Cyber Pulse: Edition 156 | 2 July 2021

Majority of web apps in 11 industries are vulnerable all the time

Two-thirds of the applications deployed by the utility sector and 63% of those deployed by public administration organisations have a serious vulnerability undermining security every day of the year, according to a report published by WhiteHat Security. Overall, 11 industries saw a serious vulnerability in at least half of their applications every day for the last year. The top three industries on the list — utilities, public administration and professional services — take at least 288 days on average to fix vulnerabilities, according to the company's monthly AppSec Stats Flash report for June.

The trend is being fuelled, at least partially, by an increase in testing for new applications and legacy applications that have not previously been tested, according to WhiteHat. The number of tested applications has increased by about 10% across the major industry sectors, with two vulnerabilities found on average per site. Companies have expanded testing because recent ransomware attacks have raised business-continuity concerns and because the pandemic has the average company deploying more cloud applications to support remote workers. Another problem is that developers continue to make the same mistakes.

The top five classes of vulnerabilities haven't changed over time, with the most common flaws being information leakage, insufficient session expiration, insufficient transport layer protection, cross-site scripting and content spoofing. According to Secure Code Warrior, common vulnerabilities, many of which have been known for decades, continue to persist within the software development lifecycle (SDLC) because reactive measures (such as scanners, tooling and pen-testing) often only find the problem after the application is in production, and rarely do they address the reason for the problem or its source.

Researchers identify a lack of security in private 5G networks

A survey from GSMA and Trend Micro shows a concerning lack of security capabilities for private 5G networks – think factories, smart cities, industrial IoT, utilities and more. As 5G private networks roll out in the coming years, security may be a key issue for enterprises. A survey released at Mobile World Congress on Monday shows that major gaps persist in security capabilities among mobile operators. Some 68% of operators already sell private wireless networks to enterprise customers, with the rest planning to do so by 2025, according to the study from the GSMA and Trend Micro. However, from a security perspective, these may not be ready for prime time: 41% of surveyed operators said they face challenges when it comes to solving vulnerabilities related to 5G’s network virtualisation, for instance.

5G networks represent a sea change from prior wireless networks in that they are largely software-defined and virtualised. Network functions, historically defined in hardware, become virtual software capabilities in 5G, all orchestrated via a flexible software control plane. Even the air interfaces in the radio access network (RAN) are software-defined in 5G. The problem is that this raises the possibility for rafts of exploitable vulnerabilities to emerge throughout the architecture in places that were never exposed before.

The stakes are higher, too. When it comes to 5G, it’s faster and has lower latency than earlier generations of wireless networks and will support a range of next-gen applications, including smart-factory installations, smart cities, autonomous vehicles, telesurgery, advanced data analytics and artificial intelligence, among others. As such, 5G private networks will roll out in a variety of settings, including: factories, where they’ll connect sensors and a range of industrial internet of things (IoT) devices; hospital and educational campuses; stadiums; industrial locations such as mines, ports and oil rigs; and to support public-safety applications.

EU Commission decides on adequacy for UK privacy

The Commission has today adopted two adequacy decisions for the United Kingdom – one under the General Data Protection Regulation (GDPR) and the other for the Law Enforcement Directive. Personal data can now flow freely from the European Union to the United Kingdom where it benefits from an essentially equivalent level of protection to that guaranteed under EU law. The adequacy decisions also facilitate the correct implementation of the EU-UK Trade and Cooperation Agreement, which foresees the exchange of personal information, for example for cooperation on judicial matters. Both adequacy decisions include strong safeguards in case of future divergence such as a "sunset clause", which limits the duration of adequacy to four years. 

Didier Reynders, Commissioner for Justice, said: “After months of careful assessments, today we can give EU citizens certainty that their personal data will be protected when it is transferred to the UK. This is an essential component of our new relationship with the UK. It is important for smooth trade and the effective fight against crime. The Commission will be closely monitoring how the UK system evolves in the future and we have reinforced our decisions to allow for this and for an intervention if needed. The EU has the highest standards when it comes to personal data protection and these must not be compromised when personal data is transferred abroad.”

For the first time, the adequacy decisions include a so-called "sunset clause", which strictly limits their duration. This means that the decisions will automatically expire four years after their entry into force. After that period, the adequacy findings might be renewed, however, only if the UK continues to ensure an adequate level of data protection. During these four years, the Commission will continue to monitor the legal situation in the UK and could intervene at any point if the UK deviates from the level of protection currently in place. Should the Commission decide to renew the adequacy finding, the adoption process would start again.

Transfers for the purposes of UK immigration control are excluded from the scope of the adequacy decision adopted under the GDPR in order to reflect a recent judgment of the England and Wales Court of Appeal on the validity and interpretation of certain restrictions of data protection rights in this area. The Commission will reassess the need for this exclusion once the situation has been remedied under UK law.

Cloud container infrastructure under attack

Attacks against container infrastructure are continuing to increase in both frequency and sophistication. It takes just a few hours for scanning tools to detect a new vulnerable container online. The attacks are becoming more evasive, while the supply chain is now increasingly targeted. A report from Aqua Security’s Team Nautilus reveals that attacks targeting companies’ container infrastructure, including Docker images, have climbed nearly 600% in a year. Typosquatting and credential stuffing are two of the most common ways that attackers use to target servers hosting Docker daemons or Kubernetes containers. When attackers gain access, they most often install cryptomining software or attempt to escape the container and compromise the host system. More than 90% of these attacks are designed to hijack resources for cryptomining. Most of these are related to the Kinsing malware campaign, which downloads cryptominers.

The recent mass compromise of IPs via Kubernetes or K8s containers between March and May by TeamTNT is one such example, highlighting the scale of the supply chain impact. Researchers confirmed that close to 50,000 IPs were compromised by the gang across multiple clusters. Some of these IPs were repeatedly exploited during this period to launch a large-scale cryptojacking attack. The rise in the abuse of container platforms for cryptojacking attacks is a potential short-term gain in terms of profit for attackers. However, researchers explain that the long-term goal of such attacks is gaining a backdoor to the environment and achieving additional access to the victims’ environments and networks.

Ransomware builder leaked online

A builder for Babuk Locker ransomware has been leaked online, allowing easy access to an advanced ransomware strain. Because of this, any interested individual or criminal group with little technical skills can start their own ransomware operation. According to researchers, this builder can be used to create custom versions of Babuk Locker. These versions can encrypt files hosted on Windows, ARM-based NAS devices, and ESXi servers. Moreover, every custom version of Babuk encryptor created using the builder app can generate decrypters. They can also be used to restore the encrypted files from each victim. In May, the gang rebranded its ransomware leak site as Payload[.]bin. Further, it started working as a third-party host for other ransomware gangs who wanted to leak files from victims, however, did not want to operate their own leak site.

It is not known if the gang attempted to sell its ransomware builder to a third party in a transaction that went south, or if the builder was leaked by a rival gang or a security researcher. Babuk Locker’s builder was leaked online when it was uploaded on the VirusTotal malware scanning portal. The leak of such advanced ransomware code is a grave cause of concern for cybersecurity experts. It is surmised that such leaks allow small cybercrime gangs to adopt leaked builders to develop new ransomware.

Windows 11 security features planned for December release

Security specialists are offering preliminary feedback on Microsoft's sneak peek at the new security measures to be included in the Windows 11 operating system, which is slated for release in December. The operating system, which is essentially an upgraded version of Windows 10, will include "zero trust" capability, hardware-based isolation, encryption and malware prevention turned on by default. The OS also will be designed to make it easier for users to have the option to go passwordless, the company says.

David Weston, Microsoft's director of enterprise and operating system security, says: "This next generation of Windows will raise the security baseline by requiring more modern CPUs, with protections like virtualisation-based security, hypervisor-protected code integrity and Secure Boot built-in and enabled by default to protect from both common malware, ransomware and more sophisticated attacks. We have worked closely with our manufacturer and silicon partners to raise security baselines to meet the needs of the evolving threat landscape and the new world of hybrid work and learning." 

In its announcement about Windows 11, Microsoft did not offer granular details on the new security features. It also did not offer a timeline for when support for Windows 10 might end. The company ceased supporting Windows 7 in January 2020. Microsoft states in its Windows 11 announcement: "The new set of hardware security requirements that comes with Windows 11 is designed to build a foundation that is even stronger and more resilient to attacks." Microsoft says Windows 11 will have improved capability to deliver chip-to-cloud zero trust protection by requiring Trusted Platform Module version 2.0. Windows 11 also will offer, by default, support for Microsoft Azure Attestation, which is designed to enable users to enforce zero-trust policies when accessing sensitive resources in the cloud with supported mobile device management systems.

WordPress plugin with yet more vulnerabilities

Multiple vulnerabilities in a popular WordPress plugin used to upload profile photos could allow an attacker to achieve remote code execution (RCE), researchers warn. Four security issues, which were all assigned a high CVSS score of 9.8, were discovered in May by researchers from Wordfence. These flaws made it possible for an attacker to escalate user privileges and upload malicious code – resulting in the complete takeover of a WordPress site.

Originally, as explained in an advisory from Wordfence, its only functionality was to upload photos, however a recent change saw the plugin augmented with new features including user login and registration. It was flaws in the security of these feature updates that resulted in the vulnerabilities. The critical vulnerabilities were reported to WordPress on 27 May, and a patch was released by 30 May. Wordfence said they “recommend that users immediately update to the latest version available” of WordPress, currently version 3.1.8. Vulnerable versions include 3.0-3.1.3.

Adobe Experience Manager with zero-day vulnerability           

A zero-day vulnerability has been discovered in a popular content management solution used by high-profile companies including Deloitte, Dell and Microsoft. The bug in Adobe Experience Manager (AEM) was detected by two members of Detectify’s ethical hacking community. If left unchecked, the weakness allows attackers to bypass authentication and gain access to CRX Package Manager, leaving applications open to remote code execution (RCE) attacks. Detectify Crowdsource members Ai Ho (@j3ssiejjj) and Bao Bui (@Jok3rDb) uncovered the vulnerability and named it AEM CRX Bypass. 

"Since it went live in May 2021, around 30 instances of the AEM CRX Bypass vulnerability have been in customers’ web applications," said a Detectify spokesperson. 

Detectify's scans for more than 80 unique AEM vulnerabilities have generated over 160,000 hits in total so far. 

The pair found that several large organisations were affected by the bug, including Mastercard, LinkedIn, PlayStation and McAfee. The vulnerability occurs at CR package endpoints and can be remediated by blocking public access to the CRX consoles. The zero-day flaw was reported to Adobe, who swiftly released a patch for it. The AEM CRX Bypass zero-day was then implemented as a security test module on Detectify’s platform. 

Windows PrintNightmare bug accidentally leaked

Proof-of-concept exploit code has been published online today for a vulnerability in the Windows Print Spooler service that can allow a total compromise of Windows systems. Tracked as CVE-2021-1675, the vulnerability was patched earlier this month in the Microsoft June 2021 Patch Tuesday security updates. The vulnerability impacts Print Spooler (spoolsv.exe), a Windows service that serves as a generic universal interface between the Windows OS, applications, and local or networked printers, allowing app developers to easily initiate print jobs.

Initially, no technical write-up or proof-of-concept code was published for CVE-2021-1675, meaning that attackers who wanted to abuse this bug had to investigate the patch code themselves and create an exploit if they wanted to integrate this bug in their attacks. Since the CVE-2021-1675 vulnerability, which the Sangfor team codenamed PrintNightmare, has been revised by Microsoft into an RCE attack vector, and PoC exploit code is now in the public domain, companies are advised to update their Windows fleets as soon as possible. Of note is that the vulnerability impacts all Windows OS versions available today and might even affect deprecated Windows versions such as XP and Vista. Since Print Spooler bugs have been abused in attacks in the past, the chances are pretty high that this bug would be abused as well, especially since it’s an RCE, a vulnerability class prized by most attackers.