Category: threatpost

threat post logo

Fortress Home Security Open to Remote Disarmament

A pair of unpatched security vulnerabilities can allow unauthenticated cyberattackers to turn off window, door and motion-sensor monitoring.

A pair of vulnerabilities in the Fortress S03 WiFi Home Security System could allow cyberattackers to remotely disarm the system, leaving homes open to unlawful entry.
The Fortress platform is a consumer-grade home security system that allows users to mix and match various sensors, IP cameras and accessories, connecting them via Wi-Fi to create a personalized security system. RF fobs are used for system control, arming and disarming monitors on doors, windows and motion detectors.

According to Rapid7 researcher Arvind Vishwakarma, who discovered the bugs, the “vulnerabilities could result in unauthorized access to control or modify system behavior, and access to unencrypted information in storage or in transit.”
Both bugs remain unpatched.
Disarming Home Security Systems
The first vulnerability, tracked as CVE-2021-39276, is due to an insecure cloud API deployment, he said in a Tuesday post. Unauthenticated users can trivially exploit it to retrieve a secret that can then be used to alter the system’s functionality remotely. To disarm an alarm system, attackers can send a specially crafted unauthenticated POST to the API.
“If a malicious actor knows a user’s email address, they can use it to query the cloud-based API to return an International Mobile Equipment Identity (IMEI) number, which appears to also serve as the device’s serial number,” Vishwakarma said. “With a device IMEI number and the user’s email address, it is then possible for a malicious actor to make changes to the system, including disarming its alarm.”
According to Rapid7, it’s important to note that the effort to exploit this may be too much for random, opportunistic home invaders, but in a stalker/restraining order type of situation where the person already knows the target and is in possession of an email address, the urgency to mitigate the problem increases, given the potential for physical violence.
“The likelihood of exploitation of these issues is pretty low,” Tod Beardsley, director of research at Rapid7, told Threatpost. “An opportunistic home invader is not likely to be a cybersecurity expert, after all. However, I am concerned about a scenario where the attacker already knows the victim well, or at least, well enough to know their email address, which is all that is really required to disable these devices from over the internet using CVE-2021-39276.”
An RF Weakness
The second issue, tracked as CVE-2021-39277, involves the RF signals used to communicate between the key fobs, door/window contact sensors and the Fortress Console, which are sent in the 433 MHz band. Specifically, anyone within RF signal range could capture and replay RF signals to alter systems behavior, resulting in disarmament.
“When a radio-controlled device has not properly implemented encryption or rotating key protections, this can allow an attacker to capture command-and-control signals over the air and then replay those radio signals in order to perform a function on an associated device,” according to Vishwakarma.
In a proof-of-concept exploit, researchers used a software-defined-radio (SDR) device to capture normal operations of the device’s “arm” and “disarm” commands. Then, replaying the captured RF signal communication command would arm and disarm the system without further user interaction.
An exploit requires an attacker to be within physical range, staking out the property and waiting for the victim to use an RF-controlled device on the system – no prior knowledge of the victim is necessary.
To exploit the RF weakness, “the attacker would need to be both reasonably conversant in SDR in order to capture and replay the signals, and be within reasonable radio range,” Beardsley told Threatpost. “What that range is would depend on the sensitivity of the gear being used, but typically this sort of eavesdropping requires line of sight and pretty close proximity – across the street or so.”
How to Protect Against Fortress Home Security Attacks
As mentioned, there is, unfortunately, no firmware update available for either vulnerability. The vendor closed the ticket that Rapid7 opened on the bugs without comment, and didn’t respond to researchers’ follow-ups.
“In the past, we’ve seen that vendors that are unresponsive prior to disclosure tend to respond after disclosure, and tend to address these issues pretty quickly,” Beardsley said. “I’m hopeful that’ll be the case with this issue.”
There is, however, a workaround for the first issue. Because an attack requires the system’s email address, “we suggest registering the device with a secret, one-time use email address, that can function as a sort of weak password,” Beardsley told Threatpost. “Absent an authentication update from the vendor, I feel like this is an okay workaround.”
For CVE-2021-39277, there’s “very little a user can do to mitigate the effects of the RF replay issues absent a firmware update to enforce cryptographic controls on RF signals,” according to the post. Rapid7 advised that users could avoid using key fobs and other RF devices linked to Fortress to avoid an attack.
This is just the latest vulnerabilities to be found in internet of things (IoT) devices, pointing out a continuing need for security by design on the part of hardware vendors.
“A proper cloud infrastructure can greatly benefit IoT security by enabling automatic updates and insulating users from many local security threats, but it can also magnify the impact of vendor programming errors,” Craig Young, principal security researcher at Tripwire, said via email. “Whereas a vulnerability within an individual device is generally exploited by a nearby attacker, vulnerabilities within a vendor infrastructure can expose all users at once.”
Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.


Cream Finance DeFi Platform Rooked For $29M

Cream is latest DeFi platform to get fleeced in rash of attacks.

Cream Finance is the latest decentralized finance (DeFi) platform for cryptocurrency trading to take a major financial hit at the hands of hackers, losing nearly $19 million in an attack this week on its “flash loan” feature.
The attacker was able to steal nearly $29 million before being discovered, 418,311,571 in Amp Coin and 1,308.09 in Ethereum cryptocurrency, Cream Finance confirmed.

“We have stopped the exploit by pausing supply and borrow on AMP,” the company statement said. “No other markets were affected.”

C.R.E.A.M. v1 market on Ethereum has suffered an exploit, resulting in a loss of 418,311,571 in AMP and 1,308.09 in ETH, by way of reentrancy on the AMP token contract.
We have stopped the exploit by pausing supply and borrow on AMP. No other markets were affected.
— Cream Finance 🍦 (@CreamdotFinance) August 30, 2021

DeFi platforms connect various cryptocurrency blockchains to create a decentralized infrastructure for borrowing, trading and other transactions.
Cream Finance Hit With Reentry Attack
According to researchers at PeckShield, a bug in the feature allowed the threat actors to pull off a “reentry attack,” which allows funds to be borrowed on a loop, repeatedly, while the previous transaction is being processed.
“The hack is made possible due to a reentrancy bug introduced by $AMP, which is an ERC777-like token and exploited to re-borrow assets during its transfer, before updating its first borrow,” PeckShield explained.

2/4 The hack is made possible due to a reentrancy bug introduced by $AMP, which is an ERC777-like token and exploited to re-borrow assets during its transfer before updating the first borrow.
— PeckShield Inc. (@peckshield) August 30, 2021

The attack on Cream Finance comes just days after Poly Networks suffered a $610 million theft, the largest DeFi breach in history, before the money was returned by the attacker in a weird twist, likely after the criminal figured out that stealing the crypto is easier than making a withdrawal.
Solidity Leaves Plenty of Room for Error
The complexity of implementing Solidity coding language used to create DeFi “smart contracts” on a variety of blockchain platforms leaves plenty of room of coding errors, and opportunity for attackers, Joe Stewart with PhishLabs told Threatpost. An error in smart-contract coding is what enabled the Cream Finance reentry attack, Stewart said.
“The recent security breach of the Cream Finance platform was facilitated by the latest in a long chain of smart contract vulnerabilities introduced by human error (or possibly insider attacks),” Stewart said. “Because Solidity is an evolving language, it is very easy to shoot yourself in the foot by something as simple as failing to include the correct function modifier in your code – exactly what happened to the author of the Cream Finance smart contract.”
The layers of complexity are made even more tricky once those DeFi smart contracts start interacting with others,” Stewart added.
“The increasing complexity of DeFi contracts that interact with one another (possibly even across different blockchains) make it difficult to predict all possible code paths that could lead to privilege escalation and loss of funds locked in the contract,” Stewart added. “This is what happened in the recent PolyNetwork hack resulting in $610M being stolen (although subsequently returned by the hacker).”
Tal Be’ery, co-founder of ZenGo, pointed out via tweet that in both the attacks on both Cream and Poly Networks, the threat actors wouldn’t have been able to test their various exploits in a lab environment, they were likely poking around for some time in the systems looking for a hole.
Attackers Sharpening Tools, Attacks
“The attackers had to develop and test their exploits against a real chain, because it’s too complex to set up in a lab,” Be’ery explained. “A good monitoring (and) alert solution might have given enough time to fix.”

A very important corollary from #polynetworkhack .The attackers had to develop and test their exploits against the real chain, because it’s too complex to set it up in the lab.A good monitoring + alert solution might have given enough time to fix.
— Tal Be’ery (@TalBeerySec) August 15, 2021

As DeFi platforms figure out how to shore up security, Karl Steinkamp with Coalfire warned that threat actors, motivated by volatile crypto-bubbles, are working overtime to refine attacks.
“Given the generally appreciating value of crypto-assets, bad actors will likely continue to use them for many more years into the future,” Steinkamp told Threatpost. “While it has been seen currently to a limited extent over the last 10 years, bad cybercriminals will need to get smarter in using blockchains and crypto if they are going to be successful, which will likely include mixing tools and more off-chain and/or hardware addressed wallets.”
And the most recent data shows DeFi platforms were on the receiving end of 76 percent of all major hacks in 2021 and even before the Poly Networks hack, losses for 2021 had already exploded by 180 percent over last year, according to Atlas VPN.
With rising risk of theft, its going to be up to the DeFi platforms themselves and larger cryptocurrency community to offer some reassurance it’s safe.
“The crypto-industry has generated a lot of excitement; however, many newcomers are unaware of the risks,” Atlas VPN’s researchers said. “Lack of regulation in the crypto-industry allows cybercriminals to thrive either by hacking less secured DeFi projects or by carrying out rug pull scams. For DeFi to become more legitimate, it is essential to establish security and business regulations.”
In the meantime, KnowBe4’s James McQuiggan suggested that users concerned about security should keep their cryptocurrency stored offline.
“Whether reverse-engineering the cryptography or attacking the source, cybercriminals continue to find ways to circumvent controls to steal money for their financial gain and ruin the customers’ portfolios,” McQuiggan said. “It demonstrates that users should maintain offline wallets to protect a large portion of their investments versus having them all in one location and risk losing their entire investment through a data breach or attack.”
Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

threat post logo

Proxyware Services Open Orgs to Abuse – Report

Services that let consumers resell their bandwidth for money are ripe for abuse, researchers warn.

Services that allow consumers to resell their own internet bandwidth for profit to businesses that want to resell it are ripe for abuse, according to researchers.
The burgeoning business model is growing in popularity with consumers who earn about $1 for every 10GB of their bandwidth shared with services that include Honeygain, Nanowire, IPRoyal Pawns, Peer2Profit and PacketStream.

“These relatively new platforms were built with a legitimate purpose, but attackers quickly found ways to abuse them,” according to a report by Cisco Talos posted Tuesday. Services are delivered as desktop and mobile applications. Apps fall into a category called proxyware, because they turn the device running the software into a type of proxy server.
Proxyware services are attractive to businesses that use them for internet-related traffic research, such as search engine optimization. The ability to access residential and geographically diverse IP addresses can be extremely helpful. Uses also include testing potential online advertising campaigns or circumventing commercial network restrictions.
For consumers, Cisco points out, proxyware services are “advertised as a means to circumvent geolocation checks on streaming or gaming platforms,” while at the same time allowing consumers to generate income for the use of their bandwidth.
Why Are Proxyware Services Potentially Dangerous?
Researchers found that abuse of the services – by consumers and adversaries – present a myriad of risks, including:

Malicious or trojan-ized versions of bandwidth-sharing application distributed by adversaries
Corporate networks exposed to malicious versions of proxyware
Employee abuse of company networks running the app or multiple versions of the service
Businesses using proxyshare platforms potentially exposing unencrypted internet traffic to malicious hosts
Consumers accruing bandwidth overage fees when running app on a mobile device

Growing Proxyware Trend Presents Cybersecurity Challenges
“As proxyware has grown in popularity, attackers have taken notice and are now attempting to exploit this interest to monetize their malware campaigns,” according to the report’s co-authors: Edmund Brumaghin, threat researcher, and Vitor Ventura, outreach researcher, both with Cisco Talos.
Researchers say adversaries are currently using proxyware services to run malware campaigns and monetize the internet bandwidth of victims. They compare the trend with how adversaries surreptitiously installed cryptocurrency mining software on victims’ computers in an attempt to monetize CPU cycles.
“These applications pose significant privacy and operational risks to organizations as they may allow nefarious or abusive network traffic to appear as if it originates from their corporate networks resulting in reputational damages that may also lead to service disruption,” researchers wrote.
With regards to this report, Threatpost is waiting for Honeygain and Nanowire, two leading services in this space, to reply to requests for comment.
Growing Trend and Associated Threats
Pinpointing how many consumers are using these types of services is difficult. To gauge interest and the user-base of Honeygain, market leader of the niche, Cisco examined subscriber growth of the Honeygain subreddit on Reddit from zero in 2019 to close to 8,000 as of July 2021. According to Cisco’s investigation, Honeygain boasted a quarter million users, based on Honeygain’s reported responses to a survey of its customers.
Estimating how many legitimate companies use proxyware services is equally hard to determine.
“Investigating DNS activity associated with the API used by the Honeygain client, we identified a large number of queries being performed. This is another indicator that clearly demonstrates the popularity of this platform across the internet,” researchers wrote.
Active Abuse: Proxyware Services Under Attack
Cisco found a number of existing malware campaigns were distributing trojan-ized versions of the proxyware applications. “Threat actors are distributing the proxyware applications to monetize victims’ network bandwidth for the purposes of generating revenue,” researchers reported.
In other instances documented by Cisco, “threat actors are distributing malicious executables that pose as installers for legitimate proxyware applications like Honeygain. When executed, they will typically install the legitimate application, while also silently installing malware.”
As expected, adversaries adopt a number of different techniques, similar to those of malicious crypto-miners, both for running the application silently and maintaining process persistence.
Proxyware as a Tor Alternative
For adversaries, abuse of proxyware services offers the added benefits of anonymity.
“We believe attackers are highly likely to abuse these proxyware platforms, as they can be used to disguise an attacker’s origin more efficiently than Tor, since the exit nodes cannot be cataloged,” researchers said.
For the services themselves, the illegitimate use of their platforms by adversaries can mean end-users are blocklisted due to activities they don’t even control, researchers said. “It (also) increases organizations’ attack surface, potentially creating an initial attack vector directly on the endpoint.”
Security Teams: Consider Yourselves Warned
Cisco Talos classified proxyware as potentially unwanted applications (PUA) or potentially unwanted programs (PUP).
“These platforms may introduce significant risk to most corporate environments,” researchers noted.
Researchers said that an examination of the Honeygain platform revealed that “because of the way the communications are processed to facilitate the retrieval and delivery of content it may be possible to monitor the DNS activity of other platform users.”
Researchers said unencrypted content, such as HTTP traffic, could be intercepted and manipulated in transit by Honeygain nodes under adversarial control.
“These platforms also pose new challenges for researchers, since there is no way to identify a connection through these kinds of networks — the origin IP becomes even less meaningful in an investigation. Due to the various risks associated with these platforms, it is recommended that organizations consider prohibiting the use of these applications on corporate assets,” researchers advised.

threat post logo

WooCommerce Pricing Plugin Allows Malicious Code-Injection

The popular Dynamic Pricing and Discounts plugin from Envato can be exploited by unauthenticated attackers.

A pair of security vulnerabilities in the WooCommerce Dynamic Pricing and Discounts plugin from Envato could allow unauthenticated attackers to inject malicious code into websites running unpatched versions. This can result in a variety of attacks, including website redirections to phishing pages, insertion of malicious scripts on product pages and more.
The plugin, which has 19,700+ sales on Envato Market, offers a variety of pricing and promotion tools for online retailers, including special offers, bulk pricing, tiered pricing, bundle pricing, deals of the day, flash sales, wholesale pricing, member pricing, individual pricing, loyalty programs, behavioral pricing, location-based pricing and so on. It also supports conditional price increase and extra fees.
According to researchers at the Ninja Technologies Network, the two unauthenticated vulnerabilities affect version 2.4.1 and below. The first is a high-severity stored cross-site scripting (XSS) bug; the second is a medium-severity settings export problem.
The XSS bug exists in the __construct method of the “wc-dynamic-pricing-and-discounts/classes/rp-wcdpd-settings.class.php” script, according to a Tuesday writeup from NinTechNet.
“It lacks a capability check and a security nonce and thus is accessible to everyone, authenticated or not,” researchers explained. “An unauthenticated user can import the plugin’s settings. Because some fields aren’t sanitized, the attacker can inject JavaScript code into the imported JSON-encoded file.”
If successful, the code will be executed on every product page of the WooCommerce e-shop, they added. Additionally, attackers could replace JavaScript code with any HTML tags, such as a Meta Refresh tag, which could be used to redirect visitors and customers to a malicious website.
Also, the import function lacks a security nonce to prevent against cross-site request forgery (CSRF) attacks, where a user can submit unauthorized commands from a site that the web application trusts.
The second bug exists because a core export function lacks a capability check and is accessible to everyone, authenticated or not.
“An unauthenticated user can export the plugin’s settings, inject JavaSript code into the JSON file and reimport it using the previous vulnerability,” according to NinTechNet.
The issues are patched in version 2.4.2, though the CSRF check is still not fixed, researchers warned.
Users of WooCommerce, the popular e-commerce platform for WordPress, are no strangers to having to patch security problems, and it’s important to keep on top of patching. Last month for instance WooCommerce rushed emergency fixes for a critical SQL-injection security vulnerability in the core platform and a related plugin that had been under attack as a zero-day bug, for instance. The bug could allow unauthenticated cyberattackers to make off with scads of information from an online store’s database – anything from customer data and payment-card info to employee credentials.
Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

threat post logo

QNAP Is Latest to Get Dinged by OpenSSL Bugs Fallout

The NAS maker issued two security advisories about the RCE and DoS flaws, adding to a flurry of advisories from the vast array of companies whose products use OpenSSL.

On Monday, QNAP put out two security advisories about OpenSSL remote-code execution and denial-of-service (DoS) bugs, fixed last week, that affect its network-attached storage (NAS) devices.
The vulnerabilities are tracked as CVE-2021-3711 – a high-severity buffer overflow related to SM2 decryption– and CVE-2021-3712, a medium-severity flaw that can be exploited for DoS attacks and possibly for the disclosure of private memory contents.
These OpenSSL flaws are spreading ripples far and wide.
That’s because OpenSSL is mostly used by network software – including being widely used by Internet servers and the majority of HTTPS websites – that use the TLS protocol (transport layer security), formerly known as SSL (secure sockets layer), to protect data in transit.
TLS has replaced SSL, which contained what Sophos’s Paul Ducklin called a “huge” number of cryptographic flaws. But many popular open-source programming libraries that support it – including OpenSSL, LibreSSL and BoringSSL, “have kept old-school product names for the sake of familiarity,” Ducklin commented in a recent drilldown into the OpenSSL bugs.
QNAP on Monday joined a parade of organizations whose products rely on OpenSSL and which are either investigating the flaws (in QNAP’s case) or have already released security advisories, including Linux distributions such as Red Hat (not affected), Ubuntu, SUSE, Debian and Alpine Linux.
QNAP Hammers Out Fixes
QNAP said that it’s “thoroughly investigating the case” and that it plans to release security updates and more information ASAP.
Same goes for NAS appliance maker Synology, which told its customers that the OpenSSL vulnerabilities affect its Synology DiskStation Manager (DSM), Synology Router Manager (SRM), VPN Plus Server and VPN Server products. On Thursday, Synology assigned “important” and “moderate” severity ratings to the vulnerabilities and said that it’s working on patches.
Yet another storage solutions provider, NetApp, is now trying to figure out which of its products may be affected. So far, it’s confirmed that Clustered Data ONTAP, E-Series SANtricity OS controller software, the NetApp Manageability SDK, NetApp SANtricity SMI-S Provider, and NetApp Storage Encryption are affected, and it’s investigating dozens more of its products.
Cisco and Broadcom are also expected to release advisories describing how the latest OpenSSL vulnerabilities will affect their products.
QNAP’s Advisories
It turns out that the OpenSSL vulnerabilities affect QNAP NAS devices running the HBS 3 Hybrid Backup Sync data backup and disaster recovery tool, the QTS GUI, the QuTS hero operating system, and QuTScloud, which is an operating system for QNAP Cloud NAS virtual appliances.
According to Sophos’s Ducklin, the flaws could allow an attacker to trick an application “into thinking that something succeeded (or failed) when it didn’t, or even to take over the flow of program execution entirely.
If successfully exploited, the flaws could allow remote attackers to execute arbitrary code with the permissions of the user running the application, QNAP said, which gives CVE-2021-3711 a high severity rating. CVE-2021-3712 allows remote attackers to disclose memory data or execute a DoS attack, making it a medium-security flaw.
MITRE has the technical details here for CVE-2021-3712 and CVE-2021-3711.
CVE-2021-3711 is a heap-based buffer overflow. These bugs generally lead to crashes but can also translate into lack of availability, including putting the program into an infinite loop. Such vulnerabilities can also allow attackers to carry out RCE, bypass protection, or to modify memory.
According to MITRE, the CVE-2021-3711 bug in OpenSSL allows an attacker who can present SM2 content – SM2 being a public key cryptographic algorithm based on elliptic curves that’s used to generate and verify digital signatures for decryption – to send data that overflows the buffer by up to a maximum of 62 bytes, “altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash.”
As Sophos’s Ducklin explained when writing about this decryption bug, OpenSSL includes implementations of the SM algorithms: It uses SM2 for key agreement and digital signatures, SM3 for hashing, and SM4 for block encryption. On the plus side, Sophos researchers don’t think that crooks are going to be able to exploit this bug, given that “official TLS support for ShangMi was only introduced in RFC 8998, dated March 2021, so it’s a newcomer to the world’s cryptographic stable.”
As Ducklin wrote, OpenSSL does include implementations of SM2, SM3 and SM4, “it doesn’t yet include the code needed to allow you to choose these algorithms as a ciphersuite for use in TLS connections.”
“You can’t ask your TLS client code to request a ShangMi connection to someone else’s server, as far as we can see; and you can’t get your TLS server code to accept a ShangMi connection from someone else’s client.
“So the bug is in there, down in the low-level OpenSSL libcrypto code, but if you use OpenSSL at the TLS level to make or accept secure connections, we don’t think you can open up a session in which the buggy code could be triggered.
“In our opinion, that greatly reduces the likelihood of criminals abusing this flaw to implant malware on your laptop, for example by luring you to a booby-trapped website and presenting you with a rogue certificate during connection setup.” —Sophos’s Paul Ducklin
Technical Details
The CVE-2021-3712 flaw is caused by a read buffer overrun weakness while processing ASN.1 strings. MITRE explains that ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure that contains a buffer holding the string data and a field holding the buffer length, as opposed to normal C strings that are represented as a buffer for the string data, which is terminated with a NUL (0) byte. “If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit,” according to MITRE. That could lead to a crash, causing DoS or could also lead to disclosure of private memory contents, such as private keys or even sensitive content in plaintext.
Both of the OpenSSL bugs were fixed in OpenSSL 1.1.1l on Tuesday of last week.
Fix Them If You Can
Sophos’s Ducklin recommended upgrading to OpenSSL 1.1.1l if possible. “Although most software on Windows, Mac, iOS and Android will not be using OpenSSL, because those platforms have their own alternative TLS implementations, some software may include an OpenSSL build of its own and will need updating independently,” he noted. “If in doubt, consult your vendor. Most Linux distros will have a system-wide version of OpenSSL, so check with your distro for an update. (Note: Firefox doesn’t use OpenSSL on any platforms.)”
There’s no shortage of reasons to heed his advice, given that criminal gangs already have NAS devices in their crosshairs. In a report published a few weeks ago, Palo Alto Network Unit 42 researchers said that they’d discovered a new variant of the eCh0raix ransomware string that exploited a critical bug, CVE-2021-28799 – an improper authorization vulnerability that gives attackers access to hard-coded credentials so as to plant a backdoor account – in the Hybrid Backup Sync (HBS 3) software on QNAP’s NAS devices.
The nearly year-old eCh0raix ransomware strain has been used to target both QNAP and Synology network-attached storage (NAS) devices in past, separate campaigns, but the new variant is more efficient: It can target either vendors’ devices in a single campaign.

threat post logo

Top 3 APIs Vulnerabilities: Why Apps are Owned by Cyberattackers

Jason Kent, hacker-in-residence at Cequence, talks about how cybercriminals target apps and how to thwart them.

Application programming interfaces (APIs) have become the glue that holds today’s apps together. There’s an API to turn on the kitchen lights while still in bed. There’s an API to change the song playing on your house speakers. Whether the app is on your mobile device, entertainment system or garage door, APIs are what developers use to make applications function.
There are three major vulnerability types that cyberattackers target in order to “own” apps. But first, some background on what makes APIs such a security concern.
APIs can operate much the same way that a URL might operate. Typing “www.example[.]com” into a web browser will elicit a response from Search for your favorite song and you will see the following in the URL bar: “{myfavoritesong}.”

The page result is dynamically built to present you with your search findings. Your mobile banking app operates in the same manner, with the API grabbing your name, account number and account balance — and populating the fields in the pre-built pages accordingly. While APIs have similar characteristics to web applications, they are far more susceptible to attacks; they include the entire transaction, including any security checks, and are typically communicating directly to a back-end service.
Increased API Vulnerabilities: History Repeats Itself
In the late 1990s folks figured out that you could often drop a single quote ” ‘ ” into a search box or login field and the application would respond with a database error. Understanding SQL database syntax means that a vulnerable application was simply a wide-open application that one could potentially have total control over. And once found, SQL vulnerabilities were often attacked.
This reflects the problems we have had in application security forever: Input validation. Without proper function and security testing, APIs can become a perfect point of attack. Trusted by the application, with high-speed, massive data exchanges possible, APIs are a cause for concern for any organization that is utilizing them or developing them for use.
Top 3 API Vulnerabilities
In my work with customers in the application-security market and my long-time involvement in the Open Web Application Security Project (OWASP) community, I commonly see API vulnerability exploits. Here are three of the most common types:

Broken Object Level Authorization (BOLA): The layperson’s definition of BOLA is “insufficient validation of an object access request,” which allows an attacker to perform an unauthorized action by reusing an access token. The Peloton security incident is one of many recent BOLA exploit examples where an attacker could view all of the data, including anything marked private, in another user’s profile. The business impact of the Peloton incident was significant, likely impacting every business group from development to operations to marketing and public relations.

Broken User Authentication: Defined as “implementation flaws in authentication mechanisms,” these bugs allow attackers to impersonate legitimate users. Two common types of exploits come to mind here. The first is credential stuffing executed by automated bots. Finding a login API with a broken user authentication flaw is a perfect target for an automated attack. A more sophisticated use of this flaw is for reconnaissance, to determine how the API works. If I put in a username/password combo of “[email protected]/” password and the application says “invalid password” then I know this is a valid username. An attacker will use this data point to increase their chances of credential-stuffing (or other type of attack) success.

Improper Assets Management: This API flaw is the result of “insufficient environment segregation and management,” and allows attackers to access under-secured API endpoints. In the recent John Deere security incident, a developer API that was part of the John Deere partner program had access to production data without redactions, [potentially] exposing John Deere customers utilizing the tractor giant’s Green Star system. Stating the obvious, the flaw lied in the lack of separation between the two environments. Additional gaps that fall into this category include not monitoring for sensitive data in a development API, and keeping deprecated APIs online/exposed.

Fixing the Problem
2021 is already the year of the API security incident, and the year is not over. API flaws impact the entire business – not just dev, or security or the business groups. Finger-pointing has never fixed the problem. The fix begins with collaboration; development needs a full understanding from business groups on how the API should function. API coding is different, so a refresh on secure coding practices is warranted. And security needs to be involved upfront, to help uncover gaps before publication.
A great place to start is with the OWASP. It has published the API Security Top 10 and recently published the Completely Ridiculous API, which includes examples of bad APIs in an application. Organizations can use the Completely Ridiculous API online or in-house as an educational platform to train development and security on the errors to avoid when utilizing APIs.
Whether you are utilizing an “API-first approach” or just starting your journey into digital transformation aided by APIs, knowing the vulnerabilities that are out there and what might happen if something is missed, is crucial.
Jason Kent is hacker-in-residence at Cequence Security.
Enjoy additional insights from Threatpost’s Infosec Insiders community by visiting our microsite.

threat post logo

LockFile Ransomware Uses Never-Before Seen Encryption to Avoid Detection

Researchers from Sophos discovered the emerging threat in July, which exploits the ProxyShell vulnerabilities in Microsoft Exchange servers to attack systems.

Researchers discovered a novel ransomware emerging on the heels of the ProxyShell vulnerabilities discovery in Microsoft Exchange servers. The threat, dubbed LockFile, uses a unique “intermittent encryption” method as a way to evade detection as well as adopting tactics from previous ransomware gangs.
Discovered by researchers at Sophos, LockFile ransomware encrypts every 16 bytes of a file, which means some ransomware protection solutions don’t notice it because  “an encrypted document looks statistically very similar to the unencrypted original,” Mark Loman, director, engineering, for next-gen technologies at Sophos, wrote in a report on LockFile published last week.
“We haven’t seen intermittent encryption used before in ransomware attacks,” he wrote.

The ransomware first exploits unpatched ProxyShell flaws and then uses what’s called a PetitPotam NTLM relay attack to seize control of a victim’s domain, researchers explained. In this type of attack, a threat actor uses Microsoft’s Encrypting File System Remote Protocol (MS-EFSRPC) to connect to a server, hijack the authentication session, and manipulate the results such that the server then believes the attacker has a legitimate right to access it, Sophos researchers described in an earlier report.
LockFile also shares some attributes of previous ransomware as well as other tactics—such as forgoing the need to connect to a command-and-control center to communicate–to hide its nefarious activities, researchers found.
“Like WastedLocker and Maze ransomware, LockFile ransomware uses memory mapped input/output (I/O) to encrypt a file,” Loman wrote in the report. “This technique allows the ransomware to transparently encrypt cached documents in memory and causes the operating system to write the encrypted documents, with minimal disk I/O that detection technologies would spot.”
Deeper Dive
Researchers analyzed LockFile using sample of the ransomware with the SHA-256 hash  “bf315c9c064b887ee3276e1342d43637d8c0e067260946db45942f39b970d7ce” that they discovered on VirusTotal. Upon opening, the sample appears to have only three functions and three sections.
The first section, named OPEN, contains no data – only zeroes, researchers said. It’s the second section, CLSE, that includes the sample’s three functions. However, rest of the data in the section is encoded code that is decoded later and placed in the “OPEN” section, which researchers examined in depth, they said.
“The entry() function is simple and calls FUN_1400d71c0():,” researchers wrote. “The FUN_1400d71c0() function decodes the data from the CLSE section and puts it in the OPEN section. It also resolves the necessary DLLs and functions. Then it manipulates the IMAGE_SCN_CNT_UNINITIALIZED_DATA values and jumps to the code placed in the OPEN section.”
Researchers used WinDbg and .writemem to write the OPEN section to disk to analyze the code statically in Ghidra, an open-source reverse-engineering tool. There they found the ransomware’s main function, the first part of which initializes a crypto library that LockFile likely uses for its encryption functions, they said.
The ransomware then uses the Windows Management Interface (WMI) command-line tool WMIC.EXE–which is part of every Windows installation—to terminate all processes with vmwp in their name, repeating the process for other critical business processes associated with virtualization software and databases, researchers wrote.
“By leveraging WMI, the ransomware itself is not directly associated with the abrupt termination of these typical business critical processes,” they explained. “Terminating these processes will ensure that any locks on associated files/databases are released, so that these objects are ready for malicious encryption.”
LockFile renames encrypted documents to lower case and adds a .lockfile file extension, and also includes an HTML Application (HTA) ransom note looks very similar to that of LockBit 2.0, researchers said.
“In its ransom note, the LockFile adversary asks victims to contact a specific e-mail address: contact[@],” they said, adding that the domain name—which seems to have been created on Aug. 16–appears to be a “derogatory reference” to the Conti Gang, a still-active and competing ransomware group.
Intermittent Encryption, Explained
The feature that most defines and differentiates LockFile from its competitors is not that it implements partial encryption per se — as LockBit 2.0, DarkSide and BlackMatter ransomware all do this, according to researchers. What sets LockFile apart is the unique way it employs this type of encryption, which has not been observed by a ransomware before, Loman said.
“What sets LockFile apart is that it doesn’t encrypt the first few blocks,” he wrote. “Instead, LockFile encrypts every other 16 bytes of a document. This means that a text document, for instance, remains partially readable.”
The “intriguing advantage” to this approach is that it can elude some ransomware protection technologies that use what’s called “chi-squared (chi^2)” analysis, skewing the statistical way this analysis is done and thus confusing it.
“An unencrypted text file of 481 KB (say, a book) has a chi^2 score of 3850061,” Loman explained. “If the document was encrypted by DarkSide ransomware, it would have a chi^2 score of 334 – which is a clear indication that the document has been encrypted. If the same document is encrypted by LockFile ransomware, it would still have a significantly high chi^2 score of 1789811.”
Once it has encrypted all the documents on the machine, LockFile disappears without a trace, deleting itself with a PING command, researchers said. “This means that after the ransomware attack, there is no ransomware binary for incident responders or antivirus software to find or clean up,” they wrote.

threat post logo

Army Testing Facial Recognition in Child-Care Centers

Army looking for AI to layer over daycare CCTV to boost ‘family quality of life.’

Live video feeds of daycare centers are common, but the Army wants to take their kid-monitoring capabilities to the next level.
Under a new pilot program being rolled out at a Fort Jackson, S.C. child-care center, the military is looking for service providers to layer commercially available facial recognition and artificial intelligence (AI) over existing closed-circuit television video feeds to improve childcare and cut costs.
The request for bids on the project, called Installations of the Future: Technology Pilot for Child Development Center, explained that the CCTV feeds aren’t constantly monitored by humans and the pilot program will explore whether AI could fill in the gaps.

“Video analytic software provides the added security of continual computer monitoring used as an addition to the human CCTV monitoring,” the request for bid said. “Moreover, it provides instant notifications to staff on a wide range of important AR 190-3 monitoring parameters as events occur.”
AI to Monitor Health and Well-Being?
The solicitation for contract laid out nebulous objectives to “monitor the health and well-being of children” at the childcare center.
The paperwork did detail cybersecurity parameters, which includes an interconnection agreement, adherence to the Department of Defense cybersecurity regulations and a requirement that any data stored be encrypted.
Other requirements include following the Security Technical Guides (STIGs), submission to Static Application Security Testing (SAST) for source code analysis, and an obligation to provide patching and mitigation support.
Facial-recognition software has regularly come under fire by security professionals and privacy advocates alike. Not only have facial-recognition algorithms been easily fooled, they’ve been decried as a privacy nightmare by groups like the American Civil Liberties Union, which sued to the Department of Homeland Security in March 2020 over its use of facial recognition in airports. Just months later, Sens. Bernie Sanders (Vt.) and Jeff Merkley (Ore.), both Democrats, introduced the National Biometric Information Privacy Act in an effort to curb the government’s ability to collect peoples’ biometric data.
The Fort Jackson pilot program is scheduled to run for a year, according to the request for bids. Designs are due in 120 days and should be installed and operational within 8 months, the schedule said. Bids on the job are due Sept 10.
Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.

threat post logo

Microsoft Exchange ‘ProxyToken’ Bug Allows Email Snooping

The bug (CVE-2021-33766) is an information-disclosure issue that could reveal victims’ personal information, sensitive company data and more.

A serious security vulnerability in Microsoft Exchange Server that researchers have dubbed ProxyToken could allow an unauthenticated attacker to access and steal emails from a target’s mailbox.
Microsoft Exchange uses two websites; one, the front end, is what users connect to in order to access email. The second is a back-end site that handles the authentication function.
“The front-end website is mostly just a proxy to the back end. To allow access that requires forms authentication, the front end serves pages such as /owa/auth/logon.aspx,” according to a Monday posting on the bug from Trend Micro’s Zero Day Initiative. “For all post-authentication requests, the front end’s main role is to repackage the requests and proxy them to corresponding endpoints on the Exchange Back End site. It then collects the responses from the back end and forwards them to the client.”

The issue arises specifically in a feature called “Delegated Authentication,” where the front end passes authentication requests directly to the back end. These requests contain a SecurityToken cookie that identify them; i.e., if the front end finds a non-empty cookie named SecurityToken, it delegates authentication to the back end. However, Exchange has to be specifically configured to have the back end perform the authentication checks; in a default configuration, the module responsible for that (the “DelegatedAuthModule”) isn’t loaded.
“When the front end sees the SecurityToken cookie, it knows that the back end alone is responsible for authenticating this request,” according to ZDI. “Meanwhile, the back end is completely unaware that it needs to authenticate some incoming requests based upon the SecurityToken cookie, since the DelegatedAuthModule is not loaded in installations that have not been configured to use the special delegated authentication feature. The net result is that requests can sail through, without being subjected to authentication on either the front or back end.”
From there, attacker could install a forwarding rule allowing them to read the victim’s incoming mail.
“With this vulnerability, an unauthenticated attacker can perform configuration actions on mailboxes belonging to arbitrary users,” according to the post. “As an illustration of the impact, this can be used to copy all emails addressed to a target and account and forward them to an account controlled by the attacker.”
ZDI outlined an exploitation scenario wherein an attacker has an account on the same Exchange server as the victim. However, if an administrator permits forwarding rules having arbitrary internet destinations, no Exchange credentials are needed at all, researchers noted.
The bug (CVE-2021-33766) was reported to the Zero Day Initiative by researcher Le Xuan Tuyen of VNPT ISC, and it was patched by Microsoft in the July Exchange cumulative updates. Organizations should update their products to avoid compromise.
The ProxyToken revelation comes after the disclosure of ProxyLogon in early March; that’s an exploit chain comprised of four Exchange flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, CVE-2021-27065), which together create a pre-authentication remote code execution (RCE) exploit. Attackers can take over unpatched servers without knowing any valid account credentials, giving them access to email communications and the opportunity to install a web shell for further exploitation within the environment. ProxyLogon was weaponized in wide-scale attacks throughout the spring.
Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.