CYBER PULSE: EDITION 137 | 13 NOVEMBER 2020
Cyber Security Training Courses presents the latest cyber security news round-up of the week from QA.
Desktop Ubuntu vulnerability allows privilege escalation
A vulnerability in Ubuntu Display Manager (gdm) could allow a standard user to create accounts with increased privileges, giving a local attacker a path to run code with administrator permissions (root). Although certain conditions are necessary, the bug is easy to exploit. The process involves running a few simple commands in the terminal and modifying general system settings that do not require increased rights.
GitHub’s security researcher Kevin Backhouse discovered a simple way to trick an already set-up Ubuntu system into running the account configuration routine for a new system. This scenario requires an administrator account to set up the machine and install applications. The researcher found that ‘gdm3’ triggered this sequence when the ‘accounts-daemon’ of the AccountsService component was not running. A standard user should not be able to stop it.
However, researchers discovered two vulnerabilities in AccountsService that caused the component to hang (CVE-2020-16127) and drop user account privileges (CVE-2020-16126), allowing a standard user to crash the daemon by sending it a delayed segmentation fault signal (kill -SIGSEGV). The delay is necessary to give time to log out of the current session or the user is locked out. These two vulnerabilities affect Ubuntu 20.10, Ubuntu 20.04, Ubuntu 18.04, and Ubuntu 16.04. For CVE-2020-16127, the researcher explains in a blog post that it was caused by code added to Ubuntu’s version of AccountService that does not exist in the upstream version maintained by freedesktop. This bug is now tracked as CVE-2020-16125 and rated with a high severity score of 7.2 out of 10.
ICS/IOT vulnerabilities in two Schneider PLCs
Two security vulnerabilities in Schneider Electric’s programmable logic controllers (PLCs) could allow attackers to compromise a PLC and move on to more sophisticated critical infrastructure attacks. PLCs are key pieces of equipment in environments such as electric utilities and factories. They control the physical machinery footprint in factory assembly lines and other industrial environments, and are a key part of operational technology (OT) networks. According to researchers, the issues are present in the company’s EcoStruxure Machine Expert v1.0 PLC management software, and in the firmware for the M221 PLC, version 22.214.171.124, respectively.
Schneider Electric recommends patching the engineering software, updating the firmware of the controller and blocking ports on the firewall. CVE details for Schneider specific vulnerabilities can be found here. Trustwave added that customers should also use two different complex passwords for different application protections, and take steps to ensure only the engineering workstation and authorised clients can communicate to the PLC directly.
Tech news service provider Mashable suffers a data breach
Mashable, a major tech and culture news website, has reported a data breach which has resulted in the personal data of their users being exposed online. On Sunday 8 November Mashable issued a statement confirming that their database had been breached and that readers who used their social media sign-in feature to access the site, have had their details posted online. The data that has been exposed includes users’ full names, locations, genders, email addresses, IP address and links to their social media profiles.
The Mashable statement said that “based on our review, the database related to a feature that, in the past, had allowed readers to use their social media account sign-in (such as Facebook or Twitter) to make sharing content from Mashable easier.”
The company also reminded its users not to share any passwords, personal details, or payment information with other parties.
“We appreciate your attention to this important topic and sincerely apologise for any concern or inconvenience this incident may cause. Protecting our users’ data is one of our highest priorities. We are working hard to investigate the issue and prevent it from happening again,” said Mashable.
Google Play Store identified as main distribution for Android malware
The official Google Play Store has been identified as the primary source of malware installs on Android devices in a recent academic study – considered the largest one of its kind carried out to date. Using telemetry data provided by NortonLifeLock (formerly Symantec), researchers analysed the origin of app installations on more than 12 million Android devices for a four-month period between June and September 2019.
In total, researchers looked at more than 34 million APK (Android application) installs for 7.9 million unique apps. Researchers said that depending on different classifications of Android malware, between 10% and 24% of the apps they analysed could be described as malicious or unwanted applications. But the researchers focused specifically on the "who-installs-who relationships between installers and child apps" to discover the path malicious apps take to reach user devices. The results showed that around 67% of the malicious app installs researchers identified came from the Google Play Store.
RegretLocker targets virtual hard drives
Researchers discovered a new ransomware strain called RegredLocker, and it was analysed by Advanced Intel's Vitali Kremez. This new ransomware strain has a simple, old-school way of communicating its ransom note. No fancy Tor portal, no bombastic gasconade, just a simple email saying, "Hello friend. All your files are encrypted. If you want to restore them, please email us."
When ransomware encrypts files on a computer, it is not efficient to encrypt a large file as it slows down the entire encryption process’s speed. RegretLocker uses an interesting technique of mounting a virtual disk file so each of its files can be encrypted individually. To do this, RegretLocker uses the Windows Virtual Storage API OpenVirtualDisk, AttachVirtualDisk and GetVirtualDiskPhysicalPath functions to mount virtual disks. Once the virtual drive is mounted as a physical disk in Windows, the ransomware can encrypt each one individually, which increases the speed of encryption.
In addition to using the Virtual Storage API, RegretLocker also utilises the Windows Restart Manager API to terminate processes or Windows services that keep a file open during encryption. But if the name of a process contains ‘vnc’, ‘ssh’, ‘mstsc’, ‘System’, or ‘svchost.exe’, the ransomware will not terminate it. This exception list is likely used to prevent the termination of critical programs or those used by the threat actor to access the compromised system.
Edited and compiled by QA's Director of Cyber, Richard Beck.