This Week in Security: Ubiquiti, Nissan, Zyxel, and Dovecot

You may have been one of the many of us who received an email from Ubiquiti this week, recommending a password change. The email stated that there was an unauthorized access of Ubiquiti systems, and while there wasn’t evidence of user data being accessed, there was also not enough evidence to say emphatically that user data was not accessed. Ubiquiti has mentioned that the database that may have been accessed contains a user’s name, email address, hashed password, and optionally the mailing address and phone number.

Depending on how the Ubiquiti authentication system is designed, that hashed password may be enough to log in to someone’s account. In any case, updating your password would invalidate the potentially compromised hash. This event underscores a complaint voiced by Ubiquiti users: Ubiquiti has been making it harder to avoid administrating hardware with local only accounts.

Nissan Source Code

Nissan was hosting a large git repository using Atlassian’s Bitbucket. That install was still using default credentials for the admin account, and someone finally noticed. The researcher who first discovered the issue has remained anonymous, and the primary source for the linked article was caught up in the recent outbreak of Twitter censorship, with an account suspension.

The repository contained code from Nissan mobile apps, marketing information, and code for internal-only services. The 18.4 GB data dump is still available on the darker corners of the internet, via torrent files.

Zyxel Scans Seen by ISC

Remember the Zyxel problem we talked about last week? Well this didn’t take long. The Internet Storm Center (ISC) is reporting that it is already seeing SSH login attempts using those hard-coded credentials.

It’s worth taking a minute to call out the ISC and similar efforts for their invaluable work. The ISC primarily serves as a clearinghouse for data from Intrusion Detection Systems and firewalls around the internet. When new patterns emerge, volunteers watching the data can quickly identify new attacks as they emerge. In some cases, this quick response can give administrators around the world time to patch the vulnerability being targeted before they are compromised.

Dovecot Hibernation

Dovecot has released version 2.3.13, and there is a fix for a notable vulnerability, CVE-2020-24386. IMAP supports an IDLE command, putting the connection to the server in a holding pattern, ready to push real-time mail notifications to the client. The vulnerability allows a client to put its connection in this state, and then send a malicious request to the server. This request can allow for limited filesystem access, most notably the downloading of messages from other accounts. It’s possible to mitigate the flaw through disabling IMAP hibernation, but the recommendation is to simply update to the latest release.

Telegram Triangulation

Telegram is one of the go-to solutions for sending secure messages. Just over a year ago, Telegram introduced “People Near Me”, a feature for finding nearby users who have opted in to the service. If you’ve opted in, you might consider going and turning that feature off. Telegram gives a very precise and accurate distance to anyone else who is within seven miles. That distance updates in real time, which is great for meetups. What might not be immediately obvious is that it’s rather trivial to spoof a device’s location to anywhere in the world. Within a few minutes, it’s possible to precisely locate anyone in the world who has Telegram’s location service turned on. Other services have prevented this problem by giving less precise location data. So far, Telegram has responded that this is not a bug, and it doesn’t plan to make any changes.

How Solarwinds Got Hacked

More details on the Solarwinds backdoor is slowly coming to light. The more information is revealed, the more interesting the story becomes. This week, we got Crowdstrike’s write-up of the malware running on Solarwinds machines. This malware, dubbed Sunspot, isn’t the Orion backdoor itself, it is a custom-written piece of malware that modifies source code surreptitiously at compile time. This brings to mind the old Trusting Trust attack.

Sunspot was written to very carefully hide from detection, and to only take action when it detects code compiling. It checks once a second for  MsBuild.exe, and whether it was building Orion. If it is, it modifies one source code file, waits for compilation to complete, and then undoes the malicious change. A developer would be hard pressed to discover the modification, because it only exists during compilation, while the developer is out getting coffee anyway. We were somewhat skeptical when Solarwinds first called this a “sophisticated and novel” hack, but the evidence seems to affirm that opinion.