-site scripting (XSS) bug; the second is a medium-severity settings export problem.
The XSS bug exists in the __construct method of the “wc-dynamic-pricing-and-discounts/classes/rp-wcdpd-settings.class.php” script, according to a Tuesday writeup from NinTechNet.
Also, the import function lacks a security nonce to prevent against cross-site request forgery (CSRF) attacks, where a user can submit unauthorized commands from a site that the web application trusts.
The second bug exists because a core export function lacks a capability check and is accessible to everyone, authenticated or not.
“An unauthenticated user can export the plugin’s settings, inject JavaScript code into the JSON file and reimport it using the previous vulnerability,” according to NinTechNet.
The issues are patched in version 2.4.2, though the CSRF check is still not fixed, researchers warned.
Users of WooCommerce, the popular e-commerce platform for WordPress, are no strangers to having to patch security problems, and it’s important to keep on top of patching. Last month, for instance, WooCommerce rushed emergency fixes for a critical SQL-injection security vulnerability in the core platform and a related plugin that had been under attack as a zero-day bug. The bug could allow unauthenticated cyberattackers to make off with scads of information from an online store’s database – anything from customer data and payment-card info to employee credentials.
The NAS maker issued two security advisories about the RCE and DoS flaws, adding to a flurry of advisories from the vast array of companies whose products use OpenSSL.
On Monday, QNAP put out two security advisories about OpenSSL remote-code execution and denial-of-service (DoS) bugs, fixed last week, that affect its network-attached storage (NAS) devices.
The vulnerabilities are tracked as CVE-2021-3711 – a high-severity buffer overflow related to SM2 decryption – and CVE-2021-3712, a medium-severity flaw that can be exploited for DoS attacks and possibly for the disclosure of private memory contents.
These OpenSSL flaws are spreading ripples far and wide.
That’s because OpenSSL is mostly used by network software – including being widely used by Internet servers and the majority of HTTPS websites – that use the TLS protocol (transport layer security), formerly known as SSL (secure sockets layer), to protect data in transit.
TLS has replaced SSL, which contained what Sophos’s Paul Ducklin called a “huge” number of cryptographic flaws. But many popular open-source programming libraries that support it – including OpenSSL, LibreSSL and BoringSSL, “have kept old-school product names for the sake of familiarity,” Ducklin commented in a recent drilldown into the OpenSSL bugs.
QNAP on Monday joined a parade of organizations whose products rely on OpenSSL and which are either investigating the flaws (in QNAP’s case) or have already released security advisories, including Linux distributions such as Red Hat (not affected), Ubuntu, SUSE, Debian and Alpine Linux.
QNAP Hammers Out Fixes
QNAP said that it’s “thoroughly investigating the case” and that it plans to release security updates and more information ASAP.
Same goes for NAS appliance maker Synology, which told its customers that the OpenSSL vulnerabilities affect its Synology DiskStation Manager (DSM), Synology Router Manager (SRM), VPN Plus Server and VPN Server products. On Thursday, Synology assigned “important” and “moderate” severity ratings to the vulnerabilities and said that it’s working on patches.
Yet another storage solutions provider, NetApp, is now trying to figure out which of its products may be affected. So far, it’s confirmed that Clustered Data ONTAP, E-Series SANtricity OS controller software, the NetApp Manageability SDK, NetApp SANtricity SMI-S Provider, and NetApp Storage Encryption are affected, and it’s investigating dozens more of its products.
Cisco and Broadcom are also expected to release advisories describing how the latest OpenSSL vulnerabilities will affect their products.
It turns out that the OpenSSL vulnerabilities affect QNAP NAS devices running the HBS 3 Hybrid Backup Sync data backup and disaster recovery tool, the QTS GUI, the QuTS hero operating system, and QuTScloud, which is an operating system for QNAP Cloud NAS virtual appliances.
According to Sophos’s Ducklin, the flaws could allow an attacker to trick an application “into thinking that something succeeded (or failed) when it didn’t, or even to take over the flow of program execution entirely.”
If successfully exploited, the flaws could allow remote attackers to execute arbitrary code with the permissions of the user running the application, QNAP said, which gives CVE-2021-3711 a high severity rating. CVE-2021-3712 allows remote attackers to disclose memory data or execute a DoS attack, making it a medium-severity flaw.
MITRE has published the technical details for CVE-2021-3712 and CVE-2021-3711.
CVE-2021-3711 is a heap-based buffer overflow. These bugs generally lead to crashes but can also translate into lack of availability, including putting the program into an infinite loop. Such vulnerabilities can also allow attackers to carry out RCE, bypass protection, or to modify memory.
According to MITRE, the CVE-2021-3711 bug in OpenSSL allows an attacker who can present SM2 content – SM2 being an elliptic-curve public-key algorithm used for digital signatures, key exchange and encryption – to send data that overflows the buffer by up to a maximum of 62 bytes, “altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash.”
As Sophos’s Ducklin explained when writing about this decryption bug, OpenSSL includes implementations of the SM algorithms: It uses SM2 for key agreement and digital signatures, SM3 for hashing, and SM4 for block encryption. On the plus side, Sophos researchers don’t think that crooks are going to be able to exploit this bug, given that “official TLS support for ShangMi was only introduced in RFC 8998, dated March 2021, so it’s a newcomer to the world’s cryptographic stable.”
As Ducklin wrote, although OpenSSL does include implementations of SM2, SM3 and SM4, “it doesn’t yet include the code needed to allow you to choose these algorithms as a ciphersuite for use in TLS connections.”
“You can’t ask your TLS client code to request a ShangMi connection to someone else’s server, as far as we can see; and you can’t get your TLS server code to accept a ShangMi connection from someone else’s client.
“So the bug is in there, down in the low-level OpenSSL libcrypto code, but if you use OpenSSL at the TLS level to make or accept secure connections, we don’t think you can open up a session in which the buggy code could be triggered.
“In our opinion, that greatly reduces the likelihood of criminals abusing this flaw to implant malware on your laptop, for example by luring you to a booby-trapped website and presenting you with a rogue certificate during connection setup.” —Sophos’s Paul Ducklin
The CVE-2021-3712 flaw is caused by a read buffer overrun weakness while processing ASN.1 strings. MITRE explains that ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure that contains a buffer holding the string data and a field holding the buffer length, as opposed to normal C strings that are represented as a buffer for the string data, which is terminated with a NUL (0) byte. “If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit,” according to MITRE. That could lead to a crash, causing DoS or could also lead to disclosure of private memory contents, such as private keys or even sensitive content in plaintext.
Both of the OpenSSL bugs were fixed in OpenSSL 1.1.1l on Tuesday of last week.
Fix Them If You Can
Sophos’s Ducklin recommended upgrading to OpenSSL 1.1.1l if possible. “Although most software on Windows, Mac, iOS and Android will not be using OpenSSL, because those platforms have their own alternative TLS implementations, some software may include an OpenSSL build of its own and will need updating independently,” he noted. “If in doubt, consult your vendor. Most Linux distros will have a system-wide version of OpenSSL, so check with your distro for an update. (Note: Firefox doesn’t use OpenSSL on any platforms.)”
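Ducklin’s point that some software ships its own OpenSSL build is easy to check from inside an application. The following is an added Python example written for this article, not Sophos or QNAP tooling: it parses the text printed by `openssl version` (or exposed as `ssl.OPENSSL_VERSION`), decides for the 1.1.1 branch whether the build is at or past the 1.1.1l fix named above, and reports on the OpenSSL that the running Python interpreter itself is linked against. The sample banners are constructed inputs; the assessment covers only the 1.1.1 branch, and returns the page’s own “consult your vendor” advice for anything else.

```python
import re
import ssl

_BANNER_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Turn 'OpenSSL 1.1.1k  25 Mar 2021' into (1, 1, 1, 'k').

    Accepts the text printed by `openssl version` or ssl.OPENSSL_VERSION."""
    m = _BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError(f"not an OpenSSL version string: {banner!r}")
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def assess(version):
    """Classify a parsed version against the 1.1.1l fix named in the advisory.

    Only the 1.1.1 branch is decided here; anything else returns 'consult
    vendor', which is the page's own advice for builds it does not cover."""
    major, minor, fix, letter = version
    if (major, minor, fix) != (1, 1, 1):
        return "consult vendor"
    # Patch releases are lettered a, b, c, ...; the bare 1.1.1 (empty letter)
    # sorts before 'a', and 'l' and later carry the fix.
    return "fixed" if letter >= "l" else "needs update to 1.1.1l or later"


def local_python_openssl():
    """Report on the TLS library linked into this Python interpreter.

    This is Python's copy, which may be a bundled build distinct from the
    system library (Ducklin's point about independent updates). On builds
    linked against LibreSSL the banner is not an OpenSSL one and is reported
    as such rather than assessed."""
    banner = ssl.OPENSSL_VERSION
    try:
        status = assess(parse_openssl_version(banner))
    except ValueError:
        status = "not an OpenSSL build"
    return {"banner": banner, "status": status}


if __name__ == "__main__":
    # Constructed sample banners in the format `openssl version` prints.
    for banner in ("OpenSSL 1.1.1k  25 Mar 2021",
                   "OpenSSL 1.1.1l  24 Aug 2021",
                   "OpenSSL 1.0.2u  20 Dec 2019"):
        print(f"{banner:32} -> {assess(parse_openssl_version(banner))}")
    print(local_python_openssl())
```

Treat a “needs update” result as a prompt to check with the distribution rather than a verdict: as Ducklin notes, most Linux distros ship a system-wide OpenSSL, and several of them backport fixes while keeping the upstream version string unchanged, so the package changelog is the authoritative record. The same parser can be pointed at the banner of any other bundled copy you find on a host (`strings` on a library, or the vendor’s advisory text) to build an inventory of independently updated builds.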
There’s no shortage of reasons to heed his advice, given that criminal gangs already have NAS devices in their crosshairs. In a report published a few weeks ago, Palo Alto Networks’ Unit 42 researchers said that they’d discovered a new variant of the eCh0raix ransomware strain that exploited a critical bug, CVE-2021-28799 – an improper authorization vulnerability that gives attackers access to hard-coded credentials so as to plant a backdoor account – in the Hybrid Backup Sync (HBS 3) software on QNAP’s NAS devices.
The nearly year-old eCh0raix ransomware strain has been used to target both QNAP and Synology network-attached storage (NAS) devices in past, separate campaigns, but the new variant is more efficient: It can target either vendor’s devices in a single campaign.