VPNs emerge as new channel for attacks as security researchers uncover multiple security issues

Virtual Private Networks are used to shield online users against web attacks and other online threats, but with the emergence of new vulnerabilities they can now be weaponised against users. A group of academics has found that an attacker can sniff, hijack and tamper with VPN-tunneled connections by abusing a flaw in Linux, Android, macOS, and other Unix-based operating systems. The vulnerability, tracked as CVE-2019-14899, resides in the networking stacks of multiple Unix-based operating systems and, more specifically, in how the operating systems reply to unexpected network packet probes. Attackers can exploit the vulnerability to spot vulnerable devices and extract various details about the user’s VPN connection status. The attack was successful against VPN technologies such as OpenVPN, WireGuard, and IKEv2/IPSec.

Researchers from Immersive Labs have uncovered multiple local privilege escalation vulnerabilities in Aviatrix VPN. The VPN is used by NASA, Shell, and BT. The issues can allow attackers to gain root privileges on affected computers and steal confidential files and folders; they can also use those root privileges against network services. The discovery comes just two months after the National Security Agency (NSA) and the National Security Council (NSC) issued a warning regarding state-sponsored attackers targeting vulnerable VPN products. Following the disclosure, Aviatrix took swift action and patched the issue by releasing a new version, v2.4.10, on November 4. Given the increasing security risks on VPNs, organisations should ensure they have adequate security controls in place to protect themselves against potential cyberattacks. Additionally, they should adopt white-listed and secured VPNs to prevent online threats.

 

OpenBSD fixes authentication bypass flaw and other severe bugs

OpenBSD is an operating system that is known for its security protections. Earlier this week, researchers from Qualys Research Labs reported four vulnerabilities in the operating system. The first, tracked as CVE-2019-19521, is an authentication bypass vulnerability. The operating system uses BSD Authentication, which enables the use of passwords. If an attacker specifies a username in a specific format, the authentication can be bypassed because of the vulnerability. Through smtpd, ldapd, and radiusd, the vulnerability can be exploited remotely. The security advisory says, “If an attacker specifies a username of the form "-option", they can influence the behavior of the authentication program in unexpected ways.” Apart from this authentication bypass flaw, a local privilege escalation problem tracked as CVE-2019-19520 was also fixed. This flaw allowed attackers who already had local access to OpenBSD to obtain the privileges of the set-group-ID "auth" group through xlock. The flaw is said to be caused by a failed check in xlock. Yet another local privilege escalation vulnerability, CVE-2019-19522, was also fixed; this flaw existed in the S/Key and YubiKey functions. Another vulnerability, CVE-2019-19519, which existed in the ‘su’ function, was also patched. The fixes were reported to have been developed and rolled out in less than 40 hours by the OpenBSD team. Users of OpenBSD 6.5 and OpenBSD 6.6 are advised to install the available security patches.
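The advisory quote above describes a classic argument-injection pattern: a value that is meant to be data (a username) begins with "-" and is read by a getopt-style program as an option. The following added example, which is not OpenBSD's code or Qualys's proof of concept, uses a constructed toy helper to show why an unhardened caller is affected, and the two defensive measures a caller should apply: validating the username against an allow-list pattern, and terminating option parsing with "--" before passing the name. A small log-audit function at the end flags option-shaped usernames in constructed log lines so defenders can spot attempts after the fact. All names, the `login_helper` program and the log lines are assumptions made for the example.

```python
import re

def toy_auth_helper(argv):
    """Constructed stand-in for an authentication helper that parses argv the
    way getopt-style programs do: anything starting with '-' is an option,
    and '--' ends option processing.  Returns how the helper interpreted argv."""
    options, positional = [], []
    args = iter(argv[1:])            # argv[0] is the program name
    for arg in args:
        if arg == "--":
            positional.extend(args)  # everything after '--' is data, not options
            break
        if arg.startswith("-"):
            options.append(arg)
        else:
            positional.append(arg)
    return {"options": options, "positional": positional}

def build_argv_unsafe(username):
    """Unhardened caller: the username is placed where the helper reads options."""
    return ["login_helper", username]

# Allow-list: first character must be a letter or underscore, so a name can
# never begin with '-'.  (Pattern is an assumption; adapt to site policy.)
USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

def validate_username(username):
    """Reject usernames that could be misread as options or carry odd characters."""
    if not USERNAME_RE.match(username):
        raise ValueError("username rejected by allow-list: %r" % username)
    return username

def build_argv_safe(username):
    """Hardened caller: validate first, then end option parsing with '--'
    so that even an option-shaped name reaches the helper as data."""
    validate_username(username)
    return ["login_helper", "--", username]

# Constructed log lines (not real OpenBSD output) for the audit function below.
SAMPLE_LOG = [
    "Dec  5 10:00:01 host smtpd[1201]: auth failure for user alice",
    "Dec  5 10:00:07 host smtpd[1201]: auth failure for user -option",
    "Dec  5 10:00:09 host radiusd[880]: auth success for user bob",
    "Dec  5 10:00:12 host ldapd[990]: auth failure for user -another-option",
]
LOG_RE = re.compile(r"auth (?:failure|success) for user (\S+)")

def find_option_like_usernames(lines):
    """Return (line_number, username) for every log line whose username starts with '-'."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if m and m.group(1).startswith("-"):
            hits.append((n, m.group(1)))
    return hits

if __name__ == "__main__":
    print("unsafe :", toy_auth_helper(build_argv_unsafe("-option")))
    print("safe   :", toy_auth_helper(build_argv_safe("alice")))
    print("audit  :", find_option_like_usernames(SAMPLE_LOG))
```

The two measures are independent: the allow-list stops option-shaped names at the boundary, and the "--" terminator protects the call even if validation is bypassed or forgotten elsewhere in the code path.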

 

Dexphot Malware hijacked 80K+ devices to mine cryptocurrency

Microsoft is warning of malware, Dexphot, that has infected more than 80,000 machines, sucking up their CPU power in order to mine cryptocurrency. Researchers first discovered Dexphot in October 2018 and saw its activity peak during July. They said that the malware has a complex attack chain and also uses various methods to outwit detection efforts, including an obfuscated script designed to check for antivirus products, and regularly scheduled malware updates. Researchers did not say how Dexphot is initially spread; Threatpost has reached out for further comment. During the initial execution stage, Dexphot first writes five key files to the disk. With the exception of one of the files – an installer with two URLs – most of these files are legitimate processes, making detection of the malware difficult. These legitimate system processes include msiexec.exe (for installing MSI packages later in the process), rundll32.exe (for loading a loader DLL, which later downloads a password-protected ZIP archive), unzip.exe (for extracting files from the password-protected ZIP archive), schtasks.exe (for scheduled tasks), and powershell.exe (for forced updates). Once running, the installer then uses two URLs to download malicious payloads. Dexphot also uses these two URLs later to establish persistence, update the malware and re-infect the device. Researchers say that Dexphot uses a variety of sophisticated methods to evade security solutions, including using layers of obfuscation, encryption and randomized file names to hide its installation process.
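Because every binary in the chain above is a legitimate Windows tool, detecting it by file name is hopeless; what stands out is the parent-child lineage (msiexec spawning rundll32, which in turn runs unzip.exe against a password-protected archive and schtasks.exe to schedule powershell.exe). The following added example, which is not Microsoft's detection logic or any vendor's rule, shows how to apply that lineage reasoning to process-creation telemetry. The events are constructed for the example and loosely modelled on the chain described in the text; the field layout, paths and the `-P` password switch for unzip are assumptions, not observed Dexphot indicators.

```python
# Constructed process-creation events (not real telemetry):
# (pid, parent_pid, image_name, command_line)
EVENTS = [
    (100, 1,   "explorer.exe", "explorer.exe"),
    (200, 100, "msiexec.exe",  r"msiexec.exe /i C:\Users\u\AppData\Local\Temp\setup.msi /qn"),
    (300, 200, "rundll32.exe", r"rundll32.exe C:\Users\u\AppData\Local\Temp\loader.dll,Start"),
    (400, 300, "unzip.exe",    r"unzip.exe -P secret C:\Users\u\AppData\Local\Temp\pkg.zip -d C:\Users\u\AppData\Local\Temp\out"),
    (500, 300, "schtasks.exe", r"schtasks.exe /create /sc minute /mo 90 /tn Updater /tr powershell.exe"),
    # Benign comparison: an ordinary MSI install with no rundll32 descendants.
    (600, 100, "msiexec.exe",  r"msiexec.exe /i C:\Program Files\Vendor\app.msi"),
    (700, 100, "schtasks.exe", r"schtasks.exe /query"),
]

def index_by_pid(events):
    return {e[0]: e for e in events}

def ancestry(by_pid, pid):
    """Image names from the given pid upward: self, parent, grandparent, ...
    Stops at an unknown pid or if a cycle is encountered."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        _, ppid, image, _ = by_pid[pid]
        chain.append(image.lower())
        pid = ppid
    return chain

def detect(events):
    """Return (pid, reason) alerts for processes whose lineage matches the
    loader chain described above.  Rules are deliberately narrow: each one
    requires both a suspicious command line and a rundll32.exe ancestor."""
    by_pid = index_by_pid(events)
    alerts = []
    for pid, ppid, image, cmd in events:
        img, low = image.lower(), cmd.lower()
        parents = ancestry(by_pid, ppid)          # lineage excluding self
        if "rundll32.exe" not in parents:
            continue
        if img == "unzip.exe" and " -p " in low:
            alerts.append((pid, "password-protected archive extracted under rundll32.exe"))
        elif img == "schtasks.exe" and "/create" in low and "powershell" in low:
            alerts.append((pid, "scheduled task running powershell.exe created under rundll32.exe"))
        elif img == "powershell.exe":
            alerts.append((pid, "powershell.exe launched under rundll32.exe"))
    return alerts

def chain_summary(events, pid):
    """Human-readable lineage for an alert, e.g. 'explorer.exe > msiexec.exe > ...'."""
    return " > ".join(reversed(ancestry(index_by_pid(events), pid)))

if __name__ == "__main__":
    for pid, reason in detect(EVENTS):
        print(pid, reason, "|", chain_summary(EVENTS, pid))
```

Keying the rules on lineage rather than on file names is what keeps the benign `msiexec.exe` and `schtasks.exe /query` events out of the alerts; in production the same idea is expressed over Sysmon or EDR process-creation events, with the parent chain reconstructed from process GUIDs rather than bare pids.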

 

Critical Android flaw leads to Permanent DoS

Google has released an update stomping out three critical-severity vulnerabilities in its Android operating system — one of which could result in “permanent denial of service” on affected mobile devices if exploited. The vulnerabilities are part of Google’s December 2019 Android Security Bulletin, which deployed fixes for critical, high and medium-severity vulnerabilities tied to 15 CVEs overall. Qualcomm, whose chips are used in Android devices, also patched 22 critical and high-severity vulnerabilities. The other two critical flaws (CVE-2019-2222 and CVE-2019-2223) exist in Android’s Media framework. This framework includes support for playing a variety of common media types, so that users can easily utilize audio, video and images. Android devices running operating system versions 8.0, 8.1, 9 and 10 have received fixes for these two bugs, which could enable a remote attacker using a crafted file to execute code within the context of a privileged process. There are no current reports of these vulnerabilities being exploited in the wild.

 

Edited and compiled by cyber security specialist James Aguilan.