Apr 10, 2024The Hacker NewsWebinar / Identity Security

We all know passwords and firewalls are important, but what about the invisible threats lurking beneath the surface of your systems?

Identity Threat Exposures (ITEs) are like secret tunnels for hackers – they make your security way more vulnerable than you think.

Think of it like this: misconfigurations, forgotten accounts, and old settings are like cracks in your digital fortress walls. Hackers exploit these weaknesses to steal login information, gain sneaky access, and move around your systems unnoticed, whether they’re in the cloud or on-site.

This upcoming webinar, “Today’s Top 4 Identity Security Threat Exposures: Are You Vulnerable?“ isn’t just for tech experts—it’s about protecting your business.

We’ll use real-world examples and insights from Silverfort’s latest report to show you the hidden dangers of ITEs. You’ll learn about:

• The Top 4 Identity Threats You Might Be Overlooking: We’ll name them and explain why they’re so dangerous.
• Shadow Admins: The Secret Superusers in Your SaaS: How these hidden accounts can put your data at risk.
• Service Accounts: Your Biggest Weakness? Why they’re so easy to exploit, and how to fix it.
• Actionable Steps To Find and Fix Your Weak Spots: Practical, easy-to-follow advice you can start using right away.

Don’t Let Hackers Win. Register for our free webinar and take control of your identity security.

This webinar is a wake-up call. We’ll help you uncover the unseen risks lurking in the shadows and give you the tools to fight back. Think of it as an X-ray vision for your digital security!

Your digital identity is your most important asset. Protect it with the knowledge you’ll gain in this webinar.

Jan 19, 2024NewsroomMalware / Endpoint Security

Pirated applications targeting Apple macOS users have been observed containing a backdoor capable of granting attackers remote control to infected machines.

“These applications are being hosted on Chinese pirating websites in order to gain victims,” Jamf Threat Labs researchers Ferdous Saljooki and Jaron Bradley said.

“Once detonated, the malware will download and execute multiple payloads in the background in order to secretly compromise the victim’s machine.”

The backdoored disk image (DMG) files, which have been modified to establish communications with actor-controlled infrastructure, include legitimate software like Navicat Premium, UltraEdit, FinalShell, SecureCRT, and Microsoft Remote Desktop.

The unsigned applications, besides being hosted on a Chinese website named macyy[.]cn, incorporate a dropper component called “dylib” that’s executed every time the application is opened.

The dropper then acts as a conduit to fetch a backdoor (“bd.log”) as well as a downloader (“fl01.log”) from a remote server, which is used to set up persistence and fetch additional payloads on the compromised machine.

The backdoor – written to the path “/tmp/.test” – is fully-featured and built atop an open-source post-exploitation toolkit called Khepri. The fact that it is located in the “/tmp” directory means it will be deleted when the system shuts down.

That said, it will be created again at the same location the next time the pirated application is loaded and the dropper is executed.

On the other hand, the downloader is written to the hidden path “/Users/Shared/.fseventsd,” following which it creates a LaunchAgent to ensure persistence and sends an HTTP GET request to an actor-controlled server.

While the server is no longer accessible, the downloader is designed to write the HTTP response to a new file located at /tmp/.fseventsds and then launch it.

Jamf said the malware shares several similarities with ZuRu, which has been observed in the past spreading via pirated applications on Chinese sites.

“It’s possible that this malware is a successor to the ZuRu malware given its targeted applications, modified load commands and attacker infrastructure,” the researchers said.

Jan 17, 2024NewsroomSpyware / Forensic Analysis

Cybersecurity researchers have identified a “lightweight method” called iShutdown for reliably identifying signs of spyware on Apple iOS devices, including notorious threats like NSO Group’s Pegasus, QuaDream’s Reign, and Intellexa’s Predator.

Kaspersky, which analyzed a set of iPhones that were compromised with Pegasus, said the infections left traces in a file named “Shutdown.log,” a text-based system log file available on all iOS devices and which records every reboot event alongside its environment characteristics.

“Compared to more time-consuming acquisition methods like forensic device imaging or a full iOS backup, retrieving the Shutdown.log file is rather straightforward,” security researcher Maher Yamout said. “The log file is stored in a sysdiagnose (sysdiag) archive.”

The Russian cybersecurity firm said it identified entries in the log file that recorded instances where “sticky” processes, such as those associated with the spyware, caused a reboot delay, in some cases observing Pegasus-related processes in over four reboot delay notices.

What’s more, the investigation revealed a the presence of a similar filesystem path that’s used by all the three spyware families – “/private/var/db/” for Pegasus and Reign, and “/private/var/tmp/” for Predator – thereby acting as an indicator of compromise.

That said, the success of this approach hinges on a caveat that the target user reboots their device as often as possible, the frequency for which varies according to their threat profile.

Kaspersky has also published a collection of Python scripts to extract, analyze, and parse the Shutdown.log in order to extract the reboot stats.

“The lightweight nature of this method makes it readily available and accessible,” Yamout said. “Moreover, this log file can store entries for several years, making it a valuable forensic artifact for analyzing and identifying anomalous log entries.”

The disclosure comes as SentinelOne revealed information stealers targeting macOS such as KeySteal, Atomic, and JaskaGo (aka CherryPie or Gary Stealer) are quickly adapting to circumvent Apple’s built-in antivirus technology called XProtect.

“Despite solid efforts by Apple to update its XProtect signature database, these rapidly evolving malware strains continue to evade,” security researcher Phil Stokes said. “Relying solely on signature-based detection is insufficient as threat actors have the means and motive to adapt at speed.”

Dec 28, 2023NewsroomSpyware / Hardware Security

The Operation Triangulation spyware attacks targeting Apple iOS devices leveraged never-before-seen exploits that made it possible to even bypass pivotal hardware-based security protections erected by the company.

Russian cybersecurity firm Kaspersky, which discovered the campaign at the beginning of 2023 after becoming one of the targets, described it as the “most sophisticated attack chain” it has ever observed to date. The campaign is believed to have been active since 2019.

The exploitation activity involved the use of four zero-day flaws that were fashioned into a chain to obtain an unprecedented level of access and backdoor target devices running iOS versions up to iOS 16.2 with the ultimate goal of gathering sensitive information.

The starting point of the zero-click attack is an iMessage bearing a malicious attachment, which is automatically processed sans any user interaction to ultimately obtain elevated permissions and deploy a spyware module. Specifically, it involves the weaponization of the following vulnerabilities –

• CVE-2023-41990 – A flaw in the FontParser component that could lead to arbitrary code execution when processing a specially crafted font file, which is sent via iMessage. (Addressed in iOS 15.7.8 and iOS 16.3)
• CVE-2023-32434 – An integer overflow vulnerability in the Kernel that could be exploited by a malicious app to execute arbitrary code with kernel privileges. (Addressed in iOS 15.7.7, iOS 15.8, and iOS 16.5.1 )
• CVE-2023-32435 – A memory corruption vulnerability in WebKit that could lead to arbitrary code execution when processing specially crafted web content. (Addressed in iOS 15.7.7 and iOS 16.5.1)
• CVE-2023-38606 – An issue in the kernel that permits a malicious app to modify sensitive kernel state. (Addressed in iOS 16.6)

It’s worth noting that patches for CVE-2023-41990 were released by Apple in January 2023, although details about the exploitation were only made public by the company on September 8, 2023, the same day it shipped iOS 16.6.1 to resolve two other flaws (CVE-2023-41061 and CVE-2023-41064) that were actively abused in connection with a Pegasus spyware campaign.

This also brings the tally of the number of actively exploited zero-days resolved by Apple since the start of the year to 20.

Of the four vulnerabilities, CVE-2023-38606 deserves a special mention as it facilitates a bypass of hardware-based security protection for sensitive regions of the kernel memory by leveraging memory-mapped I/O (MMIO) registers, a feature that was never known or documented until now.

The exploit, in particular, targets Apple A12-A16 Bionic SoCs, singling out unknown MMIO blocks of registers that belong to the GPU coprocessor. It’s currently not known how the mysterious threat actors behind the operation learned about its existence. Also unclear is whether it was developed by Apple or it’s a third-party component like ARM CoreSight.

To put it in another way, CVE-2023-38606 is the crucial link in the exploit chain that’s closely intertwined with the success of the Operation Triangulation campaign, given the fact that it permits the threat actor to gain total control of the compromised system.

“Our guess is that this unknown hardware feature was most likely intended to be used for debugging or testing purposes by Apple engineers or the factory, or that it was included by mistake,” security researcher Boris Larin said. “Because this feature is not used by the firmware, we have no idea how attackers would know how to use it.”

“Hardware security very often relies on ‘security through obscurity,’ and it is much more difficult to reverse-engineer than software, but this is a flawed approach, because sooner or later, all secrets are revealed. Systems that rely on “security through obscurity” can never be truly secure.”

The development comes as the Washington Post reported that Apple’s warnings in late October about Indian journalists and opposition politicians may have been targeted by state-sponsored spyware attacks prompted the government to question the veracity of the claims and describe them as a case of “algorithmic malfunction” within the tech giant’s systems.

In addition, senior administration officials demanded that the company soften the political impact of the warnings and pressed the company to provide alternative explanations as to why the warnings may have been sent. So far, India has neither confirmed nor denied using spyware such as those by NSO Group’s Pegasus.

Citing people with knowledge of the matter, the Washington Post noted that “Indian officials asked Apple to withdraw the warnings and say it had made a mistake,” and that “Apple India’s corporate communications executives began privately asking Indian technology journalists to emphasize in their stories that Apple’s warnings could be false alarms” to shift the spotlight away from the government.

Web Application Security consists of a myriad of security controls that ensure that a web application:

1. Functions as expected.
2. Cannot be exploited to operate out of bounds.
3. Cannot initiate operations that it is not supposed to do.

Web Applications have become ubiquitous after the expansion of Web 2.0, which Social Media Platforms, E-Commerce websites, and email clients saturating the internet spaces in recent years.

As the applications consume and store even more sensitive and comprehensive data, they become an ever more appealing target for attackers.

Common Attack Methods

The three most common vulnerabilities that exist in this space are Injections (SQL, Remote Code), Cryptographic Failures (previously sensitive data exposure), and Broken Access Control (BAC). Today, we will focus on Injections and Broken Access Control.

Injections

SQL is the most common Database software that is used, and hosts a plethora of payment data, PII data, and internal business records.

A SQL Injection is an attack that uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed.

The starting point for this, is a command such as the one below:

This will return ALL rows from the “Users” table, since OR 1=1 is always TRUE. Going further with this, this method will also return passwords if there are any.

Picture an attack like this being performed against a large social media company, or a large e-commerce business, and one can begin to see how much sensitive data can be retrieved with just one command.

Broken Access Control

Broken Access Control (BAC) has risen the ranks on the OWASP top ten from fifth to the most common Web Application Security Risks. The 34 Common Weakness Enumerations (CWEs) mapped to Broken Access Control had more occurrences in applications than any other category during OWASP’s recent testing.

The most common types of BAC, is Vertical and Horizontal privilege escalation. Vertical privilege escalation occurs when a user can elevate their privileges and perform actions, they should not have access to do.

The CVE-2019-0211, which was an Apache Local Privilege Escalation. This critical vulnerability, from 2019, affected Apache HTTP servers running on Unix systems, especially those utilizing the mod_prefork, mod_worker, and mod_event libraries.

This granted attackers the capability to execute unprivileged scripts, potentially leading to root access and compromising shared hosting services. Exploiting this flaw requires the manipulation of shared-memory regions within Apache’s worker processes, which must be done before initiating an Apache graceful restart.

The below is a screenshot of the POC code. As one can see, a certain level of technical ability is required in this respect, however, vertical privilege escalation can just as easily occur when a user’s permissions are overly permissive, or not revoked when they leave a business.

This takes us back to the principle of least privilege, a ubiquitous term found throughout the IT world, that is now becoming more commonplace as we realise how crucial web applications have become.

Horizontal Privilege Escalation is when a user gains access to data they are not supposed to have access to, but that data is held at the same level as their own permissions. This can be seen with one standard user accessing the data of another standard user. Whilst this should not be allowed, the privileges are not rising vertical, but spreading horizontally. This is sometimes seen as more dangerous, as it can occur without raising any alerts on security systems.

With BAC becoming ever more present in the last couple of years, it is important to remember:

• Solely depending on obfuscation is not a sufficient method for access control.
• If a resource is not meant to be accessible to the public, it should be denied access by default.
• Developers should explicitly specify allowed access for each resource at the code level, with access denial as the default setting.

Best Practices – Read between the Lines (of code!)

To maintain security, developers need to verify incoming data, implement parameterized queries when interacting with databases, and apply effective session management methods to protect sensitive data. Much of this relies on both the security of web browsers, but also of the back-end security of the web servers delivering web content, leading to a segregation of duties in web security.

The biggest problem that arises here, is that whilst Web Application Firewalls (WAFs), can mitigate these risks, much of the responsibility for secure implementation of web content lands at the feet of the developers who put these sites together. Cybersecurity can often become an afterthought, with functionality being preferred.

Practical Example – Input Validation

Input Validation is the simplest and most effective ways to implement secure coding, in this example to prevent SQL injections.

1. User Input: The user provides input, for example:

2. Sanitization: The user input is not directly inserted into the SQL query. It is sanitized and treated as data, not as SQL code.
3. Query Execution: The SQL query is executed with the user input as a parameter:
4. As such, the query enters the backend as below:

In this code, the (user_input,) is a tuple containing the user’s input. The database driver takes care of escaping and properly handling this input. It ensures that the input is treated as a data value, not executable SQL code.

If the user input contains malicious code, such as “105 or 1=1,” it is not executed as SQL. Instead, it’s treated as a value to be compared to the UserId in the database.

The database driver automatically handles the escaping of the input, preventing it from affecting the structure of the SQL query or introducing security vulnerabilities.

Web Application Firewalls (WAFs)

A WAF operates at layer 7 of the OSI model, and acts as a reverse proxy, ensuring client traffic passes through the WAF before entering the backend server. The rules or policies on the WAF protect against the documented vulnerabilities that are present in these backend servers and filter out malicious traffic.

There are a plethora of WAFs on the market, and these can all provide a strong defence against the more novel attacks, and contribute well to a defence in depth approach, the practice of secure coding is something that ensure the foundations of the web application is secure and will not fall victim to more complex or novel attacks in the future.

WAFs are currently moving towards a mixture of security model that use behavioural-analysis technologies to detect malicious threats, and further mitigate against the threats of more advanced ‘bots’ which have been leveraged for low-effort attacks on websites.

The main drawback of using a WAF, aside from the added latency and HTTP overhead, is the fact that a WAF can be bypassed by using a 0-day exploit against a web application, which secure coding and correct sanitisation can mitigate against more effectively that offsetting all Web application security to a WAF. It is important to remember a WAF is simply a layer of security, and not the entire solution.

Incident Response and Recovery

SecurityHQ’s suggestions to mitigate against attacks:

1. Employing a WAF as a first line of defence is critical to ensure business can defend against a large volume of attacks.
2. Ensure up-to-date and strong standard algorithms and protocols are in use, this should be paired with proper key management.
3. Encrypt data in transit with secure protocols such as TLS with forward secrecy (FS) ciphers, cipher prioritization by the server. Enforce encryption using directives such as HTTP Strict Transport Security (HSTS).
4. Enable bot management strategies on websites and have a documented incident response plan.
5. Ensure secure development practices are in place, with a documented process of testing new features on web applications and ensure input validation is deployed.
• This should be coupled with ensuring the principle of least privilege.
6. Regularly test for vulnerabilities, with Vulnerability Management, and Managed Defense with IBM tooling, and keep track of component versions.
7. Utilise a red application test to uncover vulnerabilities scanners cannot find.
8. Ensure Developers are regularly trained to keep up with the latest security trends and emerging threats.

For more information on these threats, speak to an expert here. Or if you suspect a security incident, you can report an incident here.

Note: This article was expertly written by Tim Chambers, Senior Cyber Security Manager at SecurityHQ