SANS NewsBites

Bootloader Vulnerability Affects Millions of Devices; Netgear Refuses to Update Vulnerable Devices; Excellent Ransomware Case Study

July 31, 2020  |  Volume XXII - Issue #60

Top of the News


2021-07-30

GRUB2 Bootloader Vulnerability Affects Millions of Devices

A vulnerability in the GRUB2 (Grand Unified Bootloader version 2) bootloader could be exploited to run malicious firmware during startup. The issue affects most Linux devices and Windows devices that use Secure Boot. Researchers at Eclypsium discovered the issue and disclosed it to affected parties, "including OS vendors, computer manufacturers, and CERTs," prior to public disclosure. Linux distributions have begun making fixes available, although not without hiccups: Red Hat's fix for the BootHole vulnerability is reportedly causing problems for some users - when the patch is installed, their systems will not boot.

Editor's Note

This is an important vulnerability. Important, but not critical. Wait for your Linux distribution to address this. To exploit this issue, an attacker has to have root access on the system. It could provide a method for an attacker to retain more persistent access to a system. One more reason to "wipe and rebuild" vs. "clean" malware from affected systems. (And don't forget to wipe/reinstall grub as well.)

Johannes Ullrich

The Grub2 bootloader is used with more than just Linux distributions, which may be somewhat unexpected to learn, and the exploit can be used to write code into the UEFI firmware which may then require factory reset to recover. Make sure you know how to do that reset. Due to side-effects of the patch, test on representative devices before wide deployment.

Lee Neely

2021-07-30

Netgear Will Not Release Patches for 45 Devices Vulnerable to RCE Flaw

A remote code execution vulnerability affecting Netgear home routers was disclosed in June. Netgear will not release fixes for 45 of the affected router models, identifying them as "outside the security support period." Proof-of-concept exploit code for the stack buffer overflow vulnerability has been released.

Editor's Note

Obviously, with high levels of work from home, use of the unpatchable devices is a concern. The CERT alert has a link to a nice spreadsheet with all the Netgear model numbers that won't be supported with patches. Netgear's response to this issue is a good reason to remove them from procurement lists for any corporate buys, and it is worth looking at what user devices are supplied with any ISP services you are using for small office/home office connectivity, as well. The consumer issue is really something that is going to need legislation to drive required support periods or at least up-front declaration of guaranteed support periods.

John Pescatore

If you are sick of vendors forcing you to buy new devices vs. offering to fix defective devices they sold you: Consider one of the very capable, and by no means difficult to use open source alternatives that use commodity hardware. My favorite: OPNSense just released an update this week that yet again improves security and offers features that you will have a hard time finding in many expensive enterprise solutions. Other alternatives are pfsense, ipfire or for older/less capable hardware good old OpenWRT. Lots of other options depending on what you need. Some of these even offer paid supported versions.

Johannes Ullrich

"Useful life" ends with the publication of vulnerabilities in unsupported products. Fortunately, the cost of the replacement will be a fraction of the cost of the original and the value higher.

William Hugh Murray

2021-07-30

Ryuk Ransomware Infection Case Study

A Ryuk ransomware attack took down the network of an unidentified food and beverage manufacturer. AT&T Cybersecurity investigated the incident and helped the company recover from the attack without paying a ransom. The incident also offers reminders of actions organizations can take to better protect their networks, including replacing old hardware, changing default passwords, patching systems, and adhering to cyber hygiene.

Editor's Note

This is a well-written "tick-tock" of how and why many ransomware attacks succeed - useful for getting decision makers to understand the need for reaching basic security hygiene. The piece is from the perspective of an external consulting organization, but in the real world those external voices are often needed to get that management backing.

John Pescatore

Kudos to AT&T Cybersecurity for releasing this great resource. This is a great read and a very useful tool to learn how to improve your defence and reaction to ransomware. I strongly recommend reading it. Another tool to be aware of is the excellent NoMoreRansom project by Europol's European Cybercrime Centre, which celebrated its fourth anniversary this week; the site, www.nomoreransom.org, has lots of useful resources including decryption keys to many of the ransomware strains.

Brian Honan

The Rest of the Week's News


2021-07-29

Microsoft is Retiring SHA-1 Windows Content

On Monday, August 3, Microsoft will remove all Windows downloads signed with SHA-1 from the Microsoft Download Center. SHA-1 is vulnerable to collision attacks, a fact which could be exploited to create forged digital certificates.

Editor's Note

Stop relying on SHA-1 digital signatures. The issue with collision attacks was identified in 2015. Collision attacks mean a malicious application, or other signed content, can impersonate a legitimate one. For Microsoft this is the last step in transitioning to SHA-2 hashes for their updates.

Lee Neely

2021-07-28

Nefilim Ransomware Group Releases Files Stolen from DKA

Operators of the Nefilim ransomware have published files stolen from Dresdner Kuehlanlagenbau GmbH (DKA), a subsidiary of the Dussmann Group, a multi-service provider in Germany. The Dussmann Group has confirmed that DKA was recently the victim of a ransomware attack.


2021-07-29

Lazarus Hacking Group is Using Ransomware

Researchers at Kaspersky have found that the Lazarus hacking group, which is believed to operate on behalf of North Korea's government, has turned to ransomware. Lazarus hackers used ransomware identified as VHD in attacks against a company in France and a company in Asia earlier this year.


2021-07-30

McAfee: North Korean Hackers Launched Spear Phishing Attacks Against US Companies

Researchers from McAfee Advanced Threat Research say that North Korean state-sponsored hackers launched phishing campaigns against US defense and aerospace companies earlier this year. The spear-phishing emails sent to employees at targeted companies pretended to be information about job offers from other defense contractors. McAfee has dubbed the campaign "Operation North Star."


2021-07-30

Cisco Releases Fix for Critical Flaw in Data Center Network Manager

Cisco has released a fix for a critical flaw in its Data Center Network Manager (DCNM). The authentication bypass vulnerability has been given a CVSS base score of 9.8. The issue lies in the REST API of the DCNM software. Cisco also released fixes for several high- and medium-severity flaws in DCNM.


2021-07-29

Update Available to Address Critical Flaw in wpDiscuz WordPress Plugin

A critical remote code execution flaw in the wpDiscuz comment plugin for WordPress could be exploited by unauthenticated users to take control of vulnerable websites. Users are urged to update to wpDiscuz version 7.0.5.

Editor's Note

Update now, or remove the plugin if you're not using it. The exploit leverages weaknesses in the PHP filetype checking to allow for malicious upload of content disguised as image files. Another mitigation is to disable execution of content in the uploads directory, which may require a plugin like Wordfence.

Lee Neely
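Lee Neely's note above points at the root cause: upload checks that trust the file extension or a loosely parsed type instead of the bytes. The following upload validator is an added example written for this newsletter, not code from wpDiscuz, WordPress or Wordfence. It rejects files with multiple extensions, files whose leading bytes do not match the allowed image type for their extension, and image files that carry PHP or script markers. All sample inputs (GOOD_PNG, JPEG_BYTES, the file names) are constructed here.

```python
"""Defensive upload validation: trust the bytes, not the filename.

Constructed example for this newsletter; not wpDiscuz or WordPress code.
"""
import os

# Magic-byte signatures for the only image types we accept (constructed allowlist).
MAGIC = {
    "png": [b"\x89PNG\r\n\x1a\n"],
    "jpg": [b"\xff\xd8\xff"],
    "jpeg": [b"\xff\xd8\xff"],
    "gif": [b"GIF87a", b"GIF89a"],
}

# Byte sequences that have no business inside an image upload.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")

# Constructed sample inputs: a minimal PNG header and a minimal JPEG header.
GOOD_PNG = b"\x89PNG\r\n\x1a\n" + bytes(16)
JPEG_BYTES = b"\xff\xd8\xff\xe0" + bytes(16)


def sniff_type(data: bytes):
    """Return the image type implied by the leading bytes, or None if unknown."""
    for ext, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return ext
    return None


def validate_upload(filename: str, data: bytes):
    """Return (accepted, reason) for a candidate upload.

    Rejection reasons are returned as strings so a caller can log them.
    """
    base = os.path.basename(filename).lower()
    parts = base.split(".")
    # "shell.php.png" style double extensions are rejected outright.
    if len(parts) != 2 or not parts[0]:
        return False, "filename must have exactly one extension"
    ext = parts[1]
    if ext not in MAGIC:
        return False, f"extension .{ext} not in allowlist"

    sniffed = sniff_type(data)
    if sniffed is None:
        return False, "leading bytes do not match any allowed image type"
    # jpg and jpeg share a signature; normalise before comparing.
    if sniffed.replace("jpeg", "jpg") != ext.replace("jpeg", "jpg"):
        return False, f"extension .{ext} but content looks like {sniffed}"

    # A valid image header followed by script text is still a polyglot: reject it.
    lowered = data.lower()
    for marker in SCRIPT_MARKERS:
        if marker in lowered:
            return False, f"embedded script marker {marker!r} found"
    return True, "ok"


if __name__ == "__main__":
    samples = [
        ("logo.png", GOOD_PNG),
        ("avatar.png", b"<?php /* constructed */ ?>"),
        ("avatar.gif", b"GIF89a<?php /* constructed */ ?>"),
        ("shell.php.png", GOOD_PNG),
        ("pic.jpg", GOOD_PNG),
        ("photo.jpeg", JPEG_BYTES),
    ]
    for name, blob in samples:
        print(name, validate_upload(name, blob))
```

The marker scan is a heuristic; it catches text-style polyglots but not every way of smuggling code into image metadata. The stronger control, which this example does not implement, is to re-encode accepted images through an image library so that only pixel data survives, and, as the note says, to make the uploads directory non-executable at the web-server level so that even a missed upload cannot run.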

A reminder that developers are responsible for the quality of all the code in their products, not just the code that they write themselves. Specifically, most WordPress plug-ins come with no explicit representations or expectations of quality.

William Hugh Murray

2021-07-30

Zoom Fixes Meeting Password Cracking Vulnerabilities

Zoom has fixed a security issue that could be exploited to crack meeting passwords. The default password protection for Zoom meetings was, before the fix, a six-digit numeric code. Because Zoom did not rate-limit password attempts, hackers could launch brute-force password attacks. Zoom has addressed the issues by "requiring a user logs in to join meetings in the web client, and updating default meeting passwords to be non-numeric and longer."

Editor's Note

Zoom updated the Web client to rate limit password attempts as well as remove issues where CSRF-based exploits were possible.

Lee Neely
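The Zoom item above combines two weaknesses: a small keyspace (six digits gives at most 10**6 codes) and no limit on how fast a client may guess. The limiter below is an added example written for this newsletter, not Zoom's code; it shows the server-side control that makes the first weakness survivable. Meeting ids, the client key, the password values and the FakeClock are constructed for the demonstration; a real deployment would key on an authenticated identity or source address and persist state across server instances.

```python
"""Sliding-window attempt limiter with lockout for meeting-password checks.

Constructed example for this newsletter; not Zoom's implementation.
"""
import hmac
import time
from collections import defaultdict, deque


class AttemptLimiter:
    """Track failed password attempts per (meeting_id, client) and lock out repeat offenders."""

    def __init__(self, max_failures=5, window_s=60.0, lockout_s=300.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock                   # injectable so tests can control time
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time at which the lockout expires

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window_s:
            q.popleft()

    def allowed(self, meeting_id, client):
        """True if this client may attempt a password for this meeting right now."""
        key = (meeting_id, client)
        now = self.clock()
        until = self._locked_until.get(key)
        if until is not None:
            if now < until:
                return False
            del self._locked_until[key]      # lockout expired; start fresh
            self._failures[key].clear()
        return True

    def record_failure(self, meeting_id, client):
        key = (meeting_id, client)
        now = self.clock()
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_s

    def record_success(self, meeting_id, client):
        self._failures.pop((meeting_id, client), None)


def check_join(limiter, meeting_id, client, supplied, expected):
    """Gate the password comparison behind the limiter. Returns 'locked', 'ok' or 'wrong'."""
    if not limiter.allowed(meeting_id, client):
        return "locked"
    # Constant-time comparison so timing does not leak how many characters matched.
    if hmac.compare_digest(supplied, expected):
        limiter.record_success(meeting_id, client)
        return "ok"
    limiter.record_failure(meeting_id, client)
    return "wrong"


def worst_case_seconds(keyspace, max_failures, lockout_s):
    """Seconds a single client needs to exhaust the keyspace under this lockout policy."""
    return keyspace * lockout_s / max_failures


class FakeClock:
    """Constructed clock for the demonstration; advance .t to simulate elapsed time."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    """Three wrong guesses, a fourth attempt while locked, then success after the lockout."""
    clock = FakeClock()
    limiter = AttemptLimiter(max_failures=3, window_s=60, lockout_s=300, clock=clock)
    results = []
    for guess in ("000001", "000002", "000003"):
        results.append(check_join(limiter, "meeting-1", "client-a", guess, "123456"))
    results.append(check_join(limiter, "meeting-1", "client-a", "123456", "123456"))  # locked
    clock.t += 301
    results.append(check_join(limiter, "meeting-1", "client-a", "123456", "123456"))  # ok
    return results


if __name__ == "__main__":
    print(demo())
    print("seconds to exhaust 10**6 codes at 3 tries per 300 s:", worst_case_seconds(10**6, 3, 300))
```

With three tries per five-minute lockout, a single client needs on the order of 10**8 seconds to walk the six-digit space, which is why the rate limit alone changes the picture; Zoom's other fix, longer non-numeric defaults, raises the keyspace so the limiter has less work to do.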

2021-07-30

European Union Sanctions Russia, China, and North Korea for Cyberattacks

The European Union has imposed economic sanctions, including travel bans and asset freezes, against Russia, China, and North Korea over cyberattacks conducted against EU citizens. Russia was sanctioned for NotPetya and "for an attempted cyber-attack on the Organisation for the Prohibition of Chemical Weapons (OPCW)." China was sanctioned for intrusions into cloud providers' networks. North Korea was sanctioned for WannaCry.

Editor's Note

Cyber warfare is different. The response to low-level cyber attacks should be defensive (i.e., cyber security), legal, political, and economic. The response to all-out cyber warfare should be military. Attempts at retaliation in kind will only damage the infrastructure. "People who live in glass houses should not throw stones."

William Hugh Murray

Internet Storm Center Tech Corner

New Data Feeds

https://isc.sans.edu/forums/diary/All+I+want+this+Tuesday+More+Data/26400/


Consumer VPNs: You May Be Fine Without It

https://isc.sans.edu/forums/diary/Consumer+VPNs+You+May+Be+Fine+Without/26404/


Python Developers: Prepare!

https://isc.sans.edu/forums/diary/Python+Developers+Prepare/26408/


Emotet Stealing Email Attachments

https://twitter.com/CofenseLabs/status/1288167724594671618


Magento Update

https://helpx.adobe.com/security/products/magento/apsb20-47.html


Exposed Docker Servers Infected with More Malware

https://www.intezer.com/container-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/


Tails Update

https://tails.boum.org/news/version_4.9/index.en.html


Firefox Update

https://www.mozilla.org/en-US/security/advisories/mfsa2020-30/


Chrome Update

https://chromereleases.googleblog.com/2020/07/stable-channel-update-for-desktop_27.html


Facial Recognition With Masks

https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8311.pdf


Office 365 Phishing Hiding in Google Ads

https://cofense.com/threat-actors-bypass-gateways-google-ad-redirects/


Netgear Vulnerabilities

https://www.kb.cert.org/vuls/id/576779

https://kb.netgear.com/000061982/Security-Advisory-for-Multiple-Vulnerabilities-on-Some-Routers-Mobile-Routers-Modems-Gateways-and-Extenders


OPNSense Update

https://opnsense.org/opnsense-20-7/


Microsoft Retiring SHA1

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/sha-1-windows-content-to-be-retired-august-3-2020/ba-p/1544373