Here is our cyber security news round-up of the week:
Desktop Ubuntu vulnerability allows privilege escalation
A vulnerability in Ubuntu Display Manager (gdm) could allow a standard user to create accounts with increased privileges, giving a local attacker a path to run code with administrator permissions (root). Although certain conditions are necessary, the bug is easy to exploit. The process involves running a few simple commands in the terminal and modifying general system settings that do not require increased rights.
GitHub’s security researcher Kevin Backhouse discovered a simple way to trick an already set-up Ubuntu system into running the account configuration routine for a new system. This scenario requires an administrator account to set up the machine and install applications. The researcher found that ‘gdm3’ triggered this sequence when the ‘accounts-daemon’ of the AccountsService component was not running. A standard user should not be able to stop it.
However, researchers discovered two vulnerabilities in AccountsService that caused the component to hang (CVE-2020-16127) and drop user account privileges (CVE-2020-16126), allowing a standard user to crash the daemon by sending it a delayed segmentation fault signal (kill -SIGSEGV). The delay is necessary to give time to log out of the current session or the user is locked out. These two vulnerabilities affect Ubuntu 20.10, Ubuntu 20.04, Ubuntu 18.04, and Ubuntu 16.04. For CVE-2020-16127, the researcher explains in a blog post that it was caused by code added to Ubuntu’s version of AccountService that does not exist in the upstream version maintained by freedesktop. This bug is now tracked as CVE-2020-16125 and rated with a high severity score of 7.2 out of 10.
ICS/IOT vulnerabilities in two Schneider PLCs
Two security vulnerabilities in Schneider Electric’s programmable logic controllers (PLCs) could allow attackers to compromise a PLC and move on to more sophisticated critical infrastructure attacks. PLCs are key pieces of equipment in environments such as electric utilities and factories. They control the physical machinery footprint in factory assembly lines and other industrial environments, and are a key part of operational technology (OT) networks. According to researchers, the issues are present in the company’s EcoStruxure Machine Expert v1.0 PLC management software, and in the firmware for the M221 PLC, version 188.8.131.52, respectively.
Schneider Electric recommends patching the engineering software, updating the firmware of the controller and blocking ports on the firewall. CVE details for Schneider specific vulnerabilities can be found here. Trustwave added that customers should also use two different complex passwords for different application protections, and take steps to ensure only the engineering workstation and authorised clients can communicate to the PLC directly.
Tech news service provider Mashable suffers a data breach
Mashable, a major tech and culture news website, has reported a data breach which has resulted in the personal data of their users being exposed online. On Sunday 8 November Mashable issued a statement confirming that their database had been breached and that readers who used their social media sign-in feature to access the site, have had their details posted online. The data that has been exposed includes users’ full names, locations, genders, email addresses, IP address and links to their social media profiles.
The Mashable statement said that “based on our review, the database related to a feature that, in the past, had allowed readers to use their social media account sign-in (such as Facebook or Twitter) to make sharing content from Mashable easier.”
The company also reminded its users not to share any passwords, personal details, or payment information with other parties.
“We appreciate your attention to this important topic and sincerely apologise for any concern or inconvenience this incident may cause. Protecting our users’ data is one of our highest priorities. We are working hard to investigate the issue and prevent it from happening again,” said Mashable.
Google Play Store identified as main distribution for Android malware
The official Google Play Store has been identified as the primary source of malware installs on Android devices in a recent academic study – considered the largest one of its kind carried out to date. Using telemetry data provided by NortonLifeLock (formerly Symantec), researchers analysed the origin of app installations on more than 12 million Android devices for a four-month period between June and September 2019.
In total, researchers looked at more than 34 million APK (Android application) installs for 7.9 million unique apps. Researchers said that depending on different classifications of Android malware, between 10% and 24% of the apps they analysed could be described as malicious or unwanted applications. But the researchers focused specifically on the "who-installs-who relationships between installers and child apps" to discover the path malicious apps take to reach user devices. The results showed that around 67% of the malicious app installs researchers identified came from the Google Play Store.
RegretLocker targets virtual hard drives
Researchers discovered a new ransomware strain called RegredLocker, and it was analysed by Advanced Intel's Vitali Kremez. This new ransomware strain has a simple, old-school way of communicating its ransom note. No fancy Tor portal, no bombastic gasconade, just a simple email saying, "Hello friend. All your files are encrypted. If you want to restore them, please email us."
When ransomware encrypts files on a computer, it is not efficient to encrypt a large file as it slows down the entire encryption process’s speed. RegretLocker uses an interesting technique of mounting a virtual disk file so each of its files can be encrypted individually. To do this, RegretLocker uses the Windows Virtual Storage API OpenVirtualDisk, AttachVirtualDisk and GetVirtualDiskPhysicalPath functions to mount virtual disks. Once the virtual drive is mounted as a physical disk in Windows, the ransomware can encrypt each one individually, which increases the speed of encryption.
In addition to using the Virtual Storage API, RegretLocker also utilises the Windows Restart Manager API to terminate processes or Windows services that keep a file open during encryption. But if the name of a process contains ‘vnc’, ‘ssh’, ‘mstsc’, ‘System’, or ‘svchost.exe’, the ransomware will not terminate it. This exception list is likely used to prevent the termination of critical programs or those used by the threat actor to access the compromised system.
Edited and compiled by QA's Director of Cyber, Richard Beck.
Subscribe to our weekly Cyber Pulse newsletter below.
Stay in the know
Subscribe to our monthly Learning Matters newsletter and stay up to date with QA's latest news, views, offers, must-go-to events and more.
And if you want to keep up with the latest cyber news, why not subscribe to our weekly Cyber Pulse newsletter.
Richard Beck is Director of Cyber at QA. He works with customers to build effective and successful learning solutions tailored for business needs, helping to solve business problems. Richard has designed and architected numerous enterprise and nationwide cyber programmes for QA customers. Responsible for the QA cyber portfolio, products, proposition and cyber partner community. He has over 15 years' experience in senior Information Security roles.
Prior to QA, Richard was Head of Information Security for an organisation who underpin 20% of the UK's Critical National Infrastructure. Richard also held Security and Technical Management posts in Defence, Financial Services and HMG. He holds a number of leading cyber professional certifications, including CISSP, CISM, CISA.
Richard sits on a number of industry boards and security advisory panels, and previously chaired the Communication Industry Personnel Security Information Exchange (CPNI). He is the work stream lead for Cyber Skills & Diversity on the techUK Cyber Management Committee, in addition Richard is also supporting a work stream for the UK Cyber Security Council Formation project. Richard is a regular contributor for cyber insights and industry collaboration including speaker engagements.
He is also a STEM Ambassador working to engage and enthuse young people in the area of cyber security. Providing a unique perspective on the world of cyber security to teachers and encourage young people to consider a career in cyber security.
More articles by Richard
Cyber Pulse: Edition 151 | 5 May
Cyber Pulse: Edition 150 | 23 April
Cyber Pulse: Edition 149 | 9 April
Stop your search for cyber security talent
Cyber Pulse: Edition 148 | 1 April
Cyber Pulse: Edition 147 | 16 March
Cyber Pulse: Edition 146 | 4 March 2021
Cyber Pulse: Edition 145 | 19 February 2021
Cyber Pulse: Edition 144 | 5 February 2021
Cyber Pulse: Edition 143 | 27 January 2021