All of us at Tripwire’s Vulnerability Exposure and Research Team (VERT) are constantly looking out for interesting stories and developments in the infosec world. Here’s what cybersecurity news stood out to us during the week of March 21, 2022. I’ve also included some comments on these stories.
Misconfigured Firebase Databases Exposing Data In Mobile Apps
It’s a gold mine of exploit opportunity in thousands of mobile apps, researchers say. And it’s no wonder; five percent of the databases are vulnerable to threat actors. Thousands of mobile apps – some of which have been downloaded tens of millions of times – are exposing sensitive data from open cloud-based databases due to misconfigured cloud implementations, new research from Check Point has found.
Samantha Zeigler | Security Researcher at Tripwire
It's important to remember that cloud database security is just as important as the security of the applications themselves. The security of any given application is only as secure as its most easily exploited vulnerability. It is essential for developers to ensure their databases are secured with the proper settings before adding any sensitive information into them. The availability of the cloud from almost anywhere makes it a valuable tool - one that can be easily exploited when misconfigurations are present.
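To make the misconfiguration concrete, here is an added JavaScript example (not code from the Check Point research or from Tripwire). It audits a Firebase Realtime Database rules document for `.read`/`.write` rules that are unconditionally true, and interprets the response to the unauthenticated `GET <database-url>/.json` probe that is the usual way open databases are found. The three rule documents and the probe responses are constructed samples; `probe()` is the only part that touches the network and is not exercised here.

```javascript
// Walk a Realtime Database rules document and report every ".read" or
// ".write" that is unconditionally true (boolean true or the string "true").
function auditFirebaseRules(rulesDoc) {
  const findings = [];
  const walk = (node, path) => {
    if (node === null || typeof node !== "object") return;
    for (const [key, value] of Object.entries(node)) {
      if (key === ".read" || key === ".write") {
        const open = value === true || (typeof value === "string" && value.trim() === "true");
        if (open) findings.push({ path, rule: key });
      } else if (!key.startsWith(".")) {
        // Child location (including $wildcards); .validate/.indexOn are skipped.
        walk(value, path === "/" ? `/${key}` : `${path}/${key}`);
      }
    }
  };
  walk(rulesDoc.rules ?? {}, "/");
  return findings;
}

// Interpret an unauthenticated GET on <database-url>/.json. A 200 means the
// root is world-readable (the body is the literal "null" when the tree is
// empty); when rules deny the read the service answers 401 with
// {"error":"Permission denied"}.
function classifyProbe(status, body) {
  if (status === 200) return { worldReadable: true, hasData: body.trim() !== "null" };
  if (status === 401 || status === 403) return { worldReadable: false, hasData: false };
  return { worldReadable: false, hasData: false, note: `unexpected status ${status}` };
}

// Live probe for Node 18+ (global fetch). Not called in this example.
async function probe(dbUrl) {
  const res = await fetch(`${dbUrl.replace(/\/$/, "")}/.json`);
  return classifyProbe(res.status, await res.text());
}

// Constructed rule sets: the weak setting beside a corrected one.
const OPEN_RULES = { rules: { ".read": true, ".write": true } };
const LOCKED_RULES = {
  rules: {
    ".read": false,
    ".write": false,
    users: {
      "$uid": { ".read": "$uid === auth.uid", ".write": "$uid === auth.uid" },
    },
  },
};
// A common half-fix: the root is locked but one subtree is left public.
const PARTIAL_RULES = {
  rules: { ".read": "auth != null", ".write": false, public: { ".read": "true" } },
};
```

`auditFirebaseRules(PARTIAL_RULES)` reports `/public` even though the root looks safe, which is the case a quick glance at the rules editor tends to miss. Note that `auth != null` at the root only keeps anonymous users out; any account that can sign in to the app still reads the whole tree, which is why the corrected document scopes access per user instead.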
New Browser-in-the-Browser (BITB) Attack Makes Phishing Nearly Undetectable
A novel phishing technique called browser-in-the-browser (BitB) attack can be exploited to simulate a browser window within the browser to spoof a legitimate domain, thereby making it possible to stage convincing phishing attacks, reports The Hacker News. Says one pen tester, “once landed on the attacker-owned website, the user will be at ease as they type their credentials away on what appears to be the legitimate website (because the trustworthy URL says so).”
Dylan D’Silva | Security Researcher at Tripwire
Having never heard of BITB attacks (Browser-In-The-Browser attacks), I found that this article instantly caught my attention. The "use case" here is that this method of phishing takes advantage of third-party SSO options embedded into websites, such as "Sign in with Google" (or Facebook, Microsoft, etc.).
When users click those links to sign in with the respective service, they are usually greeted with a pop-up to complete the sign-in/authentication process. The pen tester and cybersecurity researcher that discovered this flaw was able to replicate the process using a mix of HTML and CSS code to create a completely fake sign-in window. This will eventually lead to credential harvesting.
The general advice and best practice is to "Check the URL" to make sure it's going to the right website and domain. The goal of his research was to see if it was possible to make that advice less reliable. I found the pen tester’s/cybersecurity researcher's write up on this specific issue and watched the demo/PoC he created. It's impressive to say the least.
The one caveat to this type of attack is that the user would still need to land on your website in the first place, and then click the SSO service for credentials to be harvested. With PoCs being available, I would expect to see this style of attack increase in the future.
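As an added illustration (not the researcher's PoC and not Tripwire code), the following JavaScript captures the structural tell of a BitB page in a heuristic that a phishing-page scanner could apply: the page shows a trusted login URL as visible text inside its own HTML, while nothing in the page's `src`, `href` or `action` attributes actually references that host. The SSO host list, the two HTML snippets and the host names `attacker.example` and `shop.example` are constructed for the example.

```javascript
// Login hosts that BitB pages typically imitate (assumed list; extend it).
const SSO_HOSTS = new Set([
  "accounts.google.com",
  "login.microsoftonline.com",
  "login.live.com",
  "www.facebook.com",
  "appleid.apple.com",
]);

// Text the user can see: drop script/style bodies, then tags, then collapse space.
function visibleText(html) {
  return html
    .replace(/<(script|style)\b[^>]*>[\s\S]*?<\/\1>/gi, " ")
    .replace(/<[^>]+>/g, " ")
    .replace(/\s+/g, " ");
}

// Hosts the page really loads from or submits to (src / href / action),
// resolved against the page's own origin so relative paths count as local.
function referencedHosts(html, pageHost) {
  const hosts = new Set();
  const attr = /\b(?:src|href|action)\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = attr.exec(html)) !== null) {
    try {
      hosts.add(new URL(m[1], `https://${pageHost}/`).hostname.toLowerCase());
    } catch {
      // javascript:, mailto: and malformed values are not navigation targets
    }
  }
  return hosts;
}

// A finding is an SSO host that is displayed as a URL in page text while the
// page neither is that host nor references it anywhere: a painted address bar.
function detectBitb(html, pageHost) {
  const shown = new Set();
  const urlInText = /https?:\/\/([a-z0-9.-]+)/gi;
  let m;
  const text = visibleText(html);
  while ((m = urlInText.exec(text)) !== null) shown.add(m[1].toLowerCase());
  const real = referencedHosts(html, pageHost);
  const findings = [];
  for (const host of shown) {
    if (SSO_HOSTS.has(host) && host !== pageHost.toLowerCase() && !real.has(host)) {
      findings.push({ spoofedHost: host, servedFrom: pageHost });
    }
  }
  return findings;
}

// Constructed sample: a fake "popup" drawn with HTML/CSS. The address bar is
// just a div, and the form inside is served from the attacker's own origin.
const FAKE_POPUP_HTML = `
<div class="fake-window">
  <div class="titlebar">Sign in - Google Accounts</div>
  <div class="urlbar">&#128274; https://accounts.google.com/signin/oauth</div>
  <iframe src="/login-form.html"></iframe>
</div>`;

// Constructed sample: a legitimate page that merely links to the real host.
const BENIGN_HTML = `
<p>Prefer not to create an account? Sign in at
<a href="https://accounts.google.com/signin">https://accounts.google.com/signin</a></p>`;
```

This is a heuristic: an attacker who paints the address bar as an image rather than text evades it, so treat a hit as a triage signal, not proof. The dependable check a user can perform is the one the article's premise implies: a genuine sign-in popup is a separate browser window and can be dragged outside the edges of the page that opened it, while an HTML/CSS imitation is confined to the page.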
New Dell BIOS Bugs Affect Millions of Inspiron, Vostro, XPS, Alienware Systems
Five new security weaknesses have been disclosed in Dell BIOS that, if successfully exploited, could lead to code execution on vulnerable systems. They join the firmware vulnerabilities recently uncovered in Insyde Software's InsydeH2O and in HP's UEFI (Unified Extensible Firmware Interface) firmware.
Dylan D’Silva | Security Researcher at Tripwire
BIOS vulnerabilities are just as serious as other OS and software related vulnerabilities and need to be patched ASAP. The number three PC manufacturer in the world, Dell, which had a ~19.5% global market share in PC shipments in Q4 2021, has confirmed 5 new BIOS vulnerabilities across multiple product lines including Inspiron, Vostro, XPS, Alienware, and Edge Gateway 3000 Series.
These new flaws cannot be detected by firmware monitoring systems due to the limitations of TPM (Trusted Platform Modules) measurement. These flaws relate to improper input validation vulnerabilities affecting the System Management Mode (SMM) of the firmware, effectively allowing a local authenticated attacker to leverage the system management interrupt (SMI) to achieve arbitrary code execution.
System Management Mode refers to a special-purpose CPU mode in x86 microcontrollers that's designed for handling system-wide functions like power management, system hardware control, thermal monitoring, and other proprietary manufacturer-developed code.
The researchers who discovered these bugs have attributed them to the lack of input sanitation and/or generally insecure coding practices. An additional part of the challenge is the support for legacy components that are still widely deployed to the field, as the same vulnerability will be fixed over multiple iterations.
Recommendations
- Upgrade the BIOS on all affected machines as soon as possible.
- Depending on how many systems and users this will affect, ensure this is properly planned out. Users should be notified that their systems will be updated (and to save their work). Consider the other impacts it will have on your users and systems and plan accordingly.
- Implement a vulnerability management program to ensure you and your team are staying on top of both new and existing vulnerabilities. The goal here is to reduce your attack surface, attack vectors and risk exposure to be as small as possible. This is an on-going exercise that will continue to develop your cybersecurity best practices; not a "one-and-done" scenario. Good vulnerability management plays an integral part in your overall risk strategy and tolerance.
Microsoft, Okta Confirm Data Breaches Involving Compromised Accounts
Microsoft and Okta have both confirmed suffering data breaches after a cybercrime group announced targeting them, but the companies claim the impact is limited, reports SecurityWeek. A threat group calling itself Lapsus$ announced recently that it had gained access to the source code of Microsoft products such as Bing and Cortana.
Dylan D’Silva | Security Researcher at Tripwire
Two large names in the tech industry have been hit with data breaches: Microsoft and Okta. The Lapsus$ group is on a literal cyber-crime spree, having now hit Samsung, NVIDIA, Vodafone, and Ubisoft too.
In Microsoft's case they leaked 40GB of data which was pulled from a compromised account.
Microsoft has confirmed that it was a limited access, and interestingly enough, they do not rely on code secrecy as a security measure and have assured customers that the exposed code does not lead to an elevation risk. They have also noted that customer code and data have not been compromised.
In Okta's case (they specialize in IAM (Identity and Access Management)), while Lapsus$ has not leaked any data, they did post screenshots to confirm they had gained access to customer accounts, giving them the ability to reset passwords and access an admin panel. Okta confirmed the breach affected ~2.5% of its customers; while that may seem small, they claim they have hundreds of millions of users.
Digging a little further into Okta's incident, they confirmed that an unsuccessful attempt was made to compromise the account of a customer support engineer at a third-party provider in January of this year. An investigation revealed they had access to a support engineer's device in mid-January. The larger concern echoing throughout the cybersecurity community and its customers is why the incident was not disclosed sooner.
Microsoft has published a detailed blog post on the activities, techniques, and tactics of Lapsus$, which is a very interesting read. Within that article, they have listed a number of recommendations to combat the actions of Lapsus$ and strengthen your overall security posture, which are as follows:
- Strengthen MFA Implementation
- Require healthy & trusted endpoints
- Strengthen and monitor your cloud security posture
- Improve awareness of social engineering attacks
- Establish operational security processes (monitor your incident response channels)
Two final thoughts:
- Be proactive in your risk mitigation and strengthening your overall security posture. This is an ongoing, never-ending exercise. The stronger your digital walls are, hopefully the less damage you will incur.
- Every organization, business, government is at some level of risk for being breached. While Lapsus$ may be targeting tech giants, there are other groups out there that will attack medium and small business without hesitation. Do not think that you/your business is immune to these types of attacks.
Malicious npm packages target Azure developers to steal personal data
ZDNet reports that a "large scale" attack is targeting Microsoft Azure developers through malicious npm packages. On Wednesday, cybersecurity researchers from JFrog said that hundreds of malicious packages have been identified, created to steal valuable personally identifiable information (PII) from developers.
Dylan D’Silva | Security Researcher at Tripwire
Typosquatting (a form of phishing) is being leveraged with malicious npm packages, targeting Azure developers to steal personal data. Typosquatting is defined as a form of phishing that relies on mistakes such as typos or omissions made by users when inputting websites into a browser or commands into a shell. The idea here is to redirect the user to a fake website that looks and feels the same as the original, true intended website the user meant to browse to.
npm is one of the world's largest software registries, containing over 800K code packages. npm is used by open-source developers to share software. npm Repos (repositories) were discovered on March 21st with ~50 malicious packages, growing to over 200 in just a few days. The attackers developed an automated script that targets the @azure npm scope, as well as @azure-rest, @azure-tests, @azure-tools, and @cadl-lang. It creates accounts and uploads the malicious npm sets which include container services, a health bot testers and storage packagers.
In this specific case, the attackers are relying on the fact that some developers may forget to add the "@azure" prefix when installing a package, meaning that instead of running the correct command of 'npm install @azure/core-tracing', the devs are running 'npm install core-tracing' by mistake.
I can easily admit that this is a mistake that I would be prone to making as it’s so easy to get caught up in running command after command in a terminal, but a quick way to mitigate this would be to always ensure you are using the auto-tab completion feature. It's typically enabled by default in most Ubuntu and Debian based Linux distros, but if it's not, ensure you install the bash-completion package.
Here is a full list of the malicious packages. It has also been noted that the npm packages in question have been removed by npm maintainers, but Azure devs should be aware going forward.
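As an added example (not JFrog's tooling and not Tripwire code), the JavaScript below audits the dependency names in a `package.json` for the exact mistake described above: an unscoped name such as `core-tracing` where the legitimate package is `@azure/core-tracing`. It goes one step beyond the page's case and also flags near-miss spellings of popular packages, since the same typosquatting logic applies there. The known-package inventory, the popular-package list and the sample `package.json` are constructed for the example; nothing here asserts which names exist on the registry.

```javascript
// Scoped packages the team legitimately depends on (assumed inventory; in
// practice generate it from your lockfile or the registry).
const KNOWN_SCOPED = [
  "@azure/core-tracing",
  "@azure/identity",
  "@azure/storage-blob",
  "@azure/core-http",
];
// Popular unscoped names worth protecting against near-miss typos (assumed).
const POPULAR = ["lodash", "express", "react", "axios"];

// "@azure/core-tracing" -> "core-tracing"; unscoped names pass through.
function unscopedName(name) {
  const slash = name.indexOf("/");
  return name.startsWith("@") && slash > 0 ? name.slice(slash + 1) : name;
}

// Optimal string alignment distance: Levenshtein plus adjacent transposition,
// so "lodahs" is one edit away from "lodash" rather than two.
function osaDistance(a, b) {
  const d = Array.from({ length: a.length + 1 }, (_, i) =>
    Array.from({ length: b.length + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)),
  );
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      d[i][j] = Math.min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost);
      if (i > 1 && j > 1 && a[i - 1] === b[j - 2] && a[i - 2] === b[j - 1]) {
        d[i][j] = Math.min(d[i][j], d[i - 2][j - 2] + 1);
      }
    }
  }
  return d[a.length][b.length];
}

// One finding per suspicious dependency: the scope was dropped from a known
// scoped package, or the name is one edit away from a popular package.
function auditDependencies(deps) {
  const findings = [];
  for (const name of Object.keys(deps)) {
    if (!name.startsWith("@")) {
      for (const known of KNOWN_SCOPED) {
        if (unscopedName(known) === name) {
          findings.push({ name, reason: "scope dropped", expected: known });
        }
      }
    }
    for (const popular of POPULAR) {
      const dist = osaDistance(name, popular);
      if (dist > 0 && dist <= 1) findings.push({ name, reason: "near miss", expected: popular });
    }
  }
  return findings;
}

function auditPackageJson(pkg) {
  return auditDependencies({ ...(pkg.dependencies ?? {}), ...(pkg.devDependencies ?? {}) });
}

// Constructed package.json fragment: one correct scoped dependency, one with
// the scope dropped (the mistake the page describes), one near-miss typo.
const SAMPLE_PACKAGE_JSON = {
  dependencies: {
    "@azure/identity": "^2.0.4",
    "core-tracing": "^1.0.0",
    "lodahs": "^4.17.21",
    "express": "^4.17.3",
  },
};
```

Run it against a real manifest with `auditPackageJson(JSON.parse(fs.readFileSync("package.json", "utf8")))` in a pre-commit hook or CI step. Since install-time scripts are the usual delivery mechanism for malicious packages, pairing this with `ignore-scripts=true` in `.npmrc` (or `npm install --ignore-scripts`) limits the damage a mis-typed install can do before anyone looks at the name.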
Honda bug lets a hacker unlock and start your car via replay attack
Researchers have disclosed a 'replay attack' vulnerability affecting select Honda and Acura car models that allows a nearby hacker to unlock your car and even start its engine from a short distance, reports Bleeping Computer.
Dylan D’Silva | Security Researcher at Tripwire
While we've known for a while that vehicles are susceptible to flaws and vulnerabilities, here is another example of why OEMs and software companies need to take vulnerability management seriously.
Researchers have discovered a new bug in Honda vehicles that affects the 2016-2020 Honda Civic (LX, EX, EX-L, Touring, Si & Type R), which will allow an attacker to unlock and remotely start your car. Classified as a Man-in-the-Middle attack, but more specifically a replay attack, the attacker captures the RF signals sent from your key fob to the car when a button is pressed and can resend the signals to obtain control of the RKE (remote keyless entry) system. Here are a couple of videos by the researchers that discovered this bug.
The CVE it's being tracked under was responsibly disclosed to Honda; however, Honda confirmed that they "have no plans to update older vehicles" and used some interesting justification as to why they are choosing not to patch (stating that multiple automakers use legacy technology for remote lock/unlock, and that a nearby thief can use other means to access a vehicle, as opposed to relying on hi-tech attacks). This also does not appear to be the first time a bug like this has been reported to Honda. The article mentions two other instances (in 2020 and January 2022 respectively); however, it appears they've made no attempt to remediate.
Recommendations From the Researchers
- Use Passive Keyless Entry (PKE) if available on your fob, which is an enhancement to RKE that allows you to lock and unlock doors based on physical proximity, without the need to push a button on the fob to lock or unlock.
- Visit the dealership to get your key fob reset.
With all other "things" that fight for time, attention, and resources, it's easy to see how vulnerability and patch remediation by OEMs and software manufacturers may be deprioritized, but choosing to ignore them may have larger safety implications.
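To show what a replay attack is and what stops it, here is an added JavaScript simulation (not the researchers' code and not Tripwire code). A fixed-code remote, the kind of legacy design the page describes, accepts a recorded press verbatim; a rolling-code remote sends an increasing counter with a tag over it and rejects anything the car has already seen or anything outside its resync window. The keyed mixing function `toyMac` is a non-cryptographic stand-in for the keyed cipher or MAC a real system uses, and the key values and window size are assumptions for the demo.

```javascript
// Fixed-code RKE: every press sends the same bytes, so a recording is as good
// as the fob. This is the class of system the page describes as replayable.
function makeFixedFob(code) {
  return { press: () => ({ code }) };
}
function makeFixedCar(code) {
  return { receive: (msg) => msg.code === code };
}

// Non-cryptographic keyed mixing (FNV-1a style) standing in for a real keyed
// cipher or MAC. Deterministic in (key, counter); not for use outside this demo.
function toyMac(key, counter) {
  let h = (0x811c9dc5 ^ key) >>> 0;
  for (let shift = 0; shift < 32; shift += 8) {
    h ^= (counter >>> shift) & 0xff;
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h;
}

// Rolling-code RKE: the fob sends an ever-increasing counter plus a tag over
// it; the car accepts only a fresh counter that lies inside a resync window.
function makeRollingFob(key) {
  let counter = 0;
  return {
    press: () => {
      counter += 1;
      return { counter, tag: toyMac(key, counter) };
    },
  };
}
function makeRollingCar(key, windowSize = 16) {
  let lastSeen = 0;
  return {
    receive: (msg) => {
      if (msg.tag !== toyMac(key, msg.counter)) return false; // forged or wrong key
      if (msg.counter <= lastSeen) return false;               // replay of an old press
      if (msg.counter > lastSeen + windowSize) return false;   // fob too far ahead (desynced)
      lastSeen = msg.counter;
      return true;
    },
  };
}

// The attack from the page: record one legitimate press, then send the very
// same message again later. Returns whether each transmission was accepted.
function replayScenario(fob, car) {
  const captured = fob.press();
  return {
    firstAccepted: car.receive(captured),
    replayAccepted: car.receive(captured),
  };
}
```

The rolling-code car also shows the desync case: press a fob more times than the window allows while out of range and the next press is rejected until the fob is resynced, which is the behaviour behind the researchers' "get your key fob reset" advice for systems that support it. Rolling codes defeat the straight replay simulated here; they do not by themselves defeat an attacker who jams the car's receiver while recording a press and sends that still-unused code later, which is a separate attack class from the one reported against Honda.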
Keep in Touch with Tripwire VERT
Want more insights from Tripwire VERT before our next cybersecurity news roundup comes out? Subscribe to our newsletter here.