Cyber Pulse: Edition 143 | 27 January 2021

Here is our cyber security news round-up of the week:

TikTok bug could have exposed users' profile data and phone numbers

Cybersecurity researchers on Tuesday disclosed a now-patched security flaw in TikTok that could have potentially enabled an attacker to build a database of the app's users and their associated phone numbers for future malicious activity. Although this flaw only impacts those users who have linked a phone number with their account or logged in with a phone number, successful exploitation of the vulnerability could have resulted in data leakage and privacy violation, Check Point Research said in an analysis shared with The Hacker News.

TikTok has deployed a fix to address the shortcoming following responsible disclosure from Check Point researchers. The newly discovered bug resides in TikTok's "Find friends" feature that allows users to sync their contacts with the service to identify potential people to follow. The contacts are uploaded to TikTok via an HTTP request in the form of a list that consists of hashed contact names and the corresponding phone numbers. The app, in the next step, sends out a second HTTP request that retrieves the TikTok profiles connected to the phone numbers sent in the previous request. This response includes profile names, phone numbers, photos, and other profile related information.

Active NHS Covid-19 vaccination phishing attack

A very active phishing campaign is underway pretending to be from the UK's National Health Service (NHS), alerting recipients that they are eligible to receive the Covid-19 vaccine.

Numerous Twitter users are reporting that they received this type of phishing email, with some being in the right age group to be eligible and thus falling for the scam. There are multiple variants of the phishing emails, but they all claim to be from the NHS at noreply@nhs.gov.uk (the real NHS domain is nhs.uk) and use mail subjects similar to "IMPORTANT - Public Health Message| Decide whether if you want to be vaccinated." The phishing email asks the recipient if they want to accept or decline the invitation to schedule their Covid-19 vaccination. Regardless of the button selected, the recipient will be brought to a fake NHS site stating that they were chosen for the vaccination based on their medical history and genetics:

"The NHS is performing selections for coronavirus vaccination on the basis of family genetics and medical history. You have been selected to receive a coronavirus vaccination," the phishing landing page reads.

The recipient will again be asked to accept or reject the invitation, but regardless of the button entered, they are pushed through a series of pages asking for personal information. This information includes the person's name, mother's maiden name, address, mobile number, credit card information, and banking information. Once this information is submitted, the phishing page will state that the application is confirmed and that the NHS will contact the person to schedule the appointment.

After a few seconds, the page will redirect the browser to the real NHS site at https://www.nhs.uk/.

NHS will never require this info for a vaccine. To help people spot NHS Covid-19 phishing scams, the NHS tweeted today that the vaccine is free of charge and that they will never ask for bank account info or copies of personal identification documents. The NHS has created a webpage explaining how people will be contacted to receive the Covid-19 vaccination and spot a scam. It is also important to remember that the NHS' website is at www.nhs.uk and not in the format of nhs.gov.uk or nhs.org.uk, like other UK government websites.

Apple releases bug fixes for security vulnerabilities

Apple has released updates for iOS, iPadOS, and tvOS with fixes for three security vulnerabilities that it says may have been actively exploited in the wild. Reported by an anonymous researcher, the three zero-day flaws – CVE-2021-1782, CVE-2021-1870 and CVE-2021-1871 – could have allowed an attacker to elevate privileges and achieve remote code execution. The iPhone maker did not disclose how widespread the attack was or reveal the identities of the attackers actively exploiting them.

While the privilege escalation bug in the kernel (CVE-2021-1782) was noted as a race condition that could cause a malicious application to elevate its privileges, the other two shortcomings – dubbed a "logic issue" – were discovered in the WebKit browser engine (CVE-2021-1870 and CVE-2021-1871), permitting an attacker to achieve arbitrary code execution inside Safari. Apple said the race condition and the WebKit flaws were addressed with improved locking and restrictions, respectively.

While exact details of the exploit leveraging the flaws are unlikely to be made public until the patches have been widely applied, it wouldn't be a surprise if they were chained together to carry out watering hole attacks against potential targets. Such an attack would involve delivering the malicious code simply by visiting a compromised website that then takes advantage of the vulnerabilities to escalate its privileges and run arbitrary commands to take control of the device.

10-years-old Linux bug lets users gain root-level access

A major vulnerability impacting a large chunk of the Linux ecosystem has been patched today in Sudo, an app that allows admins to delegate limited root access to other users. The vulnerability, which received a CVE identifier of CVE-2021-3156, but is more commonly known as "Baron Samedit", was discovered by security auditing firm Qualys two weeks ago and was patched earlier today with the release of Sudo v1.9.5p2. In a simple explanation provided by the Sudo team today, the Baron Samedit bug can be exploited by an attacker who has gained access to a low-privileged account to gain root access, even if the account isn't listed in /etc/sudoers – a config file that controls which users are allowed access to su or sudo commands in the first place.

The Qualys team reported that "other operating systems and distributions are also likely to be exploitable." For the technical details behind this bug, please refer to the Qualys report. The Qualys team said they were able to independently verify the vulnerability and develop multiple exploit variants for Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33 (Sudo 1.9.2).

Cisco DNA Center bug opens enterprises to remote attack

The high-severity security vulnerability (CVE-2021-1257) allows cross-site request forgery (CSRF) attacks, which could open enterprise users to remote attack and takeover. The flaw exists in the web-based management interface of the Cisco DNA Center, which is a centralised network-management and orchestration platform for Cisco DNA. The DNA Center allows deep reach and visibility into an organisation’s network, all from one point of entry.

CSRF is an attack that forces an end user to execute unwanted actions on a web application in which the person is currently authenticated. Thus, the bug could allow an unauthenticated, remote attacker to “conduct an attack to manipulate an authenticated user into executing malicious actions without their awareness or consent,” according to Cisco’s advisory, issued on Monday. An attacker could exploit the vulnerability by socially engineering a web-based management user into following a specially crafted link, say via a phishing email or chat. If the user clicks on the link, the attacker can then perform arbitrary actions on the device with the privileges of the authenticated user.

Edited and compiled by QA's Director of Cyber, Richard Beck.

Subscribe to our weekly Cyber Pulse newsletter Find out about QA's extensive cyber-security courses