Iranian APT, Equifax, & Crowdfense – Hack Naked News #210

Severe RCE vulnerability affected popular StackStorm Automation software, Crowdfense is willing to pay $3 Million for iOS and Android Zero-Days, Equifax neglected cyber security prior to breach, Google launches new Cloud Security services, and an unprotected MongoDB instance exposes 800 million emails! Jason Wood from Paladin Security joins us for expert commentary on how a researcher claims an Iranian APT is behind a 6TB Data Heist at Citrix!

Security News

  1. Facebook Alleges Two Ukrainians Scraped Data From 63K Profiles – the applications used the “login with Facebook” feature to allow users to sign in — it’s a function that allows users to avoid creating brand-new accounts for certain apps. When a user “logs in with Facebook,” they’re alerted that by doing so, they allow the app to access public profile information. The malicious apps in this case were thus actually designed to scrape the app users’ public profiles on Facebook. The apps also eventually prompted users to install malicious extensions that manipulated users’ browsers; these collected a raft of private and public social-media data information when a user visited the Facebook site – Don’t believe for a second that what you put on Facebook is private, this type of attack happens all the time as the social media giants struggle (or ignore) the separation between “good” apps and “bad” apps (or users).
  2. Severe RCE vulnerability affected popular StackStorm Automation Software – According to the expert, the flaw could be exploited by a remote attacker to trick developers into executing arbitrary commands on targeted services. StackStorm has been used to automate workflows in many industries, it allows developers to configure actions, workflows, and scheduled tasks, to perform some operations on large-scale servers. The vulnerability tied the way the StackStorm REST API improperly handled CORS (cross-origin resource sharing) headers, eventually enabling web browsers to perform cross-domain requests on behalf of authenticated users/developers. – The “on behalf” phrase really resonates with me and underscores the challenges in DevOps associated with tying multiple applications and processes together in an automated fashion.
  3. Vulnerability research hub Crowdfense is willing to pay $3 Million for iOS, Android zero-day exploits – Vulnerability research firm Crowdfense is offering up to $3 million for working exploits for iOS and Android zero-day. In 2018, Crowdfence ran a $10 million bug bounty program, now the company decided to increment the value of the bug bounty program and extended them to other areas, including Messengers, Networking Devices, and WiFi/Baseband. – It still begs the question, who is funding this operation?
  4. A serious Windows 0-day is being actively exploited in the wild – Always try to be on the latest version? It would help here: The flaw, which resides in the Windows win32k.sys kernel driver, gives attackers a means to break out of security sandboxes that Chrome and most other browsers use to keep untrusted code from interacting with sensitive parts of an OS. Attackers combined an exploit for this vulnerability with an exploit for CVE-2019-5786, a use-after-free bug in Chrome’s FileReader component. The Windows vulnerability is a NULL pointer dereference in win32k!MNGetpItemFromIndex when the NtUserMNDragOver() system call is called under specific circumstances. “We strongly believe this vulnerability may only be exploitable on Windows 7 due to recent exploit mitigations added in newer versions of Windows,” Lecigne wrote. “To date, we have only observed active exploitation against Windows 7 32-bit systems.”
  5. Equifax neglected cybersecurity prior to breach, Senate report finds | SC Media – Equifax is trying to defend itself: “The fact that Equifax suffered a data breach does not mean the company did not have appropriate data security program or that the company failed to take cybersecurity seriously,” the company’s current CEO Max Begor told Congress. But the report said the credit monitoring agency didn’t adhere to it own patching schedule and failed to locate and patch the Apache Struts vulnerability that led to the 2017 breach. the Senate Permanent Subcommittee on Investigations believes differently, stating: “In addition, Equifax did not have basic tools in place to detect and identify changes to files, a protection which would have generated real-time alerts and detected the unauthorized changes the hackers were making,” the report said. Casey Ellis, CEO and Founder of Bugcrowd, who is also much taller in person than he appears online, is quoted stating that several bug bounty hunters identified the same flaws in other bounty programs some time before the Equifax breach.
  6. Google Launches New Cloud Security Services | SecurityWeek.Com – In addition to funding and launching Chronicle, Google has made several other security plays: Google also announced the general availability of Cloud Armor, a DDoS defense and Web Application Firewall (WAF) service for the Google Cloud Platform (GCP). Based on the same technology used to protect services such as Search, Gmail and YouTube, Cloud Armor delivers L3/L4 DDoS defense, along with IP Allow/Deny capabilities for applications or services behind the Cloud HTTP/S Load Balancer. The release is accompanied by a new Cloud Armor dashboard in Stackdriver Monitoring to monitor and analyze traffic subject to Cloud Armor protection, while also making it easy for users to evaluate the potential impact of proposed rules on their whole project. Many believe that Backstory, a new log monitoring and analysis tool from Chronicle, was the best new security technology showcased at RSA this year, and I agree.
  7. Unprotected MongoDB Instance Exposes 800 Million Emails | SecurityWeek.Com – The attacker is quoted as saying “Jackpot”: An unprotected MongoDB database was recently found exposing over 800 million records, including email addresses and phone numbers. Discovered on February 25 by security researcher Bob Diachenko, the MongoDB instance weighed in at 150 gigabytes and allowed anyone with an Internet connection to access the information within. While most of the 808,539,939 records in the database’s four separate collections of data were email addresses, others were found to contain far more details, including personally identifiable information (PII).
  8. Google Patches Critical Bluetooth RCE Bug – Eleven critical Android bugs were patched as part of Google’s March Security Update. Three of them were tied to Android’s media framework and core system, while the others were related to faulty Qualcomm chip components. Out of those critical bugs, Google patched three critical remote code-execution (RCE) bugs, including two critical media framework vulnerabilities (CVE-2019-1989 and CVE-2019-1990) that impact Android 7.0 (Nougat) and after.

Expert Commentary: Jason Wood, Paladin Security

Researcher Claims Iranian APT Behind 6TB Data Heist at Citrix

Researcher post – Resecurity Blog Post

As many of you have heard, Citrix has joined the list of companies that have experienced a high profile breach. There are a number of blog posts and commentary available online, but I thought it could be useful to talk about how to use the information that has been released publicly so far.

First, I have a disclaimer. My full-time job is a threat hunter at CrowdStrike and nothing I say is the position of CrowdStrike, nor am is anything I’m saying based on analysis done by my employer. So take this as solely my opinion.

With that out of the way, let’s take do a quick summary of what has been released. Three days ago Citrix released a blog post saying that the FBI had notified them that they had experienced a breach. Citrix admits that they do not know the entire scope of the breach or what exactly was impacted. Only that documents have been accessed by the attackers. They further stated that the FBI advised them that the attackers probably used password spraying as a way of getting in. Queue up speculation about password spraying and how the breach occurred from there.

Two days later some fuel was tossed onto the fire by a security company in Los Angeles, CA named Resecurity. They released a blog post stating that they had notified Citrix back on December 28, 2018 a “targeted attack and data breach.” Resecurity stated that They further attributed the attack to an attacker group named Iridium, who is described as an Iranian backed team. Their analysis indicated that the attackers had access to 6TB of data. Resecurity released some Indicators of Compromise (or IOCs) and screenshots related to the breach. I’m curious as to the origins of the screenshots since they include a capture of the Global Address List for Citrix and a mapped drive to an SMB share with 6TBs of data on it.

Regardless, the news has picked up on this blog post and now everyone knows that the attackers stole 6TBs of data, that they were based out of Iran, and used password spraying to get in. In reality, the data released publicly doesn’t confirm any of this in my opinion. The information released by Resecurity is fairly thin as well, though they do state that they have been collaborating with other organizations to get information together. If so, I doubt what they released in their blog post is the only information they have.

With all that out of the way, let’s talk about what to do next. As I said, the information that is public doesn’t have a lot of details, except for the IOCs released by Resecurity. They released 3 source IP addresses and 7 proxy/VPN IP addresses that they have tied to this breach. They also referenced a FBI Flash Alert that discusses the methods used by an Iranian based group named Mabna Institute. In total, we have 10 IP addresses and a technique to do some analysis on.

First, it’s probably worth taking the 10 IP addresses and doing some analysis of your security data based on these IPs. Do you see them in your logs? What were they accessing? Are these assets being used to interact with your organization? Start doing a little hunting on this data and see what you can find out. It’s something I have done in the past and found yield some interesting results.

Second, take a look at password spraying and your defenses. This attack method is very effective and, in spite of the spike in the number of authentication attempts, isn’t usually noticed by organizations. I personally have used it on penetration tests and usually get good results out of it. No one’s account gets locked out, so no one notices. Start asking yourself how could you detect this? How could you defend against it? Multi-factor authentication is an obvious defense. For detection, I would trend authentication activity and alert on changes in volume. With that information, you can hopefully get a jump on an attacker using this technique against you.

I’ve included several links in the show notes related to this news. Read it with a critical eye, but think about how the information in it could be useful to you. I personally have some issues with the data available, but it still seems like we can get some mileage out them in our own defenses.

Full Show Notes

Visit http://hacknaked.tv to get all the latest episodes!

Paul Asadorian

Paul Asadorian – CEO, Security Weekly.

Jason Wood
Jason Wood – Founder; Primary Consultant, Paladin Security.