The funniest thing happened to REvil this week: their online presence seems to have disappeared.
Their Tor sites as well as their clearnet sites went offline at around the same time Tuesday morning, leading to speculation that they may have been hit by a law enforcement operation. This follows renewed US pressure on other countries, particularly Russia, to take action against ransomware groups operating within their borders. If it is a coordinated takedown, it is likely a response to the extremely widespread July 4th campaign launched through the Kaseya platform. Seriously, if you do something that threatens to upset Americans, don’t do it on the day we celebrate national pride by blowing things up.
All REvil sites are down including the payment sites and the data leak site. 🤔
The public representative of the ransomware gang, Unknown, has been strangely silent.
– Lawrence Abrams (@LawrenceAbrams) July 13, 2021
Speaking of Kaseya, they have completed their analysis and published instructions for safely bringing VSA on-premise servers back online. Now that the fixes are available, more information about the attack itself is being made public. Truesec researchers followed this story in real time and even provided information about the attack to Kaseya based on their observations. Their analysis shows that 4 separate vulnerabilities were chained in the attack. First is an authentication bypass, in code that looks something like this:
    if password == hash(row[nextAgentPassword] + row[agentGuidStr]) login ok
    elseif password == hash(row[curAgentPassword] + row[agentGuidStr]) login ok
    elseif password == hash(row[nextAgentPassword] + row[displayName]) login ok
    elseif password == hash(row[curAgentPassword] + row[displayName]) login ok
    elseif password == row[password] login failed
    else login ok
Yes, that code fails open instead of closed. I’ve spent some time trying to understand how this code could ever work, or what the engineer who wrote it was thinking, and I have nothing. I have to hope the original version makes more sense. It should be noted that in order to get this far in the registration process, an attacker would need a valid
Next in the attack flow, an unexpected request to the done.asp endpoint triggered an unrestricted file upload vulnerability. This would theoretically be thwarted by a Cross Site Request Forgery protection token, but that token was not properly validated, allowing yet another easy bypass. The attacker uploaded two files: a payload to be pushed out to the victims’ machines, and an ASP script that runs on the appliance itself. The attacker’s final step was to trigger execution of that script through yet another broken endpoint. From there, the attack ran automatically, and the appliance’s logs were cleared to cover the trail.
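To make the fail-open defect concrete, here is an added example (my own code, not Truesec’s or Kaseya’s) that renders the pseudocode above in Python next to a fail-closed version of the same check. The hash function, field values and agent record are constructed stand-ins; the page does not say which digest the appliance uses.

```python
import hashlib
import hmac


def h(value: str) -> str:
    """Stand-in for the appliance's hash(); the real digest is not named on the page."""
    return hashlib.sha256(value.encode()).hexdigest()


# Constructed agent record shaped like the row[...] fields used in the pseudocode.
AGENT_ROW = {
    "nextAgentPassword": "next-secret",
    "curAgentPassword": "cur-secret",
    "agentGuidStr": "1234567890",
    "displayName": "WORKSTATION-01",
    "password": "stored-plaintext",
}


def expected_hashes(row: dict) -> list:
    """The four credential forms the pseudocode is willing to accept."""
    return [
        h(row["nextAgentPassword"] + row["agentGuidStr"]),
        h(row["curAgentPassword"] + row["agentGuidStr"]),
        h(row["nextAgentPassword"] + row["displayName"]),
        h(row["curAgentPassword"] + row["displayName"]),
    ]


def login_fail_open(password: str, row: dict) -> bool:
    """Same decision logic as the pseudocode on the page. True means 'login ok'."""
    for candidate in expected_hashes(row):
        if password == candidate:
            return True
    if password == row["password"]:
        return False  # the only branch that explicitly fails the login
    return True  # the defect: every other input falls through to 'login ok'


def login_fail_closed(password: str, row: dict) -> bool:
    """Corrected form: accept only a known-good digest, reject everything else.
    compare_digest avoids leaking which prefix of a candidate matched."""
    for candidate in expected_hashes(row):
        if hmac.compare_digest(password.encode(), candidate.encode()):
            return True
    return False


if __name__ == "__main__":
    good = h(AGENT_ROW["curAgentPassword"] + AGENT_ROW["agentGuidStr"])
    for attempt in ("nonsense", good, AGENT_ROW["password"]):
        print(f"{attempt[:16]:<18} fail-open={login_fail_open(attempt, AGENT_ROW)} "
              f"fail-closed={login_fail_closed(attempt, AGENT_ROW)}")
```

Run it and the fail-open version accepts the string "nonsense", which is exactly the bypass the researchers describe; the fail-closed version accepts only a digest it can reproduce from the stored record. The structural fix is the default: an authentication decision should reach "ok" only through an explicit match, never by falling off the end of a chain.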
Android Wifi Scan RCE
There’s always something interesting hidden in the monthly Android security updates, and this month is no exception. CVE-2021-1965 is a bug in Qualcomm driver code, a buffer overflow in the handling of BSSID beacons when scanning for networks. Part of each beacon is the “information element” (IE), which carries additional information about the network. The code in question did not properly handle over-long IE fields, resulting in a possible buffer overflow.
This is an interesting bug because a modern phone is always scanning for WiFi networks unless it is in airplane mode, and simply being within range of a malicious network is enough to trigger the vulnerability.
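The check the page says was missing, as an added example of my own rather than Qualcomm’s code: a small parser for the tagged IE section of a beacon that validates every length field against the bytes actually present, and refuses to copy an IE into a fixed-size buffer it would not fit. The beacon bodies are constructed samples; the 32-byte SSID limit is from 802.11, everything else here is an assumption about how a driver might be laid out.

```python
SSID_MAX_LEN = 32        # 802.11 caps the SSID element at 32 bytes
EID_SSID = 0             # element id of the SSID IE
EID_SUPPORTED_RATES = 1  # element id of the Supported Rates IE


def parse_ies(body: bytes) -> dict:
    """Walk the tagged IEs of a beacon body: 1-byte element id, 1-byte length, payload.
    Each length is checked against the bytes remaining before any slice is taken,
    which is the check a C parser must make before memcpy()ing into a fixed buffer."""
    ies = {}
    off = 0
    while off < len(body):
        if len(body) - off < 2:
            raise ValueError(f"truncated IE header at offset {off}")
        eid, length = body[off], body[off + 1]
        off += 2
        if length > len(body) - off:
            raise ValueError(f"IE {eid} claims {length} bytes, only {len(body) - off} remain")
        ies[eid] = bytes(body[off:off + length])
        off += length
    return ies


def copy_into_fixed(dst_size: int, payload: bytes) -> bytes:
    """Model of copying an IE into a fixed-size driver buffer: refuse rather than overflow."""
    if len(payload) > dst_size:
        raise ValueError(f"payload of {len(payload)} bytes exceeds {dst_size}-byte buffer")
    return payload


def scan_result(body: bytes) -> dict:
    """Process one beacon the way a hardened scanner should: a malformed frame is
    rejected as a whole instead of letting an oversized field reach a fixed buffer."""
    try:
        ies = parse_ies(body)
        ssid = copy_into_fixed(SSID_MAX_LEN, ies.get(EID_SSID, b""))
    except ValueError as exc:
        return {"ok": False, "ssid": None, "error": str(exc)}
    return {"ok": True, "ssid": ssid.decode("utf-8", "replace"), "error": None}


# Constructed beacon bodies (IE section only; the fixed-length header fields are omitted).
BENIGN = bytes([EID_SSID, 4]) + b"home" + bytes([EID_SUPPORTED_RATES, 2, 0x82, 0x84])
OVERSIZED_SSID = bytes([EID_SSID, 200]) + b"A" * 200   # length field larger than any SSID buffer
TRUNCATED = bytes([EID_SSID, 10]) + b"abc"            # claims 10 bytes, only 3 are present

if __name__ == "__main__":
    for name, body in (("benign", BENIGN), ("oversized", OVERSIZED_SSID), ("truncated", TRUNCATED)):
        print(name, scan_result(body))
```

Two distinct checks are needed and both are easy to forget: the length byte against what remains in the frame (a truncated IE would otherwise read past the packet), and the IE size against the destination buffer (an over-long IE would otherwise write past it). In Python a missed check becomes an exception; in driver C it becomes the overflow this CVE describes.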
PrintNightmare over?
Microsoft has pushed out a couple of fixes targeting the PrintNightmare bug, one of them an Out Of Band (OOB) patch, i.e. one not released on Patch Tuesday. Several researchers came forward to suggest that with a particular system configuration, the vulnerability was still present. Microsoft responded to these claims:
Our investigation has shown that the OOB security update is working as planned and is effective against the known print spooler exploits and other public reports collectively known as PrintNightmare. All of the reports we examined were based on the fact that the default registry settings for Point and Print were changed to an insecure configuration.
It seems the ride isn’t quite over yet, though this time it may really be limited to local users:
#printnightmare – Episode 3
You know that even patched with default configuration (or security enforced with #Microsoft settings), a standard user can install a driver as SYSTEM?
– 🥝 Benjamin Delpy (@gentilkiwi) July 15, 2021
You don’t need to see my login details
Sage X3 is an enterprise resource planning system. Think QuickBooks, but for large businesses. Rapid7 researchers found a handful of problems with the product, but the big one is CVE-2020-7388. The server and client components of Sage X3 communicate over a TCP connection and use a proprietary authentication mechanism to protect it. Once authentication succeeds, commands can be sent over the connection for execution on the server as the authenticated user. That proprietary authentication mechanism has a small flaw: if one of the bytes sent during authentication initialization is changed, the server never asks for the hashed username and password, and instead executes commands as its own SYSTEM user. That is a hurry-up-and-update.
Insecure cameras, or why use a VLAN?
Researchers at Randorisec seem to have a hobby of finding security flaws in UDP Technology cameras. They continued their favorite pastime by grabbing the latest firmware for their cameras and looking for vulnerabilities. The problem? These firmware files were encrypted. Undeterred, they simply found an undisclosed RCE in the firmware version they still had access to, and used that to get a foothold on the current cameras and pull the file system off them. They found a dozen more CVEs. The write-up is great and walks through the process of turning a vulnerability into a working exploit. Go read it.
There is a lesson to be learned here. Code that a vendor believes is unimportant and will never be looked at is almost guaranteed to be garbage in one way or another. How many devices on your networks likely fall into this category? And that is before considering hardware that might have deliberate backdoors. IP cameras are useful tools for physical security, but they can be a terrible problem for network security. Is there a solution? Separate networks, most easily done with VLANs. Keep your untrusted devices off your important network, and better yet, keep your cameras off the internet.