Mar 29, 2024NewsroomVulnerability / Linux

Details have emerged about a vulnerability impacting the “wall” command of the util-linux package that could be potentially exploited by a bad actor to leak a user’s password or alter the clipboard on certain Linux distributions.

The bug, tracked as CVE-2024-28085, has been codenamed WallEscape by security researcher Skyler Ferrante. It has been described as a case of improper neutralization of escape sequences.

“The util-linux wall command does not filter escape sequences from command line arguments,” Ferrante said. “This allows unprivileged users to put arbitrary text on other users’ terminals, if mesg is set to “y” and wall is setgid.”

The vulnerability was introduced as part of a commit made in August 2013.

The “wall” command is used to write a message to the terminals of all users that are currently logged in to a server, essentially allowing users with elevated permissions to broadcast key information to all local users (e.g., a system shutdown).

“wall displays a message, or the contents of a file, or otherwise its standard input, on the terminals of all currently logged in users,” the man page for the Linux command reads. “Only the superuser can write on the terminals of users who have chosen to deny messages or are using a program which automatically denies messages.”

CVE-2024-28085 essentially exploits improperly filtered escape sequences provided via command line arguments to trick users into creating a fake SUDO prompt on other users’ terminals and trick them into entering their passwords.

However, for this to work, the mesg utility – which controls the ability to display messages from other users – has to be set to “y” (i.e., enabled) and the wall command is executed with setgid permissions.

CVE-2024-28085 impacts Ubuntu 22.04 and Debian Bookworm as these two criteria are met. On the other hand, CentOS is not vulnerable since the wall command does not have setgid.

“On Ubuntu 22.04, we have enough control to leak a user’s password by default,” Ferrante said. “The only indication of attack to the user will be an incorrect password prompt when they correctly type their password, along with their password being in their command history.”

Similarly, on systems that allow wall messages to be sent, an attacker could potentially alter a user’s clipboard through escape sequences on select terminals like Windows Terminal. It does not work on GNOME Terminal.

Users are advised to update to util-linux version 2.40 to mitigate against the flaw.

“[CVE-2024-28085] allows unprivileged users to put arbitrary text on other users terminals, if mesg is set to y and *wall is setgid*,” according to the release notes. “Not all distros are affected (e.g., CentOS, RHEL, Fedora are not; Ubuntu and Debian wall is both setgid and mesg is set to y by default).”

The disclosure comes as security researcher notselwyn detailed a use-after-free vulnerability in the netfilter subsystem in the Linux kernel that could be exploited to achieve local privilege escalation.

Assigned the CVE identifier CVE-2024-1086 (CVSS score: 7.8), the underlying issue stems from input sanitization failure of netfilter verdicts, allowing a local attacker to cause a denial-of-service (DoS) condition or possibly execute arbitrary code. It has been addressed in a commit pushed on January 24, 2024.

Mar 25, 2024The Hacker NewsData Breach / Password Security

In January 2024, Microsoft discovered they’d been the victim of a hack orchestrated by Russian-state hackers Midnight Blizzard (sometimes known as Nobelium). The concerning detail about this case is how easy it was to breach the software giant. It wasn’t a highly technical hack that exploited a zero-day vulnerability – the hackers used a simple password spray attack to take control of an old, inactive account. This serves as a stark reminder of the importance of password security and why organizations need to protect every user account.

Password spraying: A simple yet effective attack

The hackers gained entry by using a password spray attack in November 2023, Password spraying is a relatively simple brute force technique that involves trying the same password against multiple accounts. By bombarding user accounts with known weak and compromised passwords, the attackers were able to gain access to a legacy non-production test account within the Microsoft system which provided them with an initial foothold in the environment. This account either had unusual privileges or the hackers escalated them.

The attack lasted for as long as seven weeks, during which the hackers exfiltrated emails and attached documents. This data compromised a ‘very small percentage’ of corporate email accounts, including those belonging to senior leadership and employees in the Cybersecurity and Legal teams. Microsoft’s Security team detected the hack on January 12th and took immediate action to disrupt the hackers’ activities and deny them further access.

However, the fact that the hackers were able to access such sensitive internal information highlights the potential damage that can be caused by compromising even seemingly insignificant accounts. All attackers need is an initial foothold within your organization.

The importance of protecting all accounts

While organizations often prioritize the protection of privileged accounts, the attack on Microsoft demonstrates that every user account is a potential entry point for attackers. Privilege escalation means that attackers can achieve their goals without necessarily needing a highly privileged admin account as an entry point.

Protecting an inactive low-privileged account is just as crucial as safeguarding a high-privileged admin account for several reasons. First, attackers often target these overlooked accounts as potential entry points into a network. Inactive accounts are more likely to have weak or outdated passwords, making them easier targets for brute force attacks. Once compromised, attackers can use these accounts to move laterally within the network, escalating their privileges and accessing sensitive information.

Second, inactive accounts are often neglected in terms of security measures, making them attractive targets for hackers. Organizations may overlook implementing strong password policies or multi-factor authentication for these accounts, leaving them vulnerable to exploitation. From an attacker’s perspective, even low-privileged accounts can provide valuable access to certain systems or data within an organization.

Defend against password spray attacks

The Microsoft hack serves as a wake-up call for organizations to prioritize the security of every user account. It highlights the critical need for robust password protection measures across all accounts, regardless of their perceived significance. By implementing strong password policies, enabling multi-factor authentication, conducting regular Active Directory audits, and continuously scanning for compromised passwords, organizations can significantly reduce the risk of being caught out in the same way.

1. Active Directory auditing: Conducting regular audits of Active Directory can provide visibility into unused and inactive accounts, as well as other password-related vulnerabilities. Audits provide a valuable snapshot of your Active Directory but should always be complemented by ongoing risk mitigation efforts. If you’re lacking visibility into your organization’s inactive and stale user accounts, consider running a read-only audit with our free auditing tool that gives an interactive exportable report: Specops Password Auditor.
2. Robust password policies: Organizations should enforce strong password policies that block weak passwords, such as common terms or keyboard walks like ‘qwerty’ or ‘123456.’ Implementing long, unique passwords or passphrases is a strong defense against brute-force attacks. Custom dictionaries that block terms related to the organization and industry should also be included.
3. Multi-factor authentication (MFA): Enabling MFA adds an authentication roadblock for hackers to overcome. MFA serves as an important layer of defense, although it’s worth remembering that MFA isn’t foolproof. It needs to be combined with strong password security.
4. Compromised password scans: Even strong passwords can become compromised if end users reuse them on personal devices, sites, or applications with weak security. Implementing tools to continuously scan your Active Directory for compromised passwords can help identify and mitigate potential risks.

Continuously shut down attack routes for hackers

The Microsoft hack underscores the need for organizations to implement robust password protection measures across all accounts. A secure password policy is essential, ensuring that all accounts, including legacy, non-production, and testing accounts, aren’t overlooked. Additionally, blocking known compromised credentials adds an extra layer of protection against active attacks.

Specops Password Policy with Breached Password Protection offers automated, ongoing protection for your Active Directory. It protects your end users against the use of more than 4 billion unique known compromised passwords, including data from both known leaks as well as our own honeypot system that collects passwords being used in real password spray attacks.

The daily update of the Breached Password Protection API, paired with continuous scans for the use of those passwords in your network, equals a much more comprehensive defense against the threat of password attack and the risk of password reuse. Speak to expert today to find out how Specops Password Policy could fit in with your organization.

Feb 03, 2024NewsroomCyber Attack / Software Security

Remote desktop software maker AnyDesk disclosed on Friday that it suffered a cyber attack that led to a compromise of its production systems.

The German company said the incident, which it discovered following a security audit, is not a ransomware attack and that it has notified relevant authorities.

“We have revoked all security-related certificates and systems have been remediated or replaced where necessary,” the company said in a statement. “We will be revoking the previous code signing certificate for our binaries shortly and have already started replacing it with a new one.”

Out of an abundance of caution, AnyDesk has also revoked all passwords to its web portal, my.anydesk[.]com, and it’s urging users to change their passwords if the same passwords have been reused on other online services.

It’s also recommending that users download the latest version of the software, which comes with a new code signing certificate.

AnyDesk did not disclose when and how its production systems were breached. It’s currently not known if any information was stolen following the hack. However, it emphasized there is no evidence that any end-user systems have been affected.

Earlier this week, Günter Born of BornCity disclosed that AnyDesk had been under maintenance on January 29. The issue was addressed on February 1. Previously, on January 24, the company also alerted users of “intermittent timeouts” and “service degradation” with its Customer Portal.

AnyDesk boasts over 170,000 customers, including Amedes, AutoForm Engineering, LG Electronics, Samsung Electronics, Spidercam, and Thales.

The disclosure comes a day after Cloudflare said it was breached by a suspected nation-state attacker using stolen credentials to gain unauthorized access to its Atlassian server and ultimately access some documentation and a limited amount of source code.

Jan 03, 2024NewsroomMalware / Data Theft

Information stealing malware are actively taking advantage of an undocumented Google OAuth endpoint named MultiLogin to hijack user sessions and allow continuous access to Google services even after a password reset.

According to CloudSEK, the critical exploit facilitates session persistence and cookie generation, enabling threat actors to maintain access to a valid session in an unauthorized manner.

The technique was first revealed by a threat actor named PRISMA on October 20, 2023, on their Telegram channel. It has since been incorporated into various malware-as-a-service (MaaS) stealer families, such as Lumma, Rhadamanthys, Stealc, Meduza, RisePro, and WhiteSnake.

The MultiLogin authentication endpoint is primarily designed for synchronizing Google accounts across services when users sign in to their accounts in the Chrome web browser (i.e., profiles).

A reverse engineering of the Lumma Stealer code has revealed that the technique targets the “Chrome’s token_service table of WebData to extract tokens and account IDs of chrome profiles logged in,” security researcher Pavan Karthick M said. “This table contains two crucial columns: service (GAIA ID) and encrypted_token.”

This token:GAIA ID pair is then combined with the MultiLogin endpoint to regenerate Google authentication cookies.

Karthick told The Hacker News that three different token-cookie generation scenarios were tested –

• When the user is logged in with the browser, in which case the token can be used any number of times.

• When the user changes the password but lets Google remain signed in, in which case the token can only be used once as the token was already used once to let the user remain signed in.

• If the user signs out of the browser, then the token will be revoked and deleted from the browser’s local storage, which will be regenerated upon logging in again.

When reached for comment, Google acknowledged the existence of the attack method but noted that users can revoke the stolen sessions by logging out of the impacted browser.

“Google is aware of recent reports of a malware family stealing session tokens,” the company told The Hacker News. “Attacks involving malware that steal cookies and tokens are not new; we routinely upgrade our defenses against such techniques and to secure users who fall victim to malware. In this instance, Google has taken action to secure any compromised accounts detected.”

“However, it’s important to note a misconception in reports that suggests stolen tokens and cookies cannot be revoked by the user,” it further added. “This is incorrect, as stolen sessions can be invalidated by simply signing out of the affected browser, or remotely revoked via the user’s devices page. We will continue to monitor the situation and provide updates as needed.”

The company further recommended users turn on Enhanced Safe Browsing in Chrome to protect against phishing and malware downloads.

“It’s advised to change passwords so the threat actors wouldn’t utilize password reset auth flows to restore passwords,” Karthick said. “Also, users should be advised to monitor their account activity for suspicious sessions which are from IPs and locations which they don’t recognize.”

“Google’s clarification is an important aspect of user security,” said Hudson Rock co-founder and chief technology officer, Alon Gal, who previously disclosed details of the exploit late last year.

“However, the incident sheds light on a sophisticated exploit that may challenge the traditional methods of securing accounts. While Google’s measures are valuable, this situation highlights the need for more advanced security solutions to counter evolving cyber threats such as in the case of infostealers which are tremendously popular among cybercriminals these days.”

(The story was updated after publication to include additional comments from CloudSEK and Alon Gal.)