Cyber Pulse: Edition 130 | 21 September 2020

Here is our cyber security news round-up of the week:

Hardware video encoders with multiple vulnerabilities

Hardware video encoders from multiple suppliers contain several critical security bugs that allow a remote unauthenticated miscreant to run arbitrary code on the equipment. In a disclosure published this week, Alexei Kojenov, lead product security engineer at Salesforce, outlined a series of flaws affecting IPTV/H.264/H.265 video encoders powered by the hi3520d chipset from Huawei's HiSilicon subsidiary. The security holes are present in software from unknown developers that runs on top of a Linux stack provided by HiSilicon for products using its system-on-chips.

In a post, Alexei Kojenov says: 

"The vulnerabilities exist in the application software running on these devices. All vulnerabilities are exploitable remotely and can lead to sensitive information exposure, denial of service, and remote code execution, resulting in full takeover of the device."

The critical flaws include:

• an administrative interface with a backdoor password (CVE-2020-24215);
• root access via telnet (CVE-2020-24218); and
• unauthenticated file upload (CVE-2020-24217), which enables malicious code execution and command injection.

All of these can be exploited over the network or internet to hijack vulnerable equipment.

Kojenov also flagged vulnerabilities of high and medium severity: a buffer overflow (CVE-2020-24214) that stops the thing from working properly; and a way to access RTSP video streams without authorization (CVE-2020-24216).

Huawei insists the vulnerabilities were not introduced by its HiSilicon chips nor the SDK code it provides to manufacturers that use its components. That would mean someone else provided the makers of these video encoder devices application software riddled with holes, and this code was shipped with the equipment. The products just all happen to use the hi3520d chipset.

In a statement, a Huawei spokesperson said:

"Following the media reports about the suspected security issues (CVE-2020-24214, CVE-2020-24215, CVE-2020-24216, CVE-2020-24217, CVE-2020-24218, and CVE-2020-24219) in HiSilicon video surveillance chips on September 16, 2020, Huawei has launched an immediate investigation. After technical analysis, it was confirmed that none of the vulnerabilities were introduced by HiSilicon chips and SDK packages. Huawei is in favor of coordinated vulnerability disclosure by all organizations and individuals in the security research ecosystem to reduce the impact on stakeholders."

The encoders are used to stream video over IP networks, converting raw video signals to digital video using compression standards like H.264 or H.265 for distribution through a service like YouTube, or to be viewed directly in a web or app-based video player as an RTSP or HLS stream.

Critical vulnerabilities in multi-factor authentication

Critical vulnerabilities in multi-factor authentication (MFA) implementation in cloud environments where WS-Trust is enabled could allow attackers to bypass MFA and access cloud applications, such as Microsoft 365, which uses the protocol, according to new research from Proofpoint. As a result of the way Microsoft 365 session login is designed, an attacker could gain full access to a target's account including their mail, files, contacts, data and more. At the same time, these vulnerabilities could also be leveraged to gain access to other cloud services from Microsoft, including production and development environments such as Azure and Visual Studio.

Proofpoint first disclosed these vulnerabilities publicly at its virtual user conference Proofpoint Protect, but they have likely existed for years. The firm's researchers tested several Identity Provider (IDP) solutions, identified those that were susceptible and resolved the security issues. Microsoft is well aware that the WS-Trust protocol is “inherently insecure” and in a support document, the company said that it will retire the protocol for all new tenants in October of this year, for all new environments within a tenant in April of 2021, and for all new and existing environments within a tenant in April of 2022.

In some cases, an attacker can spoof their IP address to bypass MFA using a simple request header manipulation, while in others, altering the user-agent header can cause the IDP to misidentify the protocol and believe it was using Modern Authentication. With more employees working from home than ever before during the pandemic, MFA is quickly becoming a must-have security layer for cloud applications.

Prolific hackers indicted in the US

The U.S. Justice Department this week indicted seven Chinese nationals for a decade-long hacking spree that targeted more than 100 high-tech and online gaming companies. The government alleges the men used malware-laced phishing emails and supply-chain attacks to steal data from companies and their customers. One of the alleged hackers was first profiled here in 2012 as the owner of a Chinese antivirus firm. Charging documents say the seven men are part of a hacking group known variously as APT41, Barium, Winnti, Wicked Panda, and Wicked Spider.

Once inside a target organisation, the hackers stole source code, software code signing certificates, customer account data and other information they could use or resell. APT41’s activities span from the mid-2000s to the present day. Earlier this year, for example, the group was tied to a particularly aggressive malware campaign that exploited recent vulnerabilities in widely-used networking products, including flaws in Cisco and D-Link routers, as well as Citrix and Pulse VPN appliances.  

Security firm FireEye reported that hacking blitz “one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years.”

Mozi botnet accounts for 90% of the IoT network traffic

The Mozi botnet accounted for 90% of the IoT network traffic observed between October 2019 and June 2020, IBM reported. An IoT botnet that borrows the code from Mirai variants and the Gafgyt malware, Mozi appeared on the threat landscape in late 2019. The Mozi botnet was spotted by security experts from 360 Netlab, when at the time of its discovery it was actively targeting Netgear, D-Link and Huawei routers by probing for weak Telnet passwords to compromise them. According to the researchers, in the last months of 2019, the botnet was mainly involved in DDoS attacks. It implements a custom extended Distributed Hash Table (DHT) protocol that provides a lookup service similar to a hash table ([key, value]).

Mozi Botnet relies on the DHT protocol to build a P2P network, and uses ECDSA384 and the xor algorithm to ensure the integrity and security of its components and P2P network, according to the analysis published by the experts. The sample spreads via Telnet with weak passwords and some known exploits (see the list below). In terms of functions, the execution of the instructions of each node in the Mozi botnet is driven by a Payload called Config issued by the Botnet Master. This kind of implementation makes it simple to add/remove nodes with minimum workaround re-keys. The Mozi Botnet uses its own implementation of the extended DHT protocol to build a P2P network.

The malware spreads by attempting to guess Telnet passwords of target devices and leveraging known exploits. Once gained access to the device, the bot attempt to execute a malicious payload and the bot will automatically join the Mozi P2P network.

The botnet supports the following capabilities:

• DDoS attack
• Collecting bot Information
• Execute the payload of the specified URL
• Update the sample from the specified URL
• Execute system or custom commands

Serious Windows flaw patched in August

Microsoft's August Patch Tuesday included a fix for a severe elevation-of-privilege vulnerability that could allow an attacker on a network to impersonate any computer account within the domain, including the domain controller (the server responsible for handling security authentication requests), and reset the password for that account. The vulnerability, dubbed "Zerologon" (CVE-2020-1472), was assigned a CVSS score of 10, but technical details of the flaw weren't made public at the time of the patch's release.

Researchers have published an analysis of the vulnerability, and observers quickly realised the flaw is extremely serious. The vulnerability is trivial to exploit, and several public exploits are already available. The vulnerability is due to flaws in the custom AES cryptographic authentication scheme used by the Netlogon protocol. Netlogon is responsible for a number of features involving user account authentication, including updating passwords within the domain. Microsoft's August patch addresses this issue, and organisations are urged to apply the fix as soon as possible. Microsoft also plans to release a more comprehensive patch in February 2021.

Edited and compiled by QA's Director of Cyber, Richard Beck.

Subscribe to our weekly Cyber Pulse newsletter below.

Click here to find out about QA's extensive cyber-security courses.