The Good, the Bad and the Ugly in Cybersecurity – Week 16

The Good

Last month, Microsoft released an out-of-band security update addressing a total of seven CVEs, four of which are associated with ongoing, targeted attacks. Since then, numerous organizations have patched their systems. But many haven’t, and this puts them in grave danger. Step up, the US government, which in an unprecedented (and in some quarters controversial) move this week conducted a court-authorized operation to remove malicious web shells from infected servers on US soil. The operation covered devices running on-premises versions of Microsoft Exchange Server and vulnerable to HAFNIUM.

“The FBI conducted the removal by issuing a command through the web shell to the server, which was designed to cause the server to delete only the web shell” explained the US Justice Department.

The FBI says it will attempt to alert server owners through their publicly available contact information or ISP provider via an email message from an account.

It’s important to note that the action doesn’t actually patch those vulnerable servers from further compromise. Organizations of all shapes and sizes need to take responsibility and ensure they have a thorough and robust patch management policy and practices in place.

And for those who missed the news: in this month’s patch Tuesday (April 2021), Microsoft released security updates including new mitigations for additional on-premise Exchange Server vulnerabilities. CISA has issued an alert on the same vulnerability and recommends to patch immediately.

The Bad

It has been suggested that within five years there will be some 41.6 billion IoT devices in the home, enterprise and industrial environments. Most of these devices are insecure by nature, and others, although possessing some form of security mechanisms, may be left exposed due to poor cyber hygiene and lack of IoT security know-how. In June 2020, a set of vulnerabilities affecting millions of ‘Smart’ devices named “Ripple20” fired a warning shot to businesses about the potential dangers of IoT in the enterprise. Now, a new set of nine such vulnerabilities are exposing an estimated 100 million devices worldwide, including numerous IoT products and IT management servers.

The collection of vulnerabilities, dubbed Name:Wreck, were found within the DNS implementations of four TCP/IP stacks in widespread use by device manufacturers: FreeBSD, IPnet, NetX and Nucleus NET. The related CVEs are CVE-2016-20009, CVE-2020-7461, CVE-2020-15795, CVE-2020-27009, CVE-2020-27736, CVE-2020-27737, CVE-2020-27738, and CVE-2021-25677.

An attacker exploiting the Name:Wreck vulnerabilities could cause a Denial of Service via either crashing the device or knocking it offline. Even worse, researchers say, Name:Wreck could be used to gain control of a vulnerable device remotely, including devices responsible for critical building functions such as heating and ventilation.

Among those affected are devices produced by Siemens, who are now releasing emergency patches. In some cases, however, the device manufacturers haven’t created mechanisms that would allow users to update the vulnerable code. In other situations, the manufacturers no longer produce or support the component anymore, and it’s almost impossible to notify owners and alert them.

Consequently, these vulnerabilities are likely to persist for many years to come. Now that they have been made public, it’s inevitable that attackers will look for ways to search for and exploit any such devices exposed to the public internet.

The Ugly

In case you hadn’t heard, Clubhouse is an audio-only social media app that facilitates auditory communication through rooms that can accommodate groups of up to 5,000 people, and it is the social media platform of the moment. Estimated to be valued at around $4 billion, the app owes its success to a new user experience that allows unprecedented intimacy with other users: the rooms are “ad-hoc” and the content is generated and shared live, and then it’s gone. However, some of the appeal may be lost if users find their privacy is being violated. This week, an SQL database containing 1.3 million scraped Clubhouse user records leaked for free on a popular hacker forum.

The leaked database contains a variety of user-related information from Clubhouse profiles, including:

  • User ID
  • Name
  • Photo URL
  • Username
  • Twitter handle
  • Instagram handle
  • Number of followers
  • Number of people followed by the user
  • Account creation date
  • Invited by user profile name

The company said that the data is already publicly available and that it can be accessed by “anyone” via their API. A nice, but controversial admission that didn’t assuage the concerns of some.

That raises questions about the privacy stance of the company, since the way Clubhouse is built lets anyone with a token, or via an API, query the entire body of public Clubhouse user profile information. The unfortunate reality is, however, that the kind of data contained in the leaked files can be used by threat actors to target Clubhouse users with phishing and social engineering attacks.